Analysis
  max time kernel: 144s
  max time network: 136s
  platform: windows10-2004_x64
  resource: win10v2004-20240419-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30/04/2024, 17:31
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: https://mlsendfi.com/
    Resource: win10v2004-20240419-en

General
  Target: https://mlsendfi.com/
Malware Config
Signatures

Drops file in System32 directory (12 IoCs)
  description | ioc | process
  - File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-877519540-908060166-1852957295-1000_UserData.bin | svchost.exe
  - File opened for modification | C:\Windows\system32\SRU\SRU.chk | svchost.exe
  - File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | svchost.exe
  - File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{2fec1223-1ef3-415f-9401-d4ec9600e6c4}\snapshot.etl | svchost.exe
  - File created | C:\Windows\system32\NDF\{DBA3B473-82CA-4C77-83D1-20A7A7AEF6E0}-temp-04302024-1733.etl | svchost.exe
  - File opened for modification | C:\Windows\system32\NDF\{DBA3B473-82CA-4C77-83D1-20A7A7AEF6E0}-temp-04302024-1733.etl | svchost.exe
  - File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{2fec1223-1ef3-415f-9401-d4ec9600e6c4}\snapshot.etl | svchost.exe
  - File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | svchost.exe
  - File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-877519540-908060166-1852957295-1000_StartupInfo3.xml | svchost.exe
  - File opened for modification | C:\Windows\system32\SRU\SRU.log | svchost.exe
  - File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | svchost.exe
  - File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | svchost.exe

Drops file in Windows directory (1 IoC)
  description | ioc | process
  - File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk | svchost.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  - Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Gathers network information (2 TTPs, 1 IoC)
Uses command-line utility to view network configuration.
  pid | process
  - 1452 | ipconfig.exe

Modifies data under HKEY_USERS (4 IoCs)
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial | svchost.exe
  - Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default | svchost.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | process | occurrences
  - 4612 | msedge.exe | 2
  - 3264 | msedge.exe | 2
  - 4880 | identity_helper.exe | 2
  - 4448 | sdiagnhost.exe | 2
  - 5124 | svchost.exe | 2
  - 3508 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  pid | process | occurrences
  - 3264 | msedge.exe | 11

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  - Token: SeDebugPrivilege | 4448 | sdiagnhost.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | process | occurrences
  - 3264 | msedge.exe | 25
  - 2628 | msdt.exe | 1

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process | occurrences
  - 3264 | msedge.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target | occurrences
  - PID 3264 wrote to memory of 5020 | 3264 | msedge.exe | 83 | 2
  - PID 3264 wrote to memory of 4200 | 3264 | msedge.exe | 84 | 40
  - PID 3264 wrote to memory of 4612 | 3264 | msedge.exe | 85 | 2
  - PID 3264 wrote to memory of 3836 | 3264 | msedge.exe | 86 | 20

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(tree depth taken from the report's 1⤵ / 2⤵ markers; depth-2 entries are indented under the preceding depth-1 entry)

PID 3264: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mlsendfi.com/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    PID 5020: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdb7046f8,0x7fffdb704708,0x7fffdb704718

    PID 4200: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

    PID 4612: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    PID 3836: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:8

    PID 4960: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

    PID 5048: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

    PID 1816: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8

    PID 4880: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 3760: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1

    PID 5092: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

    PID 4308: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

    PID 4500: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

    PID 2648: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1

    PID 1804: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

    PID 2628: C:\Windows\system32\msdt.exe
      Command line: -modal "262682" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF85AB.tmp" -ep "NetworkDiagnosticsWeb"
      - Suspicious use of FindShellTrayWindow

    PID 5660: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

    PID 3256: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

    PID 3508: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5856 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    PID 5288: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

PID 1464: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4204: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4448: C:\Windows\System32\sdiagnhost.exe
  Command line: C:\Windows\System32\sdiagnhost.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

    PID 3680: C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

    PID 5340: C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

    PID 1452: C:\Windows\system32\ipconfig.exe
      Command line: "C:\Windows\system32\ipconfig.exe" /all
      - Gathers network information

    PID 5632: C:\Windows\system32\ROUTE.EXE
      Command line: "C:\Windows\system32\ROUTE.EXE" print

    PID 1716: C:\Windows\system32\makecab.exe
      Command line: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf

PID 5124: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses

PID 5152: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

    PID 6040: C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun

PID 5180: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

PID 4696: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043017.000\NetworkDiagnostics.debugreport.xml