Resubmissions
18-05-2024 07:56
240518-js2a6aaf51 1017-05-2024 19:50
240517-ykrjbaga59 1017-05-2024 19:47
240517-yhmscaff8t 10Analysis
-
max time kernel
1078s -
max time network
1083s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
17-05-2024 19:50
General
-
Target
https://oxy.st/d/BNQh
Malware Config
Extracted
xworm
pacific-ambient.gl.at.ply.gg:44633
-
Install_directory
%AppData%
-
install_file
WindowsUpdate.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 58 IoCs
-
Checks SCSI registry key(s) 3 TTPs 32 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 29 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.st/d/BNQh1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3752 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4748 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5532 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4816 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=4112 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4988 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5388 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6232 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6376 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5648 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6780 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5608 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6380 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6396 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5520 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7376 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=7492 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\Downloads\Nitama External.exe"C:\Users\Admin\Downloads\Nitama External.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nitama External.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nitama External.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdate.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\SystemPropertiesComputerName.exe"C:\Windows\System32\SystemPropertiesComputerName.exe"2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\SystemPropertiesRemote.exe"C:\Windows\system32\SystemPropertiesRemote.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6444 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f8 0x4101⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7882⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
471B
MD501c5576b1f7cc9c711955af4885f93d1
SHA1b0cba089872af0dca5f2a22b37f72ed5345627c8
SHA25608bc4e90c79a32858b7b8b06793424143e1c7fe32c60e87501878f5104c25f91
SHA512cf93a69eb315c4f2e07760f8a0c57caa03e7693998fe2e8cb46f403456e8e9783a579bc481cc4504eff87f4a23bfdaa459e3ea55745fd3cbd143b0ccd8852388
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
412B
MD5525e7f565cf9f144862cce5d91dca748
SHA10c5af5fbaf97c6f1efe9baff1c20a13f53d1dcc9
SHA25649b9578f1dc996ac9463c421c509dd97d8488b005f5866a84e0cfc148bec6297
SHA512a40dbb4a4440072f2a21eda13204197b45c8b3608f494ae7852ac2f417505f7e96b9a4e28497c55b6b70aefc435de6bced9ccf77f78f600ac6f1cab1dff2b324
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idxFilesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lockFilesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.valFilesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsUpdate.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xmlFilesize
753KB
MD55a4c197a41750e1becfb390029599ba8
SHA177e001ce3fb78c584bee8c21185b15a3e97b0e1b
SHA256d88e85b1e54539b6dc6c56bafa20aa80ce4b8cf0adda8ec4dc7a03e431803686
SHA512e00ebd241e8412925c241b4fd07681fea2f28c174edb85c646bed5e4de91ea3605e19ba2de7acdba3bd88164ef256af08097d5d9f71f89ed35b10e14b31936a3
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walFilesize
32B
MD5a0b8bf159d39c03d039a5a47717fc1d7
SHA15a2b7a67d83d48d9eadbec69768dc753d951fe52
SHA256160c505cc9913c9014d7f2928eae56660e7c109aef930c7bd9fb9517ca80ff9d
SHA51281a134baea01cdeda99010f03ba152c272babbc79c772e298a4a05e4dfe660f06d0f00115dac9cfaecb536e79fafbed3a26e3cbf13a3676b34ebc962f187d512
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresFilesize
2KB
MD5be840fe6a45b708c1fa9d9623a92c6ce
SHA184ba169eec046737c73046d97267c2d9bfc0d5d6
SHA2564ecdb3b5b0f53dda6af5cfbddb338782d33484983f1d538de04ee482449c5f4b
SHA5126d1dfe49b6847ea31d08ff1cbb9b0671aeb6f8241f100a1bf12346a32d502b11726bcafcc94efed2319fea0cbbc0363bb01793973c93e398d7de88cfb53d78c5
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbresFilesize
2KB
MD580639e4d763415e66d773e759f1edcc1
SHA16f717e8c93eeb7d9a1f876e0b21788e5bc8c3fc2
SHA25643f5af0ad34e506297f947e74de971311f48b49197b6092c84e6f025ef0fcfdf
SHA5129943b705636b1d7f25929abd08e8c58c1855439f8e5b207f4a1af0323bdb345a28d3f0b1bfc0652ee450006794fa644c31010c236ac3116494c09ea860d0db16
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53235c0b45a0ee14bd4e5213339b30705
SHA149ebee3177d8bf7d2b1ce8df3f28f3cc576364aa
SHA256e407d81c185f5505e1f76e43cfe12076caf7fc7ffb35fd8df087c12c35125b9f
SHA5122e3e467a766e7f05c81f661472bf8ce944f915cf829f70b4f988b65fc55165580fe37bb8683851e28b939313707c995849fefb1f402d57998412de96cfe0cd54
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5eb033be02578f9635ec47bdc1de5c3fb
SHA1ec356bc87381354a06baa9c30e8c3ac3d30e0f6f
SHA256bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063
SHA5124d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56e722800abdc44fc1ce4688ca490118f
SHA1f64a4ff6d6e9b567151260fbaa543c345565de3b
SHA256e63cad15f591e7898953167aa4ff8960500a177ad1bfa5e30229793b8b0af7e4
