Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 148s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 21/04/2024, 00:55
Static task: static1
Behavioral task: behavioral1
  Sample: 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
  Resource: win7-20240221-en
General
  Target: 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
  Size: 1.4MB
  MD5: 1b5ef1a77d711af341cda60e9a2ccd3a
  SHA1: 20bec02ed9ec1d3155189ba51d985cc448de1d62
  SHA256: 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55
  SHA512: 9c50cd114105cf85e6c7e18efcee41e5adaf09ce076f60e7d7e233fd2425ef07326b9e021fcb2b7ebb034e4294b7edcee6fabfd9106d0e371bc145ee796acaa3
  SSDEEP: 12288:/2iEExbs8rHos3KcZt+8x/T5zpBzqUV6jWOev+C3oaxj9y97HQKjs:OOtTTos3TZBRXzqCO+t3oagF
Malware Config
Signatures

Executes dropped EXE (52 IoCs)
Triage flags every process whose image file was written during the run. Here that is the set of C:\Windows service binaries the sample itself opened for writing (alg.exe, dllhost.exe, ehRecvr.exe, ehsched.exe, mscorsvw.exe, aspnet_state.exe; see the "Drops file" signatures below) together with the further service and application executables that aspnet_state.exe and mscorsvw.exe opened for writing once they were running. "Process not Found" means the pid could not be resolved to a process name when the report was generated.
pid   Process
468   Process not Found
2668  alg.exe
2764  aspnet_state.exe
2616  mscorsvw.exe
2484  mscorsvw.exe
1264  mscorsvw.exe
2820  mscorsvw.exe
2012  ehRecvr.exe
1052  ehsched.exe
1704  mscorsvw.exe
2780  mscorsvw.exe
2384  mscorsvw.exe
1048  mscorsvw.exe
1980  mscorsvw.exe
1968  mscorsvw.exe
528   dllhost.exe
2340  elevation_service.exe
2708  IEEtwCollector.exe
1996  GROOVE.EXE
2732  maintenanceservice.exe
1732  msdtc.exe
944   msiexec.exe
1692  OSE.EXE
1560  OSPPSVC.EXE
908   perfhost.exe
1848  mscorsvw.exe
2296  locator.exe
2112  snmptrap.exe
2860  vds.exe
2528  vssvc.exe
936   wbengine.exe
1428  WmiApSrv.exe
2848  wmpnetwk.exe
2072  SearchIndexer.exe
2000  mscorsvw.exe
2140  mscorsvw.exe
836   mscorsvw.exe
2592  mscorsvw.exe
2568  mscorsvw.exe
1504  mscorsvw.exe
1760  mscorsvw.exe
1424  mscorsvw.exe
1488  mscorsvw.exe
3056  mscorsvw.exe
1104  mscorsvw.exe
2236  mscorsvw.exe
2344  mscorsvw.exe
2108  mscorsvw.exe
804   mscorsvw.exe
2496  mscorsvw.exe
2884  mscorsvw.exe
2420  mscorsvw.exe
Loads dropped DLL (15 IoCs)
pid   Process             rows
468   Process not Found   8
944   msiexec.exe         1
468   Process not Found   5
764   Process not Found   1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are attached to this signature in the report, so it does not say which process performed the read.
Drops file in System32 directory (21 IoCs)
"File opened for modification" records that the file was opened with write access. The two rows attributed to the sample (alg.exe and dllhost.exe) are the start of the chain; the aspnet_state.exe and mscorsvw.exe rows are the already-running service binaries opening further service executables in the same way.
description | ioc | Process
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | mscorsvw.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | mscorsvw.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8cc78722ae4ef42b.bin | aspnet_state.exe
File opened for modification | C:\Windows\system32\dllhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
Drops file in Program Files directory (64 IoCs)
Every row is aspnet_state.exe or mscorsvw.exe opening a third-party or Microsoft application executable with write access; the sample itself does not appear. Three tables in this report stop at exactly 64 rows, which suggests a display cap rather than a complete list.
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | mscorsvw.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | mscorsvw.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | aspnet_state.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | aspnet_state.exe
Drops file in Windows directory (36 IoCs)
The rows attributed to the sample are the .NET service binaries (mscorsvw.exe in all four framework directories, aspnet_state.exe) and the Media Center services (ehRecvr.exe, ehsched.exe); all of them appear later under "Executes dropped EXE". The ngen*.lock / *.dat / ngen_service.log rows are the .NET optimization service's own lock and log files and are created whenever mscorsvw.exe runs.
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DAA49BC8-B4CA-4E69-8F46-6DDB1F8E8197}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DAA49BC8-B4CA-4E69-8F46-6DDB1F8E8197}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
Modifies data under HKEY_USERS (64 IoCs)
