Analysis
max time kernel: 55s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 15:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: fdf2b2afc999203392e9a98d92594e5c
SHA1: 6e384beb916b5c76a6a035f0c141e7a61a869e16
SHA256: a92805cd1cea9c4a5fec1e351082206c8fc387df4f2e07eb55d6ec2f02a804c4
SHA512: 16848aa4f5651ad735996b6480b0e44c83b9d39ff7edd393c20100277a87567022b8c1c82d488caa0d31a31e0f0001fc682c1948c225341fa8943dddf0860cda
SSDEEP: 196608:LP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv018zt1:LPboGX8a/jWWu3cq2D/cWcls1i
Malware Config
Signatures
Executes dropped EXE 34 IoCs
pid | Process
472 | Process not Found
2528 | alg.exe
2728 | aspnet_state.exe
2468 | mscorsvw.exe
112 | mscorsvw.exe
2348 | mscorsvw.exe
2908 | mscorsvw.exe
1536 | dllhost.exe
1428 | ehRecvr.exe
2636 | ehsched.exe
440 | elevation_service.exe
1816 | IEEtwCollector.exe
1668 | GROOVE.EXE
888 | maintenanceservice.exe
1708 | mscorsvw.exe
2380 | msdtc.exe
2772 | mscorsvw.exe
112 | msiexec.exe
948 | OSE.EXE
676 | OSPPSVC.EXE
1204 | perfhost.exe
1572 | locator.exe
2604 | mscorsvw.exe
1020 | snmptrap.exe
768 | vds.exe
2264 | vssvc.exe
564 | mscorsvw.exe
2740 | wbengine.exe
2832 | WmiApSrv.exe
944 | mscorsvw.exe
3004 | wmpnetwk.exe
1768 | SearchIndexer.exe
1772 | mscorsvw.exe
2964 | mscorsvw.exe
Loads dropped DLL 15 IoCs
pid | Process
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
112 | msiexec.exe
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
752 | Process not Found
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\44fb4a3dae4ef42b.bin | alg.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Drops file in Windows directory 29 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CEEFE1ED-AAC4-4587-B1BC-503993FF4F7C}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CEEFE1ED-AAC4-4587-B1BC-503993FF4F7C}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Modifies data under HKEY_USERS 40 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{EF86B51D-BBCE-4973-972F-6AB668E0A2C2} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [value elided] | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{EF86B51D-BBCE-4973-972F-6AB668E0A2C2} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
1384 | ehRec.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Suspicious use of AdjustPrivilegeToken 34 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege | 2348 | mscorsvw.exe
Token: SeShutdownPrivilege | 2908 | mscorsvw.exe
Token: 33 | 1200 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1200 | EhTray.exe
Token: SeDebugPrivilege | 1384 | ehRec.exe
Token: SeShutdownPrivilege | 2348 | mscorsvw.exe
Token: SeShutdownPrivilege | 2908 | mscorsvw.exe
Token: SeShutdownPrivilege | 2908 | mscorsvw.exe
Token: SeShutdownPrivilege | 2908 | mscorsvw.exe
Token: SeShutdownPrivilege | 2348 | mscorsvw.exe
Token: SeShutdownPrivilege | 2348 | mscorsvw.exe
Token: 33 | 1200 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1200 | EhTray.exe
