Analysis

max time kernel: 104s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:39

Static task: static1
Behavioral task: behavioral1
Sample: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Resource: win7-20240215-en
General

Target: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Size: 1.2MB
MD5: c297662ff1585f3e893e47c4c68c56c3
SHA1: 75863127ecce4742f7f781d0e9e71a1592254e42
SHA256: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4
SHA512: 39fcec01ae48648366c334db3a3c220150795ec31ad1613da096f4e33901ab4f29e451a12d34012fbf02ab653bbe80de4d04207964fc82fe495c1ab38bf4bcd3
SSDEEP: 12288:Fgq7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi++:FgqCks7WE9F5pwg8zmdqQjC60jiHkU
Malware Config
Signatures
Executes dropped EXE (60 IoCs)
Processes: alg.exe, aspnet_state.exe, mscorsvw.exe, ehRecvr.exe, ehsched.exe, elevation_service.exe, IEEtwCollector.exe, GROOVE.EXE, maintenanceservice.exe, msdtc.exe, msiexec.exe, OSE.EXE, OSPPSVC.EXE, perfhost.exe, locator.exe, snmptrap.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, wmpnetwk.exe, SearchIndexer.exe, dllhost.exe

pid | process
484
1724 | alg.exe
2772 | aspnet_state.exe
2420 | mscorsvw.exe
2388 | mscorsvw.exe
2580 | mscorsvw.exe
1300 | mscorsvw.exe
1584 | ehRecvr.exe
760 | ehsched.exe
2612 | elevation_service.exe
1384 | IEEtwCollector.exe
2176 | GROOVE.EXE
1680 | maintenanceservice.exe
1424 | msdtc.exe
2140 | msiexec.exe
2668 | OSE.EXE
2440 | OSPPSVC.EXE
2876 | perfhost.exe
844 | locator.exe
2732 | snmptrap.exe
2204 | vds.exe
2912 | vssvc.exe
3052 | wbengine.exe
2364 | WmiApSrv.exe
1628 | wmpnetwk.exe
1848 | SearchIndexer.exe
1992 | mscorsvw.exe
2828 | mscorsvw.exe
1368 | mscorsvw.exe
2720 | mscorsvw.exe
1472 | mscorsvw.exe
2656 | mscorsvw.exe
2100 | mscorsvw.exe
2420 | mscorsvw.exe
888 | mscorsvw.exe
1720 | mscorsvw.exe
2168 | mscorsvw.exe
1408 | mscorsvw.exe
528 | mscorsvw.exe
1888 | mscorsvw.exe
2468 | mscorsvw.exe
2720 | mscorsvw.exe
1460 | mscorsvw.exe
2960 | mscorsvw.exe
2260 | mscorsvw.exe
2752 | mscorsvw.exe
2564 | mscorsvw.exe
1592 | mscorsvw.exe
1520 | mscorsvw.exe
2408 | mscorsvw.exe
2720 | mscorsvw.exe
2420 | dllhost.exe
1004 | mscorsvw.exe
2648 | mscorsvw.exe
2932 | mscorsvw.exe
1336 | mscorsvw.exe
2312 | mscorsvw.exe
2424 | mscorsvw.exe
1540 | mscorsvw.exe
1984 | mscorsvw.exe
Loads dropped DLL (19 IoCs)
Processes: msiexec.exe, mscorsvw.exe

pid | process
484
484
484
484
484
484
484
2140 | msiexec.exe
484
484
484
484
484
736
484
2312 | mscorsvw.exe
2312 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (21 IoCs)
Processes: alg.exe, GROOVE.EXE, 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe, msdtc.exe, SearchProtocolHost.exe

description | ioc | process
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\msdtc.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\locator.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\System32\alg.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4234b7c0bfe435d8.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
Drops file in Program Files directory (64 IoCs)
Processes: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe, alg.exe

description | ioc | process
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | alg.exe
Drops file in Windows directory (50 IoCs)
Processes: mscorsvw.exe, 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe, alg.exe, dllhost.exe, msdtc.exe

description | ioc | process
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8E0D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9444.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | alg.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B882B0A6-820C-4CE1-A816-6350AA44275D}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B882B0A6-820C-4CE1-A816-6350AA44275D}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | alg.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, ehRec.exe, SearchIndexer.exe, ehRecvr.exe, wmpnetwk.exe, SearchFilterHost.exe, GROOVE.EXE

description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0ac60f54489da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090f9ddf24489da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game." | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes: ehRec.exe, 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe

