Analysis
- max time kernel: 161s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-04-2024 05:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
- Size: 1.6MB
- MD5: 78f3a1793ce06093cbba5023d29e650e
- SHA1: c4d5739de577f3d4715d3f0ff9eda8b8e69f63f8
- SHA256: 948a99a872a34e0d7456de1a4f268b24d82e33ee7e41991b6cb03fdae8242e3a
- SHA512: ed67a96a9eb2bdf62b1ec6d796aa1f2350fc9c73b8c318f6d21e5b63d60bf4f94364a3b345b1667f3c78bedd48eb8c0192984d1b40bf07f40160b69a5f94c0c6
- SSDEEP: 24576:xPHeMy8QQGeQrRUm7KAd6JtFMGFWwH5iksXSGBwKMDHreO9w7chAdaD38VvhYPjs:tbhSnKAwCWjZmXtgBwpi3Fj5Ngb9
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
pid | Process
2896 | alg.exe
4596 | DiagnosticsHub.StandardCollector.Service.exe
1624 | fxssvc.exe
4536 | elevation_service.exe
1312 | elevation_service.exe
3540 | maintenanceservice.exe
3472 | msdtc.exe
2880 | OSE.EXE
4076 | PerceptionSimulationService.exe
1564 | perfhost.exe
4708 | locator.exe
1120 | SensorDataService.exe
4588 | snmptrap.exe
3980 | spectrum.exe
5028 | ssh-agent.exe
4484 | TieringEngineService.exe
4140 | AgentService.exe
3588 | vds.exe
4780 | vssvc.exe
3080 | wbengine.exe
3972 | WmiApSrv.exe
5040 | SearchIndexer.exe
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 15 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
680 | Process not Found
680 | Process not Found
Suspicious use of AdjustPrivilegeToken 37 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4968 | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeAuditPrivilege | 1624 | fxssvc.exe
Token: SeRestorePrivilege | 4484 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 4484 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 4140 | AgentService.exe
Token: SeBackupPrivilege | 4780 | vssvc.exe
Token: SeRestorePrivilege | 4780 | vssvc.exe
Token: SeAuditPrivilege | 4780 | vssvc.exe
Token: SeBackupPrivilege | 3080 | wbengine.exe
Token: SeRestorePrivilege | 3080 | wbengine.exe
Token: SeSecurityPrivilege | 3080 | wbengine.exe
Token: 33 | 5040 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5040 | SearchIndexer.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 5040 wrote to memory of 3508 | 5040 | SearchIndexer.exe | 127
PID 5040 wrote to memory of 3508 | 5040 | SearchIndexer.exe | 127
PID 5040 wrote to memory of 5148 | 5040 | SearchIndexer.exe | 129
PID 5040 wrote to memory of 5148 | 5040 | SearchIndexer.exe | 129
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe"
Process tree level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Process tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
PID:2896
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Process tree level: 1
- Executes dropped EXE
PID:4596
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Process tree level: 1
PID:3776
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4536
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1312
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3540
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3472
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2880
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4076
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:81⤵PID:1324
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4708
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1120
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4588
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3980
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:5028
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4140
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1476
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3588
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3972
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3508
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵PID:5148
-
Network
MITRE ATT&CK Enterprise v15
Downloads