Token: SeRestorePrivilege | 112 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 112 | msiexec.exe
Token: SeSecurityPrivilege | 112 | msiexec.exe
Token: SeShutdownPrivilege | 2908 | mscorsvw.exe
Token: SeBackupPrivilege | 2264 | vssvc.exe
Token: SeRestorePrivilege | 2264 | vssvc.exe
Token: SeAuditPrivilege | 2264 | vssvc.exe
Token: SeBackupPrivilege | 2740 | wbengine.exe
Token: SeRestorePrivilege | 2740 | wbengine.exe
Token: SeSecurityPrivilege | 2740 | wbengine.exe
Token: SeManageVolumePrivilege | 1768 | SearchIndexer.exe
Token: 33 | 1768 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1768 | SearchIndexer.exe
Token: 33 | 3004 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 3004 | wmpnetwk.exe
Token: SeDebugPrivilege | 1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege | 1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege | 1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege | 1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege | 1284 | 2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1200 | EhTray.exe
1200 | EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
1200 | EhTray.exe
1200 | EhTray.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
760 | SearchProtocolHost.exe
760 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 2908 wrote to memory of 1708 | 2908 | mscorsvw.exe | 44
PID 2908 wrote to memory of 1708 | 2908 | mscorsvw.exe | 44
PID 2908 wrote to memory of 1708 | 2908 | mscorsvw.exe | 44
PID 2908 wrote to memory of 2772 | 2908 | mscorsvw.exe | 46
PID 2908 wrote to memory of 2772 | 2908 | mscorsvw.exe | 46
PID 2908 wrote to memory of 2772 | 2908 | mscorsvw.exe | 46
PID 2348 wrote to memory of 2604 | 2348 | mscorsvw.exe | 52
PID 2348 wrote to memory of 2604 | 2348 | mscorsvw.exe | 52
PID 2348 wrote to memory of 2604 | 2348 | mscorsvw.exe | 52
PID 2348 wrote to memory of 2604 | 2348 | mscorsvw.exe | 52
PID 2348 wrote to memory of 564 | 2348 | mscorsvw.exe | 56
PID 2348 wrote to memory of 564 | 2348 | mscorsvw.exe | 56
PID 2348 wrote to memory of 564 | 2348 | mscorsvw.exe | 56
PID 2348 wrote to memory of 564 | 2348 | mscorsvw.exe | 56
PID 2348 wrote to memory of 944 | 2348 | mscorsvw.exe | 59
PID 2348 wrote to memory of 944 | 2348 | mscorsvw.exe | 59
PID 2348 wrote to memory of 944 | 2348 | mscorsvw.exe | 59
PID 2348 wrote to memory of 944 | 2348 | mscorsvw.exe | 59
PID 2348 wrote to memory of 1772 | 2348 | mscorsvw.exe | 63
PID 2348 wrote to memory of 1772 | 2348 | mscorsvw.exe | 63
PID 2348 wrote to memory of 1772 | 2348 | mscorsvw.exe | 63
PID 2348 wrote to memory of 1772 | 2348 | mscorsvw.exe | 63
PID 2348 wrote to memory of 2964 | 2348 | mscorsvw.exe | 65
PID 2348 wrote to memory of 2964 | 2348 | mscorsvw.exe | 65
PID 2348 wrote to memory of 2964 | 2348 | mscorsvw.exe | 65
PID 2348 wrote to memory of 2964 | 2348 | mscorsvw.exe | 65
PID 1768 wrote to memory of 760 | 1768 | SearchIndexer.exe | 66
PID 1768 wrote to memory of 760 | 1768 | SearchIndexer.exe | 66
PID 1768 wrote to memory of 760 | 1768 | SearchIndexer.exe | 66
