5747325bf9347e431412ae207c6e163dc1a9c968741989b12fe407a9cb440a8a

Resubmissions

17/03/2023, 21:41

230317-1j6b7acb5t 8

17/03/2023, 21:40

230317-1h82paab27 1

Analysis

max time kernel
1600s
max time network
1603s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
17/03/2023, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mcbot-main.zip
Size

4.1MB
MD5

e00f4960bf3de863ecab55af200712c1
SHA1

b6aa9c80020be3584226cf83fbf3b39701d8928f
SHA256

5747325bf9347e431412ae207c6e163dc1a9c968741989b12fe407a9cb440a8a
SHA512

eacaaa47f0230d5150c775b1deb549fbcd5dc94fc6bc58a290eacd48c4f3d7395814b6a1239b4537ccd9b6c3d5d0e74251d93b975eefb4677a6bafa85b750539
SSDEEP

98304:ckZ4Mp/g8GXOn+vnk/kI2k8RpIZrXdCq++/vID+pqxHmGN1:5Z5N+vnk/k5VyNb7vpQr

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%systemroot%\system32\mycomput.dll,-112 = "Administra discos y ofrece acceso a otras herramientas para administrar equipos locales y remotos."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\gameux.dll,-10310 = "El objetivo de Solitario Spider es quitar todas las cartas del juego en el menor número de movimientos posible. Alinee escaleras de cartas desde el rey hasta el as, en palos del mismo color, para quitarlas."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\gameux.dll,-10301 = "Disfrute de Backgammon, el clásico juego de estrategia. Compita contra jugadores en línea y sea el primero en quitar todas las piezas del tablero."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@searchfolder.dll,-32822 = "Todo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dicte texto y controle el equipo con la voz."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\pmcsnap.dll,-700 = "Administración de impresión"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050702eb42359d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%windir%\system32\MdSched.exe,-4002 = "Compruebe si existen problemas de memoria en el equipo."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003070aab22359d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000108d00ba2359d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\gameux.dll,-10060 = "Solitario"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\gameux.dll,-10304 = "Mueva todas las cartas a las celdas iniciales, usando las celdas libres como marcadores de posición. Cree mazos de cartas por palos, colocadas en orden jerárquico, de menor (as) a mayor (rey)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\odbcint.dll,-1310 = "Orígenes de datos ODBC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%windir%\system32\migwiz\wet.dll,-590 = "Transfiere archivos y configuraciones de un equipo a otro"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\MdSched.exe,-4001 = "Diagnóstico de memoria de Windows"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@gameux.dll,-10209 = "Más juegos de Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\gameux.dll,-10209 = "Más juegos de Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@gameux.dll,-10057 = "Buscaminas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\gameux.dll,-10102 = "Backgammon en Internet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\C:\Windows\system32,@elscore.dll,-9 = "Transliteración de bengalí a latín de Microsoft"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\ehome\ehdrop.dll,-152 = "Programa de TV grabado de Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\NetProjW.dll,-501 = "Conectarse a un proyector de red"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\gameux.dll,-10302 = "Compita junto con oponentes en línea, o bien contra ellos, en el juego de Picas, el clásico juego de cartas por parejas y bazas. Consiga la máxima puntuación para ganar."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\SampleRes.dll,-104 = "Medusa"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\migwiz\wet.dll,-591 = "Informes de Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Obtenga más información acerca de las características de Windows y empiece a usarlas."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\gameux.dll,-10056 = "Corazones"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%systemroot%\system32\recdisc.exe,-2001 = "Crea un disco que puede usarse para obtener acceso a las opciones de recuperación del sistema."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\eHome\ehepgres.dll,-308 = "Paisajes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\mycomput.dll,-300 = "Administración de equipos"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\OobeFldr.dll,-33056 = "Tareas iniciales"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\dfrgui.exe,-103 = "Desfragmentador de disco"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\C:\Windows\system32,@elscore.dll,-6 = "Transliteración de cirílico a latín de Microsoft"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\SampleRes.dll,-101 = "Crisantemo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%systemroot%\system32\Msinfo32.exe,-130 = "Mostrar información detallada del equipo."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\NetProjW.dll,-511 = "Muestre su escritorio en un proyector de red."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitario es el clásico juego de cartas de un solo jugador. El objetivo es recopilar todas las cartas en escaleras de palos de color rojo y negro alternativamente desde el as hasta el rey."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\System32\SyncCenter.dll,-3000 = "Centro de sincronización"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%windir%\system32\displayswitch.exe,-321 = "Conecte el equipo a un proyector mediante un cable de pantalla."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans es una especie de solitario que se juega con fichas en lugar de cartas. Empareje las fichas hasta que desaparezcan todas del tablero de este clásico juego."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture una parte de la pantalla para que pueda guardar, compartir o hacer anotaciones en la imagen."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\wdc.dll,-10021 = "Monitor de rendimiento"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@gameux.dll,-10060 = "Solitario"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\eHome\ehepgres.dll,-312 = "Elemento multimedia de ejemplo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\system32\SampleRes.dll,-108 = "Pingüinos"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@C:\Windows\System32\wshext.dll,-4804 = "Archivo de secuencia de comandos de JScript"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@searchfolder.dll,-32820 = "Ubicaciones indizadas"	SearchProtocolHost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
768	javaw.exe
1156	javaw.exe
844	javaw.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: SeManageVolumePrivilege	1808	SearchIndexer.exe
Token: 33	1808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1808	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
596	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
1560	SearchProtocolHost.exe
536	SearchProtocolHost.exe
536	SearchProtocolHost.exe
536	SearchProtocolHost.exe
536	SearchProtocolHost.exe
536	SearchProtocolHost.exe
536	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 596	1808	SearchIndexer.exe	34
PID 1808 wrote to memory of 596	1808	SearchIndexer.exe	34
PID 1808 wrote to memory of 596	1808	SearchIndexer.exe	34
PID 1808 wrote to memory of 1800	1808	SearchIndexer.exe	35
PID 1808 wrote to memory of 1800	1808	SearchIndexer.exe	35
PID 1808 wrote to memory of 1800	1808	SearchIndexer.exe	35
PID 1808 wrote to memory of 1560	1808	SearchIndexer.exe	37
PID 1808 wrote to memory of 1560	1808	SearchIndexer.exe	37
PID 1808 wrote to memory of 1560	1808	SearchIndexer.exe	37
PID 1808 wrote to memory of 1048	1808	SearchIndexer.exe	44
PID 1808 wrote to memory of 1048	1808	SearchIndexer.exe	44
PID 1808 wrote to memory of 1048	1808	SearchIndexer.exe	44
PID 1808 wrote to memory of 1608	1808	SearchIndexer.exe	45
PID 1808 wrote to memory of 1608	1808	SearchIndexer.exe	45
PID 1808 wrote to memory of 1608	1808	SearchIndexer.exe	45
PID 1808 wrote to memory of 536	1808	SearchIndexer.exe	46
PID 1808 wrote to memory of 536	1808	SearchIndexer.exe	46
PID 1808 wrote to memory of 536	1808	SearchIndexer.exe	46
PID 1808 wrote to memory of 892	1808	SearchIndexer.exe	47
PID 1808 wrote to memory of 892	1808	SearchIndexer.exe	47
PID 1808 wrote to memory of 892	1808	SearchIndexer.exe	47

