Analysis
-
max time kernel
415s -
max time network
405s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
07-09-2022 02:32
Static task
static1
Behavioral task
behavioral1
Sample
Bws_agreement_2020 (cff).js
Resource
win10-20220812-en
General
-
Target
Bws_agreement_2020 (cff).js
-
Size
483KB
-
MD5
1eb0afac12c4bae3a3fd238dd38feddc
-
SHA1
135b3e89fd114fc590655df6a575800416afe379
-
SHA256
5f6a9c6f3d8e243fce0af61ba82d82ce081020906b9b07490ea4988e1a0d7a8b
-
SHA512
c6958530bdc1d74516bcd1a78688cc9ff358178f0a625e783dcb9dfaeb7a5c216c0255c2a18227a75eb00a9d906fe5a4a7f6ee474732734bcf48b639d8b8275d
-
SSDEEP
6144:GQBXSEulaxl4khEfD3NA7Wiagmd4iLAmWh6CSF:kwhEfD3Nviagmd4iLAmWh6f
Malware Config
Signatures
-
GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
-
Blocklisted process makes network request 2 IoCs
Processes:
wscript.exeflow pid process 8 2804 wscript.exe 10 2804 wscript.exe -
Drops file in System32 directory 1 IoCs
Processes:
SearchProtocolHost.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat SearchProtocolHost.exe -
Drops file in Windows directory 3 IoCs
Processes:
SearchIndexer.exetaskmgr.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT SearchIndexer.exe File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
SearchIndexer.exeSearchProtocolHost.exeSearchProtocolHost.exeSearchFilterHost.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice\Hash = "5e7DVUzNNSI=" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.ADTS = "1" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a6b029873c2d801 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.m4a = "1" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice\Hash = "RdtaXaNPHfE=" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcf9a13073c2d801 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a5d2f0d73c2d801 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice\Hash = "jcthARrsAVg=" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.pdf = "1" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice\Hash = "IpG0Qt4IjF0=" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047998d9773c2d801 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\Hash = "jpCBBDT/BCE=" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.gif = "1" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mpv2 = "1" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eadfc51273c2d801 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\UserChoice SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice\Hash = "vcp/wCI4ek4=" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.dib = "1" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f83ed1373c2d801 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice\Hash = "gxqIVrOf8VU=" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.TTS = "1" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.cr2 = "1" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
taskmgr.exepid process 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
SearchIndexer.exetaskmgr.exedescription pid process Token: 33 1908 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1908 SearchIndexer.exe Token: SeDebugPrivilege 4272 taskmgr.exe Token: SeSystemProfilePrivilege 4272 taskmgr.exe Token: SeCreateGlobalPrivilege 4272 taskmgr.exe Token: 33 4272 taskmgr.exe Token: SeIncBasePriorityPrivilege 4272 taskmgr.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
Processes:
taskmgr.exepid process 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe -
Suspicious use of SendNotifyMessage 36 IoCs
Processes:
taskmgr.exepid process 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe 4272 taskmgr.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
SearchIndexer.exedescription pid process target process PID 1908 wrote to memory of 4732 1908 SearchIndexer.exe SearchProtocolHost.exe PID 1908 wrote to memory of 4732 1908 SearchIndexer.exe SearchProtocolHost.exe PID 1908 wrote to memory of 4208 1908 SearchIndexer.exe SearchFilterHost.exe PID 1908 wrote to memory of 4208 1908 SearchIndexer.exe SearchFilterHost.exe PID 1908 wrote to memory of 2260 1908 SearchIndexer.exe SearchProtocolHost.exe PID 1908 wrote to memory of 2260 1908 SearchIndexer.exe SearchProtocolHost.exe PID 1908 wrote to memory of 2196 1908 SearchIndexer.exe SearchFilterHost.exe PID 1908 wrote to memory of 2196 1908 SearchIndexer.exe SearchFilterHost.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Bws_agreement_2020 (cff).js"1⤵
- Blocklisted process makes network request
PID:2804
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4460
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4732
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 496 500 696 8192 6882⤵
- Modifies data under HKEY_USERS
PID:4208
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2260
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 496 500 696 8192 6882⤵PID:2196
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4272