Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 19:02

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
Resource: win7-20240221-en

General
Target: 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: ba05ca7e85cf2ca75c0bb8295a75a77a
SHA1: 80f12db2bc5368cdd1b63c0b5ee20e8affd569f0
SHA256: e3c554113cc2c84642591ec5f0a245d0f25ffd596995495dfa299d67ffdf46f8
SHA512: c020a503c5f0863099b405c8a9c8bedbcf59880209fba6949a78f7992404ae9290bb7ce11ff291d91ed709c077235aa8ee816b0af045443623cf89a87da97a73
SSDEEP: 196608:GP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018JHBVH:GPboGX8a/jWWu3cI2D/cWcls1sH
Malware Config
Signatures

Executes dropped EXE (53 IoCs)
Every entry below is a stock Windows, .NET or Office service image. Most of them appear in the "Drops file in ..." tables as opened for modification by the sample or by alg.exe shortly before, so this signature records already-present system binaries being started after their on-disk image was modified, not new files written by the sample.

pid | process
480 | Process not Found
2652 | alg.exe
2564 | aspnet_state.exe
2620 | mscorsvw.exe
2928 | mscorsvw.exe
548 | mscorsvw.exe
1576 | mscorsvw.exe
1500 | ehRecvr.exe
2788 | ehsched.exe
564 | mscorsvw.exe
808 | mscorsvw.exe
1568 | mscorsvw.exe
908 | mscorsvw.exe
3004 | mscorsvw.exe
2916 | mscorsvw.exe
2696 | mscorsvw.exe
2516 | mscorsvw.exe
2568 | mscorsvw.exe
2728 | mscorsvw.exe
1968 | mscorsvw.exe
1932 | mscorsvw.exe
3036 | mscorsvw.exe
956 | mscorsvw.exe
1564 | mscorsvw.exe
824 | mscorsvw.exe
1684 | mscorsvw.exe
2604 | mscorsvw.exe
1608 | mscorsvw.exe
2720 | mscorsvw.exe
2740 | mscorsvw.exe
2724 | mscorsvw.exe
1660 | elevation_service.exe
564 | IEEtwCollector.exe
936 | GROOVE.EXE
580 | maintenanceservice.exe
1636 | msdtc.exe
1984 | msiexec.exe
2712 | OSE.EXE
1592 | OSPPSVC.EXE
2896 | perfhost.exe
2432 | locator.exe
2416 | mscorsvw.exe
2316 | snmptrap.exe
1536 | vds.exe
1436 | vssvc.exe
2404 | wbengine.exe
1068 | mscorsvw.exe
580 | WmiApSrv.exe
2908 | wmpnetwk.exe
2884 | SearchIndexer.exe
2548 | mscorsvw.exe
1688 | mscorsvw.exe
1440 | dllhost.exe
Loads dropped DLL (15 IoCs)

pid | process
480 | Process not Found (7 events)
1984 | msiexec.exe
480 | Process not Found (5 events)
764 | Process not Found
480 | Process not Found
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. The report lists no pid, process or file IoC under this signature, so which process triggered it is not shown here.
Drops file in System32 directory (20 IoCs)
Process "sample" = 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe

description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\152ef7d078a61a12.bin | alg.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | sample
File opened for modification | C:\Windows\System32\snmptrap.exe | sample
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | sample
File opened for modification | C:\Windows\system32\SearchIndexer.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | sample
File opened for modification | C:\Windows\system32\msiexec.exe | sample
File opened for modification | C:\Windows\system32\vssvc.exe | sample
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | sample
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\msdtc.exe | sample
File opened for modification | C:\Windows\SysWow64\perfhost.exe | sample
File opened for modification | C:\Windows\system32\wbengine.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | sample
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | sample
File opened for modification | C:\Windows\System32\vds.exe | sample
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
Process "sample" = 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe

description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | sample
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | sample
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | sample
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | sample
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | sample
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | sample
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | sample
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | sample
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | sample
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | sample
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | sample
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | sample
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | sample
Drops file in Windows directory (35 IoCs)
Process "sample" = 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe

description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{295564C6-6285-4637-A18E-197AC00C293D}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | sample
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | sample
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | sample
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{295564C6-6285-4637-A18E-197AC00C293D}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | sample
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | sample
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | sample
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | sample
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | sample
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | alg.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Modifies data under HKEY_USERS (35 IoCs)
None of these rows is written by the sample itself; they are the routine .DEFAULT-profile writes of the Windows services that were started during the run (SearchIndexer, SearchProtocolHost, wmpnetwk, ehRecvr, OSPPSVC, GROOVE), which the sandbox attributes to the sample because those service images were modified by it.
MUICACHE = \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E

description | ioc | process
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | MUICACHE\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | MUICACHE\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A6C0C501-6DDB-4745-96B5-B3471C1763B3} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{A6C0C501-6DDB-4745-96B5-B3471C1763B3} | wmpnetwk.exe
Set value (str) | MUICACHE\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 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 | OSPPSVC.EXE
Set value (data) | MUICACHE\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | MUICACHE\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (data) | MUICACHE\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Set value (str) | MUICACHE\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | MUICACHE\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)

pid | process
2864 | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe (25 events)
Suspicious use of AdjustPrivilegeToken (49 IoCs)
The rows that matter are the sample's own (PID 2864): it enables SeTakeOwnershipPrivilege, which lets it take ownership of TrustedInstaller-owned images under System32 and Program Files before overwriting them (see the "Drops file in ..." tables), and SeDebugPrivilege. The SeShutdownPrivilege rows for PIDs 548 and 1576 are the .NET mscorsvw.exe service, and the backup/restore privileges belong to msiexec.exe, vssvc.exe and wbengine.exe.
Process "sample" = 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe

description | pid | process
Token: SeTakeOwnershipPrivilege | 2864 | sample
Token: SeShutdownPrivilege | 548 | mscorsvw.exe
Token: SeShutdownPrivilege | 1576 | mscorsvw.exe
Token: SeShutdownPrivilege | 548 | mscorsvw.exe
Token: SeShutdownPrivilege | 1576 | mscorsvw.exe
Token: SeShutdownPrivilege | 548 | mscorsvw.exe (2 events)
Token: SeShutdownPrivilege | 1576 | mscorsvw.exe (2 events)
Token: SeRestorePrivilege | 1984 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1984 | msiexec.exe
Token: SeSecurityPrivilege | 1984 | msiexec.exe
Token: SeBackupPrivilege | 1436 | vssvc.exe
Token: SeRestorePrivilege | 1436 | vssvc.exe
Token: SeAuditPrivilege | 1436 | vssvc.exe
Token: SeBackupPrivilege | 2404 | wbengine.exe
Token: SeRestorePrivilege | 2404 | wbengine.exe
Token: SeSecurityPrivilege | 2404 | wbengine.exe
Token: SeShutdownPrivilege | 548 | mscorsvw.exe
Token: SeManageVolumePrivilege | 2884 | SearchIndexer.exe
Token: 33 | 2884 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2884 | SearchIndexer.exe
Token: SeDebugPrivilege | 2864 | sample (5 events)
Token: 33 | 2908 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2908 | wmpnetwk.exe
Token: SeShutdownPrivilege | 1576 | mscorsvw.exe
Token: SeShutdownPrivilege | 548 | mscorsvw.exe (13 events)
Token: SeDebugPrivilege | 2652 | alg.exe
Token: SeShutdownPrivilege | 548 | mscorsvw.exe (2 events)
Token: SeShutdownPrivilege | 1576 | mscorsvw.exe
Token: SeShutdownPrivilege | 548 | mscorsvw.exe (2 events)
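Once extracted, each of the "Drops file in ..." and "AdjustPrivilegeToken" tables above is one flat string. The Python below is an added example, not part of the sandbox report and not any sandbox vendor's code: it parses rows in that layout back into tuples and answers the two questions a responder wants from this report, which binaries the sample modified that then went on to modify others, and which privileges each process enabled. The row text embedded in the block is a subset of the report's own rows, joined with single spaces as the extracted page presents them; the only assumption is the report's column layout (action, a path that may contain spaces, then a space-free process name ending in .exe).

```python
"""Parse flattened sandbox-report IoC rows and trace on-disk infection spread.

Added example for the report above; not the sandbox's own code. The row
strings are a subset of the report's rows, re-joined with single spaces.
"""
import re
from collections import defaultdict

SAMPLE = "2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe"

# Subset of the report's "Drops file in ..." rows, in report order.
FILE_ROWS = " ".join([
    "File opened for modification C:\\Windows\\System32\\alg.exe " + SAMPLE,
    "File opened for modification C:\\Windows\\system32\\msiexec.exe " + SAMPLE,
    "File opened for modification C:\\Program Files\\7-Zip\\7z.exe " + SAMPLE,
    "File opened for modification C:\\Windows\\system32\\IEEtwCollector.exe alg.exe",
    "File opened for modification C:\\Program Files\\Mozilla Firefox\\firefox.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
    "File created C:\\Windows\\Microsoft.NET\\ngennicupdatelock.dat mscorsvw.exe",
])

# Subset of the report's "AdjustPrivilegeToken" rows.
TOKEN_ROWS = " ".join([
    "Token: SeTakeOwnershipPrivilege 2864 " + SAMPLE,
    "Token: SeShutdownPrivilege 548 mscorsvw.exe",
    "Token: SeDebugPrivilege 2864 " + SAMPLE,
    "Token: SeDebugPrivilege 2652 alg.exe",
])

# A row is "<action> <path, may contain spaces> <process>". The process column is
# one token ending in .exe/.EXE, and the next row (if any) starts with "File ",
# which is what lets the lazy path group stop in the right place.
FILE_ROW = re.compile(
    r"(File opened for modification|File created) (.+?) (\S+\.(?:exe|EXE))(?= File |$)"
)
TOKEN_ROW = re.compile(r"Token: (\S+) (\d+) (\S+)")


def parse_file_rows(text):
    """Return (action, path, process) tuples in report order."""
    return [m.groups() for m in FILE_ROW.finditer(text)]


def parse_token_rows(text):
    """Return (privilege, pid, process) tuples in report order."""
    return [(priv, int(pid), proc) for priv, pid, proc in TOKEN_ROW.findall(text)]


def is_executable(path):
    return path.lower().endswith(".exe")


def modified_executables(rows):
    """Map each writing process to the set of executables it opened for modification."""
    graph = defaultdict(set)
    for action, path, proc in rows:
        if action == "File opened for modification" and is_executable(path):
            graph[proc].add(path)
    return dict(graph)


def propagation_chain(rows, sample):
    """Processes whose own image the sample modified and that later modified
    other executables themselves: the second generation of an on-disk infection."""
    graph = modified_executables(rows)
    infected_names = {p.rsplit("\\", 1)[-1].lower() for p in graph.get(sample, ())}
    return {proc: sorted(paths) for proc, paths in graph.items()
            if proc.lower() in infected_names}


def hunt_list(rows):
    """Distinct executables touched by any process, sorted case-insensitively:
    the set to hash and signature-check on hosts that ran the sample."""
    return sorted({path for _, path, _ in rows if is_executable(path)}, key=str.lower)


def privileges_by_process(tokens):
    """Map (pid, process) to the set of privileges that process enabled."""
    out = defaultdict(set)
    for priv, pid, proc in tokens:
        out[(pid, proc)].add(priv)
    return dict(out)


if __name__ == "__main__":
    rows = parse_file_rows(FILE_ROWS)
    for proc, paths in propagation_chain(rows, SAMPLE).items():
        print(f"{proc} (itself modified by the sample) then modified: {paths}")
    for key, privs in privileges_by_process(parse_token_rows(TOKEN_ROWS)).items():
        print(key, sorted(privs))
```

Feeding the full table text instead of the subset gives the complete hunt list. The propagation result is the point of the exercise: alg.exe is a Windows service image that the sample opened for modification, and the report then records alg.exe itself writing to dozens of other executables, so on an affected host the system and application binaries, not only the dropper, have to be treated as infected and restored from known-good media.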
Suspicious use of SetWindowsHookEx (6 IoCs)

pid | process
884 | SearchProtocolHost.exe (6 events)
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 rows have the same source, the v4.0.30319 mscorsvw.exe service (PID 548), writing into the NGen worker processes it spawns (the -NGENProcess children in the process tree below). That is how the .NET native image service normally starts its workers; it is listed here because the service image was itself opened for modification by the sample.

description | pid | process | procid_target
PID 548 wrote to memory of 564 | 548 | mscorsvw.exe | 60 (4 events)
PID 548 wrote to memory of 808 | 548 | mscorsvw.exe | 38 (4 events)
PID 548 wrote to memory of 1568 | 548 | mscorsvw.exe | 39 (4 events)
PID 548 wrote to memory of 908 | 548 | mscorsvw.exe | 40 (4 events)
PID 548 wrote to memory of 3004 | 548 | mscorsvw.exe | 41 (4 events)
PID 548 wrote to memory of 2916 | 548 | mscorsvw.exe | 42 (4 events)
PID 548 wrote to memory of 2696 | 548 | mscorsvw.exe | 43 (4 events)
PID 548 wrote to memory of 2516 | 548 | mscorsvw.exe | 44 (4 events)
PID 548 wrote to memory of 2568 | 548 | mscorsvw.exe | 45 (4 events)
PID 548 wrote to memory of 2728 | 548 | mscorsvw.exe | 46 (4 events)
PID 548 wrote to memory of 1968 | 548 | mscorsvw.exe | 47 (4 events)
PID 548 wrote to memory of 1932 | 548 | mscorsvw.exe | 48 (4 events)
PID 548 wrote to memory of 3036 | 548 | mscorsvw.exe | 49 (4 events)
PID 548 wrote to memory of 956 | 548 | mscorsvw.exe | 50 (4 events)
PID 548 wrote to memory of 1564 | 548 | mscorsvw.exe | 51 (4 events)
PID 548 wrote to memory of 824 | 548 | mscorsvw.exe | 52 (4 events)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task name or file IoC is listed for this signature in the report.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. The report records vssvc.exe (PID 1436) and wbengine.exe (PID 2404) starting with backup and restore privileges but shows no shadow-copy deletion; note that vssvc.exe is itself among the System32 images the sample opened for modification.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2564
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2620
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2928
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548 -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 564

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 808

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 244 -NGENProcess 23c -Pipe 1dc -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1568

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1ec -NGENProcess 250 -Pipe 238 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 908

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1ec -NGENProcess 230 -Pipe 23c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3004

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 234 -NGENProcess 1d0 -Pipe 254 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2916

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1e4 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2696

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 1d0 -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2516

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2568

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e4 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2728

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 230 -Pipe 1d4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1968

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 234 -Pipe 250 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1932

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e4 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3036

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 274 -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 956

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 248 -Pipe 290 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1564

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d0 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 824

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 28c -NGENProcess 1e4 -Pipe 298 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1684

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1ec -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2604

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 29c -NGENProcess 264 -Pipe 230 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1608

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 28c -Pipe 1d0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2720

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2740

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 1ec -Pipe 2a8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2724

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 288 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2416

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2a8 -NGENProcess 220 -Pipe 224 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1576

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1068

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2548

C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1500

C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID: 2788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 1660

C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID: 564

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 580

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 1636

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 1984

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2712

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1592

C:\Windows\system32\wbem\wmiprvse.exe
Command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
PID: 1684

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2896

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2432

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2316

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1536

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1436

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2404

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 580

C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2908

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2884

    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 884

    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
    PID: 1568

C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID: 1440
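What the process tree records is worth stating plainly: the sample (PID 2864) writes into System32, Program Files and the Windows directory, and every Windows or third-party service image that starts later in the run (alg.exe, the four mscorsvw.exe NGEN services, msiexec.exe, vssvc.exe, wmpnetwk.exe and the rest) is tagged "Executes dropped EXE", meaning the executable on disk had been written during the analysis before it ran. The report does not classify the sample; the pattern is simply what modification of service executables on disk looks like in this sandbox. The PowerShell below is an added triage check derived from that observation, not part of the sandbox report. On a suspect host, or on a mounted disk image, it takes the exact image paths from the tree, checks each for a valid Authenticode signature, and compares its SHA256 with the artifacts listed under Downloads. Assumptions not in the report: PowerShell 4 or later (Get-FileHash), a Windows 7 x64 layout like the sandbox image, and $Root as the system drive or the mount point of the image.

```powershell
# Added example (not part of the sandbox report): verify the service images that
# the process tree tags "Executes dropped EXE" on a suspect host or mounted image.
# Assumptions: PowerShell 4+ (Get-FileHash), Windows 7 x64 layout as in the
# sandbox image, $Root = system drive of the live host or of the mounted image.
param(
    [string]$Root = "C:\"
)

# Image paths copied verbatim from the process tree, relative to $Root. The
# Chrome path carries the version directory of the sandbox image; adjust it to
# the version installed on the host being checked.
$ServiceImages = @(
    "Windows\System32\alg.exe",
    "Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe",
    "Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe",
    "Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe",
    "Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
    "Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
    "Windows\ehome\ehRecvr.exe",
    "Windows\ehome\ehsched.exe",
    "Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
    "Windows\System32\IEEtwCollector.exe",
    "Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE",
    "Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe",
    "Windows\System32\msdtc.exe",
    "Windows\System32\msiexec.exe",
    "Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE",
    "Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE",
    "Windows\SysWow64\perfhost.exe",
    "Windows\System32\locator.exe",
    "Windows\System32\snmptrap.exe",
    "Windows\System32\vds.exe",
    "Windows\System32\vssvc.exe",
    "Windows\System32\wbengine.exe",
    "Windows\System32\wbem\WmiApSrv.exe",
    "Program Files\Windows Media Player\wmpnetwk.exe",
    "Windows\System32\SearchIndexer.exe",
    "Windows\System32\dllhost.exe"
)

# SHA256 of every artifact under Downloads in this report. A service binary whose
# hash is in this set is byte-identical to a file the sandbox captured from the run.
$DroppedSha256 = @(
    "212e73e4258028f92bfce620191c5ae592901c33a325e13d47a2cc1be61fd735",
    "61f30706c325d301e3e984915f2298e66de25fd1c86295de06eb4ac9c0ea0f3a",
    "ff609e2176910b5713da81b8eece71f745ba2249e8dbc883a05d5dae65ba61a2",
    "b05c447a7c96b1d2719ce7425427ee6bd07ff56570b3242b82038cb82b82aa0b",
    "557713df0d029c72535c6388a38e112ef8dea33c80e0c5037651f56628e6a9e9",
    "b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd",
    "dd146ea06224b586fd56aa0a423a57752f0d210142239ff66771068b7b2bbd2e",
    "795042d333491facfa2ff7ce03b5f95eed7ed80226f320dd84e2ad242dc273bd",
    "3f2b63901a81e0819f50d3df487105f9bbadff2b44db303a8b2eacb04d63394f",
    "f292f39144f026cddd3a09e9384a4221278a2e3919cfd4584562ad59a02664ed",
    "92a49259c51353500e62b7d13a99c714806fd8bca658049fa401dfd7677244c8",
    "3cbe814b87689b2d7ffeee7dde640b6602193ab49d582fc4a56debd22e25ec7d",
    "904f6ca0d842a050d236fac682614868a00ed593738313e3d294c72bbf31470b",
    "1fea4b887bc77258e5c8a3d3983828289433c3b3d6cbbc03e7ae4e96d2b87af2",
    "8cd45e8810021d49908c5b07754c575f21d4b8161179527bac59272001bd0d3e",
    "69e5df95dfd0f3ee76a50a6573c0db07d2bdd2760d2ce2eab80a2a68467f30c1",
    "8eafa922ed27f8347a39921323ec0ce510f302165795750d18304b54e4a6edea",
    "87db70118c7bfb8b41c4b0b380cd842964907798a107b9fd616ab52b30fbf2c5",
    "9e826c2059a916058a6aaea439ea3d4838eec7501ff0a9052a5f22cc84f172ed",
    "01b00f4f6fb196091efb6c303aca175f2c88271ca7ac6d02d179e8a86c811432",
    "0ef070fc7d4dda1c772e27028edf9f5fcdc495989d51e5fae45a2b0378618cc9",
    "e4c804ce541a184a7b0d5778ed982118a46fa038a67342bc0029bfc82bdd8e0d",
    "879ff6d2a4e8c5ced4827efad94207d3b65f36072a62221ab0fb9f518c04a3b9",
    "796de055d7bfcea8d169da0905d5b6a5d68ffc2ffaff524032b809a10a77ad77",
    "1f90d61ce4009a80e8cf064d6b7ae2b18e6e1fd5537fdb4b7d8628479f5843fd",
    "6eb7b239257d676f6bfcf6c11b25a7ed57fc4be4e7cfad3a7590d569211aabd3"
)

function Test-ServiceImage {
    param([string]$Path)
    # Absent on this host (e.g. no Chrome or Office installed): nothing to report.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $known = $DroppedSha256 -contains $hash
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status      # Valid, HashMismatch, NotSigned, ...
        Signer          = $signer
        SHA256          = $hash
        MatchesDropped  = $known
        # HashMismatch means a signed image whose body was altered; a match against
        # the dropped artifacts ties the file to this run whatever the signature says.
        Suspicious      = ($sig.Status -ne 'Valid') -or $known
    }
}

$results = foreach ($rel in $ServiceImages) {
    Test-ServiceImage -Path (Join-Path $Root $rel)
}
$results | Where-Object { $_.Suspicious } |
    Format-Table Path, SignatureStatus, MatchesDropped, SHA256 -AutoSize
```

Two caveats when reading the output. The in-box Windows 7 binaries in the list (alg.exe, msiexec.exe, vssvc.exe and so on) are catalog-signed rather than carrying an embedded signature, and on older Windows and PowerShell builds Get-AuthenticodeSignature reports them as NotSigned even when they are clean; treat Valid as clean, treat HashMismatch or a MatchesDropped hit as confirmed tampering, and resolve NotSigned by comparing the file against a known-good copy of the same build. Second, when correlating the tree with the pid/Process lists earlier in the report, note that PIDs 564, 580, 1568 and 1684 each appear for two different images within the 150 s run: PIDs are reused, so match on image path and start order rather than on PID alone.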
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 2f2e27ce23093c2fe56b425d6f6d6ce4
  SHA1: 3fc42c55e4c5f0eaa303bdad1c0f0cd031fa030d
  SHA256: 212e73e4258028f92bfce620191c5ae592901c33a325e13d47a2cc1be61fd735
  SHA512: e1a51cc11f08787a1a4550c205ae2a34331920a12b98ce43d9ba2281e26aa9b5cb82fba95456cd857835c5d2b3d935b41554e8788f61169d1bbbe3d7d86a5ace

- Filesize: 30.1MB
  MD5: c90ebe3fe3414785dbecac0a99de0375
  SHA1: 4997ee02c86952271d1cfcadebb1a300241f8087
  SHA256: 61f30706c325d301e3e984915f2298e66de25fd1c86295de06eb4ac9c0ea0f3a
  SHA512: 0547310cfcae28e4fdc1d6d1d18126843952607c12049c02bfb2f76d6daef78d2808ba76d1c86ecd4f65c96ebac4dba859e5cca0dda405a3c9cb6bccea7f1695

- Filesize: 1.4MB
  MD5: c78c52530eeebc88831d50d93fbd08b2
  SHA1: 55332fc9cfdb7c68a7c145b0a3903fbee4f5a1ed
  SHA256: ff609e2176910b5713da81b8eece71f745ba2249e8dbc883a05d5dae65ba61a2
  SHA512: aea5497be4984fa24721c438fe49c577170900da91b8a1fb45d657c42a57b3e2740325c7dae89cd0ebdbfabf71e424cfcab4d6e2f4d4cfab77a08de5f85b274d

- Filesize: 5.2MB
  MD5: c8937d700b0911d3a7982de6dcc2a8a0
  SHA1: 431b0726ea2486e0e3e147710b2cdda7653f2561
  SHA256: b05c447a7c96b1d2719ce7425427ee6bd07ff56570b3242b82038cb82b82aa0b
  SHA512: 4fef5df6975738722286a5b661d8ead9c9da6186578f6bba9b1c74c130d9aeaf18724805658bd4b5b94d5ca9e1ba52105b9b75c584a137f062ee69970f03472b

- Filesize: 2.1MB
  MD5: 108ba131dcb8140c47883c7a31d90637
  SHA1: a2d31fa6737c9bd829b546a62acb4d0cfd8b9485
  SHA256: 557713df0d029c72535c6388a38e112ef8dea33c80e0c5037651f56628e6a9e9
  SHA512: 90a482d69fcd91a956d28bad91ddc33d206154bf372655df0956dc317ba83c2b44c9bba94c14de7c02dea8bcbedc15baace016d170f5b4eb07c0f5ecbaee90f8

- Filesize: 1024KB
  MD5: 395b90b5d6e98603b7ffaddbc8383fb3
  SHA1: 0a6cbbddf032fbc48d9563957c84d12b3d5c2067
  SHA256: b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd
  SHA512: 4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

- Filesize: 1.3MB
  MD5: 4beee9dbec180711607c2e5d6bbf9d1f
  SHA1: 250b5ad24d50c112f3d6d4ec687a339744e51153
  SHA256: dd146ea06224b586fd56aa0a423a57752f0d210142239ff66771068b7b2bbd2e
  SHA512: 43283a930ebb5c75747d8f0bdad4f69ccbfde4dce58249527e2a523b1cfe2367ef55861b07de6c63c0afe73eefdc579ed2a3268617ebfda634d84294cfc751f4

- Filesize: 872KB
  MD5: aefc1ea29ffca2198958417ee1a347be
  SHA1: 9be42baa2bb9720064aff4d50fca156bbe4f69a2
  SHA256: 795042d333491facfa2ff7ce03b5f95eed7ed80226f320dd84e2ad242dc273bd
  SHA512: 593cca9fcddacb2b4b19a4f4d7815480035d605dfa5d523100f088311a6de6da6f69cdedbfc7c004482d50f7c2281e0a233e46965040b4266de968efcfff9762

- Filesize: 1.3MB
  MD5: 36c5a166cb18cec47ebad15ca7d715ba
  SHA1: 64bc2a6093a86c6b5c7ab7b9cafb34eb649fe637
  SHA256: 3f2b63901a81e0819f50d3df487105f9bbadff2b44db303a8b2eacb04d63394f
  SHA512: 1aaed6f4ae53e6bd8e89742327547ef50940b21c874493747dac919f3b6370e4125f52e675ee26a4f5cdc824f74121d74f712ff27c90544070e12202dd5a3320

- Filesize: 1.3MB
  MD5: 45f59a69eec0766cb5712e5dd91cc3d5
  SHA1: c5d54169065ff16e097abdbcc7a2e7f139cc05b6
  SHA256: f292f39144f026cddd3a09e9384a4221278a2e3919cfd4584562ad59a02664ed
  SHA512: e36bf2ccbff4f1f75b9914058c7b27b7b21b3da3a3ac400a94b35d7f77e6502e2da1b0bf1d49059528ce54dcf13c9b35a2c50e3f7d233835bdbae15647a80067

- Filesize: 1003KB
  MD5: 706998df8ed7961314631f7cc8c18eb8
  SHA1: 5f9b6edc1ca2ce8f59df8a7f594a362af56d6f5b
  SHA256: 92a49259c51353500e62b7d13a99c714806fd8bca658049fa401dfd7677244c8
  SHA512: 66c18eeba03b61f9621a624869bd0c6ae6d92f722ed2911a82d4719f27e7ac8b74fb0d6b4839a39213af6404233065bb6e3af980b89a50e4b14c9af7eb06566d

- Filesize: 1.3MB
  MD5: ad9a979cf2ac3e90d118c040551c5409
  SHA1: f4e7cd3b92019023557591d2ad1cb2786ead8cce
  SHA256: 3cbe814b87689b2d7ffeee7dde640b6602193ab49d582fc4a56debd22e25ec7d
  SHA512: 9adafa7b75ba583cd50c769e3154bbbf2ddc12d85d8c3bcd05c9460990b603f880c80db972a7332b58187725732eb479a4ffd547b980443188ce18c90e830228

- Filesize: 1.3MB
  MD5: d20452b57bb561c7a6633c9ad6f87f72
  SHA1: aeae6fee4a4468105febe2e89abef9977ccc0252
  SHA256: 904f6ca0d842a050d236fac682614868a00ed593738313e3d294c72bbf31470b
  SHA512: 95c907e4d1515fa198e99188fff2747636ce110c1359705a9ebc96b9cef63e0c1d540e192c1ac7be22871fe2a5b8fe12e0536eda2865a55f821217863ebec16d

- Filesize: 2.1MB
  MD5: b0a0a6eaa8495c8e6ef2336ff72ccbc0
  SHA1: 0fbdaf1b63f195d0f5ad37cf3a4a687383510a1a
  SHA256: 1fea4b887bc77258e5c8a3d3983828289433c3b3d6cbbc03e7ae4e96d2b87af2
  SHA512: 17c8aa1fd7c73cbebc52a5eed19eb6d79409f3a2b25e19a262588809a74eaeced35f50e21b81179bb07873adacf1b54a1d3ed968549a6d1dec87279332ac3b89

- Filesize: 1.3MB
  MD5: eae670ec13e38cbe23f01717c94f7a1a
  SHA1: 9b0c1b879ca577a14e37fbc141acc6e9cf475845
  SHA256: 8cd45e8810021d49908c5b07754c575f21d4b8161179527bac59272001bd0d3e
  SHA512: a9b862edc508756a78d7ad362f484e7b5149890b5e6c6c298494799f253d942b25f703ee2cedb33f683bc6b46831caa904d45f0be8fb13cf13c2e28d96df5620

- Filesize: 1.4MB
  MD5: 64e82ae76aba48c2f5a10704272a9d7b
  SHA1: 122403ea119513a363d5c32be51baaf3f82db221
  SHA256: 69e5df95dfd0f3ee76a50a6573c0db07d2bdd2760d2ce2eab80a2a68467f30c1
  SHA512: 4bde7d8a7cfc1982f4e98a6ad5e28edf6279471acf13a601253a68739160e476c3c2c0338683190bd7cc60b8f2e5ffab6b21883b49fb26c7d0ca72cae977e08b

- Filesize: 1.3MB
  MD5: 1bba41c6791f244c1963329a2024e158
  SHA1: 4bb69d3371a025ff275b243015f0cf415ac49d7f
  SHA256: 8eafa922ed27f8347a39921323ec0ce510f302165795750d18304b54e4a6edea
  SHA512: 7f362561ffb15936795d154b8a265eb38b9101b5d319400adbe4dc1d00f23b413a4e4e12037c9cf0a2c34b7a44def2c93a599ab65b185fc13ddb0e78925489c6

- Filesize: 1.7MB
  MD5: b6c5be40fbb1f89ae2e2ebca212341cc
  SHA1: edbe5952cb39d57061af07eaf726bbcdb9e463a6
  SHA256: 87db70118c7bfb8b41c4b0b380cd842964907798a107b9fd616ab52b30fbf2c5
  SHA512: 4faf1489a954af18dec9251f96c2b36eda49b01ccb1a62939f4932342fd71f4ef1bc87fbf2517f8da1c853dd77c506bba0198f65ebb432ca88a5b3e643688461

- Filesize: 1.2MB
  MD5: ac0ded4b425b8381476b200650cbba37
  SHA1: 455748864c68ef7023c533a4677cb2b961700ef4
  SHA256: 9e826c2059a916058a6aaea439ea3d4838eec7501ff0a9052a5f22cc84f172ed
  SHA512: 50bd2bdc074831feb6acfa9f0fe10eacc837294c010e8559550c8e68b99fb1e85270444e5c3b0da23d8a8d11d9e4caf31fa219d6d78d83d3b1b1de5182f08384

- Filesize: 1.3MB
  MD5: f249df6a5144e254d38696581f14de53
  SHA1: f934855179a46eeb8e1906577c8966999b429c60
  SHA256: 01b00f4f6fb196091efb6c303aca175f2c88271ca7ac6d02d179e8a86c811432
  SHA512: 1395639e7366c9074820d0c5cfe3ed0703e77bca4cfdb1c18c2b3b5ded744ae9d3423b4cfaa7adb8b6a2e9a2bd21eecc9defa969b7aaf95dfa75feed14711c3f

- Filesize: 1.2MB
  MD5: 73ccccb8087df0ef04c920e1e32fe9be
  SHA1: 8c744e68b45c084ddb8d01f2437b5a77a3fa4d25
  SHA256: 0ef070fc7d4dda1c772e27028edf9f5fcdc495989d51e5fae45a2b0378618cc9
  SHA512: 725918c30fca6f8e7e3c4e0663f4442090bcfbbf8c74b671d6df6da506088e1776c0471deb969efebc283fa0886b349e7d28c7304270984a23367c32d46f2b5a

- Filesize: 1.3MB
  MD5: 9f9291be4989a2aed8aaea3136ca9eb0
  SHA1: f4b3ec614d36c9eab8bad5d005cea41b9ce01c4e
  SHA256: e4c804ce541a184a7b0d5778ed982118a46fa038a67342bc0029bfc82bdd8e0d
  SHA512: c2e69f5073f0c06c64588cd778d568ae9fcc3a107d392b4f7d04afa2d19b8dd4aef85aadc75163b80447bd94b36a8b967ad9610d2209f4e11d85a2ddeb8f69e7

- Filesize: 1.4MB
  MD5: c094cf74840bfeac2f99171657bd38cb
  SHA1: 1fe466360fa501ee8c8f1fcdbcc6836945e778d6
  SHA256: 879ff6d2a4e8c5ced4827efad94207d3b65f36072a62221ab0fb9f518c04a3b9
  SHA512: 6066994019cbccd71cce7d1f362e2e557f4484bd95a79d1a80f2190e2ba86d9efb463aec2153e8618613367befdb1d28f783d160ad11309d90920feef82b19a1

- Filesize: 1.4MB
  MD5: 70f753f2628e293045011da2f1541bd4
  SHA1: b5b436e338dc96c0ed0b11254b976a2fc769cb76
  SHA256: 796de055d7bfcea8d169da0905d5b6a5d68ffc2ffaff524032b809a10a77ad77
  SHA512: b0a2ed6ba1427b71f3d1f34235caafa771eaf9075c14dff2674babfb1350c37e456d490abfb63a1cde919cf07d76c3c97a2563f41435fa37f425c6d33b8686ca

- Filesize: 2.0MB
  MD5: 4d132b3cb4bd573ccf314b6f0c884ced
  SHA1: c44f9d0820613813c6d9f98cb0b437e49c2d8d89
  SHA256: 1f90d61ce4009a80e8cf064d6b7ae2b18e6e1fd5537fdb4b7d8628479f5843fd
  SHA512: 91b32e511988c2ee442f88d43854c2774e49f6fd3bd845ad4c440a0f8a26d062dbe4bce8f73cdaf446779d6e78fee611328126002091e73b1c5e0ec42c9952c8

- Filesize: 1.4MB
  MD5: dc847f92e026b7ee6460c09f8b4dc075
  SHA1: 4771a02c342d6847f91329e0782fedbc98c00c99
  SHA256: 6eb7b239257d676f6bfcf6c11b25a7ed57fc4be4e7cfad3a7590d569211aabd3
  SHA512: 0697cfcb8999dfa54373995bc86c74f278391a97d819322575f51fa53b53c52cecefc9cac7f1e6eb734357f9d6ad6a41047e91ce2048515cc2279a7e091f4b6a