None of these rows is attributed to the sample. They come from Windows Search (SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe), Media Player sharing (wmpnetwk.exe), Media Center (ehRecvr.exe) and Office licensing (OSPPSVC.EXE), i.e. the services the sample caused to start, writing their own MuiCache, SBE and configuration state under the .DEFAULT hive because they run as SYSTEM. Treat this signature as noise from the started services, not as sample behaviour. (The value name "CommitMaxCheckPoitnRateMs" is spelled that way in Windows itself.)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{41D9D081-6C51-4AD9-A3F5-6C25595D03BD} | wmpnetwk.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 | OSPPSVC.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040b53dd68693da01 | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music." | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   Process           rows
2764  aspnet_state.exe  5
Suspicious use of AdjustPrivilegeToken (28 IoCs)
The first row is the one that matters: the sample (PID 2656) enabled SeTakeOwnershipPrivilege before opening alg.exe, dllhost.exe and the .NET and Media Center service binaries for writing. Those files are owned by TrustedInstaller with read/execute only for Administrators, so taking ownership (and then rewriting the DACL) is how an elevated process gets write access to them. The aspnet_state.exe rows (PID 2764: SeTakeOwnershipPrivilege, then SeDebugPrivilege alongside its EnumeratesProcesses hits) show the modified service binary doing the same. The remaining rows are the started services enabling their usual privileges: SeShutdownPrivilege for the .NET optimization service, SeBackup/SeRestore/SeSecurity for msiexec, vssvc and wbengine, SeManageVolume and SeIncBasePriority for the indexer and Media Player sharing. "33" is the privilege LUID as Triage logged it, not resolved to a name.
description | pid | Process
Token: SeTakeOwnershipPrivilege | 2656 | 9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
Token: SeShutdownPrivilege | 1264 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeShutdownPrivilege | 1264 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeShutdownPrivilege | 1264 | mscorsvw.exe
Token: SeShutdownPrivilege | 1264 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 2764 | aspnet_state.exe
Token: SeRestorePrivilege | 944 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 944 | msiexec.exe
Token: SeSecurityPrivilege | 944 | msiexec.exe
Token: SeBackupPrivilege | 2528 | vssvc.exe
Token: SeRestorePrivilege | 2528 | vssvc.exe
Token: SeAuditPrivilege | 2528 | vssvc.exe
Token: SeBackupPrivilege | 936 | wbengine.exe
Token: SeRestorePrivilege | 936 | wbengine.exe
Token: SeSecurityPrivilege | 936 | wbengine.exe
Token: SeManageVolumePrivilege | 2072 | SearchIndexer.exe
Token: 33 | 2072 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2072 | SearchIndexer.exe
Token: 33 | 2848 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2848 | wmpnetwk.exe
Token: SeDebugPrivilege | 2764 | aspnet_state.exe
Token: SeShutdownPrivilege | 1264 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeDebugPrivilege | 1264 | mscorsvw.exe
Suspicious use of SetWindowsHookEx (27 IoCs)
Both pids are SearchProtocolHost.exe instances started by SearchIndexer.exe (see the WriteProcessMemory rows); the sample does not appear here.
pid   Process                 rows
2548  SearchProtocolHost.exe  6
1772  SearchProtocolHost.exe  21
Suspicious use of WriteProcessMemory (64 IoCs)
Every row is a parent writing into a child it has just started: mscorsvw.exe (1264, the .NET optimization service) into the NGen worker processes listed under "Executes dropped EXE", and SearchIndexer.exe (2072) into its helper processes (2548 is SearchProtocolHost.exe per the SetWindowsHookEx rows). This is the process start-up pattern, not cross-process injection; the sample's PID 2656 does not appear in the 64 rows shown. The "rows" column counts identical consecutive rows in the report.
description | pid | Process | procid_target | rows
PID 1264 wrote to memory of 1704 | 1264 | mscorsvw.exe | 36 | 4
PID 1264 wrote to memory of 2780 | 1264 | mscorsvw.exe | 37 | 4
PID 1264 wrote to memory of 2384 | 1264 | mscorsvw.exe | 38 | 4
PID 1264 wrote to memory of 1048 | 1264 | mscorsvw.exe | 39 | 4
PID 1264 wrote to memory of 1980 | 1264 | mscorsvw.exe | 40 | 4
PID 1264 wrote to memory of 1968 | 1264 | mscorsvw.exe | 41 | 4
PID 1264 wrote to memory of 1848 | 1264 | mscorsvw.exe | 54 | 4
PID 1264 wrote to memory of 2000 | 1264 | mscorsvw.exe | 63 | 4
PID 2072 wrote to memory of 2548 | 2072 | SearchIndexer.exe | 64 | 3
PID 1264 wrote to memory of 2140 | 1264 | mscorsvw.exe | 65 | 4
PID 2072 wrote to memory of 440 | 2072 | SearchIndexer.exe | 66 | 3
PID 1264 wrote to memory of 836 | 1264 | mscorsvw.exe | 67 | 4
PID 1264 wrote to memory of 2592 | 1264 | mscorsvw.exe | 68 | 4
PID 1264 wrote to memory of 2568 | 1264 | mscorsvw.exe | 69 | 4
PID 1264 wrote to memory of 1504 | 1264 | mscorsvw.exe | 70 | 4
PID 1264 wrote to memory of 1760 | 1264 | mscorsvw.exe | 71 | 4
PID 1264 wrote to memory of 1424 | 1264 | mscorsvw.exe | 72 | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
C:\Users\Admin\AppData\Local\Temp\9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2656