pid | process
768 | ehRec.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1728 | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes (token privilege, pid, process; consecutive identical entries collapsed as ×n):
SeTakeOwnershipPrivilege    1728  97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
33                          2208  EhTray.exe
SeIncBasePriorityPrivilege  2208  EhTray.exe
SeDebugPrivilege            768   ehRec.exe
33                          2208  EhTray.exe
SeIncBasePriorityPrivilege  2208  EhTray.exe
SeRestorePrivilege          2140  msiexec.exe
SeTakeOwnershipPrivilege    2140  msiexec.exe
SeSecurityPrivilege         2140  msiexec.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeBackupPrivilege           2912  vssvc.exe
SeRestorePrivilege          2912  vssvc.exe
SeAuditPrivilege            2912  vssvc.exe
SeBackupPrivilege           3052  wbengine.exe
SeRestorePrivilege          3052  wbengine.exe
SeSecurityPrivilege         3052  wbengine.exe
SeShutdownPrivilege         2580  mscorsvw.exe (×2)
SeShutdownPrivilege         1300  mscorsvw.exe (×2)
33                          1628  wmpnetwk.exe
SeIncBasePriorityPrivilege  1628  wmpnetwk.exe
SeManageVolumePrivilege     1848  SearchIndexer.exe
33                          1848  SearchIndexer.exe
SeIncBasePriorityPrivilege  1848  SearchIndexer.exe
SeDebugPrivilege            1728  97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe (×5)
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeDebugPrivilege            1724  alg.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe (×3)
SeShutdownPrivilege         1300  mscorsvw.exe (×3)
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
SeShutdownPrivilege         1300  mscorsvw.exe
SeShutdownPrivilege         2580  mscorsvw.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EhTray.exepid process 2208 EhTray.exe 2208 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
EhTray.exepid process 2208 EhTray.exe 2208 EhTray.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
SearchProtocolHost.exepid process 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe 1872 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid, source process, target pid, target process; consecutive identical entries collapsed as ×n):
2580  mscorsvw.exe       -> 1992  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 2828  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 1368  mscorsvw.exe (×4)
1848  SearchIndexer.exe  -> 1872  SearchProtocolHost.exe (×3)
1848  SearchIndexer.exe  -> 2392  SearchFilterHost.exe (×3)
2580  mscorsvw.exe       -> 2720  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 1472  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 2656  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 2100  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 2420  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 888   mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 1720  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 2168  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 1408  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 528   mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 1888  mscorsvw.exe (×4)
2580  mscorsvw.exe       -> 2468  mscorsvw.exe (×2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (command line, observed behaviours, PID; child processes are indented under their parent)
"C:\Users\Admin\AppData\Local\Temp\97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1728

C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID: 2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2420

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2580
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1992
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2828
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1368
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 25c -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2720
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1472
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 234 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2656
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 258 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2100
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2420
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 234 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 888
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 268 -Pipe 234 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1720
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1cc -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2168
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 280 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1408
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 1cc -Pipe 250 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 528
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1888
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 280 -NGENProcess 248 -Pipe 1cc -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2468
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 290 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2720
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 27c -Pipe 23c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1460
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 28c -Pipe 248 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2960
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2260
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 288 -Pipe 238 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2752
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 1d0 -Pipe 2a0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2564
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1592
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 27c -NGENProcess 2ac -Pipe 278 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1520
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1e4 -NGENProcess 2a0 -Pipe 224 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1004
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 298 -Pipe 258 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2648
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 274 -Pipe 234 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2932
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e4 -NGENProcess 1e8 -Pipe 254 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1336
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 274 -Pipe 1f0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID: 2312
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 1e4 -Pipe 298 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2424
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e4 -NGENProcess 25c -Pipe 214 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID: 1540
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1e8 -NGENProcess 1bc -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1984
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1c8 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  PID: 1952
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 26c -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  PID: 1292
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 26c -Pipe 1e0 -Comment "NGen Worker Process"
  PID: 1460
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 26c -NGENProcess 1c8 -Pipe 29c -Comment "NGen Worker Process"
  PID: 2896
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  PID: 1440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1300
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2408
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2720

C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1584

C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID: 760

"C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2208

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 2612

C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 768

C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID: 1384

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 2176

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1680

C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 1424

C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2140

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2668

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
PID: 2440

C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2876

C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 844

C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2732

C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 2204

C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2912

"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3052

C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2364

"C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1628

C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1848
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 1872
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  - Modifies data under HKEY_USERS
  PID: 2392