PID 1768 wrote to memory of 3060 | 1768 | SearchIndexer.exe | 67
PID 1768 wrote to memory of 3060 | 1768 | SearchIndexer.exe | 67
PID 1768 wrote to memory of 3060 | 1768 | SearchIndexer.exe | 67
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-05_fdf2b2afc999203392e9a98d92594e5c_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2528
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2728
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2468
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:112
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 170 -NGENProcess 18c -Pipe 270 -Comment "NGen Worker Process"2⤵PID:816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 1f8 -Pipe 18c -Comment "NGen Worker Process"2⤵PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"2⤵PID:2952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"2⤵PID:772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 1e0 -Pipe 274 -Comment "NGen Worker Process"2⤵PID:1056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 1e0 -Pipe 1f8 -Comment "NGen Worker Process"2⤵PID:3040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 120 -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process" (depth 2)
PID: 1764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 1)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2908
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process" (depth 2)
- Executes dropped EXE
PID: 1708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process" (depth 2)
- Executes dropped EXE
PID: 2772
-
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (depth 1)
- Executes dropped EXE
- Drops file in Windows directory
PID: 1536
-
C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1428
-
C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe (depth 1)
- Executes dropped EXE
PID: 2636
-
C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2 (depth 1)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1200
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (depth 1)
- Executes dropped EXE
PID: 440
-
C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding (depth 1)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1384
-
C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V (depth 1)
- Executes dropped EXE
PID: 1816
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 1668
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (depth 1)
- Executes dropped EXE
- Drops file in Program Files directory
PID: 888
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2380
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 112
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (depth 1)
- Executes dropped EXE
PID: 948
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 676
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (depth 1)
- Executes dropped EXE
PID: 1204
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (depth 1)
- Executes dropped EXE
PID: 1572
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (depth 1)
- Executes dropped EXE
