Analysis
max time kernel: 1050s
max time network: 840s
platform: windows7_x64
resource: win7-ja-20211208
submitted: 16-01-2022 18:03

Static task: static1
Behavioral task: behavioral1 (Sample: 8 Cores.msi, Resource: win7-ja-20211208)
Behavioral task: behavioral2 (Sample: 8 Cores.msi, Resource: win10-ja-20211208)
Behavioral task: behavioral3 (Sample: 8 Cores.msi, Resource: win10v2004-ja-20220113)

General
Target: 8 Cores.msi
Size: 319KB
MD5: 6047ee1af2d30ef7db95fabb788ec9f9
SHA1: 2731a77f03f97aa03adcd2c7c6f4342d2fd1d515
SHA256: b3f5506d672e2ea0564c52413f1f8847c569542d2cd475937c6f21a443292728
SHA512: 7d8de10cdf4399692da6b7e80c96d865ffc891292e1bf16adaf663f2cf087802ae61bde15057a9aa7c82d6dbd0930e623c3a4c947502c5c1129bbc66d8aa03e8
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
Drops file in System32 directory (1 IoC)
Processes: DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF | DrvInst.exe
Drops file in Windows directory (13 IoCs)
Processes: DrvInst.exe, msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\volsnap.PNF | DrvInst.exe
File opened for modification | C:\Windows\Installer\f76bf97.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76bf98.ipi | msiexec.exe
File created | C:\Windows\Installer\{D64EDF07-2981-4FAF-9FAA-09B4BED8B156}\_853F67D554F05449430E7E.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{D64EDF07-2981-4FAF-9FAA-09B4BED8B156}\_853F67D554F05449430E7E.exe | msiexec.exe
File created | C:\Windows\Installer\f76bf9a.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f76bf97.msi | msiexec.exe
File created | C:\Windows\Installer\f76bf98.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC1AA.tmp | msiexec.exe
Modifies data under HKEY_USERS (52 IoCs)
Processes: DrvInst.exe, msiexec.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker ドライブ暗号化" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "ピアツーピア信頼" | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7\@%SystemRoot%\system32\qagentrt.dll,-10 = "システム正常性の認証" | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7\@%SystemRoot%\system32\dnsapi.dll,-103 = "ドメイン ネーム システム (DNS) サーバー信頼" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E | msiexec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7\LanguageList = 6a0061002d004a00500000006a006100000065006e002d0055005300000065006e0000000000 | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker データ回復エージェント" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Modifies registry class (23 IoCs)
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\Version = "16777216" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1FF73963BD1AD984A9283A1550B29A28 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\ProductName = "8 Cores" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\70FDE46D1892FAF4F9AA904BEB8D1B65\DefaultFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\ProductIcon = "C:\\Windows\\Installer\\{D64EDF07-2981-4FAF-9FAA-09B4BED8B156}\\_853F67D554F05449430E7E.exe" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\SourceList\PackageName = "8 Cores.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\70FDE46D1892FAF4F9AA904BEB8D1B65 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\PackageCode = "C1A39ED4F64C95C4094B1CE484881222" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1FF73963BD1AD984A9283A1550B29A28\70FDE46D1892FAF4F9AA904BEB8D1B65 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\SourceList | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70FDE46D1892FAF4F9AA904BEB8D1B65\DeploymentFlags = "3" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: taskmgr.exe, msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: taskmgr.exe, msiexec.exe
pid | process
1392 | taskmgr.exe
652 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, taskmgr.exe, DrvInst.exe
description | pid | process
Token: SeShutdownPrivilege | 652 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 652 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Token: SeSecurityPrivilege | 1512 | msiexec.exe
Token: SeCreateTokenPrivilege | 652 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 652 | msiexec.exe
Token: SeLockMemoryPrivilege | 652 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 652 | msiexec.exe
Token: SeMachineAccountPrivilege | 652 | msiexec.exe
Token: SeTcbPrivilege | 652 | msiexec.exe
Token: SeSecurityPrivilege | 652 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 652 | msiexec.exe
Token: SeLoadDriverPrivilege | 652 | msiexec.exe
Token: SeSystemProfilePrivilege | 652 | msiexec.exe
Token: SeSystemtimePrivilege | 652 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 652 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 652 | msiexec.exe
Token: SeCreatePagefilePrivilege | 652 | msiexec.exe
Token: SeCreatePermanentPrivilege | 652 | msiexec.exe
Token: SeBackupPrivilege | 652 | msiexec.exe
Token: SeRestorePrivilege | 652 | msiexec.exe
Token: SeShutdownPrivilege | 652 | msiexec.exe
Token: SeDebugPrivilege | 652 | msiexec.exe
Token: SeAuditPrivilege | 652 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 652 | msiexec.exe
Token: SeChangeNotifyPrivilege | 652 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 652 | msiexec.exe
Token: SeUndockPrivilege | 652 | msiexec.exe
Token: SeSyncAgentPrivilege | 652 | msiexec.exe
Token: SeEnableDelegationPrivilege | 652 | msiexec.exe
Token: SeManageVolumePrivilege | 652 | msiexec.exe
Token: SeImpersonatePrivilege | 652 | msiexec.exe
Token: SeCreateGlobalPrivilege | 652 | msiexec.exe
Token: SeBackupPrivilege | 1316 | vssvc.exe
Token: SeRestorePrivilege | 1316 | vssvc.exe
Token: SeAuditPrivilege | 1316 | vssvc.exe
Token: SeBackupPrivilege | 1512 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeDebugPrivilege | 1392 | taskmgr.exe
Token: SeRestorePrivilege | 960 | DrvInst.exe
Token: SeRestorePrivilege | 960 | DrvInst.exe
Token: SeRestorePrivilege | 960 | DrvInst.exe
Token: SeRestorePrivilege | 960 | DrvInst.exe
Token: SeRestorePrivilege | 960 | DrvInst.exe
Token: SeRestorePrivilege | 960 | DrvInst.exe
Token: SeRestorePrivilege | 960 | DrvInst.exe
Token: SeLoadDriverPrivilege | 960 | DrvInst.exe
Token: SeLoadDriverPrivilege | 960 | DrvInst.exe
Token: SeLoadDriverPrivilege | 960 | DrvInst.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Token: SeRestorePrivilege | 1512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1512 | msiexec.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msiexec.exe, taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: taskeng.exe
description | pid | process | target process
PID 1592 wrote to memory of 936 | 1592 | taskeng.exe | default-browser-agent.exe
PID 1592 wrote to memory of 936 | 1592 | taskeng.exe | default-browser-agent.exe
PID 1592 wrote to memory of 936 | 1592 | taskeng.exe | default-browser-agent.exe
Processes

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\8 Cores.msi"
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\DrvInst.exe (depth 1)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000003E0" "00000000000004D0"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {CE204EF9-A707-4ED6-92BC-636B244F64ED} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {5850053B-6249-44B0-96B1-45442FEF8076} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {096ECB54-A331-4A23-84FA-2B5892985696} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\default-browser-agent.exe (depth 2)
    Command line: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task