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID: 2420
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize: 24B
MD5: b9bd716de6739e51c620f2086f9c31e4
SHA1: 9733d94607a3cba277e567af584510edd9febf62
SHA256: 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512: cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize: 148KB
MD5: ac901cf97363425059a50d1398e3454b
SHA1: 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256: f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512: 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize: 41KB
MD5: 3c269caf88ccaf71660d8dc6c56f4873
SHA1: f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256: de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512: bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize: 210KB
MD5: 4f40997b51420653706cb0958086cd2d
SHA1: 0069b956d17ce7d782a0e054995317f2f621b502
SHA256: 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512: e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize: 59KB
MD5: 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1: b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256: a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512: 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize: 42KB
MD5: 71d4273e5b77cf01239a5d4f29e064fc
SHA1: e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256: f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512: 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
Filesize
1.2MB
MD5326785c42e2520b031b318cf0fc8fdc7
SHA1a1622a1a36d170add238525f633c223285891d0b
SHA25665ed0b6beba50509956d2fcfade6f1f52af8716e12c4bcd2419a6ef0f9678de8
SHA512582ca974035494c4a209cd16b7de104fbb5f3350ba0ffe3019c8d2f3f067b0977bebdf977241838ccb19bccaaec52545b84bf206dbdb351cd25098708ba8f229
-
Filesize
1.3MB
MD5d2e906e355c7286be11866dd917296ed
SHA1fd02475bb354b59e043bc39e29efd1460d86ab38
SHA256e74f6f6d940c6a57ef998cba163bd6906a10a6ff38a2786f1d9f9167666dfbfe
SHA512b3246351c9a3a293490f8b6bcbb459a8408b931f2eb0703cd4d78e07b301ce420efe1d14274f2c26e74fbfb5223e195a4c78b451a1e504f21fa16eb6f117e2f9
-
Filesize
2.0MB
MD51fecb0a1cfbff78fc286e70c042bcc69
SHA1abb91f7b44f26e57c7c27e7fb016ee53b2c6156b
SHA256c80be808b03557a623b063a1c9bcbded26607144ab1af98e7aa0e5226f0b856e
SHA512775275e69b6b5ad80ef902a90e3d397b13d0131144f12046327948c9b8801ace4e6ab5d543c0efad34456cfa02986cae3257d331e8e8bcfc24e54ae13d2f2cfc
-
Filesize
1.2MB
MD588bbebcabb42762e3879078b32421686
SHA14529d27b195a0709ffb18851ef29ac78a4314b32
SHA2569e4195958ef86288739606f9f179d7d344fda5fde13792b2fa7dae3663e395da
SHA512e7fe43b3c3d5f4c507198d635a2e55d66abcd0118d93d52093cf37caae79edffc3605a3897a54f83b6445b505198e2edf92671ca702670222d25c792e2010678
-
Filesize
1.3MB
MD518f9b71f9bb56a848e0c9bd6be9aa80e
SHA138b519966f6cc3e8d8b4d17dcc4342c130ebb42d
SHA256065217ca9b3e6b149af0236381841111deed2d4bb93c04dd33fd9fc5f4f49257
SHA5121a8c9bc6f3954fe933e390132bc0e68f1e85efa8789720f11f45248e9a252cbfb3d3ae3f5e6417809eb3ad0f02f0fc7fefc2ae1ab389bf790557ff994976866c
-
Filesize
1.3MB
MD55fcedab78a8b07da157260a79f357e86
SHA1ff9f920e68dfd5e07bd6d6933284cc4ea7b81c69
SHA2566f73f13c4e635153fe47acc1f270a88c4cec9ac38a24db2d815ca6ec3527c921
SHA512e81da7af560f359ea6aff9ca5b7b39ea2bbd1d6d9535f89d6c3c30ca00bcc4ec4750e96dbd80af14cc35edac0e67b7a81dc32d0284297be631d124c6a860882f
-
Filesize
1.4MB
MD58dc4df4828a38676825262552e7f6a55
SHA19056250ad04431ab2fe8420151c29806e12729cd
SHA2563e41945b6e6ab26628bafcc44690af32a9042114b798250568f43a9b74466cb5
SHA5126954106436798d03e5fd0d239ad87deec77728476089d638a9748312c918effc5fabec9f2863c549e51cd16b0bc1cc9bc40877226cc860a9267a67ce12cb6f58