PID: 1020
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (depth 1)
- Executes dropped EXE
PID: 768
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2264
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2740
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
- Executes dropped EXE
PID: 2832
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe" (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3004
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1768
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1" (depth 2)
- Suspicious use of SetWindowsHookEx
PID: 760
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596 (depth 2)
PID: 3060
-
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (depth 2)
PID: 2040
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.1MB
MD5
587a1c5dfd4e3258dce815a76f645120
SHA1
b1efb51ae3e0e3123606a066bb232c34b8b171cf
SHA256
9ef5e97256d5024acdf1c173d34f2e1cc7935ac556bcd5fbbebb25cdf6c679f6
SHA512
6706c2a7e0d669de39a89d7ec7773e7524671c7fa5b5c62c891290e884705d5b556998b4e285ca427ce3f5b75fa3b41465c50dad8791cbe01881953c6eea41e1
-
Filesize
2.8MB
MD5
a4bc6e157c402ae8bcdb1dfac31a56bf
SHA1
40406e3add91bd9e710319b5e6de72b0ebcffe6e
SHA256
0cba789a9648790c0c1e26c20bf8a4ec02dd0252c4a0e1554486b5bf8bda5e29
SHA512
d7d3186438e220d81fc9a3fc8d18f295556095a170772a1895fa4c015c85368908b8d9a21df727e4d564c000b16e43a0dddafa88d73eecd62324c7afb5918612
-
Filesize
1.1MB
MD5
333b8d4eb97fde79b6564557450ea1e3
SHA1
0201d22262d92bbe3e7bc043900cc5f3bda3d7bf
SHA256
2bcef0e5c319b23458ba1727a6fa6c5a6fe4f476c1cb0aa213d6c2e2e42075ea
SHA512
3f9e48d7d00a4ea545778e71a8af42905439b760b418690458a9ec6ea3c5a7a90fb0163a0236548ecee60f7ebd984013a0f006a70fd93ef9aaa20b0ae9115bc1
-
Filesize
1.6MB
MD5
3a688c3d8bd3bbc82161175eab782473
SHA1
01af745855976bd5fb9175739214e65b014e09cf
SHA256
046b1f78dbe1c2e46ad7d2646801f031c1269ce0ac178fb7a1778351ccba525c
SHA512
9af8c604b924ffb90b0772b5f2bb915808cb5b9f3fba3f03972b25c2b463212db885b88af5e3743da178a39ae1d2f4b7c974f0d0d6332fec305f73dd5ca08b3e
-
Filesize
1.2MB
MD5
2bbffc73f2c9c8c2cd5be7999ad2da5d
SHA1
efd6b7d5e5b301c76d5648ac9a540a6e406fd88d
SHA256
19ef26863965c5c7428dc8c029e076aa260fc27760505a1d68343669d9b24640
SHA512
e2b861d29a52ff16c1ee236657653e0f0dc4904eaa00e9dfddccc0bc35677689312bbead024d73409b313ba0db9d63b841f859a8bafdfa15801cfbff21cbf49f
-
Filesize
2.1MB
MD5
67f3b930c46bf0632e4e495fea01136f
SHA1
9a00a2821d317cbbfe2142ab6e7cd9f9cbad7d76
SHA256
b1dbf1b40c34f73057116443ef916d119fc9335e5ec1019c5408d5082666be74
SHA512
b7500345db198be9da5b28f43155457c5375f04be1d241628ab64e6d961ab057846555454118bbbdb13b0749be35f76f3a32f16f89f2d2c7cca5d8770036a4f5
-
Filesize
1.2MB
MD5
6a18d5065ca02d54c2bd1b8466336fb3
SHA1
1a5b4fbd272048e8d81813a2987623585c6cfb6a
SHA256
3b89b0ff3387b8172cfda4d8adeff4a516319e4d4a8d00f7339b8a3a65a98f1d
SHA512
2341f027d76fbcfd6ff9a04eee4ca0b524d12c045628d351d8e6e84ff631eb09eb3fdc3367b9bb236793c77fed3d65fc92d34d6669043dd0d875a49d6b3330bb
-
Filesize
1024KB
MD5
c42e3ef71d8f69c9b800c9242a67c410
SHA1
