Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 75s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 22/09/2023, 03:26
Static task: static1
Behavioral task: behavioral1
- Sample: AI Verification Tool.msi
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: AI Verification Tool.msi
- Resource: win10v2004-20230915-en
General
- Target: AI Verification Tool.msi
- Size: 8.1MB
- MD5: fe32a93b8ed4344e76673a23c604e90c
- SHA1: f97f313dbcd04d12d2cf57800c621764be913de2
- SHA256: 0bfa57b1afc0367ae7663b769bcaacf6d4d59c802a011dd9c11811409a36e342
- SHA512: a2f3377e18f31bca7f4e0951d2c8f2f507bf0446e350ae6fe503febbd56edaeb329af3ce0fe1377baac50df7722a674f65c9378dcd0faa88816e1733d41d7072
- SSDEEP: 196608:9gWlD5FAHHcbU+CNSf2U9Pxmat3sXSbNioZzQ:9nllGcSNw2U9PxmqCSI
Malware Config
- Extracted: https://www.google.com/webhp
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Drops file in Program Files directory (10 IoCs)
- File created: C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\content.js (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\background.js (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\logo.ico (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\install.ps1 (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\manifest.json (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\install.cmd (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\install.bat (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\VyprVPN-3.3.1.10335-installer.exe (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\favicon.png (msiexec.exe)
- File created: C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\background.vbs (msiexec.exe)
Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\Installer\MSI9750.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f7694d3.ipi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\f7694d0.msi (msiexec.exe)
- File created: C:\Windows\Installer\f7694d3.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\f7694d5.msi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created: C:\Windows\Installer\f7694d0.msi (msiexec.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Kills process with taskkill (3 IoCs)
- PID 596: taskkill.exe
- PID 1996: taskkill.exe
- PID 464: taskkill.exe
Modifies data under HKEY_USERS (43 IoCs)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
- PID 2340: msiexec.exe
- PID 2340: msiexec.exe
- PID 2804: powershell.exe
- PID 2804: powershell.exe
- PID 2804: powershell.exe
- PID 1516: chrome.exe
- PID 1516: chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (36 IoCs)
Suspicious use of SendNotifyMessage (32 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AI Verification Tool.msi"
  PID: 2412
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2340
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Program Files (x86)\Google\Install\install.cmd""
    PID: 1728
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM chrome.exe
      PID: 596
      Signatures: Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM msedge.exe
      PID: 1996
      Signatures: Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM brave.exe
      PID: 464
      Signatures: Kills process with taskkill
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ExecutionPolicy Bypass -File "C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic/install.ps1"
      PID: 2804
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic" --new-window https://www.google.com/webhp
        PID: 1516
        Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef2f9758,0x7feef2f9768,0x7feef2f9778
          PID: 1740
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:2
          PID: 2080
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:8
          PID: 2124
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:8
          PID: 2364
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:1
          PID: 1756
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:1
          PID: 1732
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2876 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:1
          PID: 1156
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3268 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:2
          PID: 1004
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3468 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:1
          PID: 2372
        - C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 --field-trial-handle=1360,i,14566529772070843136,5327152196199435305,131072 /prefetch:8
          PID: 2032
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2616
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002B8" "00000000000002BC"
  PID: 2468
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 876
Downloads