Analysis

max time kernel: 149s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/02/2024, 15:05
Static task static1

Behavioral task behavioral1 | Sample: Wireshark-4.2.2-x64.exe | Resource: win10v2004-20231215-en
Behavioral task behavioral2 | Sample: $PLUGINSDIR/nsDialogs.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral3 | Sample: dumpcap.exe | Resource: win10v2004-20231215-en
Behavioral task behavioral4 | Sample: dumpcap.html | Resource: win10v2004-20231215-en
Behavioral task behavioral5 | Sample: extcap.html | Resource: win10v2004-20231215-en
Behavioral task behavioral6 | Sample: generic/qtuiotouchplugin.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral7 | Sample: glib-2.0-0.dll | Resource: win10v2004-20231222-en
Behavioral task behavioral8 | Sample: gmodule-2.0-0.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral9 | Sample: gthread-2.0-0.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral10 | Sample: iconengines/qsvgicon.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral11 | Sample: iconv-2.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral12 | Sample: imageformats/qgif.dll | Resource: win10v2004-20231222-en
Behavioral task behavioral13 | Sample: imageformats/qico.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral14 | Sample: imageformats/qjpeg.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral15 | Sample: imageformats/qsvg.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral16 | Sample: intl-8.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral17 | Sample: ipmap.html | Resource: win10v2004-20231215-en
Behavioral task behavioral18 | Sample: k5sprt64.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral19 | Sample: krb5_64.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral20 | Sample: libbcg729.dll | Resource: win10v2004-20231222-en
Behavioral task behavioral21 | Sample: libffi-8.dll | Resource: win10v2004-20231222-en
Behavioral task behavioral22 | Sample: libgcrypt-20.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral23 | Sample: libgmp-10.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral24 | Sample: libgnutls-30.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral25 | Sample: libgnutls-openssl-27.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral26 | Sample: snmp/mibs/DISMAN-EVENT-MIB.vbs | Resource: win10v2004-20231215-en
Behavioral task behavioral27 | Sample: snmp/mibs/DISMAN-EXPRESSION-MIB.vbs | Resource: win10v2004-20231222-en
Behavioral task behavioral28 | Sample: snmp/mibs/FRAME-RELAY-DTE-MIB.vbs | Resource: win10v2004-20231215-en
Behavioral task behavioral29 | Sample: styles/qwindowsvistastyle.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral30 | Sample: tls/qcertonlybackend.dll | Resource: win10v2004-20231222-en
Behavioral task behavioral31 | Sample: tls/qopensslbackend.dll | Resource: win10v2004-20231215-en
Behavioral task behavioral32 | Sample: tls/qschannelbackend.dll | Resource: win10v2004-20231215-en
General

Target: Wireshark-4.2.2-x64.exe
Size: 82.4MB
MD5: 8065ba4793da47e2263bb4ce27a0d363
SHA1: 2b8f90a64b1dad7791de0b430f661788f8d082ce
SHA256: 3bd13a521b1e9d100e800b666705da132e584cccbd4f30c88e9cf0d93289b2fa
SHA512: 17ecef2c94e4f30b58068b398cc5401a18f1e5919eeeefae541fc6e4810752da568bb54a2fa583115d4cecea712d817f37d34e8d42a95f354965bdb322a74cf4
SSDEEP: 1572864:h/Pn6aSZnQObir9UDSnpyzYpx9nHTrULfehHNrDYE2DqB9KZAmd6PTAceSbu2AFH:h/P6hn29UsbnHHULkHF2+BMd67QYfAaM
Malware Config
Signatures
Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Adds Run key to start application (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | vc_redist.x64.exe
Drops file in System32 directory (50 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\mfc140chs.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140esn.dll | msiexec.exe
File opened for modification | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vcomp140.dll | msiexec.exe
File created | C:\Windows\system32\mfc140rus.dll | msiexec.exe
File created | C:\Windows\system32\concrt140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140rus.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140enu.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vcruntime140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140.dll | msiexec.exe
File created | C:\Windows\system32\mfc140esn.dll | msiexec.exe
File created | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
File created | C:\Windows\system32\mfc140kor.dll | msiexec.exe
File created | C:\Windows\system32\mfcm140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
File opened for modification | C:\Windows\system32\concrt140.dll | msiexec.exe
File created | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
File created | C:\Windows\system32\mfc140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
File opened for modification | C:\Windows\system32\msvcp140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140cht.dll | msiexec.exe
File created | C:\Windows\system32\mfc140fra.dll | msiexec.exe
File created | C:\Windows\system32\vcomp140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfcm140u.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140.dll | msiexec.exe
File created | C:\Windows\system32\vccorlib140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140u.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140ita.dll | msiexec.exe
File created | C:\Windows\system32\vcruntime140.dll | msiexec.exe
File created | C:\Windows\system32\mfc140deu.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140kor.dll | msiexec.exe
File created | C:\Windows\system32\mfc140chs.dll | msiexec.exe
File created | C:\Windows\system32\mfc140u.dll | msiexec.exe
File opened for modification | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
File created | C:\Windows\system32\vcamp140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140fra.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vcamp140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfcm140.dll | msiexec.exe
File created | C:\Windows\system32\mfc140cht.dll | msiexec.exe
File created | C:\Windows\system32\mfcm140u.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
File created | C:\Windows\system32\mfc140ita.dll | msiexec.exe
File opened for modification | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vccorlib140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140deu.dll | msiexec.exe
File created | C:\Windows\system32\mfc140enu.dll | msiexec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File created | C:\Program Files\Wireshark\radius\dictionary.quintum | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.wichorus | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\libgnutls-openssl-27.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\nghttp2.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\brotlidec.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.nokia.conflict | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\cares.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.kineto | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.ruggedcom | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.audiocodes | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.rfc4603 | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.versanet | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\colorfilters | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.cablelabs | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.rfc2867 | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.rfc5904 | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\diameter\eap.xml | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.altiga | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.meraki | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.starent | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.acc | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.cisco.bbsm | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.dellemc | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.rfc7155 | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\krb5_64.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\libsmi-2.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\diameter\Huawei.xml | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.3com | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\libspeexdsp.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.localweb | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.mikrotik | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.shasta | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.microsoft | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.surfnet | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.aerohive | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.alcatel | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.sofaware | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.rfc6930 | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.wimax.wichorus | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\dtds\reginfo.dtd | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\smi_modules | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\diameter\AlcatelLucent.xml | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.openser | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.rfc3576 | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.camiant | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.wimax.alvarion | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\lua52.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\nghttp3.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\diameter\Nokia.xml | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.bskyb | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\gmodule-2.0-0.dll | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\diameter\sunping.xml | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.nortel | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.yubico | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.lucent | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.nokia | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\diameter\Juniper.xml | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.bluecoat | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.extreme | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.freedhcp | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.aruba | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.livingston | Wireshark-4.2.2-x64.exe
File created | C:\Program Files\Wireshark\radius\dictionary.springtide | Wireshark-4.2.2-x64.exe
Drops file in Windows directory (15 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Installer\e58b1b7.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\e58b1ca.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58b1ca.msi | msiexec.exe
File created | C:\Windows\Installer\e58b1df.msi | msiexec.exe
File created | C:\Windows\Installer\e58b1b7.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC7B2.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2} | msiexec.exe
File created | C:\Windows\Installer\e58b1c9.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050} | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB4A5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBBBB.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICC18.tmp | msiexec.exe
Executes dropped EXE (4 IoCs)

pid | Process
4644 | vc_redist.x64.exe
400 | vc_redist.x64.exe
412 | VC_redist.x64.exe
4560 | npcap-1.78.exe
Loads dropped DLL (13 IoCs)

pid | Process
1860 | Wireshark-4.2.2-x64.exe
1860 | Wireshark-4.2.2-x64.exe
1860 | Wireshark-4.2.2-x64.exe
1860 | Wireshark-4.2.2-x64.exe
1860 | Wireshark-4.2.2-x64.exe
1860 | Wireshark-4.2.2-x64.exe
1860 | Wireshark-4.2.2-x64.exe
1860 | Wireshark-4.2.2-x64.exe
400 | vc_redist.x64.exe
1048 | VC_redist.x64.exe
4560 | npcap-1.78.exe
4560 | npcap-1.78.exe
4560 | npcap-1.78.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008bec060def88e6600000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008bec060d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008bec060d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8bec060d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008bec060d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies data under HKEY_USERS (9 IoCs)

description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 | msiexec.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.snoop\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.atc\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vwr\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\VC_Runtime_Additional | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7} | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\DefaultIcon\ = "\"C:\\Program Files\\Wireshark\\Wireshark.exe\",1" | Wireshark-4.2.2-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wpc\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\27DD5200959A5B540A3AE7EF1BA50805 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\.cap\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wpz\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Provider | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\PackageCode = "1BE5B2DDE80EDC54D874D240756DB43A" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.out\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pcapng | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tr1\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Servicing_Key | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fdc\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vwr | Wireshark-4.2.2-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.36.32532" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pklg | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rtp | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\.cap | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.out | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{D5D19E2F-7189-42FE-8103-92CD1FA457C2}" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle | VC_redist.x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\ = "Wireshark capture file" | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532" | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Servicing_Key | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ipfix\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ntar | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.trc\ = "wireshark-capture-file" | Wireshark-4.2.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\PackageName = "vc_runtimeMinimum_x64.msi" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\.erf | Wireshark-4.2.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rf5 | Wireshark-4.2.2-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Provider | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bfr | Wireshark-4.2.2-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList | msiexec.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

pid | Process
1260 | WINWORD.EXE
1260 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (38 IoCs)

pid | Process
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
2036 | msiexec.exe
2036 | msiexec.exe
2036 | msiexec.exe
2036 | msiexec.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
2036 | msiexec.exe
2036 | msiexec.exe
2036 | msiexec.exe
2036 | msiexec.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
4500 | taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid | Process
1860 | Wireshark-4.2.2-x64.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                            pid   Process
Token: SeBackupPrivilege               1804  vssvc.exe
Token: SeRestorePrivilege              1804  vssvc.exe
Token: SeAuditPrivilege                1804  vssvc.exe
Token: 33                              3940  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege      3940  AUDIODG.EXE
Token: SeDebugPrivilege                4500  taskmgr.exe
Token: SeSystemProfilePrivilege        4500  taskmgr.exe
Token: SeCreateGlobalPrivilege         4500  taskmgr.exe
Token: SeShutdownPrivilege             412   VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege        412   VC_redist.x64.exe
Token: SeSecurityPrivilege             2036  msiexec.exe
Token: SeCreateTokenPrivilege          412   VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege   412   VC_redist.x64.exe
Token: SeLockMemoryPrivilege           412   VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege        412   VC_redist.x64.exe
Token: SeMachineAccountPrivilege       412   VC_redist.x64.exe
Token: SeTcbPrivilege                  412   VC_redist.x64.exe
Token: SeSecurityPrivilege             412   VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege        412   VC_redist.x64.exe
Token: SeLoadDriverPrivilege           412   VC_redist.x64.exe
Token: SeSystemProfilePrivilege        412   VC_redist.x64.exe
Token: SeSystemtimePrivilege           412   VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege    412   VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege      412   VC_redist.x64.exe
Token: SeCreatePagefilePrivilege       412   VC_redist.x64.exe
Token: SeCreatePermanentPrivilege      412   VC_redist.x64.exe
Token: SeBackupPrivilege               412   VC_redist.x64.exe
Token: SeRestorePrivilege              412   VC_redist.x64.exe
Token: SeShutdownPrivilege             412   VC_redist.x64.exe
Token: SeDebugPrivilege                412   VC_redist.x64.exe
Token: SeAuditPrivilege                412   VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege    412   VC_redist.x64.exe
Token: SeChangeNotifyPrivilege         412   VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege       412   VC_redist.x64.exe
Token: SeUndockPrivilege               412   VC_redist.x64.exe
Token: SeSyncAgentPrivilege            412   VC_redist.x64.exe
Token: SeEnableDelegationPrivilege     412   VC_redist.x64.exe
Token: SeManageVolumePrivilege         412   VC_redist.x64.exe
Token: SeImpersonatePrivilege          412   VC_redist.x64.exe
Token: SeCreateGlobalPrivilege         412   VC_redist.x64.exe
Token: SeRestorePrivilege              2036  msiexec.exe   (12 entries, alternating with the next row)
Token: SeTakeOwnershipPrivilege        2036  msiexec.exe   (12 entries)
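The signature above is a flat list of 64 rows, which hides the one thing an analyst wants to know quickly: which processes enabled which privileges, and which of those privileges matter. The following Python is an added example, not part of the tria.ge report and not Triage's code. It parses rows of the form "Token: <privilege> <pid> <process>", collapses them per process, and picks out the high-value privileges. The HIGH_VALUE set is the editor's own selection, not a Triage classification. A privilege the sandbox could not name appears as a bare LUID (the "33" on AUDIODG.EXE); the block maps those through the well-known LUID values from winnt.h, where SE_INCREASE_WORKING_SET_PRIVILEGE is 33. The sample input is a constructed excerpt of the rows on this page.

```python
"""Summarise a Triage "Suspicious use of AdjustPrivilegeToken" dump per process.

Added example, not tria.ge's own code.  Rows look like
"Token: <privilege> <pid> <process>"; a privilege the sandbox could not name
shows up as a bare LUID (the "33" on AUDIODG.EXE in the report).
"""
import re
from collections import defaultdict

# winnt.h well-known privilege LUIDs that sandboxes most often leave unnamed.
LUID_NAMES = {
    31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Editor's choice (assumption, not a Triage category) of privileges worth a
# second look: they let a process read or control other processes, load kernel
# code, forge tokens, or bypass file ACLs.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
}

ROW = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")

# Constructed sample: an excerpt of the 64 rows in the report above.
SAMPLE = (
    "Token: SeBackupPrivilege 1804 vssvc.exe Token: SeRestorePrivilege 1804 vssvc.exe "
    "Token: 33 3940 AUDIODG.EXE Token: SeDebugPrivilege 4500 taskmgr.exe "
    "Token: SeTcbPrivilege 412 VC_redist.x64.exe Token: SeLoadDriverPrivilege 412 VC_redist.x64.exe "
    "Token: SeDebugPrivilege 412 VC_redist.x64.exe Token: SeShutdownPrivilege 412 VC_redist.x64.exe "
    "Token: SeRestorePrivilege 2036 msiexec.exe Token: SeTakeOwnershipPrivilege 2036 msiexec.exe "
    "Token: SeRestorePrivilege 2036 msiexec.exe"
)


def parse_rows(text):
    """Return (privilege, pid, process) in report order; bare LUIDs get their winnt.h name."""
    rows = []
    for m in ROW.finditer(text):
        priv, pid, proc = m.group(1), int(m.group(2)), m.group(3)
        if priv.isdigit():
            priv = LUID_NAMES.get(int(priv), priv)
        rows.append((priv, pid, proc))
    return rows


def summarize(text):
    """Per (pid, process): raw row count, distinct privileges, and the high-value subset."""
    privs = defaultdict(set)
    rows = defaultdict(int)
    for priv, pid, proc in parse_rows(text):
        privs[(pid, proc)].add(priv)
        rows[(pid, proc)] += 1
    return {
        key: {
            "rows": rows[key],
            "privileges": sorted(p),
            "high_value": sorted(p & HIGH_VALUE),
            # LUIDs still numeric after the lookup: unknown to the table above.
            "unnamed_luids": sorted(x for x in p if x.isdigit()),
        }
        for key, p in privs.items()
    }


def flagged(text):
    """(pid, process) pairs that enabled at least one high-value privilege, ordered by pid."""
    return sorted(k for k, v in summarize(text).items() if v["high_value"])


if __name__ == "__main__":
    for (pid, proc), info in sorted(summarize(SAMPLE).items()):
        print(f"{pid:>5} {proc:<20} {info['rows']:>2} rows  high-value: {info['high_value']}")
```

Run against the full 64 rows, the summary shows the pattern visible in the table: the elevated bootstrapper (pid 412) enables almost the entire privilege set at once, which is what a process that simply turns on everything in its token looks like, while taskmgr.exe enables SeDebugPrivilege alone, the targeted shape that deserves attention when the process is not Task Manager.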
Suspicious use of FindShellTrayWindow 56 IoCs
pid   Process
1860  Wireshark-4.2.2-x64.exe   (1 entry)
4500  taskmgr.exe               (55 entries)
Suspicious use of SendNotifyMessage 55 IoCs
pid   Process
4500  taskmgr.exe               (55 entries)
Suspicious use of SetWindowsHookEx 19 IoCs
pid   Process
1260  WINWORD.EXE               (19 entries)
Suspicious use of WriteProcessMemory 21 IoCs
description                        pid   Process                   procid_target
PID 1860 wrote to memory of 4644   1860  Wireshark-4.2.2-x64.exe   98    (3 entries)
PID 4644 wrote to memory of 400    4644  vc_redist.x64.exe         99    (3 entries)
PID 400 wrote to memory of 412     400   vc_redist.x64.exe         100   (3 entries)
PID 412 wrote to memory of 4796    412   VC_redist.x64.exe         112   (3 entries)
PID 4796 wrote to memory of 1048   4796  VC_redist.x64.exe         113   (3 entries)
PID 1048 wrote to memory of 1152   1048  VC_redist.x64.exe         114   (3 entries)
PID 1860 wrote to memory of 4560   1860  Wireshark-4.2.2-x64.exe   115   (3 entries)
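The WriteProcessMemory rows are emitted once per write, so the same source/target pair repeats, and the list does not say how the writes chain together. The Python below is an added example, not Triage's code: it collapses the repeated rows into unique edges, finds the root writer, and walks every root-to-leaf path, treating a write into a process as that process's parent link. On this page every edge does coincide with a parent-child link in the Processes tree that follows, which is what a parent writing into its freshly created child looks like; an edge whose source is not the target's parent is the injection case and is the one to examine. The sample input is constructed from the seven rows above, duplicates included.

```python
"""Rebuild process lineage from a Triage "Suspicious use of WriteProcessMemory" dump.

Added example, not tria.ge's own code.  Each row reads
"PID <src> wrote to memory of <dst> <src> <process> <procid_target>"; the
sandbox emits one row per write, so one edge can appear several times.
"""
import re
from collections import defaultdict

# The second <src> in a row repeats the first, hence the \1 back-reference.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Constructed sample: the rows from the report above, each repeated as reported.
SAMPLE = (
    "PID 1860 wrote to memory of 4644 1860 Wireshark-4.2.2-x64.exe 98 " * 3
    + "PID 4644 wrote to memory of 400 4644 vc_redist.x64.exe 99 " * 3
    + "PID 400 wrote to memory of 412 400 vc_redist.x64.exe 100 " * 3
    + "PID 412 wrote to memory of 4796 412 VC_redist.x64.exe 112 " * 3
    + "PID 4796 wrote to memory of 1048 4796 VC_redist.x64.exe 113 " * 3
    + "PID 1048 wrote to memory of 1152 1048 VC_redist.x64.exe 114 " * 3
    + "PID 1860 wrote to memory of 4560 1860 Wireshark-4.2.2-x64.exe 115 " * 3
)


def parse_edges(text):
    """Return {(src, dst): (src_process, write_count)}, collapsing repeated rows."""
    edges = {}
    for m in ROW.finditer(text):
        src, dst, proc = int(m.group(1)), int(m.group(2)), m.group(3)
        name, n = edges.get((src, dst), (proc, 0))
        edges[(src, dst)] = (name, n + 1)
    return edges


def roots(edges):
    """PIDs that write into others but are never written into: where chains start."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return sorted(srcs - dsts)


def chains(edges):
    """All root-to-leaf PID paths, following write edges as parent links."""
    children = defaultdict(list)
    for s, d in edges:
        children[s].append(d)
    paths = []

    def walk(pid, path):
        if not children[pid]:
            paths.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    for root in roots(edges):
        walk(root, [root])
    return paths


if __name__ == "__main__":
    e = parse_edges(SAMPLE)
    print(f"{len(e)} unique edges from {sum(n for _, n in e.values())} rows")
    for path in chains(e):
        print(" -> ".join(str(p) for p in path))
```

The 21 rows reduce to 7 edges forming one seven-process chain (the WiX Burn clean-room, elevated and embedded bootstrapper hops) plus the single npcap branch off the installer, matching the Processes tree below.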
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Wireshark-4.2.2-x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Wireshark-4.2.2-x64.exe"
  PID: 1860
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Program Files\Wireshark\vc_redist.x64.exe
    Command line: "C:\Program Files\Wireshark\vc_redist.x64.exe" /install /quiet /norestart
    PID: 4644
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\Temp\{46BF31EF-B948-4527-B62D-AE2C847B99A7}\.cr\vc_redist.x64.exe
      Command line: "C:\Windows\Temp\{46BF31EF-B948-4527-B62D-AE2C847B99A7}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vc_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=656 /install /quiet /norestart
      PID: 400
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\.be\VC_redist.x64.exe
        Command line: "C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5E7D1600-573E-46DB-8D01-BEF29E68E286} {0AC1BFBA-A9DC-4569-8F7B-7CE7A4F3ED20} 400
        PID: 412
        - Adds Run key to start application
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
          Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1016 -burn.embedded BurnPipe.{6FC121CD-2FAD-442A-AF79-330DA61D94F8} {16358523-154A-40C6-A2DE-9852EBC3C65E} 412
          PID: 4796
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
            Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1016 -burn.embedded BurnPipe.{6FC121CD-2FAD-442A-AF79-330DA61D94F8} {16358523-154A-40C6-A2DE-9852EBC3C65E} 412
            PID: 1048
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
              Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9F50E1EC-D821-4E16-BB98-211C22E112CE} {AAE5FC33-42B3-4AD9-99F2-F59A38CA3C1A} 1048
              PID: 1152
              - Modifies registry class
  [depth 2] C:\Program Files\Wireshark\npcap-1.78.exe
    Command line: "C:\Program Files\Wireshark\npcap-1.78.exe" /winpcap_mode=no /loopback_support=no
    PID: 4560
    - Executes dropped EXE
    - Loads dropped DLL
[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1804
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x404 0x380
  PID: 3940
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4500
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 1] C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 1712
[depth 1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2036
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\OpenShow.doc" /o ""
  PID: 1260
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: b33146064bb9ea2f5a8ce066f52df116
  SHA1: 0f50cc832d3bb4046c77ff3b38b78dc6ec897536
  SHA256: 7aa6355d0185fd8d85676a29bfe3b72ad85ce0fb5c136be12fbd8d92388770d8
  SHA512: 0223b60f5e6bd30619d199069beeb760a1dce508710b2e51779bd3fe4c1920ccf47ff490b1fc5a11a172cd8c363da880a56b0537d4d37030642f184cb383e0e4
- Filesize: 19KB
  MD5: 28a37f9295116c3ae754f6d9bd091eee
  SHA1: 3f6cee001c0c04457d717392e7839660a9cf675c
  SHA256: 8e80e01ec063c68fb8a1c93bc403f63e07356c2ab7371e0fca41aec176a4de8c
  SHA512: 192da035f96adf41766c1db2c3b55bb0a7bc4cf194821618c8c2ff536a19addfad65e3046b8b82d2cb97caa3a768ba1ce1ceb21633b7cd27b8e60c8dff4348f5
- Filesize: 21KB
  MD5: b85172ba0d76f26e75733ff6cf9312b5
  SHA1: 46305f2830d3f18e7b2c038c9dab99f58787d0e7
  SHA256: d2bda25c5dc03fbceec9556e225973848b74c9d2404dac5b3cf37f061a048b03
  SHA512: ae58c985f3a3f4bde284783233a4aac7a9ef7eeb957873e9dde15e77d28779654f1e893bf3229e818edd41aba5dbfe170c44a68e07f7fb562b5a846843643bc3
- Filesize: 21KB
  MD5: 0399684adcdbc73e4b5b0f8163185a8c
  SHA1: fa759f223b229559ad6e553a2dfcadee9028c3d1
  SHA256: 39ff74a5681ddedc60d56de0cd7dae76252590a84c26affe9a71c8df893f0799
  SHA512: 14b7de58fd1f3f1cea44faaafe113ef7cf1a4ff9feeb63a1cd8e7c24e87964c79b7e7ab67be36b2acf3c8ff87b1b5d4708a8493f157e62c1af431ff83bcb90f5
- Filesize: 1.1MB
  MD5: 1b7dfff4e1f16785d5e800c193301bd7
  SHA1: e1ee172ee36999daa3cfb2a0406fd8950038cefe
  SHA256: deeb39ae22a44ea2698c4a58732e621bc45b84686a444c405491fef946898d90
  SHA512: 71f8affed3e51b00c85039f211218c5eee66b724bd674bdd4b1c609cff3c440a4ab6ee0c6fa7bc8de39dac5a65f7c7c04a8dcae3baf52c091c512f293ec86920
- Filesize: 5.5MB
  MD5: 9375651493dced23ece462f63da6d3c7
  SHA1: 12e0cc4f794567ea6ac633687ce2872acf2c848b
  SHA256: b9c2020d93986e37cb0bec774147bf4752fbae17afdfdbdee6e1e9314a7bc2b8
  SHA512: 6cf5ae63fbdeb47aaf146b4b01797eba199c4518db99d1d5f237890c03c52dc0a369314f267f54db89068886d19cb197735bc1e0fc2b56c51bdebbed5c06cfbe
- Filesize: 11.0MB
  MD5: 3744c30128d19e06ae4dcc79914f3b65
  SHA1: bb7a8660a50b4e437981ee3bddb3c95175db1c98
  SHA256: f950d6c9ef659da43cb7bb1609b5544ba7f18cf9997a27eee4008aff6297747d
  SHA512: bae648f906508df5e622b95137a9a6a84963f02ee897a1fea68ef7a74bf2d922f8d5440bb3c5374134ae563a71cb81b1c7a4095156053d4da3a4bfe7e61086ea
- Filesize: 2KB
  MD5: cc8c1057bac26fefe0cedee85b3a7df2
  SHA1: 6ec70e7446f395dd50f2052317e77ab9d1cc3b10
  SHA256: d807af777ad9b41e01adcb57090019a247c38670a6be998c4c38649eb0eb9e0b
  SHA512: 9e07443af9f45f781d73be60643282ff422a9722c067f272fc800ca8dc2f3365c3e9174cba8f25925f11b9cbdcc9e9472afc44292169b58761d633a4dab46954
- Filesize: 2KB
  MD5: e9662c7f31928d45c55a55830a62eaf0
  SHA1: d819ed0406df5d099c65f181c0d72a78d24d52c9
  SHA256: 8ca6a37ed792a0d7f1ba04032c4c2dc6f5bdef8d437bae60db65401e606d729d
  SHA512: 559b2f40e9127b58583f655da1663e82e1f4b8d153cf55008251e04a19005223b84a5bdef9bcbdc05bcdc851b57a519c285f99fc86954376e7d96aba4d747b70
- Filesize: 904B
  MD5: a7503cc175535989650d0749c18c8881
  SHA1: 1f4d8aed9a2677e9a2f0467c022fc98b732ce81a
  SHA256: e0f775ff3740334da3924a6537b87d8fc1211942e42d4565f9edd26cf50e7b3f
  SHA512: 3495eee44dd3756b180e50a6f59e3b5fb41707bd243e9f2631e8f23e8f2cc1f668e449a0f905d8876e997c341adbc234ca4a0b7a6f9857d77ee7fd2f689face5
- Filesize: 15KB
  MD5: d095b082b7c5ba4665d40d9c5042af6d
  SHA1: 2220277304af105ca6c56219f56f04e894b28d27
  SHA256: b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
  SHA512: 61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
- Filesize: 2KB
  MD5: 6d92cfc906fb0684194241de46130860
  SHA1: f1b71ec77becf094746fc2b1e5c7b8a06f4c8568
  SHA256: eca18a27265e0c02a715cd107848253f8b4dd95728090f3f05a2721201bfe8cb
  SHA512: 4128cffdb1f9a94c37e5e800772c0214399ac164b0a8b92071c7215d937f80853a39f14e9ebd759b50d85b96c96efcb3ffd25a17fcea63cd9293dcbcadfd9a96
- Filesize: 12KB
  MD5: 4add245d4ba34b04f213409bfe504c07
  SHA1: ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
  SHA256: 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
  SHA512: 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- Filesize: 2KB
  MD5: 229ff08c19081c5ee1587464d2e9eb2f
  SHA1: 4eaff45ac494531262401a6d6cd18b494852de3b
  SHA256: 63adcfeabb88025b23d133eb6cb5cf1838e4cf0ecc8747fa1d9ec05209274c0a
  SHA512: bd4fb74d11cfe84b01f393695da631a63877baceeaad36112da27e7f11804a8c26944cc8d8bfc4f21d3d9ac2b57877506ef636d3c090cdbf169d107756f1780b
- Filesize: 2KB
  MD5: f51a9a052278bbb1738acff8d4510e96
  SHA1: 9524e8ecff95ac043aaa332273e4032af71e39c4
  SHA256: 2370f609d1ed069e4d05bf84fc3bd35cadb54399298a45d6e063c8dd8267430c
  SHA512: d050057b04357a843f3dc50f98b8f847f7b1a0df27ce80fed80442f2efafefe9e24b01b8c4f5b75def5f7803c6e70bcaca1041876338abcba28ad27c51e0ac29
- Filesize: 9KB
  MD5: 1d8f01a83ddd259bc339902c1d33c8f1
  SHA1: 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
  SHA256: 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
  SHA512: 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567
- Filesize: 22KB
  MD5: 170c17ac80215d0a377b42557252ae10
  SHA1: 4cbab6cc189d02170dd3ba7c25aa492031679411
  SHA256: 61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
  SHA512: 0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
- Filesize: 19KB
  MD5: f020a8d9ede1fb2af3651ad6e0ac9cb1
  SHA1: 341f9345d669432b2a51d107cbd101e8b82e37b1
  SHA256: 7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0
  SHA512: 408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4
- Filesize: 249B
  MD5: aa0b671de92ea32c5842c57159abc15a
  SHA1: 7a08948ba971414a4b2c35076f2e142c03483746
  SHA256: 8f89bdb9e5d379ecb3eadefb4350f35b2ba10baddd60d941aa71f27e8c60f699
  SHA512: 7b132efd64faad61086b6d6a87e04d880bd8bb68cc566c1f42750f7672d6ac5945601db60179a7d3a3a61e2cced603817912b62cddbef9584599dcf0de4d773b
- Filesize: 188KB
  MD5: a4075b745d8e506c48581c4a99ec78aa
  SHA1: 389e8b1dbeebdff749834b63ae06644c30feac84
  SHA256: ee130110a29393dcbc7be1f26106d68b629afd2544b91e6caf3a50069a979b93
  SHA512: 0b980f397972bfc55e30c06e6e98e07b474e963832b76cdb48717e6772d0348f99c79d91ea0b4944fe0181ad5d6701d9527e2ee62c14123f1f232c1da977cada
- Filesize: 635KB
  MD5: 35e545dac78234e4040a99cbb53000ac
  SHA1: ae674cc167601bd94e12d7ae190156e2c8913dc5
  SHA256: 9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
  SHA512: bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3
- Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
- Filesize: 191KB
  MD5: eab9caf4277829abdf6223ec1efa0edd
  SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
- Filesize: 5.4MB
  MD5: 46efc5476e6d948067b9ba2e822fd300
  SHA1: d17c2bf232f308e53544b2a773e646d4b35e3171
  SHA256: 2de285c0fc328d30501cad8aa66a0ca9556ad5e30d03b198ebdbc422347db138
  SHA512: 58c9b43b0f93da00166f53fda324fcf78fb1696411e3c453b66e72143e774f68d377a0368b586fb3f3133db7775eb9ab7e109f89bb3c5e21ddd0b13eaa7bd64c
- Filesize: 935KB
  MD5: c2df6cb9082ac285f6acfe56e3a4430a
  SHA1: 591e03bf436d448296798a4d80f6a39a00502595
  SHA256: b8b4732a600b741e824ab749321e029a07390aa730ec59401964b38105d5fa11
  SHA512: 9f21b621fc871dd72de0c518174d1cbe41c8c93527269c3765b65edee870a8945ecc2700d49f5da8f6fab0aa3e4c2db422b505ffcbcb2c5a1ddf4b9cec0e8e13
- Filesize: 188KB
  MD5: dd070483eda0af71a2e52b65867d7f5d
  SHA1: 2b182fc81d19ae8808e5b37d8e19c4dafeec8106
  SHA256: 1c450cacdbf38527c27eb2107a674cd9da30aaf93a36be3c5729293f6f586e07
  SHA512: 69e16ee172d923173e874b12037629201017698997e8ae7a6696aab1ad3222ae2359f90dea73a7487ca9ff6b7c01dc6c4c98b0153b6f1ada8b59d2cec029ec1a
- Filesize: 64KB
  MD5: 0da66aaf2738d7703383590ee0a6ab87
  SHA1: 64d93982f95c4b591212882ee6b9a3c4f93bcd29
  SHA256: e539a43e411014cad28aeb7715ffa33d603b0bd5877861611bc58b907aa065a5
  SHA512: c4d6ea83d4b088d936188d33088c6544f8c14f58496f6b66a9424eea4e77b5549dcb4778295838780efbc71c49df7151bb37a855c34c342fe5c2e526d0685639