a47e68ae4d7a95f40c6dcdd5b1f3d2e9e4788e60
SHA256
0a3559fc3909481a838c46e3cb3476c0a86874d12eb8b2d61775119e848ab5bf
SHA512
c43c766a0db3c17abbc17f1900bf0c6dd5f6cd9fd08e7773ac53d341f6a604a5624d651ea9f13ec241d86cef4d2e617eaa8b068a2fb523456d8ea25e2e0b447e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B
MD5
b9bd716de6739e51c620f2086f9c31e4
SHA1
9733d94607a3cba277e567af584510edd9febf62
SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
1.5MB
MD5
27d3b073c69870d1ad551561942e2ce3
SHA1
c48ebb75581b21c2f48fed3d0477ed6eadedd421
SHA256
995d5ee05f53184a0d8ff408531456d03b7879b977af6f0832ba3481ca8a20c6
SHA512
976541c5f3dc6ee547193ccaa4da192ba6a1c418891e3d78c86d1ff12a78b5fcafbcdf7cceca35455f7939708d1b79169bda289efbf20672f3d5d5bd5fecbf2d
-
Filesize
872KB
MD5
3c432764bcdfce6781efe688d29dbaba
SHA1
1ddc385e26541ab0f063e042d30ceb8a449cf5ee
SHA256
a6f67e86257c03ffa20328275780970b8e58b81747664464348448cdd537f073
SHA512
5b3fdddbbb1fe57f70290f88166bbd50ab105663eb1f29d3c43a4d1ee0ce76f04c7ddd913116e78110df6bf90d2ff66bade54e0d6559471531b4701ef5c30aca
-
Filesize
1.5MB
MD5
27da22fc24c2812b2e25cedc4a4d9d09
SHA1
a9bd70e6d9ed1b970cdf9b6b81ef8b7c1fa592f5
SHA256
ae1d6c523c4128773ec2aa1a95ddd16d63484552f4d405c73f7c3ae5180ef851
SHA512
4376bf1e7c3745fb4a48c566a275239be7a52a5a63b0168ea32036f4aa3659b0c07986e9b915b059324b039ed653b023d6d07ed1a075c9294c039afe80081ca6
-
Filesize
1.5MB
MD5
c6a4bdb78e249b4742303e092a6de092
SHA1
f4bf8c7758fbd9ac61fec539e6db8e64e8079adb
SHA256
3607de6e24ee2e1df82c2af88388b4a164b367d506df387b213c61d01fa14c94
SHA512
b18597c0f6de3e2e20e30eec4e1e240eb3fb14c0068eab046b978e59540b96d65acf6fcedde5575ff7f32e4bbed785121aad7db199ce18ba671c77e3a0f9c860
-
Filesize
1003KB
MD5
a8227ff66515a61d0a5b6a2bfd9aa367
SHA1
ca9ecdec7f9771419cc317a0912a4af7628d943d
SHA256
7a078e5faae5a97d8fc5e8ee2375e722694d7405164d9f35382b75272999868e
SHA512
e8dc1272fca01ae622c9791a21040d16daf3796914eb97f3330851c9e8583ede31c40de82be3cb6d9710fae07b2d229d9f33ca489f8aac90e9a13cf42c7649f7
-
Filesize
1.5MB
MD5
93f825a63b6f738d48ec7b55da9b8347
SHA1
9eeb9de8c88b7250e5cd26fb638dd58b1e95c63e
SHA256
0511cf38d2a930f66b76285471292a96d6e9f3a1062fd3e8c20e22da9b2d6dde
SHA512
b1877d8885e809aac5ae8e9186e72fda2f0aee74289ed185bd9deeaabf85ba8252cb8f6eb5d15c25b25a9813cd7f3f35a6742a0a6dbe931fe8776a6f7fadd287
-
Filesize
1.4MB
MD5
a7a16736329be9f7baf641515dcf2dc0
SHA1
cf6e43a03604b66ad907fcaf8a2e732eb9451a55
SHA256
7da1c3d6614f204d2f983faf7ae0fba16946cfff7760ff4cf509dc3cbe1c7a86
SHA512
af56841877e86f85122b8254e2b99442607c6afb29900b1232bb36ced05dc2f322974536a585776f7e768a5d70ade877243de365a9522d4d7e9c315ccb081c08
-
Filesize
1.4MB
MD5
fb1a7606e6d4f885c5f33dffdbf8424d
SHA1
47358a4ec23cc75afe9f4e69a2faac518c61bc33
SHA256
ddbda77ff53690e9d3c140e2d9a79ce4a77a4be6a9c7e1d7600b96b3876d2395
SHA512
8a0e04adc00ea5e87d5c052d8d45910d1dadcf4a0fdefc8c73d0ec718f0a70d720676c05131ecb12f86055afd6c296fcbd5ae9b0635596318e0457bc6a0185fc
-
Filesize
1.1MB
MD5
849b35cc2c16c3dc77a64144bf77aa90
SHA1
ab67a42aa1da3751eeab4228374d6e4537db9ae4
SHA256
