Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/09/2024, 14:01
Static task: static1
Behavioral task: behavioral1
Sample: chrrmesetup.msi
Resource: win7-20240708-en
General
- Target: chrrmesetup.msi
- Size: 27.8MB
- MD5: 60b6321a22e3cfcecc3c1c68295cc868
- SHA1: 808a316ee3b0f4fc7bce63358ff4f744e628465b
- SHA256: df41ebd057040524d137711938752fef32872f8a3ed2f4ee10e6b7c05d7f4410
- SHA512: b4047e9ef64bf63933143d289ce88b11107d552d37ef2905c3139e414bc8a61f86f49b548ee2e8978d0d02f5acfdc407640def7d05a9bcaffacfcebd5d872b91
- SSDEEP: 786432:NURQ1YYLOtsId3pQof4c0RtYhGYrCw45alNJFOF:N2U9XeI8bwal8
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (11 IoCs)
  description | ioc | Process
  File created | C:\Program Files\DeployEngineerCalm\ChromeSetup.exe | msiexec.exe
  File created | C:\Program Files\DeployEngineerCalm\RVMrLdYYerZH.exe | msiexec.exe
  File created | C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe | RVMrLdYYerZH.exe
  File opened for modification | C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe | RVMrLdYYerZH.exe
  File created | C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.exe | RVMrLdYYerZH.exe
  File created | C:\Program Files\DeployEngineerCalm\Aspose.Pdf.dll | msiexec.exe
  File created | C:\Program Files\DeployEngineerCalm\MSjpGFGbYdhVKRljAaZT | msiexec.exe
  File created | C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.xml | RVMrLdYYerZH.exe
  File opened for modification | C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.xml | RVMrLdYYerZH.exe
  File opened for modification | C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.exe | RVMrLdYYerZH.exe
  File opened for modification | C:\Program Files\DeployEngineerCalm | gafcETxyYz4.exe
- Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\f773ee4.msi | msiexec.exe
  File created | C:\Windows\Installer\f773ee7.msi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File created | C:\Windows\Installer\f773ee4.msi | msiexec.exe
  File created | C:\Windows\Installer\f773ee5.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3FBE.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f773ee5.ipi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  2616 | RVMrLdYYerZH.exe
  1784 | gafcETxyYz4.exe
  2924 | ChromeSetup.exe
- Loads dropped DLL (10 IoCs)
  pid | Process
  2196 | MsiExec.exe
  2196 | MsiExec.exe
  2196 | MsiExec.exe
  2196 | MsiExec.exe
  1784 | gafcETxyYz4.exe
  1784 | gafcETxyYz4.exe
  1784 | gafcETxyYz4.exe
  1784 | gafcETxyYz4.exe
  1784 | gafcETxyYz4.exe
  1784 | gafcETxyYz4.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid | Process
  1620 | msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RVMrLdYYerZH.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gafcETxyYz4.exe
- Modifies data under HKEY_USERS (46 IoCs)
- Modifies registry class (22 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\InstanceType = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\DeploymentFlags = "3" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\54C49777214F77A419A86C2403F1E555\AFC7F96DBCD857B428991B4339BD9527 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AFC7F96DBCD857B428991B4339BD9527 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\ProductName = "DeployEngineerCalm" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AFC7F96DBCD857B428991B4339BD9527\ProductFeature | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Assignment = "1" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\54C49777214F77A419A86C2403F1E555 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\PackageName = "chrrmesetup.msi" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Media | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Media\1 = ";" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\AdvertiseFlags = "388" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Version = "151388168" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\AuthorizedLUAApp = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\PackageCode = "79FDD66EA25769F40B8EC75BE5FFDB45" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Language = "1033" | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2840 | msiexec.exe
  2840 | msiexec.exe
