Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
Overall score: 10 (the highest score among the tasks below)

Score per task (Score is the 1 to 10 threat score Triage assigned to that task)

Task          Sample                    Platform              Score
static1       (submitted file)          static                3
behavioral1   Software_1.30.1.rar       windows7-x64          3
behavioral2   Software_1.30.1.rar       windows10-2004-x64    7
behavioral3   Debug/Addition.dll        windows7-x64          1
behavioral4   Debug/Addition.dll        windows10-2004-x64    1
behavioral5   Debug/Autoupdater.ini     windows7-x64          1
behavioral6   Debug/Autoupdater.ini     windows10-2004-x64    1
behavioral7   Debug/Cracker.dll         windows7-x64          1
behavioral8   Debug/Cracker.dll         windows10-2004-x64    1
behavioral9   Debug/DebugPPF.tmp        windows7-x64          3
behavioral10  Debug/DebugPPF.tmp        windows10-2004-x64    3
behavioral11  Debug/DebugPPT.tmp        windows7-x64          3
behavioral12  Debug/DebugPPT.tmp        windows10-2004-x64    3
behavioral13  Debug/Helper.dll          windows7-x64          1
behavioral14  Debug/Helper.dll          windows10-2004-x64    1
behavioral15  Debug/Management.log      windows7-x64          1
behavioral16  Debug/Management.log      windows10-2004-x64    1
behavioral17  Debug/Resource.dll        windows7-x64          1
behavioral18  Debug/Resource.dll        windows10-2004-x64    1
behavioral19  Debug/main.ini            windows7-x64          1
behavioral20  Debug/main.ini            windows10-2004-x64    1
behavioral21  Language.pimx             windows7-x64          3
behavioral22  Language.pimx             windows10-2004-x64    3
behavioral23  Main.ini                  windows7-x64          1
behavioral24  Main.ini                  windows10-2004-x64    1
behavioral25  Packaged/Main.xml         windows7-x64          1
behavioral26  Packaged/Main.xml         windows10-2004-x64    1
behavioral27  Packaged/Resource.dll     windows7-x64          1
behavioral28  Packaged/Resource.dll     windows10-2004-x64    1
behavioral29  Packaged/Utils.xml        windows7-x64          1
behavioral30  Packaged/Utils.xml        windows10-2004-x64    1
behavioral31  Software_1.30.1.exe       windows7-x64          10
behavioral32  Software_1.30.1.exe       windows10-2004-x64    10

Only Software_1.30.1.exe reaches the maximum score; the DLLs, INI, XML and log files extracted from the archive score 1 to 3 on their own. The sections below are the detailed report for behavioral32 (Software_1.30.1.exe on windows10-2004-x64).
Analysis (task behavioral32)
max time kernel:   1800s
max time network:  1799s
platform:          windows10-2004_x64
resource:          win10v2004-20240412-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted:         26/04/2024, 10:10
Static task
  static1

Behavioral tasks (Resource is the VM image the task ran on)

Task          Sample                    Resource
behavioral1   Software_1.30.1.rar       win7-20240221-en
behavioral2   Software_1.30.1.rar       win10v2004-20240226-en
behavioral3   Debug/Addition.dll        win7-20240221-en
behavioral4   Debug/Addition.dll        win10v2004-20240412-en
behavioral5   Debug/Autoupdater.ini     win7-20240221-en
behavioral6   Debug/Autoupdater.ini     win10v2004-20240226-en
behavioral7   Debug/Cracker.dll         win7-20231129-en
behavioral8   Debug/Cracker.dll         win10v2004-20240412-en
behavioral9   Debug/DebugPPF.tmp        win7-20240221-en
behavioral10  Debug/DebugPPF.tmp        win10v2004-20240412-en
behavioral11  Debug/DebugPPT.tmp        win7-20240220-en
behavioral12  Debug/DebugPPT.tmp        win10v2004-20240412-en
behavioral13  Debug/Helper.dll          win7-20240221-en
behavioral14  Debug/Helper.dll          win10v2004-20240412-en
behavioral15  Debug/Management.log      win7-20231129-en
behavioral16  Debug/Management.log      win10v2004-20240412-en
behavioral17  Debug/Resource.dll        win7-20240221-en
behavioral18  Debug/Resource.dll        win10v2004-20240226-en
behavioral19  Debug/main.ini            win7-20240220-en
behavioral20  Debug/main.ini            win10v2004-20240412-en
behavioral21  Language.pimx             win7-20240221-en
behavioral22  Language.pimx             win10v2004-20240412-en
behavioral23  Main.ini                  win7-20231129-en
behavioral24  Main.ini                  win10v2004-20240412-en
behavioral25  Packaged/Main.xml         win7-20240221-en
behavioral26  Packaged/Main.xml         win10v2004-20240412-en
behavioral27  Packaged/Resource.dll     win7-20240221-en
behavioral28  Packaged/Resource.dll     win10v2004-20240412-en
behavioral29  Packaged/Utils.xml        win7-20240221-en
behavioral30  Packaged/Utils.xml        win10v2004-20240412-en
behavioral31  Software_1.30.1.exe       win7-20240221-en
behavioral32  Software_1.30.1.exe       win10v2004-20240412-en
General
Target:  Software_1.30.1.exe
Size:    459KB
MD5:     1502131d8e2862b1c4c8c32460d5a471
SHA1:    661c7dbfffa6c8a03df60e6f9daf1dcfaf9b1591
SHA256:  f5c5b3ecadf87600083fa78130c7c046405e542c878a86a144626286dd857349
SHA512:  87088e55f5a0fb586771ca0bded9649e790393646036579ebf29ed051af706f24516c261a9a4365d84c675aa8f75b277ccf58eda9a86bd67eb2f1c9edfdb5f4b
SSDEEP:  12288:P4J4ZH65jJnZ0iQaNJI0pqIRWqsfedoM/Sk2+JEXRa:w4ZGnhDVqXqsWaM/dbGB
Malware Config
Signatures

Detect ZGRat V1 (3 IoCs)
  resource                                                                      yara_rule
  behavioral32/memory/2180-0-0x0000000000D70000-0x0000000000DE7000-memory.dmp  family_zgrat_v1
  behavioral32/memory/1372-1-0x0000000000400000-0x000000000044A000-memory.dmp  family_zgrat_v1
  behavioral32/memory/2180-2-0x0000000000D70000-0x0000000000DE7000-memory.dmp  family_zgrat_v1

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral32/memory/2180-0-0x0000000000D70000-0x0000000000DE7000-memory.dmp  family_redline
  behavioral32/memory/1372-1-0x0000000000400000-0x000000000044A000-memory.dmp  family_redline
  behavioral32/memory/2180-2-0x0000000000D70000-0x0000000000DE7000-memory.dmp  family_redline

  Both rules match the same three dumps: two dumps of the 0x00D70000-0x00DE7000 region in PID 2180 (Software_1.30.1.exe itself) and one dump of a 0x4A000-byte (303,104) region at 0x00400000, the conventional image base of a 32-bit executable, in PID 1372. PID 1372 is the RegAsm.exe process that PID 2180 writes into and redirects in the two signatures that follow.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process              procid_target
  PID 2180 set thread context of 1372  2180  Software_1.30.1.exe  90

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (taskmgr.exe)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (taskmgr.exe)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  (taskmgr.exe)
  All three reads are attributed to taskmgr.exe (PID 4224), which the process tree lists as a top-level process with no parent link to Software_1.30.1.exe or RegAsm.exe; they are not evidence of sandbox evasion by the sample.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (taskmgr.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (taskmgr.exe)
  Again attributed to taskmgr.exe (PID 4224), not to the sample.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (chrome.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (chrome.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (chrome.exe)
  Attributed to chrome.exe (PID 3608), another top-level process with no parent link to the sample.

Modifies data under HKEY_USERS (2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  (chrome.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586001203264964"  (chrome.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid Process: 64 entries, 62 of them 4224 taskmgr.exe and 2 of them 3608 chrome.exe.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid Process: 4224 taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid Process: 3608 chrome.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege          1372  RegAsm.exe
  Token: SeDebugPrivilege          4224  taskmgr.exe
  Token: SeSystemProfilePrivilege  4224  taskmgr.exe
  Token: SeCreateGlobalPrivilege   4224  taskmgr.exe
  The remaining 60 entries alternate SeShutdownPrivilege and SeCreatePagefilePrivilege for 3608 chrome.exe. The only entry inside the sample's lineage is RegAsm.exe (PID 1372) enabling SeDebugPrivilege, which a plain RegAsm.exe invocation has no reason to do.

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid Process: 64 entries, all 4224 taskmgr.exe or 3608 chrome.exe.

Suspicious use of SendNotifyMessage (64 IoCs)
  pid Process: 64 entries, all 4224 taskmgr.exe or 3608 chrome.exe.

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   Process              procid_target
  PID 2180 wrote to memory of 1372     2180  Software_1.30.1.exe  90    (8 entries)
  PID 3608 wrote to memory of 1052     3608  chrome.exe           121
  PID 3608 wrote to memory of 3328     3608  chrome.exe           122
  PID 3608 wrote to memory of 2768     3608  chrome.exe           123
  PID 3608 wrote to memory of 4916     3608  chrome.exe           124
  The 56 chrome.exe entries are the browser writing into its own child processes (1052, 3328, 2768, 4916; see the process tree). The eight writes from Software_1.30.1.exe into RegAsm.exe, followed by the SetThreadContext call above, are the sample's injection.
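The SetThreadContext, WriteProcessMemory and YARA rows above describe one injection chain, but the report presents them as three unrelated tables. The script below is an added example (not part of the Triage report or of tria.ge's tooling) that correlates them: it parses rows in the flattened layout shown above, pairs WriteProcessMemory with SetThreadContext on the same source/target PIDs so that Chrome's writes into its own children are not flagged, and attaches the YARA memory hits to the target. The input rows are copied from this report (the chrome.exe write rows are reduced to a few); the regexes assume exactly this row layout, which is an assumption drawn from this page rather than a documented format.

```python
import re
from collections import defaultdict

# Rows copied from the Signatures section of this report (task behavioral32).
# The 56 chrome.exe WriteProcessMemory rows are represented by four of them.
SET_THREAD_CONTEXT_ROWS = [
    "PID 2180 set thread context of 1372 2180 Software_1.30.1.exe 90",
]
WRITE_PROCESS_MEMORY_ROWS = (
    ["PID 2180 wrote to memory of 1372 2180 Software_1.30.1.exe 90"] * 8
    + ["PID 3608 wrote to memory of 1052 3608 chrome.exe 121"] * 2
    + ["PID 3608 wrote to memory of 2768 3608 chrome.exe 123"] * 2
)
YARA_ROWS = [
    "behavioral32/memory/2180-0-0x0000000000D70000-0x0000000000DE7000-memory.dmp family_zgrat_v1",
    "behavioral32/memory/1372-1-0x0000000000400000-0x000000000044A000-memory.dmp family_zgrat_v1",
    "behavioral32/memory/2180-2-0x0000000000D70000-0x0000000000DE7000-memory.dmp family_zgrat_v1",
    "behavioral32/memory/2180-0-0x0000000000D70000-0x0000000000DE7000-memory.dmp family_redline",
    "behavioral32/memory/1372-1-0x0000000000400000-0x000000000044A000-memory.dmp family_redline",
    "behavioral32/memory/2180-2-0x0000000000D70000-0x0000000000DE7000-memory.dmp family_redline",
]

# Row layouts as they appear on this page (an assumption, not a documented format).
EDGE_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)"
)
YARA_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<dump>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp (?P<rule>\S+)"
)


def parse_edge(row):
    """-> (source pid, target pid, operation, source image)."""
    m = EDGE_RE.fullmatch(row.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    return int(m["src"]), int(m["dst"]), m["op"], m["image"]


def parse_yara_hit(row):
    """-> dict with the dumped region (ints) and the rule that matched it."""
    m = YARA_RE.fullmatch(row.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    return {"task": m["task"], "pid": int(m["pid"]), "dump": int(m["dump"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"]}


def find_hollowing_candidates(wpm_rows, stc_rows):
    """(src, dst) pairs that occur in BOTH tables.

    Writing into another process and then re-pointing one of its threads is the
    process-hollowing / thread-hijack sequence; writes alone (Chrome setting up
    its child processes here) are not flagged."""
    writes, images = defaultdict(int), {}
    for row in wpm_rows:
        src, dst, _, image = parse_edge(row)
        writes[(src, dst)] += 1
        images[(src, dst)] = image
    flagged = {}
    for row in stc_rows:
        src, dst, _, _ = parse_edge(row)
        if (src, dst) in writes:
            flagged[(src, dst)] = {"image": images[(src, dst)], "writes": writes[(src, dst)]}
    return flagged


def regions_for_pid(yara_rows, pid):
    """Group hits by dumped region so a region matched by several rules is listed
    once with every rule that hit it. Keys are (dump index, start, end)."""
    regions = defaultdict(set)
    for row in yara_rows:
        hit = parse_yara_hit(row)
        if hit["pid"] == pid:
            regions[(hit["dump"], hit["start"], hit["end"])].add(hit["rule"])
    return {key: sorted(rules) for key, rules in sorted(regions.items())}


def summarise(wpm_rows, stc_rows, yara_rows):
    """One finding per injection pair, with the YARA-tagged regions of the target."""
    findings = []
    for (src, dst), info in find_hollowing_candidates(wpm_rows, stc_rows).items():
        findings.append({
            "source": (src, info["image"]),
            "target_pid": dst,
            "writes": info["writes"],
            "target_regions": [
                {"base": hex(start), "size": end - start, "rules": rules}
                for (_, start, end), rules in regions_for_pid(yara_rows, dst).items()
            ],
        })
    return findings


if __name__ == "__main__":
    for f in summarise(WRITE_PROCESS_MEMORY_ROWS, SET_THREAD_CONTEXT_ROWS, YARA_ROWS):
        src, image = f["source"]
        print(f"{image} (PID {src}) wrote {f['writes']}x into PID {f['target_pid']} and set its thread context")
        for r in f["target_regions"]:
            print(f"  target region {r['base']} ({r['size']} bytes): {', '.join(r['rules'])}")
```

Run against this report it yields a single finding: Software_1.30.1.exe (2180) into PID 1372, with the 0x400000 region of the target tagged by both family_redline and family_zgrat_v1. Chrome's writes drop out because no SetThreadContext row pairs with them.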
Processes
(indentation reproduces the parent/child depth the report marks with 1⤵, 2⤵, 3⤵; "cmd" is the captured command line)

C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe   PID 2180
  cmd: "C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe   PID 1372
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken

This is the only lineage that belongs to the sample. RegAsm.exe, the .NET Framework Assembly Registration Tool, is started with no arguments, whereas a legitimate invocation passes the assembly to register. Together with the eight WriteProcessMemory calls and the SetThreadContext call from PID 2180, and the RedLine/ZGRat YARA hits on the 0x00400000 region of PID 1372, this is process hollowing (ATT&CK T1055.012) with RegAsm.exe as the host; the SeDebugPrivilege adjustment by PID 1372 comes from the code now running inside RegAsm.exe. Every process below is a top-level entry with no parent link to the sample.

C:\Windows\system32\taskmgr.exe   PID 4224
  cmd: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\chrome.exe   PID 3608
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 1052
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff84110ab58,0x7ff84110ab68,0x7ff84110ab78
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 3328
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=584 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 2768
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 4916
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5132
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5156
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5528
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3948 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5560
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5580
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5796
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5880
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5932
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe   PID 6044
      cmd: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe   PID 6060
          cmd: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff62bf0ae48,0x7ff62bf0ae58,0x7ff62bf0ae68
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5608
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4872 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe   PID 5240
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 --field-trial-handle=2036,i,15173955513594560594,15043515559632362774,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe   PID 5312
  cmd: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\system32\rundll32.exe   PID 3172
  cmd: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe   PID 840
  cmd: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
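Deciding which signatures belong to the sample and which to the sandbox's own processes is the first thing to settle when reading a tree like this, and the second is turning the RegAsm.exe observation into something a hunt can run. The script below is an added example, not the report's or tria.ge's code: its process records are transcribed from the tree above (Chrome's helpers reduced to the crashpad handler, its command line shortened), the registry IoC rows are copied from the Signatures section, and the list of .NET Framework host binaries other than RegAsm.exe is an assumption about what a hunt should also cover. It computes the sample's lineage from parent links, tags each IoC as inside or outside that lineage, and flags .NET hosts started with an empty argument list.

```python
import ntpath  # Windows path handling that also works on a Linux analysis box
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None for the top-level entries in the report's tree
    image: str
    cmdline: str


# Transcribed from the process tree above. Chrome's helper processes are reduced
# to the crashpad handler (command line truncated); that is enough for the logic.
PROCS = [
    Proc(2180, None, r"C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe"'),
    Proc(1372, 2180, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(4224, None, r"C:\Windows\system32\taskmgr.exe",
         r'"C:\Windows\system32\taskmgr.exe" /7'),
    Proc(3608, None, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    Proc(1052, 3608, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler'),
    Proc(3172, None, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe'),
    Proc(840, None, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup"),
]

# (signature, registry key, process) copied from the Signatures section above.
REGISTRY_IOCS = [
    ("Checks SCSI registry key(s)",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
     "taskmgr.exe"),
    ("Checks processor information in registry",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "taskmgr.exe"),
    ("Enumerates system info in registry",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "chrome.exe"),
    ("Modifies data under HKEY_USERS",
     r"\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry", "chrome.exe"),
]

# .NET Framework helpers that loaders commonly hollow. Only RegAsm.exe occurs in
# this report; the other names are an assumption about what a hunt should cover.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def lineage(procs, root_pid):
    """Return root_pid plus every PID reachable from it through ppid links."""
    children = defaultdict(list)
    for p in procs:
        if p.ppid is not None:
            children[p.ppid].append(p.pid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def attribute_iocs(procs, iocs, root_pid):
    """Tag each IoC row as inside or outside the sample's lineage.

    The report names only the image basename, so an IoC counts as in-lineage
    when any process with that basename descends from root_pid."""
    inside = lineage(procs, root_pid)
    by_name = defaultdict(set)
    for p in procs:
        by_name[ntpath.basename(p.image).lower()].add(p.pid)
    return [(sig, proc, bool(by_name[proc.lower()] & inside)) for sig, _key, proc in iocs]


def args_after_image(cmdline):
    """Drop the (possibly quoted) image token and return the remaining arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def argless_dotnet_hosts(procs):
    """.NET Framework hosts started with an empty argument list, with their parent image.

    RegAsm.exe and the other tools in DOTNET_HOSTS take an assembly path when used
    for their documented purpose; an empty command line under a parent running from
    a user-writable directory is the hollowing pattern seen in this tree."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        if ntpath.basename(p.image).lower() in DOTNET_HOSTS and args_after_image(p.cmdline) == "":
            parent = by_pid.get(p.ppid)
            flagged.append((p, parent.image if parent else None))
    return flagged


if __name__ == "__main__":
    for sig, proc, inside in attribute_iocs(PROCS, REGISTRY_IOCS, 2180):
        print(f"{'SAMPLE' if inside else 'noise '}  {proc:<12} {sig}")
    for proc, parent in argless_dotnet_hosts(PROCS):
        print(f"argless .NET host: {proc.image} (PID {proc.pid}), parent {parent}")
```

On this report every registry IoC lands outside the lineage of PID 2180, and the only flagged .NET host is RegAsm.exe (PID 1372) under Software_1.30.1.exe in the user's Temp directory. Matching on basename is deliberately coarse: if the sample had spawned its own taskmgr.exe the tag would flip to in-lineage, which is the conservative direction.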
Network
MITRE ATT&CK Enterprise v15
Downloads
(files written during the run; the report gives sizes and hashes only)

Filesize: 288B
  MD5:    cd7c9a5c429610a62d52197704d12f4d
  SHA1:   ef2cc545d06106de2b2a657ca0e037c836e533dc
  SHA256: 9ae2d79787455d43ebfddab900509479ca2df48feae36f283af1b41aaca1dc1b
  SHA512: fa88b8813247963630677df7365c2fa40f20ba66a7491a5c4b8e98456af46d753bb9380c4401776943f94d4742e218c44e842520a10afad334d624a8a6a7affd

Filesize: 2KB
  MD5:    fa01fe3fb076b07361af30f4422b4efd
  SHA1:   81b9c4cdf0db3f1f3d092bfaf281a1ac77509d99
  SHA256: c903090f33c22d8b10d4d64b921447c04d55e8fd90b1d39b594788ee38a07c7b
  SHA512: 1cc717905d38867395162f10f3478660a1b927835dac662e20eb309e52ae931ad69aea503275624a223d3678787d9de23dcfadc2b8148efbe111ec6cc7ab3b0e

Filesize: 2KB
  MD5:    956d1f3a4909089882e93ec896f459c2
  SHA1:   5532af64bc04a9d81ef6d157fd20c65dbaea55d5
  SHA256: 2e823d15e1abec907418849472935bbbd3d59fc1477bf335ad6898b923218f46
  SHA512: 14fbdca6041844165246d0a5c93a3544244abb51c4db0133567579efb51ba0d13647ae2d9e5599e9fdaeb6b1e0a3249d99914bac6e2b378c89b6717f034b5be7

Filesize: 2KB
  MD5:    cb3e9f3f817b049eb6cd16ebe977285d
  SHA1:   1b8cd86b46ff6d86d3437f4fc7b7c9b2fcfbb0ce
  SHA256: 3abb8faf543b1a3dc7ce62654184f37e65140c883fdc58c8e3bccef735b48456
  SHA512: 57320eaf7d733f11df9deefd9043ddfeb41c67b7284612ceb07c63edcfab255a0cc72cf1ef4098f3e33733b3a68ec43070bf5132dd9409d6d1c13292ebafa799

Filesize: 2KB
  MD5:    2b9930cec66c07ff207f4d80852b37ec
  SHA1:   a87dddffe499c7fcf3f4dae545f92e980a24da9e
  SHA256: babbee5481b24f04a62016f6034f19795990e96b28e53bd71525813b9feb26b9
  SHA512: f4073072f3f1d51c422dd9e8c755ac3932dec74a9030a370344df6f118ddbf2514ab0938905ca1d319a0687394bc2055b86a0048c0fb5be4dc7c022317ec305e

Filesize: 2B
  MD5:    d751713988987e9331980363e24189ce
  SHA1:   97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
  (These are the hashes of the two-byte string "[]", an empty JSON array; printf '[]' | md5sum reproduces the MD5. Not worth chasing as a sample artifact.)

Filesize: 356B
  MD5:    4c6fea890af2afba9a0ff59455b988bc
  SHA1:   70129b91d9f4d77db29d7b20539956bf9c708bc6
  SHA256: b791a73c5debdee2c94c812875bcf72810cfcad82113f1762594a4ec3f6704ef
  SHA512: ee9de8d59fec1da41a115f204508bd87b4dc049329ff157e584b4ff87fa9ded944b982f6b80ae891b22d0d7e672d9ae279c21f6be55b63f00407fe7e915435a9

Filesize: 356B
  MD5:    472209d26498d0a74cf4fa942906c58c
  SHA1:   88a198987929fcc349c29c10e3dc8c7b9b22ef21
  SHA256: 69be5063a06c0a722f173466142c6233e2a9c4e66cd9caffbc658736076c41eb
  SHA512: d79ce9fc87760b167306d60ca21e232686ec57b1c73de04105629bf86b3ce91653a825b0a48e6572d1b5d23c3b5950ee6bfbe63402898e8b237da16795e49078

Filesize: 7KB
  MD5:    f0b2f3dc850a1ee16b5017401db95d5b
  SHA1:   1148a0583253a3d582ee5a0fb6be67bb0e893d3c
  SHA256: a48c8a729d838507f9dcacf22c637d7c6c831baef1df1e514f3298d47f92c523
  SHA512: 337b1b2cc452d78f09a1511b042de37872f5e354fbda2ed7b3a04537b7a2a870c180765e841838ee71a553ab3bb433a19c58d6f4de6226abd9ae5d5b52eb84a5

Filesize: 6KB
  MD5:    121497930213dd6f4cfc5f43987a0fae
  SHA1:   b97650ce3ecf81b31dacc8024ca2ede6e345071a
  SHA256: fa7e936d4881aa29f066d9e0fa94b645bf44fd0ce67478cff4567954b5fdee1c
  SHA512: 7b80979d67a6d8564fab3e1f5d0511048071a2cc3c56e14fb7a3055319e47973090234b4f9068f4a96d6e7ab8c2d054c1f664963b54c28965eb860611dee5c3f

Filesize: 16KB
  MD5:    ca95fa6f4b5dfaf94e07ea6e52fb1eac
  SHA1:   71a4ce2e377488fa682517733d61d13903178973
  SHA256: 1764e24699603af2020990a39af6a35c8f2fd2cbd9a8589664937ed106896177
  SHA512: 731c8272625ba0dc1c0cbb18cb1cc64776d65c0411f730a8bc318797bb39c5590a8de0cfdffd77e4c2e7f9ad8c0a3694c36ffce5b4466ae8e3b69aacf540afa1

Filesize: 253KB
  MD5:    5d7c7282b68d7ee55961cc57fd75729b
  SHA1:   d8fe17c92a0b39647651687dd30a86572dc01113
  SHA256: 1fe302bf25ea72a78aa59906a462e2b28ea0b6082f4ee58a62ba547cb0989e25
  SHA512: 26d598fc59a9af924e3a14d58166d3ef77232ecb8c8a51c7d5fe6841aa352e519db52400336e2a05dc2e7fe1537f758d49c2b2befe04704b72d6d5e86dbb7dfe