516dfb0dbfc58db182e20e64a081e123b26239fddd6823af0be583caacc61e99
SHA512
5185dc4eff102fed520f76a438213b54f51278e0bef9170d25d7f50748b87eb770da8bdcdd4ed3be84f866f7d774156ba41100aee72fb2b10d474155ddbafd80
-
Filesize
2.1MB
MD5
d39b93d8207be395fe18306503d51b75
SHA1
b96448d66725394adf664201a981434fbc358017
SHA256
2c35c03a7eaadb08870fcdadf0ee7f84f6e6adb1808a41e3849a76f41e968e2b
SHA512
81285e63bcaf2823ebb4b4a96257c9fccdf9cafc89051ea98317651ef7e848c97b09c361b42f21df97226c331eda9eabe68688689da7522443820bc6d20af48e
-
Filesize
1.5MB
MD5
837e6a7a8bee4e683cda444a787065bc
SHA1
bdbfdec049907d6f3726aa67e5a2ed1a33ec9a6c
SHA256
08814d9d109e8de44042949f1fccfe5025e5858182d1c29138126aaff2458551
SHA512
2536ae7899115478ac2072f9e7e443c1baa40fd4906fd69d5d9bdc09fa411770bbed9bc77c8670f9a1f9d4a4198b1b578b899d5cbe2dc3315f1f04fbcf2c839b
-
Filesize
1.4MB
MD5
70aa74b08bcf241dbead09c0d6b898c1
SHA1
891919b77a5e634f105a785076979fd52ddd0a0d
SHA256
2184b74a11f4ec97bd14ceefdfc72949c75bc855cd86a427a9449947bbb358d9
SHA512
14deeadedc2db6ee9e2896203441bbaee93eb71a7fc71c77f35c302231724d0b3cbde435543481fbac3bb646a5644946615fcc9a1c2a826b5ec40f329835f4d8
-
Filesize
1.5MB
MD5
e2c230232d0ffd05d57e77060540828e
SHA1
18f6b342abc5dc743e3117ea2dbd10e5efbfb20d
SHA256
78863cc01a4d53bf2313e26d09bce5c9610eaaf39bee2999a53e39844cc01076
SHA512
59801e2d807e005c7032eb09ba0b0af5f5914bf93a52cd5b25e4da80d63c999afe93f8e2ad4a0572b76f51570ebc5530169c58add9e0487b6797b7c8af9af18e
-
Filesize
1.5MB
MD5
90d1ae9cb562f9646f5c6529f8455093
SHA1
3262d3830fffa6a56386908b19681e931f6ad59b
SHA256
a5b900412d929f0e7457b6bdf0f3cc8a7d5cd2ed274dd452eabdb15bf132734e
SHA512
b43e0ee35fa7115930f0ae700b414e93ec865fd387353e0f56767f681c8a5a8fa8bf3b32f492e60488ff8d2d9cbe3e138d75b9c57002d482265ad9c03e307c9f
-
Filesize
1.2MB
MD5
53e5039a2c0be9af960ecd524a2e9c72
SHA1
1e95e2f4e32c2f89a15ef6e6340a7900fd4720e3
SHA256
f1ddc2714b228c7e6553069ddfc9286e8bfc738622e9495a57efb3920ff95d80
SHA512
cc78022274afbfefca16560dadbf999215762202e4699107fb3b2c3ddc111053383d038c88252b8885a712b842974acc29ff07d4fe4e19ffd23e00e119f0326b
-
Filesize
1.9MB
MD5
431f15fd2fc419f202a6c4b0f52167e7
SHA1
64ac0bcf100a58ac1ba128b9c0f0b374c08850e7
SHA256
43336bcb85d08f10f987fd917e7dee4dd7a6f9ea44e31c79159aebba0d2d3025
SHA512
d450c92220747a8e862949569a2b6d413eff973318c5302c227f3d87a75ff6428588462bab81df7e689e522e1add8953d453d53e46cd6e47c662e3446fea2376
-
Filesize
1.6MB
MD5
80651c0fba2d44c39177b0d9dfca1d0a
SHA1
faade327b3460a0978abc06dd9a656d91f57b19c
SHA256
fabacac008c5e55abb05a498287ad1831a27d01d919fb2001b5bd108103e6658
SHA512
063345008992b079cf7372b69732344de8ee774d41575cf982775500812fda8d0e911669813901992934c6dc9f5903d6b69be1516f6b8c27c94befd1bd42cc72
-
Filesize
2.0MB
MD5
559750b6b25d1298b38d59dfb9fbd9ce
SHA1
f246c61185aebf3560e1a9988f176648842ee421
SHA256
d6e7b37a158ab19e3f05ba137909957e0fc4c5de788970b1949a1ca025c9254a
SHA512
0e517385ae5bc4214de8bc36dfc7f41019d7a13c912b1111b4b4467ed6fa84de0aaef420e0501f89967d15f5235757616d10cd6e7ec5556c3f5e45689dda5e72
-
Filesize
1.5MB
MD5
b0265011cfa13a94627ff8d24dc77392
SHA1