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2616

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1264

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1704

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2780

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2384

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1048

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 254 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1980

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 254 -NGENProcess 238 -Pipe 248 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1968

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 234 -NGENProcess 1f0 -Pipe 238 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1848

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2000

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 280 -NGENProcess 1ac -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2140

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 234 -Pipe 288 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 836

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 184 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2592

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d4 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2568

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 234 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1504

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 2a0 -Pipe 270 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1760

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 298 -NGENProcess 2a4 -Pipe 26c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1424

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 24c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1488

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1ac -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3056

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 24c -NGENProcess 1d4 -Pipe 120 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1104

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 24c -NGENProcess 11c -Pipe 2a8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2236

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 29c -Pipe 234 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2344

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 11c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2108

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 804

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (child of PID 1264)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 1d8 -Pipe 2a4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2820

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (child of PID 2820)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 194 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2884

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (child of PID 2820)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 22c -NGENProcess 214 -Pipe 224 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2420

C:\Windows\ehome\ehRecvr.exe
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2012

C:\Windows\ehome\ehsched.exe
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE
  PID: 1052

C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 2340

C:\Windows\system32\IEEtwCollector.exe
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE
  PID: 2708

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 2732

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1732

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 944

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1692

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1560

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 908

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2296

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2112

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2860

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2528

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 936

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 1428

C:\Program Files\Windows Media Player\wmpnetwk.exe
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2848

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2072

  C:\Windows\system32\SearchProtocolHost.exe (child of PID 2072)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID: 2548

  C:\Windows\system32\SearchFilterHost.exe (child of PID 2072)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    - Modifies data under HKEY_USERS
    PID: 440

  C:\Windows\system32\SearchProtocolHost.exe (child of PID 2072)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 1772

Network
MITRE ATT&CK Enterprise v15
Downloads