Overview

Task          Target                          Platform             Score
static1       Static                          -                    8
behavioral1   Dism/AppxProvider.dll           windows11-21h2-x64   3
behavioral2   Dism/AssocProvider.dll          windows11-21h2-x64   4
behavioral3   Dism/FolderProvider.dll         windows11-21h2-x64   1
behavioral4   Dism/IBSProvider.dll            windows11-21h2-x64   1
behavioral5   Dism/LogProvider.dll            windows11-21h2-x64   1
behavioral6   Dism/MsiProvider.dll            windows11-21h2-x64   1
behavioral7   Dism/OfflineSetupProvider.dll   windows11-21h2-x64   1
behavioral8   Engines/spsreng.dll             windows11-21h2-x64   1
behavioral9   Engines/spsrx.dll               windows11-21h2-x64   1
behavioral10  Engines/srloc.dll               windows11-21h2-x64   1
behavioral11  __app__v.3.9.8__x64_.msi        windows11-21h2-x64   - (the task this report covers; its score is shown with the Analysis heading)
behavioral12  setup/FXSOCM.dll                windows11-21h2-x64   -
behavioral13  setup/cmmigr.dll                windows11-21h2-x64   1
behavioral14  setup/comsetup.dll              windows11-21h2-x64   1
behavioral15  setup/msdtcstp.dll              windows11-21h2-x64   1
behavioral16  setup/pbkmigr.dll               windows11-21h2-x64   1
behavioral17  setup/tssysprep.dll             windows11-21h2-x64   1
behavioral18  wbem/WMIPJOBJ.dll               windows11-21h2-x64   1
behavioral19  wbem/WMIPSESS.dll               windows11-21h2-x64   7
behavioral20  wbem/WMIsvc.dll                 windows11-21h2-x64   7
behavioral21  wbem/wmitimep.dll               windows11-21h2-x64   8
behavioral22  wbem/wmiutils.dll               windows11-21h2-x64   7
Analysis (task score 7)

- max time kernel: 562s
- max time network: 567s
- platform: windows11-21h2_x64
- resource: win11-20241007-es
- resource tags: arch:x64, arch:x86, image:win11-20241007-es, locale:es-es, os:windows11-21h2-x64, system:windows
- submitted: 16/10/2024, 20:14
Static task
- static1

Behavioral tasks (all run on resource win11-20241007-es)
- behavioral1: Dism/AppxProvider.dll
- behavioral2: Dism/AssocProvider.dll
- behavioral3: Dism/FolderProvider.dll
- behavioral4: Dism/IBSProvider.dll
- behavioral5: Dism/LogProvider.dll
- behavioral6: Dism/MsiProvider.dll
- behavioral7: Dism/OfflineSetupProvider.dll
- behavioral8: Engines/spsreng.dll
- behavioral9: Engines/spsrx.dll
- behavioral10: Engines/srloc.dll
- behavioral11: __app__v.3.9.8__x64_.msi
- behavioral12: setup/FXSOCM.dll
- behavioral13: setup/cmmigr.dll
- behavioral14: setup/comsetup.dll
- behavioral15: setup/msdtcstp.dll
- behavioral16: setup/pbkmigr.dll
- behavioral17: setup/tssysprep.dll
- behavioral18: wbem/WMIPJOBJ.dll
- behavioral19: wbem/WMIPSESS.dll
- behavioral20: wbem/WMIsvc.dll
- behavioral21: wbem/wmitimep.dll
- behavioral22: wbem/wmiutils.dll
Errors

General

- Target: __app__v.3.9.8__x64_.msi
- Size: 51.4MB
- MD5: 25cf10e4cb809a53a6762d97bda6b3ee
- SHA1: e200a4543b55e824485c66bb08b3b0a9acca7a98
- SHA256: f49d3f3a5634cc854a78f5cc7183bd5e291bb16de20a55216b6f1b78461f7f9b
- SHA512: cbd5ba433210a82a94cdd887810b9cb3817d010cdffd19434ded1cb06b1a948eae155e8cc2f6fc00a81dde76b26bb85c2c0ec9531a1a9d2d806adb156c31c23a
- SSDEEP: 1572864:Tp+Ty2SfWnHDk8FjVbfzPTq4l+R8hliQ59dG2I7P2n:W/0WnHDkkjBPTq4BhMQ5LlI
Malware Config

Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  2     3648  MsiExec.exe
  3     3648  MsiExec.exe
  4     3648  MsiExec.exe
  PID 3648 is the 32-bit MsiExec.exe -Embedding instance, the process Windows Installer uses to run a package's DLL custom actions (it is also the process that loads the twelve dropped DLLs below), so this traffic is attributable to the package's own code rather than to the installer client.

Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  msiexec.exe opened (read-only) \??\A:, \??\B:, \??\E: and \??\G: through \??\Z: (23 letters; C:, D: and F: do not appear), each letter twice. Both msiexec.exe instances, the client (PID 4788) and the service (PID 3208), carry this tag in the process tree.
  Windows Installer probes every drive letter while costing a package, so this signature also fires on benign MSIs and is not evidence of malice on its own.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
  flow  ioc
  12    camo.githubusercontent.com
  12    drive.google.com
  58    camo.githubusercontent.com
  65    drive.google.com
  66    drive.google.com
  The signature names hosts but not the requesting process. These flow numbers differ from flows 2 to 4 attributed to MsiExec.exe above, and Chrome's network service is also running in this task, so the Network section (empty in this capture) would be needed to attribute them.
Drops file in Windows directory (25 IoCs), all by msiexec.exe except where noted
  C:\Windows\Installer\ (directory opened for modification)
  C:\Windows\Installer\MSI*.tmp opened for modification (13): MSI8EC3.tmp, MSI9098.tmp, MSI90E8.tmp, MSI90F8.tmp, MSI9118.tmp, MSI9196.tmp, MSI91B7.tmp, MSIA83D.tmp, MSIA84E.tmp, MSIA8DC.tmp, MSIA92B.tmp, MSIAD14.tmp, MSIB2EF.tmp
  C:\Windows\Installer\e578da9.msi (created, then opened for modification)
  C:\Windows\Installer\e578dad.msi (created)
  C:\Windows\Installer\inprogressinstallinfo.ipi (created)
  C:\Windows\Installer\SourceHash{079437C1-1816-4002-8B61-16F01646CA96} (created)
  C:\Windows\SystemTemp\~DFB952BD6FA21DF587.TMP, ~DF9265A78DB9B653DC.TMP, ~DFAD9560A006B5385D.TMP, ~DF0E4C397EC15694E4.TMP (created)
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (opened for modification)
  C:\Windows\SystemTemp (opened for modification by chrome.exe)
  The MSI*.tmp files are where Windows Installer writes out Binary-table custom actions before running them, which is consistent with the twelve dropped-DLL loads by PID 3648 below. The .msi copies under C:\Windows\Installer are the cached package, and the GUID in the SourceHash file name is the product code; both are what an analyst would use to find the package's registration on an infected host.

Executes dropped EXE (1 IoC)
  pid 1420 UnRAR.exe

Loads dropped DLL (12 IoCs)
  pid 3648 MsiExec.exe (12 loads)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid 4788 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe
  Installers that pick a UI language read this key as a matter of course; treat it as a weak signal unless the sample is seen acting on the result.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by chrome.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by chrome.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by chrome.exe
  All three reads are by chrome.exe, not by the installer chain.

Modifies data under HKEY_USERS (17 IoCs)
  LogonUI.exe, all under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\:
    CurrentVersion\Explorer\Accent: key created; AccentPalette (data) = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00; AccentColorMenu = 4292114432; StartColorMenu = 4290799360
    DWM: key created; ColorizationColor = 3288365268; ColorizationAfterglow = 3288365268; ColorizationAfterglowBalance = 10; ColorizationBlurBalance = 1; ColorizationColorBalance = 89; ColorizationGlassAttribute = 1; AccentColor = 4292114432; EnableWindowColorization = 186
    CurrentVersion\Themes\History: key created; AutoColor = 0
  chrome.exe, under \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry: key created; TraceTimeLast = 133735838020009491
  None of these writes comes from the installer chain: the LogonUI.exe values are desktop accent and colorization settings, and the chrome.exe value is a TPM telemetry timestamp.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3208 msiexec.exe (2); pid 3372 chrome.exe (2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid 3372 chrome.exe (8)
  Chrome applies this process-creation mitigation (the child may load only Microsoft-signed DLLs) to its own child processes; it is browser behaviour, not the sample's.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 4788 msiexec.exe (client), 31 entries: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 3208 msiexec.exe (service), 33 entries: SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternately (16 pairs)
  The client enabling the whole privilege set at start-up and the service toggling SeRestore/SeTakeOwnership around its file operations is what a routine MSI install looks like; the heuristic lists it because it fires on any such call, not because this sample does something unusual here.
Suspicious use of FindShellTrayWindow (28 IoCs)
  pid 4788 msiexec.exe (2); pid 3372 chrome.exe (26)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid 3372 chrome.exe (12)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4524 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  source pid  process      target pid  procid_target  entries
  3208        msiexec.exe  3648        80             3
  3208        msiexec.exe  1420        83             2
  3372        chrome.exe   4176        87             2
  3372        chrome.exe   2604        89             2
  3372        chrome.exe   3956        88             the remaining 55 entries are split between these two targets
  3372        chrome.exe   4844        90
  The writes by the Installer service (3208) into the -Embedding host (3648) and into UnRAR.exe (1420) are consistent with a parent creating those processes, which both appear as its children in the tree; the chrome.exe writes are the browser starting its own child processes. The entries that matter for this sample are the two into PID 1420, which tie UnRAR.exe to the Installer service.
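The Drops file in Windows directory entry above shows the package registering itself: a cached copy of the MSI under C:\Windows\Installer, inprogressinstallinfo.ipi, and SourceHash{079437C1-1816-4002-8B61-16F01646CA96}, whose braces carry the product code. On a host where this installer ran, that product code is the handle for recovering the rest of the registration from the registry (ProductName, InstallSource, InstallDate, the LocalPackage path of the cached MSI, the uninstall command), but Windows Installer keys its Products hives by a packed form of the GUID, not by the GUID as written. The following is an added example, not code from the sandbox vendor or from the sample: it implements the packing and emits the locations to query for a per-machine install. The product code is the one from the report; the SID S-1-5-18 (per-machine install) is an assumption, and the function reads nothing from a live registry.

```python
"""Where a Windows Installer package leaves its registration, from its product code.

Added example for this report, not code from the sandbox vendor or the sample.
PRODUCT_CODE is the GUID from the SourceHash{...} file the report lists under
C:\\Windows\\Installer. The key paths are the standard Windows Installer locations;
S-1-5-18 (a per-machine install) is assumed. Nothing here touches a live registry.
"""
import re
from typing import Dict

PRODUCT_CODE = "{079437C1-1816-4002-8B61-16F01646CA96}"  # from the report

_GUID_RE = re.compile(
    r"^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$",
    re.IGNORECASE,
)
_HKLM_CLASSES = r"HKLM\SOFTWARE\Classes\Installer\Products"
_HKLM_USERDATA = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"
_HKLM_UNINSTALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def _swap_pairs(s: str) -> str:
    """Swap each pair of hex digits in place: 'AB12' -> 'BA21'. Self-inverse."""
    if len(s) % 2:
        raise ValueError("odd-length hex string")
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def pack_guid(guid: str) -> str:
    """{8-4-4-4-12} product code -> 32-char packed key name used under Installer\\Products.

    The first three groups are reversed as whole strings; the last two groups are
    byte-swapped (each hex pair reversed in place). Braces and case are tolerated.
    """
    m = _GUID_RE.match(guid.strip())
    if m is None:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = (g.upper() for g in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid: 32 hex chars -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    if re.fullmatch(r"[0-9A-Fa-f]{32}", packed) is None:
        raise ValueError(f"not a packed GUID: {packed!r}")
    p = packed.upper()
    return "{%s-%s-%s-%s-%s}" % (
        p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
        _swap_pairs(p[16:20]), _swap_pairs(p[20:32]),
    )


def _key(*parts: str) -> str:
    return "\\".join(parts)


def installer_artifacts(product_code: str, sid: str = "S-1-5-18") -> Dict[str, str]:
    """Registry keys and files that hold a per-machine install's registration."""
    packed = pack_guid(product_code)
    code = unpack_guid(packed)  # canonical {UPPER} form for the keys that use the plain GUID
    return {
        # ProductName, PackageCode, Language, Version
        "product": _key(_HKLM_CLASSES, packed),
        # Net / Media subkeys: where the package was installed from
        "source_list": _key(_HKLM_CLASSES, packed, "SourceList"),
        # LocalPackage (cached .msi under C:\Windows\Installer), InstallSource, InstallDate, UninstallString
        "install_properties": _key(_HKLM_USERDATA, sid, "Products", packed, "InstallProperties"),
        # Add/Remove Programs entry, keyed by the plain product code
        "uninstall": _key(_HKLM_UNINSTALL, code),
        # file the report shows being created during the install
        "source_hash": r"C:\Windows\Installer\SourceHash" + code,
    }


if __name__ == "__main__":
    for name, path in installer_artifacts(PRODUCT_CODE).items():
        print(f"{name:19s} {path}")
```

On the host, `reg query` each emitted key (or `Get-ItemProperty` on it from PowerShell). The LocalPackage value under InstallProperties should name one of the two .msi files the report shows created in C:\Windows\Installer (e578da9.msi, e578dad.msi); hashing that copy and comparing with the SHA256 in the General section confirms which package was installed, and InstallSource gives the path it was run from.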
Processes

- C:\Windows\system32\msiexec.exe (PID 4788), Installer client
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__app__v.3.9.8__x64_.msi
  Tags: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 3208), Windows Installer service
  C:\Windows\system32\msiexec.exe /V
  Tags: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3648), 32-bit custom-action host
    C:\Windows\syswow64\MsiExec.exe -Embedding 268F4DD0379A8D2A79EEFD1F2C18A470
    Tags: Blocklisted process makes network request; Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe (PID 1420)
    "C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe" x -p "C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\kafkjo.rar" "C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\"
    Tags: Executes dropped EXE

- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3372)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Tags: Drops file in Windows directory; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - chrome.exe (PID 4176): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bdf9cc40,0x7ff9bdf9cc4c,0x7ff9bdf9cc58
  - chrome.exe (PID 3956): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1792 /prefetch:2
  - chrome.exe (PID 2604): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  - chrome.exe (PID 4844): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  - chrome.exe (PID 2320): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  - chrome.exe (PID 240): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:1
  - chrome.exe (PID 2108): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3532,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
  - chrome.exe (PID 3200): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4360,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3588 /prefetch:8
  - chrome.exe (PID 4504): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3772 /prefetch:8
  - chrome.exe (PID 3476): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  - chrome.exe (PID 1696): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  - chrome.exe (PID 740): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4824,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4288 /prefetch:1
  - chrome.exe (PID 3416): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5128,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:1
  - chrome.exe (PID 4840): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3764,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4276 /prefetch:1
  - chrome.exe (PID 2728): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=212,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:1
  - chrome.exe (PID 4144): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3196,i,13988793194645074324,17531520934580985497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5364 /prefetch:1

- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 1436)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

- C:\Windows\system32\svchost.exe (PID 5076)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

- C:\Windows\system32\svchost.exe (PID 4604)
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

- C:\Windows\system32\LogonUI.exe (PID 4524)
  "LogonUI.exe" /flags:0x4 /state0:0xa3a1d855 /state1:0x41c64e6d
  Tags: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx

Reading the tree:
- The installer chain itself (client /I, service /V, 32-bit -Embedding host under syswow64, which means the package's custom-action DLLs are 32-bit) has the shape of any MSI install. What marks this package is what the chain carries: twelve dropped DLLs loaded into the custom-action host, three network flows from that host, and an EXE run by the Installer service (PID 3208) that is a dropped UnRAR.exe in C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\, extracting kafkjo.rar from the same directory, into the same directory, with the -p (password) switch. No password is attached to the switch in the command line as recorded. The report does not show what the archive contained or whether anything ran from it within the 562s the task was allowed.
- chrome.exe appears at the top level with no parent recorded, so this report does not establish whether the installer opened the browser; its children are the browser's normal helper processes.
- elevation_service.exe, the two Ngc svchost.exe instances and LogonUI.exe are environment background and carry no sample-attributable activity.
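The two observations worth turning into detections from the tree above are that the Installer service started a binary from a user-writable directory and that the binary was an archive extractor run with a password switch. The following is an added example, not code from the sandbox vendor or from the sample, of both checks run over constructed process-creation records. EVENTS is built from the process tree above (same images, PIDs and command lines, with Chrome's children trimmed to one); parent PIDs the tree does not show are set to 0, and the field names imitate Sysmon Event ID 1 without being real telemetry.

```python
"""Flag payload hand-off out of a Windows Installer run.

Added example for this report; not code from the sandbox vendor or the sample.
EVENTS is constructed from the report's process tree. Parent PIDs the tree does
not show are 0. Field names imitate Sysmon Event ID 1 (ProcessCreate) but nothing
here was captured from a live host.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS: List[Event] = [
    Event(4788, 0, r"C:\Windows\system32\msiexec.exe",
          r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__app__v.3.9.8__x64_.msi"),
    Event(3208, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Event(3648, 3208, r"C:\Windows\syswow64\MsiExec.exe",
          r"C:\Windows\syswow64\MsiExec.exe -Embedding 268F4DD0379A8D2A79EEFD1F2C18A470"),
    Event(1420, 3208, r"C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe",
          r'"C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe" x -p '
          r'"C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\kafkjo.rar" '
          r'"C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\"'),
    Event(3372, 0, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    Event(2604, 3372, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility '
          r"--utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none"),
]

# Directories an unprivileged user can write to. A binary run from one of these
# by the Installer service was put there by the package, not by Windows.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)
ARCHIVERS = {"unrar.exe", "rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zr.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_installer_service(ev: Event) -> bool:
    """msiexec.exe /V is the Windows Installer service; EXE custom actions are its children."""
    return basename(ev.image) == "msiexec.exe" and re.search(r"(^|\s)/V\b", ev.cmdline, re.I) is not None


def is_custom_action_host(ev: Event) -> bool:
    """MsiExec.exe -Embedding <id> hosts DLL custom actions (32-bit under syswow64 here)."""
    return basename(ev.image) == "msiexec.exe" and "-embedding" in ev.cmdline.lower()


def in_installer_lineage(ev: Event, by_pid: Dict[int, Event]) -> bool:
    """True if any ancestor is the Installer service or a custom-action host."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if is_installer_service(cur) or is_custom_action_host(cur):
            return True
        cur = by_pid.get(cur.ppid)
    return False


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that trips one of the two rules."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if basename(ev.image) == "msiexec.exe":
            continue  # client, service and -Embedding host are the installer itself
        if in_installer_lineage(ev, by_pid) and USER_WRITABLE.match(ev.image):
            findings.append((ev.pid, "installer launched binary from user-writable path"))
        # -p with or without an attached password: the archive is password-protected
        if basename(ev.image) in ARCHIVERS and re.search(r"\s-p(\S*)", ev.cmdline):
            findings.append((ev.pid, "archive extraction with password switch"))
    return findings


if __name__ == "__main__":
    for pid, why in detect(EVENTS):
        print(f"PID {pid}: {why}")
```

Fed real ProcessCreate events (Image, CommandLine, ProcessId, ParentProcessId mapped onto Event), both rules fire on PID 1420 and nothing else in this tree. The -Embedding host is deliberately exempt from the first rule because every MSI with a DLL custom action spawns one; its loaded DLLs and its network flows need file and network telemetry, not a process-tree rule.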
Network

MITRE ATT&CK Enterprise v15
Downloads

The report lists dropped files by size and hash only, without names or paths.

- 340KB
  MD5    a04bce67dc2049c23fea727f7d39f19a
  SHA1   dc16bc2949e8029ae2e3d396ca4f8fd314468dd2
  SHA256 f29bc3e976f7990e0be056fb7548d5b04f100c64460f2bbd3591cb7941cbd6fb
  SHA512 8c2eeef06a141b1ca1a9082f5ca538e45117ab01c28f167bae04098fa6cd76fc46a4c3101f6f9ce58cec5ad37dc2cdf441db526dabb28b575a56e03b2a1765f4

- 649B
  MD5    454a40df4d59f7d65e4ae1b6b4c684cb
  SHA1   8dc60c6d08a40e92d3a0f99a72c107eb2c1a5a94
  SHA256 e39df9b6080a8e98900dc164380ac85cce6017eb2241e461bd73cead6c8ef351
  SHA512 45c525a500727b5e96599e052ee3dec196301e7ad0f36efadbe71ac9059ed9040e28561399d0825d3b5e5d0b4d27db6e5683d95d19e3f5eb3bf64cb5866a4d7e

- 2KB
  MD5    18df0c8e550b3d4c144c327652d5bb94
  SHA1   559971a0c122db5535ef0bee9738bdae3e8da0c5
  SHA256 c60c6b63d1127361fe7293845aaf0479d3b378c33ab065749d87f79e8024b6c9
  SHA512 a86ef320df14c7c8f0e2664f53cb10df7c2053d6e91433207869223a5638c61cf7133b0971446d6e87cd61b627bf928f47054225f2d96d9a012ef40aaafa6aa6

- 6KB
  MD5    c50c26fce30a6c366e077a008e147c9a
  SHA1   18432f3afa36df176d1966e2577fee23e28b35e0
  SHA256 7210e7f0bce032c1444bfbffd094fd100d46a38c17ac7881ec79ad8156f43eeb
  SHA512 53da2b468c63f113b855731c568b2e0c33c1bdfea9520370c3fef1a6b3eacf733238b71794a968dd4093a07af4b9419fe2cdafc52406af666a7fa26c0807bcbd

- 2B (these are the hashes of the two-byte string "[]", an empty JSON array)
  MD5    d751713988987e9331980363e24189ce
  SHA1   97d170e1550eee4afc0af065b78cda302a97674c
  SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- 1KB
  MD5    a38f5c216cd4508f26385e886a89af85
  SHA1   37fdf3ecb5418de3e84355eefec6d1e68993da16
  SHA256 13b77d44723a648d7721663e1dbb52e4e727046ba9dea9a76cf9f954de2ef0c8
  SHA512 6ba4907012eec4292e5fce5c746154c2355be4b87a9f5f2d136ba59e060597d06e6b0cc31905c3f68812bcabcd5bc55294aafc161506ad5c674b2213c0ee1f43

- 1KB
  MD5    e1cae9655889715d3b031c7eaeb4fc57
  SHA1   5265539d3f19a13ed54920702bb597d8144d1cc6
  SHA256 ccfa9b6e091661132cd0dd561c8594404f7e3e825e89c2a5393aa99c5c16af94
  SHA512 9853bc2c1cfaa7a829eb49d95b62c4fbdc399b86f04277cd28281a74da7d7b66f8ac816b716941cb857fe4ee50ba0268e182ddd5e0460cdbd2cfa51f0969de45

- 524B
  MD5    9ee28c6a4783688338458ec0d078dc05
  SHA1   0d47d0c98ae040ba35aa9ab6a9db98061c34d338
  SHA256 036515e9174679a0b64f0c543f984093ce78388767f5d8cb04ad068ad47651e0
  SHA512 2ad7934c6ba2cebd85da7769335d99113f9ed42fb07ff03649a4b06d9a00f708e1bdd02a52b1d312dfab7cb2772829edf2311fc60024318124bdc679b924fc63

- 858B
  MD5    7f5633743f8066fc819e124ca63b9331
  SHA1   bc6f334cf9aa2558464c7b0b03785e51a03c3342
  SHA256 70b7713b04392f0f3b36676e7be76a80cca020f18c3bf223997894e0e7104660
  SHA512 eb95be3d125d7dabf96bb21bf701de7a7c59af4a95540b8a1a6d292a6761feb858258d03e16f5c5b60ec78af89451e65d6ba605304e7ace5d2c6c6db9c6503d9

- 1KB
  MD5    5bcb82470bc0bb58847ebdad8ecba665
  SHA1   5021e600be1745e5f24fb3cb9e8f25f6be988ea4
  SHA256 896bfa49b48b98cee671a03d6b1bd6587e2b350c8af035aaa9bbc07f92538a07
  SHA512 7eca5b759dd385abda66c85420ad0e4b3eb2b603bb205fa4d895064a44491562d6d06d65f760fc59f4f008f9f9981aa844ae3e88010ffbbfdfb64b98397cab22

- 10KB
  MD5    40d49a6da209545c4c500a78ecaef437
  SHA1   60103fd3cdcb8725597fe9ae53d2eb750b22f072
  SHA256 2fa12edcea8ea276a1d5d2c0122dcba1fec45f1ad9cfc1c04d7fd513deea2679
  SHA512 30bebf31048f869fa6a8ef092aa7c97950209da3eabfe79675cfb85ef752bdf78cf54f63c2ed8d6ed2cc92c88abdadfeacac312b585ab7ae98d65ef71f675e76

- 9KB
  MD5    7dcfbf935479ab3908767566fdf1b179
  SHA1   940b2627f34836ec736483ecdafc2879fe6eacd2
  SHA256 9d90305d5ab3a5a29bc681156528d30ec64eec96c3f3ec8796bc2f45037a4e85
  SHA512 6fa10a7c76da27b59bdd33f82be40c75e06f17519c44daf9efa9bfa557a81f977cfb5a5dda9a1d39ffdad49985fc45647a6f608ce005a187b4f7a19b4f45d1de

- 9KB
  MD5    d408f5743f12661b68001f943f4a8059
  SHA1   7fcbff6f773eb892b052c9ebd12b645ad6bf2162
  SHA256 20ad71b1d0f0b687be6f633d8274bc47e37c069c4b3cab5f6387efcc7f07ede3
  SHA512 52add384bcf5f83e71e1cccd064feb40516539ca6c4b6aa1a7106e4ab37c304a50faf469cca05c0a24f53b1e679dc05a72f7b9455f82fa433a1a885f4d1079e8

- 10KB
  MD5    57c0a206c34be84f3f2a365d9eb17c67
  SHA1   8aba80576d6428222e6526063c7d0d14674b9238
  SHA256 63cbcefff4239f4d0e57e19f4e614b240c5016ca55a49fd2d04e8e5085da6563
  SHA512 f6edb5fb8dee4aa3e1978a7ea0c3c0c2ddecb40f5c507f16cfcd712bd018073f05252a8dfa6b29e02e3dcc3da8fb7dad0eb53de8b24f971f78680be522d778aa

- 10KB
  MD5    205e9efc53415743356f7c25423c0c78
  SHA1   58e5882d067b91acf4c7f17adaac28a00e6a23d1
  SHA256 9cea52d9127656ec9c6b7a86ddf54cba758f21f6ed272139961048067ad60477
  SHA512 a16c872693b82f57b1951e6100ab54658a6ca325a6c22eac029a5f07e6f0f1affc47426c5396234595029a4aea712e9b06da8cac6717aa5a2222712d293b6988

- 11KB
  MD5    7e262d7b7d5813258926d8492c176f57
  SHA1   fb16d7f53fec9b05b2751b22bce52eb84c2a0db7
  SHA256 6346002401c27928348c6ffadaa49f17dbe03cce060416cb458f96ba688b51d5
  SHA512 ef760ca3fc85a43f70619946c63e371cd6d359e87f5c453ea0553707a4ded53653c3987e991e335041067e18a2a3d96a455d0363c98efc2d37c8b63fa3522ae1

- 15KB
  MD5    ad4203ca425804f15987393fb8a7f6b0
  SHA1   fddaa1d4e7fc09625466354214158c38ecd45f02
  SHA256 c45e3a25b60ea81cd3c4fba7345973bb3ade9ed84f5f5bfe02317b4d9ae59a74
  SHA512 f82178d3c3c9bc22ecb3f092cc57ea60d6a933af7ce4c1040edfe5e0841fc00115184be4640b2b6b8dcf57dfbfda6e79480cccbf7cb29276d6655a7beccdf131

- 228KB
  MD5    933037738c72e370291b1c4bb6959252
  SHA1   85ae69f96cd207c1cfe038fdd6758cc7f8b44f27
  SHA256 456433f87c6492d31a0360d1e567fe855f103b07c522e14752728e98ff1bcc66
  SHA512 4cfac162e8dab5719ca13546eaf5f8f507968286939716f7ca6ac604b8853dea07471d1d7ab7103b6f53cda5bab7dece4d0f26c80c5344191607b2dc09878f3e

- 228KB
  MD5    263f467a11b123025f9df58cf9752339
  SHA1   d19a18176cbbb04ac8eb6e7dcc86d236041028e7
  SHA256 ebb6a79aa3075f20c57d9283304de953d88995d61d3a0909ed88c06a16bf4e11
  SHA512 6d6e8f01fe062c613b35287a7cc4882fc1ad626c5e632ccd4bd10184750842d95ebc91487e5dfe235ddd445bb330d02bef05ca13f8494263affcaa842035f7d3
-
Filesize
228KB
MD53d9d54bc7e4f781bc38fecfb2b1584b9
SHA156781b65b4b69cd840bf7ee0381700d0d58d3814
SHA2567d96fc3dfd19c816d7320fc3617611e62a18707e638480d1df9719d290070d6f
SHA5125fbcf081f29cffa676967e519731c1a2ab520e125c51385af646f619689532f5b4e3e4652208dd579be4fffb7c6d6c4ce4332f12fb56a0e143c52a00fe01c08e
-
Filesize
494KB
MD598ccd44353f7bc5bad1bc6ba9ae0cd68
SHA176a4e5bf8d298800c886d29f85ee629e7726052d
SHA256e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
-
Filesize
738KB
MD5b158d8d605571ea47a238df5ab43dfaa
SHA1bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA51256aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
-
Filesize
870KB
MD56119e62d8047032a715ba0670fc476c5
SHA152e639024460bf111c469e95fb011c07d6fc89e8
SHA256bc31f85266df2cdfdbe22149937105388fa3adc17e3646fa4a167736e819af77
SHA512e7301fa21f01f7f7562b853e9bb246ed051951e3cef152bb0b3558d4863f141edbbc0c4d439c30f51f9997805490f131a5e4cd00872b61ccb08ba9d200f811d8
-
Filesize
1.1MB
MD51a2b237796742c26b11a008d0b175e29
SHA1cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA25681e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA5123135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
-
Filesize
314KB
MD561123cbc153cb7f178ddbb318a7ea000
SHA10cfb1faa4c166d2a335ee62b05dd62b730ded9d6
SHA256e5e0183dfd9f65406042762c0427bbcff010402b9934dadd2bddbb6c382d625c
SHA5123249f814c9e4c472b5962ab159729bb44e28314e2e402abf4b5ec6789cb729192b662c948d362fa71f4284038544e4fdbb8f6d55b6ec0fb92c4de04840a15926
-
Filesize
364KB
MD554d74546c6afe67b3d118c3c477c159a
SHA1957f08beb7e27e657cd83d8ee50388b887935fae
SHA256f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f