c33615c1033ce4e78cc80a42b4ddbbcf8601cf24
SHA256
5043bb3869c3bd5eecdbdbfbad64b96fe0b4fa1d06c587d4d2c167341c41daea
SHA512
678823f6fb1ba5ea4be4e2102e2de116fb820eaf74fd8aee09b55483d075c7b4260ad11cb3595611d753378a4e9c4156762943f3f3ad72c06751c1d9dd61f056
-
Filesize
1.2MB
MD5
6d7dea531cc3c5cfbb00498c70e0f241
SHA1
b2f227ed305d445b8ad130a4d71c9f9ed594ff71
SHA256
7ee21ae12dfffe037831002a4fbc416b034e5c19b56d37f15c2d4795e0a9a3ac
SHA512
4ad4c86cfb78a3fd3c239689642933451bc95afc0393104e20070c6b046d9c20dbc74bf552abeeea6ec658b186e45217c4f3da5402ec4653f7fa733db1e631c5
-
Filesize
2.0MB
MD5
983ed8b834f19c2642e5684a0b3875f4
SHA1
b0b77367375512b3e9bbe692c5a0dea70388c7ab
SHA256
93020797514366e3b08e982dfc96203c1178b77593c3840653ca4972b2696b96
SHA512
b1b5d03dbb1b520406bd845695160332cb3acf566dee940763a01bc92f7f61199a73062b3f51fd28c1436d6ef2d0b7c67e76424ab1beec71d8eff43ecae40a9b
-
Filesize
1.4MB
MD5
33ef6c66277575fcdc7b731a716715b3
SHA1
3e46f2416330515fde8751267ade9219ee439ebc
SHA256
540cd74ee9dab8f2fc6a2092021d2d480d5ae7701b43455dce77231840b9e9a1
SHA512
f6ef2a745abadc5053520f620021fdbc36619c9a629eabb41a71526cb882107ccf98c06631607ad90a9a652685818c0ac63385a024f29b98c739912ad321dfc7
-
Filesize
1.5MB
MD5
9b4b30b682814c4700ae70221cbf8ea4
SHA1
cd2e945da9aaa1cc3ebe127a64d07e5f6e95d87d
SHA256
4c6e8b5a7ffb9893d6fe1db2c1a9ef00ef0cc70dcdff2202db058a842e751b07
SHA512
8ae2eb882b407265b7b15426f7b680a2282b20c9b85173ec53bd0aa7a73eb3fa2b50a9219a51c270495dd94aa392d548de903c3871f69980687683bf31fdad3c
-
Filesize
1.2MB
MD5
1bf4b120f2da4e322b4589e9f254ea8f
SHA1
7da07cce6a28812c1b4b3bbfa6a486eabfe36c35
SHA256
98eab37c7c569aa7bdba3c2aeff6d7e9d6522ca3d2ad354f6cce2208e1eed441
SHA512
8ef0112fe9a6c7214e68ef74da97375232c167092bc3db37fb3fa6bec65cf1c65cac519c6d7fca57d746e10acbbaa28fe0ebc2fe73f0b0c73b85a98a8f42bc00
-
Filesize
1.4MB
MD5
e135b257cf9e56ae3ad472bde692d82d
SHA1
330f969433f667f0e0f6b88cdcd2552f3f3bd23c
SHA256
16cb2ed08f604ae6dd55b5cd27bc9cbd4bfdba3d4519820cadcd6b22306850bc
SHA512
f417e7dfef12af7eac3161bb69687b9afda40cb1f524be32607ef890b400ef881a7d8e1a1e25e303229c03042767f575027bffb4df982a2c84d71d91c36c8091
-
Filesize
1.2MB
MD5
5fb230ff60ff2ebc979ffdab7aefc230
SHA1
e90740faa6a3b0d6a0dc3285b310dcf335f32db6
SHA256
a9b9a929f8859496b42584f029218e3c0537f920d71d0df71d0e98c4ad4d8100
SHA512
9723ea2044f12d019cc4057fa65ec6037f703c58b91374ba534918637893078aad03c916764f3a9a168fedc110e3a9de203867aed75141f3275bbd662429a1be
-
Filesize
1.9MB
MD5
c9019af5c93219b073ae2ac5efc11cb0
SHA1
df322612f9fae86429750d2fc67c7eea101954ad
SHA256
017197405691cc4171a92210fc50918f9202f892e8ddc38392f1e8e5c632954f
SHA512
b8c878b843d116349ee71b543888553a325df3d5669c9703aaea65a1e5c28fc400f1060f4810b3e3497a078b5498914ade82e79cc100f63113a34defb8e2119f
-
Filesize
1.2MB
MD5
2c6eefa52292670fb396333f886001b2
SHA1
153e8176595ef6dcb2b82b24505c66df4878e9e7
SHA256
fa6619908a94a638f7664d4eb039dab2359315776853410bdaa34e5895b8a8ea
SHA512
26cb7d545abec213aaffdf02349fb88dedd5f2b76988f2bce61118fc8adde87c77ea7b22368ea59cc083bb126650e81d7d30e5734fb87d79f9a4814e04cade72