Analysis
max time kernel: 258s
max time network: 247s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/06/2024, 20:00

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/luxusergrabber/Mercurial_grabber
Resource: win11-20240508-en

General
Target: https://github.com/luxusergrabber/Mercurial_grabber
Malware Config
Signatures

Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3001105534-2705918504-2956618779-1000_StartupInfo3.xml | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | svchost.exe
File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d6a20725-923a-4d7f-a888-c54d3a22f3df}\snapshot.etl | svchost.exe
File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d6a20725-923a-4d7f-a888-c54d3a22f3df}\snapshot.etl | svchost.exe
File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | svchost.exe
File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3001105534-2705918504-2956618779-1000_UserData.bin | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRU.chk | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRU.log | svchost.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | svchost.exe
File created | C:\Windows\system32\NDF\{7CAC81D5-7DDF-4D15-AE00-446C6EB915D7}-temp-06102024-2002.etl | svchost.exe
File opened for modification | C:\Windows\system32\NDF\{7CAC81D5-7DDF-4D15-AE00-446C6EB915D7}-temp-06102024-2002.etl | svchost.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk | svchost.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run both reads come from svchost.exe hosting the Diagnostic Policy Service (PID 2468, -s DPS; see Processes), which is a Windows component, so this hit is not by itself evidence that the submitted URL performs sandbox evasion.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
All three queries come from msedge.exe (PID 2324), the browser process that opened the target URL.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration. Here ipconfig.exe (PID 3852) is a child of sdiagnhost.exe (PID 5792), the scripted-diagnostics host behind the Windows Network Diagnostics troubleshooter that msedge.exe launched through msdt.exe (PID 3192, -ep "NetworkDiagnosticsWeb"); the same host also ran netsh trace diagnose, ROUTE.EXE print and makecab (see Processes).
pid | Process
3852 | ipconfig.exe

Modifies data under HKEY_USERS (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial\Default | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial | svchost.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process | entries
4620 | msedge.exe | 2
2324 | msedge.exe | 2
4160 | identity_helper.exe | 2
4900 | msedge.exe | 2
5792 | sdiagnhost.exe | 2
2468 | svchost.exe | 4
5076 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
pid | Process | entries
2324 | msedge.exe | 12

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5792 | sdiagnhost.exe
Token: SeShutdownPrivilege | 2468 | svchost.exe
Token: SeCreatePagefilePrivilege | 2468 | svchost.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process | entries
2324 | msedge.exe | 25
3192 | msdt.exe | 1

Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process | entries
2324 | msedge.exe | 12

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries are writes by the Edge browser process into its own child processes; the report repeats each parent/child pair once per call, so only the distinct pairs are listed here.
description | pid | Process | procid_target
PID 2324 wrote to memory of 1360 | 2324 | msedge.exe | 80
PID 2324 wrote to memory of 1228 | 2324 | msedge.exe | 81
PID 2324 wrote to memory of 4620 | 2324 | msedge.exe | 82
PID 2324 wrote to memory of 3284 | 2324 | msedge.exe | 83

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
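The processor and BIOS registry reads flagged above are the usual inputs to a VM/sandbox fingerprint. What follows is an added example, not code from the report, from tria.ge or from the submitted repository, showing what such a check looks like and how it can be evaluated offline: read_fingerprint() queries the three values named in the signatures (~MHz, SystemManufacturer, SystemProductName) through winreg on Windows, and score_fingerprint() applies the heuristics to any dict of values, including the constructed samples at the bottom. The vendor-string list and the 1000 MHz floor are this example's assumptions, not thresholds taken from the report.

```python
"""Environment fingerprint from the registry values this report shows being read.

Added example; not code from the report, from tria.ge or from the submitted
repository. read_fingerprint() queries the live keys with winreg on Windows;
score_fingerprint() applies the heuristics to any dict, so it can be exercised
offline on the constructed samples below. Vendor list and MHz floor are assumptions.
"""
import re

CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"

# SMBIOS strings typically exposed by hypervisors and analysis VMs (assumed list).
VM_MARKERS = re.compile(
    r"vmware|virtualbox|vbox|qemu|kvm|xen|hyper-v|virtual machine|bochs|parallels", re.I)
# A reported clock below this is implausible for current hardware (assumed threshold).
MIN_PLAUSIBLE_MHZ = 1000


def read_fingerprint():
    """Read the three values from HKLM. Windows only: winreg does not exist elsewhere."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as key:
        mhz, _ = winreg.QueryValueEx(key, "~MHz")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        manufacturer, _ = winreg.QueryValueEx(key, "SystemManufacturer")
        product, _ = winreg.QueryValueEx(key, "SystemProductName")
    return {"~MHz": int(mhz), "SystemManufacturer": manufacturer, "SystemProductName": product}


def score_fingerprint(fp):
    """Return the reasons (possibly none) the values look like an analysis environment."""
    reasons = []
    mhz = fp.get("~MHz")
    if isinstance(mhz, int) and mhz < MIN_PLAUSIBLE_MHZ:
        reasons.append(f"~MHz={mhz} below {MIN_PLAUSIBLE_MHZ}")
    for field in ("SystemManufacturer", "SystemProductName"):
        value = str(fp.get(field, ""))
        hit = VM_MARKERS.search(value)
        if hit:
            reasons.append(f"{field}={value!r} matches {hit.group(0)!r}")
    return reasons


def looks_like_sandbox(fp):
    return bool(score_fingerprint(fp))


# Constructed samples: a QEMU/KVM guest and a physical laptop.
GUEST = {"~MHz": 2400, "SystemManufacturer": "QEMU",
         "SystemProductName": "Standard PC (Q35 + ICH9, 2009)"}
LAPTOP = {"~MHz": 2600, "SystemManufacturer": "LENOVO",
          "SystemProductName": "ThinkPad T14 Gen 2"}

if __name__ == "__main__":
    try:
        fp = read_fingerprint()
    except ImportError:
        fp = GUEST  # not on Windows: show the heuristic on a constructed sample
    print(fp)
    print(score_fingerprint(fp) or "no sandbox indicators")
```

Two practitioner notes. Registry value reads are not among Sysmon's RegistryEvent types (those cover key create/delete, value set and rename), so a check like this leaves no host registry audit trail; it is the sandbox's API monitoring that produces the signature, and the defender-side lever is the SMBIOS strings the hypervisor presents. In this particular report the reads are attributed to svchost.exe and msedge.exe, i.e. to Windows and Edge themselves, not to anything fetched from the target URL.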
Processes
Indentation follows the parent/child layout of the report; each entry gives the PID, image name, command line and the signatures raised on that process.

- PID 2324 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/luxusergrabber/Mercurial_grabber
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 1360 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc23583cb8,0x7ffc23583cc8,0x7ffc23583cd8
  - PID 1228 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  - PID 4620 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3284 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
  - PID 3236 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  - PID 4208 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  - PID 4688 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  - PID 4160 identity_helper.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1660 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  - PID 4900 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5092 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  - PID 4580 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  - PID 3184 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  - PID 3192 msdt.exe (image C:\Windows\system32\msdt.exe): -modal "197138" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFB19.tmp" -ep "NetworkDiagnosticsWeb"
    Signatures: Suspicious use of FindShellTrayWindow
  - PID 6032 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1
  - PID 4944 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  - PID 4004 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  - PID 5676 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
  - PID 5076 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4564 msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
- PID 2304 CompPkgSrv.exe: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 3828 CompPkgSrv.exe: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4636 svchost.exe: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- PID 5792 sdiagnhost.exe: C:\Windows\System32\sdiagnhost.exe -Embedding
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 5956 netsh.exe: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  - PID 1044 netsh.exe: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  - PID 3852 ipconfig.exe: "C:\Windows\system32\ipconfig.exe" /all
    Signatures: Gathers network information
  - PID 2756 ROUTE.EXE: "C:\Windows\system32\ROUTE.EXE" print
  - PID 2504 makecab.exe: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
- PID 2468 svchost.exe: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
  Signatures: Drops file in System32 directory; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- PID 3836 svchost.exe: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
- PID 2608 svchost.exe: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
  Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS
  - PID 5356 rundll32.exe: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
- PID 2664 svchost.exe: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
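Read against the tree, nearly every signature in this report belongs to one of three benign chains rather than to the submitted URL: Edge's own child processes, the Windows Network Diagnostics troubleshooter that msedge.exe launched through msdt.exe (-ep "NetworkDiagnosticsWeb") and that sdiagnhost.exe then drove with netsh, ipconfig, ROUTE.EXE and makecab, and the diagnostic service hosts (DPS, WdiServiceHost, Netman). The script below is an added example, not tooling from tria.ge, that makes that attribution explicit. It rebuilds the tree from the PIDs and parents shown above (transcribed by hand, with arguments abbreviated), maps each signature to the lineage of the PIDs it was raised on, and lists any signature whose PID falls outside the expected lineages. The lineage rules (anchor image plus the helper images allowed beneath it) are this example's own; a process is only attributed to a lineage when its own image is a known member and an anchor of that lineage appears in its ancestry, so an unknown binary spawned from the browser stays "unknown" instead of being excused as browser activity.

```python
"""Attribute sandbox signature hits to process lineage.

Added example; not part of the tria.ge report or its tooling. PROCESSES and
SIGNATURES are transcribed by hand from the process tree and signature tables
in the report (arguments abbreviated); the lineage rules are this script's own.
"""

# (pid, parent pid or None, image, abbreviated command line) as the report shows them.
# Parent is None where the report lists the process at the top level, which is how
# COM-activated processes (-Embedding) and service hosts appear.
PROCESSES = [
    (2324, None, "msedge.exe", "--single-argument https://github.com/luxusergrabber/Mercurial_grabber"),
    (1360, 2324, "msedge.exe", "--type=crashpad-handler"),
    (1228, 2324, "msedge.exe", "--type=gpu-process"),
    (4620, 2324, "msedge.exe", "--type=utility --utility-sub-type=network.mojom.NetworkService"),
    (3284, 2324, "msedge.exe", "--type=utility --utility-sub-type=storage.mojom.StorageService"),
    (4160, 2324, "identity_helper.exe", "--type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService"),
    (4900, 2324, "msedge.exe", "--type=utility --utility-sub-type=chrome.mojom.UtilWin"),
    (5076, 2324, "msedge.exe", "--type=gpu-process --disable-gpu-sandbox"),
    (3192, 2324, "msdt.exe", '-path "C:\\Windows\\diagnostics\\system\\networking" -ep "NetworkDiagnosticsWeb"'),
    (5792, None, "sdiagnhost.exe", "-Embedding"),
    (5956, 5792, "netsh.exe", "trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter"),
    (3852, 5792, "ipconfig.exe", "/all"),
    (2756, 5792, "ROUTE.EXE", "print"),
    (2504, 5792, "makecab.exe", "/f NetworkConfiguration.ddf"),
    (2468, None, "svchost.exe", "-k LocalServiceNoNetwork -p -s DPS"),
    (2608, None, "svchost.exe", "-k LocalService -p -s WdiServiceHost"),
    (5356, 2608, "rundll32.exe", '"C:\\Windows\\System32\\winethc.dll",ForceProxyDetectionOnNextRun'),
    (2664, None, "svchost.exe", "-k LocalSystemNetworkRestricted -p -s Netman"),
]

# Signature name -> PIDs the report attaches it to.
SIGNATURES = {
    "Checks processor information in registry": {2468},
    "Enumerates system info in registry": {2324},
    "Gathers network information": {3852},
    "Drops file in System32 directory": {2468, 2608},
    "Drops file in Windows directory": {2664},
    "Modifies data under HKEY_USERS": {2608, 2664},
    "Suspicious use of AdjustPrivilegeToken": {5792, 2468},
    "Suspicious use of FindShellTrayWindow": {2324, 3192},
    "Suspicious behavior: EnumeratesProcesses": {4620, 2324, 4160, 4900, 5792, 2468, 5076},
    "Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary": {2324},
    "Suspicious use of SendNotifyMessage": {2324},
    "Suspicious use of WriteProcessMemory": {2324},
}

# (lineage, anchor images that define it, helper images allowed beneath an anchor).
# Troubleshooter is listed first: msdt.exe is a child of msedge.exe, but what it
# drives is the Windows Network Diagnostics pack, not the page that was opened.
LINEAGES = [
    ("troubleshooter", {"msdt.exe", "sdiagnhost.exe"}, {"netsh.exe", "ipconfig.exe", "route.exe", "makecab.exe"}),
    ("browser", {"msedge.exe"}, {"identity_helper.exe"}),
    ("service-host", {"svchost.exe"}, {"rundll32.exe"}),
]
EXPECTED = {name for name, _, _ in LINEAGES}


def build_index(processes):
    """pid -> (parent pid, lower-cased image name)."""
    return {pid: (ppid, image.lower()) for pid, ppid, image, _ in processes}


def ancestry(index, pid):
    """Image names from the process itself up to its root in the report (cycle-safe)."""
    seen = set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, image = index[pid]
        yield image
        pid = ppid


def lineage(index, pid):
    """Lineage whose member set contains the process and whose anchor is in its ancestry."""
    if pid not in index:
        return "unknown"
    own = index[pid][1]
    images = set(ancestry(index, pid))
    for name, anchors, helpers in LINEAGES:
        if (own in anchors or own in helpers) and images & anchors:
            return name
    return "unknown"


def attribute(processes, signatures):
    """Signature name -> set of lineages of the PIDs it was raised on."""
    index = build_index(processes)
    return {name: {lineage(index, pid) for pid in pids} for name, pids in signatures.items()}


def unexplained(processes, signatures):
    """Signatures with at least one PID outside the expected lineages, sorted by name."""
    return sorted(name for name, lins in attribute(processes, signatures).items()
                  if not lins <= EXPECTED)


if __name__ == "__main__":
    for name, lins in attribute(PROCESSES, SIGNATURES).items():
        print(f"{name:64s} {', '.join(sorted(lins))}")
    print("unexplained:", unexplained(PROCESSES, SIGNATURES) or "none")
```

For this report every signature resolves to browser, troubleshooter or service-host and the unexplained list is empty, which is the triage conclusion: opening the repository URL in Edge produced no process that is not Edge, the troubleshooter or a Windows service, and nothing from the Mercurial_grabber repository itself ran. The same check flags a hypothetical unknown binary under msedge.exe, or an ipconfig.exe with no sdiagnhost.exe above it, as unknown rather than excusing it.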
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 390187670cb1e0eb022f4f7735263e82
  SHA1: ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
  SHA256: 3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
  SHA512: 602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062
- Filesize: 152B
  MD5: 8294f1821fd3419c0a42b389d19ecfc6
  SHA1: cd4982751377c2904a1d3c58e801fa013ea27533
  SHA256: 92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
  SHA512: 372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d
- Filesize: 5KB
  MD5: 2cddd6ef5adf655b80184d268cf23b9a
  SHA1: 65210d388863f93956a0c751d4a4b8a44c735271
  SHA256: 06ea83b627c4c7ca6feafa99c017f610ac4f4d54169b2d8dfaf7bcc7ce804c54
  SHA512: 5db24112cc0e06b6f1c0265b863503a0395c3f1693f14a63ace3b17e3764f09d324d60a0264cda84445e61f36df32f6ad1baa975fb40dcd862548233827af364
- Filesize: 5KB
  MD5: 85c994553d04363d4609ce80c8ebbf5d
  SHA1: 128d3ebafc38e8a74c4da78c2e674e6fdb50bd4f
  SHA256: 71155e3268fe33950159b02aabff8f523610157147ceee21c1fbe0c53ca48a44
  SHA512: 9a47f966b710a41c4a599c303230a0f2f49b436b228d335973e3fb6cdb9b7ee9438882d92536edf6b26aabb9031776b9c0eb8399ea78e61f6215c0a0227531ca
- Filesize: 5KB
  MD5: 6b3692fb25d5858b3019c0239a8b4bae
  SHA1: a76850336f3e15af615b6e7de3fcad446a2ec4cd
  SHA256: 247f6e6fb6e8a5839626b5d37389a6b056ebc2b3c74dd594938f7a2a4e919893
  SHA512: 7ea2d4673f97ed2f90f6745fbe038d2bb1c879191a96d410c2489907090d6b89e14860836a25ecef52d9cd890fd126a36383d5c199aee3db0d1e11336c43cf2a
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 8KB
  MD5: b2e9f7024ccc9ee93feb08f3532a66d9
  SHA1: 872435123121476ada180ade2a68b55208d2a36b
  SHA256: 2d41b4ebb5c0ff281773c3c40d7bb8bf8e4df73cd1cf410a40c6655aca7bdf3d
  SHA512: 39f364d250b1135652d5aae5df0fd68c28e1f99462d1a86873fe0354821d4f31b92aa7b375039235dc2f9b73d36517381fe23e304a0b16cd17bf62deb16afaa5
- Filesize: 8KB
  MD5: a7ee34b8de045bb5d72ea8d0c2bc5e1f
  SHA1: 5033645b076cab0708e10170939bf1c59782b7b0
  SHA256: d0405dbe2de2ffc54721bc7ace38fcba6f4c966b97fa91bd2aa9598e36d094eb
  SHA512: cc3e5f8ea9b2bea32ac7b9e7a1865083528c29251f077c55f360e5fa2c32c62a08161732b89e07d61963ee9d30ffcb1bf04040b161eb900c474631126ed4ba3f
- Filesize: 8KB
  MD5: ff56a7d65ea42041d5d299fc9a62dad2
  SHA1: 1cad6559984b1180f524b821c9f2823a3fea80b4
  SHA256: 1ddd86eee1718eaeea3f921425c9a6a113d658edb8c578415d186448c8ab1ed8
  SHA512: 29d1baf77b5f3f50eb12cd5e23d734ff09825ea1ba9bd4315b732967fff2a6d999f29fba951f7e65353102b6b04ce83b8928ac02f849ac0f5dd10e7483616579
- Filesize: 3KB
  MD5: 6ff85fa3620c93d1f09d0ebd7988a388
  SHA1: 1b177af264d3e8509ff0ca9d743037aacdabe465
  SHA256: 45d558e920ad621af239561b7e1a203616dd2b07b05d4472ebbc6521b3b54a6c
  SHA512: f3f6e3d4c7cc8361226556e6c2b19c219d19951eb2fe44b019ee78c924f072e843ad2cb65612d5c5b6a08fb8e77b9eeeeadc002022209aa4d6b9f8b159c3b813
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: c78fdb8c48c012f1e9070b720f4abda8
  SHA1: cc3bcb411bbd37c54b4eb4d7780f9bd76d7dae5a
  SHA256: c5a916b3b7ea0bc4688ecb5a4a5555e2f7988cea224a6f2eb516ac2e3a5f437c
  SHA512: c5ed669e4950c3ff3ea9d027f62f0aef1c40a176611f0a32dec0ae4a8c346bd91cf3e6d85dddd26e64a53454620c3031fe4b461beeb8cc1d790c330c84eae82a
- Filesize: 231B
  MD5: 00848049d4218c485d9e9d7a54aa3b5f
  SHA1: d1d5f388221417985c365e8acaec127b971c40d0
  SHA256: ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e
  SHA512: 3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9
- Filesize: 2KB
  MD5: c4d185d0befddfafe9665669e1592cf4
  SHA1: fa191feb5b0f7910d877faa76203b0a42c69f586
  SHA256: fcbd63f1f774cdb5bc0c0081517d37a55ab374575c2edc3e8b49e14793dd4887
  SHA512: 4058459f8341d01ddc0b532473d472b5daaa1f88154a7023788b2a7b8dad545950ad68e49eac495860f7cbd12af0ebdf16dae8f9682bba7240afb6eb70bf4caf
- Filesize: 4KB
  MD5: 5848b21c91b531e59caff89beb5d734a
  SHA1: 930a7947f8aecab42c6e9412c06bc050137e6633
  SHA256: c625d0b268120c39706c1794602cf6f0d843ec4d27d3db3b2f0874f35b7bd520
  SHA512: dbc1309381455d818f9fc226415b2820904dbcca88c702b2d5c10651961152a4701a02e95c2d2057f87995e18f8760bf10846139f4c2e19a700c7905c49a3371
- Filesize: 978B
  MD5: 4729d44d6ceab0443e74223ee5e58a19
  SHA1: 017910fe70da922bd41bade4da44b935373cd804
  SHA256: 5932a37e4f2e8ff633dbe5226088366b363dfb63a931ab6dd6247b95f06441b7
  SHA512: 46c403abec51915af00f289ed552aec7f733f80750e5f3e2f424bce650c224ba27125694dce10b7bacb5ac6a78cd856a54d2284dc1c927da0a858520afbcfb16
- Filesize: 283B
  MD5: 1e8383285599f408a11687df88b7629a
  SHA1: 003591664e5db808b61e07db96a68b784a0f6b25
  SHA256: 0bdaec4e4d38b28265f25fcd0582a3f1a9bd2ea1c9959167f35ad97387d085c3
  SHA512: fe11338e59101b01943f56faaf8a1d16dd43e504206a21a74b6da0208e959c18409ec53b56bfa071444a2d3d70f83100f55c92c681be2e766924003d3d723b49
- Filesize: 416KB
  MD5: 4f7925a1c6f04acf6506b2d79fb87486
  SHA1: f240921fbda9d640894d4c56b58869a000f653cb
  SHA256: c565094836cf89f1f98987bfe383ea2beed25b3f8d8e5e08d29d08521ee73f76
  SHA512: 6d8f95ee760aad2bb22edccb60266104b615d7553443c51dbf6296cf61ffab4ff69edb0344afab0d085cb390d12ed6b5c6e4024a785a0b04edbddae9ff8a3e57
- Filesize: 11KB
  MD5: d213491a2d74b38a9535d616b9161217
  SHA1: bde94742d1e769638e2de84dfb099f797adcc217
  SHA256: 4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211
  SHA512: 5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104
- Filesize: 25KB
  MD5: d0cfc204ca3968b891f7ce0dccfb2eda
  SHA1: 56dad1716554d8dc573d0ea391f808e7857b2206
  SHA256: e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a
  SHA512: 4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c
- Filesize: 10KB
  MD5: 9b222d8ec4b20860f10ebf303035b984
  SHA1: b30eea35c2516afcab2c49ef6531af94efaf7e1a
  SHA256: a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc
  SHA512: 8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67
- Filesize: 567B
  MD5: a660422059d953c6d681b53a6977100e
  SHA1: 0c95dd05514d062354c0eecc9ae8d437123305bb
  SHA256: d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813
  SHA512: 26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523
- Filesize: 53KB
  MD5: c912faa190464ce7dec867464c35a8dc
  SHA1: d1c6482dad37720db6bdc594c4757914d1b1dd70
  SHA256: 3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201
  SHA512: 5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a
- Filesize: 2KB
  MD5: 0c75ae5e75c3e181d13768909c8240ba
  SHA1: 288403fc4bedaacebccf4f74d3073f082ef70eb9
  SHA256: de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f
  SHA512: 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b
- Filesize: 5KB
  MD5: 91f545459be2ff513b8d98c7831b8e54
  SHA1: 499e4aa76fc21540796c75ba5a6a47980ff1bc21
  SHA256: 1ccd68e58ead16d22a6385bb6bce0e2377ed573387bdafac3f72b62264d238ff
  SHA512: 469571a337120885ee57e0c73a3954d0280fa813e11709ee792285c046f6ddaf9be5583e475e627ea5f34e8e6fb723a4681289312f0e51dc8e9894492407b911
- Filesize: 488KB
  MD5: ec287e627bf07521b8b443e5d7836c92
  SHA1: 02595dde2bd98326d8608ee3ddabc481ddc39c3d
  SHA256: 35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694
  SHA512: 8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903
- Filesize: 17KB
  MD5: 44b3399345bc836153df1024fa0a81e1
  SHA1: ce979bfdc914c284a9a15c4d0f9f18db4d984cdd
  SHA256: 502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d
  SHA512: a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4
- C:\Windows\Temp\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\result\7CAC81D5-7DDF-4D15-AE00-446C6EB915D7.Diagnose.Admin.0.etl
  Filesize: 192KB
  MD5: dd11ca8a1bf3c1cb6951c5ae5ad56ee1
  SHA1: 8a005c7a03eb792f9250992725b97a297714106c
  SHA256: 6746879f4cc00bf131a06fd242d72861d406794eefb6679516f601e0c0f711a8
  SHA512: ef56fd210afc8f6226ff7e63f38982e5a174c95f0439ac1fbdf8dcb2dcd8734b18576f638c02b87344dcc48ade7aa152afa6faa574a84189b31df3a8081c40b9