SHA5125b4f0da0561a1cc5f36bad93b1f0d9ce225e86464a4d1a5dbefe5eac8e339420446c9300b1362992b06838a302a8172944557e2c202bf980f5a22b98b9bea13b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4qvvtwx5.vxw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xslFilesize
325KB
MD558aafddc9c9fc6a422c6b29e8c4fcca3
SHA11a83a0297fe83d91950b71114f06ce42f4978316
SHA2569095fe60c9f5a135dfc22b23082574fbf2f223bd3551e75456f57787abc5797b
SHA5121ebb116bae9fe02ca942366c8e55d479743abb549965f4f4302e27a21b28cdf8b75c8730508f045ba4954a5aa0b7eb593ee88226de3c94bf4e821dbe4513118a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD51b5be1b939d373b3af1b93ef4bb3b152
SHA1f1f135fe9a9df6f9535311f44609a92d7d6069d0
SHA256d6acb59e909a2c3506a1401d83733eaa5d94e52e18024b5ac62dc17feb1bea7a
SHA512e1acc5c03ea52a41e0df2304c16979b613e0fc1264349493c1d7ad22ac4f63ce2b892ae4d740ab9f521e1986fa75064c3e4b72819ee7442b713612b5f0d57429
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD537f1f4efc161fbe246c65d4f298baef7
SHA1bbec3bd39df4d32de06def69af4001d4ee5d98fa
SHA256d9e9f273aa26a90428598d018446241c48278d3bcdaf52cf99deda3645ceddcb
SHA5125cd80742bb48612094185fda1e503ed815411905f937305af3d363ea1ff5695bebfa8ad1a1ab60bf64634a7489135469d8ffd6c14aa2e6276b1fef4e49086ad4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnkFilesize
803B
MD54ccfef6e49530939574febbbdc6b71f3
SHA1c64a58f712feb8f9efb840c7b4d6eb68676146f9
SHA256a9d02770e44d4718a4e113dac3568ad116867c0e9cc8d1e8c0ef087a119028ec
SHA512fac66c109e5fb6cc189128ea239031ca69640d37998945333ae0fc26592d602178bcc7cd86b5315f8414f4a41f4d659a1c82618ebe4d6f8c7d6365417ab86665
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeFilesize
289KB
MD5b0cc9c8ebff00267407dbe987c1afa16
SHA103602c8e30331fb298e93e3a509d10e143cb79d4
SHA2569af52592476aef1e492a4ddea56cf6be617ee60b82c673bea29f4ee7a7d83718
SHA5127e3510442d889a87f819e811c5f55c08667ee05bd020c8e422fae3a095779dfc8b011730bc82900216e0478fbcf3c6221a31ec41994ef2efacbc5404a71dc9d2
-
C:\Windows\INF\c_display.PNFFilesize
8KB
MD5716a1b21d16beae0405cc08d35d137cd
SHA1a013a0d39efd59a831edfe5194dd182af25109aa
SHA256e3170e44d159d924bd7884c4e0fd6b590ffd93b0ce2c1eebd0d68606039f7df5
SHA512bf6664be664c1675b1038afe91d108a0d0f487f158cf6d0b183ab5ac5cf10836270c71687b69a220bd7ef8383bd2aa1cc9715edcedd4fde1735c7af50ac103f8
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2108-292-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmpFilesize
64KB
-
memory/2108-291-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmpFilesize
64KB
-
memory/2108-295-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmpFilesize
64KB
-
memory/2108-296-0x00007FF9C8570000-0x00007FF9C8580000-memory.dmpFilesize
64KB
-
memory/2108-293-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmpFilesize
64KB
-
memory/2108-294-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmpFilesize
64KB
-
memory/2444-25-0x00000243A1BA0000-0x00000243A1BC2000-memory.dmpFilesize
136KB
-
memory/2884-160-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-156-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-157-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-158-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-159-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-152-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-153-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-151-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/2884-161-0x0000026A53DC0000-0x0000026A53DC1000-memory.dmpFilesize
4KB
-
memory/3080-6-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-10-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-2-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-0-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-1-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-7-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-9-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-12-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-8-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3080-11-0x000002266E5C0000-0x000002266E5C1000-memory.dmpFilesize
4KB
-
memory/3272-15-0x00007FF9E8AB3000-0x00007FF9E8AB5000-memory.dmpFilesize
8KB
-
memory/3272-14-0x0000000000860000-0x00000000008AE000-memory.dmpFilesize
312KB
-
memory/3272-13-0x00007FF9E8AB3000-0x00007FF9E8AB5000-memory.dmpFilesize
8KB
-
memory/3792-69-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-76-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-70-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-68-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-80-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-79-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-78-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-77-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/3792-75-0x0000016669460000-0x0000016669461000-memory.dmpFilesize
4KB
-
memory/4128-363-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-362-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-361-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-360-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-359-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-358-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-355-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-354-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/4128-353-0x000001FAD13C0000-0x000001FAD13C1000-memory.dmpFilesize
4KB
-
memory/5184-305-0x00007FF9C8570000-0x00007FF9C8580000-memory.dmpFilesize
64KB
-
memory/5620-454-0x000002AD0D070000-0x000002AD0D080000-memory.dmpFilesize
64KB