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mcbot-main.zip
1⤵
PID:1208

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:1800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1560
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  - Modifies data under HKEY_USERS
  PID:1048
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:1608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:892

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Temp1_mcbot-main.zip\mcbot-main\MCBOT.jar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:768

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\mcbot-main\mcbot-main\MCBOT.jar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1156

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\mcbot-main\mcbot-main\MCBOT.jar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk

Filesize
8KB

MD5
38749ae4a056b9d3540ca7b750a21342

SHA1
27f97d9fa42a3c8f5d3a147e5b759b281574a2cf

SHA256
6b2d06625c1a2fe07044dc72c6221b489af44815484cb5fa8ebf62a25d5a19f1

SHA512
459a8892a2bff48d971e9922457951cdb4af3a9cc621cbd2c9b2d17f4d64801c1455c80cad52a9d88a97ee0ff646638a70c1ddcbe6f22c4255bb513866bb63ac

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
80b878b71b411b285250f5d77e03ded8

SHA1
793a99e4843cf613d5b176c34ad2d0e74b2d26ba

SHA256
bf483d543349eacdfdf8988dfd6d08adf9ea017965f9e0d757e783c1bd868d1c

SHA512
25f311fd427092639ecabc1b30da7b51c7fe9c60cfcfda01dda917c0aee48f0ac6cd6879dc8f9e8ec9422666c8c72681a1815961d651d2d272258a8b3c56c17e

Download Submit
memory/768-132-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/844-154-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1048-175-0x000007FF18070000-0x000007FF1807A000-memory.dmp

Filesize
40KB

Download
memory/1048-161-0x000007FF18070000-0x000007FF1807A000-memory.dmp

Filesize
40KB

Download
memory/1808-107-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1808-169-0x00000000037E0000-0x00000000037E8000-memory.dmp

Filesize
32KB

Download
memory/1808-122-0x0000000003340000-0x0000000003348000-memory.dmp

Filesize
32KB

Download
memory/1808-54-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/1808-105-0x0000000002B40000-0x0000000002B48000-memory.dmp

Filesize
32KB

Download
memory/1808-99-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/1808-159-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/1808-93-0x0000000002B40000-0x0000000002B48000-memory.dmp

Filesize
32KB

Download
memory/1808-167-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1808-116-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

Filesize
32KB

Download
memory/1808-170-0x0000000003810000-0x0000000003818000-memory.dmp

Filesize
32KB

Download
memory/1808-171-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1808-70-0x0000000001840000-0x0000000001850000-memory.dmp

Filesize
64KB

Download
memory/1808-180-0x0000000001110000-0x0000000001118000-memory.dmp

Filesize
32KB

Download
memory/1808-181-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1808-185-0x0000000001100000-0x0000000001108000-memory.dmp

Filesize
32KB

Download
memory/1808-187-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1808-193-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/1808-203-0x00000000047D0000-0x00000000047D8000-memory.dmp

Filesize
32KB

Download