  1784 | gafcETxyYz4.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1620 | msiexec.exe
  1620 | msiexec.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2840 wrote to memory of 2196 | 2840 | msiexec.exe | 34
  PID 2840 wrote to memory of 2196 | 2840 | msiexec.exe | 34
  PID 2840 wrote to memory of 2196 | 2840 | msiexec.exe | 34
  PID 2840 wrote to memory of 2196 | 2840 | msiexec.exe | 34
  PID 2840 wrote to memory of 2196 | 2840 | msiexec.exe | 34
  PID 2840 wrote to memory of 2196 | 2840 | msiexec.exe | 34
  PID 2840 wrote to memory of 2196 | 2840 | msiexec.exe | 34
  PID 2196 wrote to memory of 2616 | 2196 | MsiExec.exe | 35
  PID 2196 wrote to memory of 2616 | 2196 | MsiExec.exe | 35
  PID 2196 wrote to memory of 2616 | 2196 | MsiExec.exe | 35
  PID 2196 wrote to memory of 2616 | 2196 | MsiExec.exe | 35
  PID 2196 wrote to memory of 1784 | 2196 | MsiExec.exe | 37
  PID 2196 wrote to memory of 1784 | 2196 | MsiExec.exe | 37
  PID 2196 wrote to memory of 1784 | 2196 | MsiExec.exe | 37
  PID 2196 wrote to memory of 1784 | 2196 | MsiExec.exe | 37
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 1620)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrrmesetup.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2840)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2196, child of 2840)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1D0C1A46CF5D986241218BA52AAADD7 M Global\MSI0000
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\DeployEngineerCalm\RVMrLdYYerZH.exe (PID 2616, child of 2196)
      Command line: "C:\Program Files\DeployEngineerCalm\RVMrLdYYerZH.exe" x "C:\Program Files\DeployEngineerCalm\MSjpGFGbYdhVKRljAaZT" -o"C:\Program Files\DeployEngineerCalm\" -pCVtfwrfwUvBoTLjcdFbD -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe (PID 1784, child of 2196)
      Command line: "C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe" -number 250 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files\DeployEngineerCalm\ChromeSetup.exe (PID 2924, child of 2196)
      Command line: "C:\Program Files\DeployEngineerCalm\ChromeSetup.exe"
      - Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 2704)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2076)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000330" "00000000000004D8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  MD5: 02d71430364448b399e35623e5e34a3d
  SHA1: c54573ed114946157f5a4413ef8ddfc27b9b5f7a
  SHA256: 211439023c2c7c1a6d6ef9c37faa225bb8672945150fdb6b12ce9aecdbd00fb2
  SHA512: 5d36df8cf9580c1795aab6bda6447730d1411b938a40a757e3b7a5e774fefad69cc2117be6b0d812b78e328a11d365fc3726a349de7aa9100ee503cbd78ca80f
- Filesize: 8.5MB
  MD5: 5adff4313fbd074df44b4eb5b7893c5e
  SHA1: d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7
  SHA256: d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae
  SHA512: f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60
- Filesize: 1.9MB
  MD5: af02d33c55b6178318bf59b6f26b3b5d
  SHA1: 80d56ade2e9f52347d5aa7be46bcf970a93cd689
  SHA256: c135cb4f3c7b7f480499187109dde41281a1e8f29259fae95893ee53d744f1da
  SHA512: 8d86f7de37c3e22dd5223cf3bd6140f58ff57019ad1560c43ffaff17a83ee181b64fbe210b77ed6548e0125c412bb2a9912f5aa04344e01d53454fd5bfcd6d6a
- Filesize: 3.2MB
  MD5: 61c267c568496d0621a0107c0fecb047
  SHA1: d1d02d62bfcb4ea245fd54eb1507150d2d344284
  SHA256: f7db71cf62374b28b0b635a1fbedb5524d84773ff14ea9a579f0d45ca945a059
  SHA512: 5e6cd5c304c5e7effd58c4eb08a4b71236d0697b6cf6e4b82c5ab980daeb3b9e7691915d7b086dd4f9dbefe49a45c3036a9f91f520be516e4872d4bd8cfe3983
- Filesize: 27.8MB
  MD5: 60b6321a22e3cfcecc3c1c68295cc868
  SHA1: 808a316ee3b0f4fc7bce63358ff4f744e628465b
  SHA256: df41ebd057040524d137711938752fef32872f8a3ed2f4ee10e6b7c05d7f4410
  SHA512: b4047e9ef64bf63933143d289ce88b11107d552d37ef2905c3139e414bc8a61f86f49b548ee2e8978d0d02f5acfdc407640def7d05a9bcaffacfcebd5d872b91
- Filesize: 574KB
  MD5: 42badc1d2f03a8b1e4875740d3d49336
  SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
- Filesize: 832KB
  MD5: d305d506c0095df8af223ac7d91ca327
  SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
  SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
  SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796