Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20/08/2024, 04:23
General
-
Target
https://dld.standard.us-east-1.oortech.com/Purchase%20Order%20PO1612%20%2C%20PO1613%20%2C%20PO1614%20%20MKS%20Instruments.xlsx.iso
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
ModiLoader Second Stage 59 IoCs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 6 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Script User-Agent 15 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dld.standard.us-east-1.oortech.com/Purchase%20Order%20PO1612%20%2C%20PO1613%20%2C%20PO1614%20%20MKS%20Instruments.xlsx.iso1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe7d49cc40,0x7ffe7d49cc4c,0x7ffe7d49cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1860 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2400 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3640,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4932 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5328,i,10875015370434540621,1377897343624366142,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5316 /prefetch:82⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rjctzbcB.cmd" "2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o3⤵
-
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 103⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Public\xpha.pifC:\\Users\\Public\\xpha.pif 127.0.0.1 -n 104⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows \SysWOW64\per.exe"C:\\Windows \\SysWOW64\\per.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SYSTEM32\esentutl.exeesentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o4⤵
-
-
C:\Users\Public\pha.pifC:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension '.exe','bat','.pif'4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW643⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl.exe /y E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe /d C:\\Users\\Public\\Libraries\\Bcbztcjr.PIF /o2⤵
-
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 19082⤵
- Program crash
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\jdcboddluoitodxudihmsfihjkgpnocqb"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\tfhmg"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzuehozh"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 17802⤵
- Program crash
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4720 -ip 47201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4268 -ip 42681⤵
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 11842⤵
- Program crash
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 17762⤵
- Program crash
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe2⤵
- System Location Discovery: System Language Discovery
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 6722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 8122⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 228 -ip 2281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 228 -ip 2281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 6044 -ip 60441⤵
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5608 -ip 56081⤵
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe2⤵
- System Location Discovery: System Language Discovery
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
-
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
-
\??\E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"E:\Purchase Order PO1612 , PO1613 , PO1614 MKS Instruments^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~0.exe"1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220B
MD5968aeb4a5c43c6f921edca37041d5de4
SHA17d1cea02ce1d57b080c96a751ea129ecbee6f337
SHA2569f33f70bedadb59219f0993d0cf2cdfcee85a227c10bc9198b9d7852e2447a03
SHA512e4bd8a681b7dcc520b12458f1e3649bb00366b2005406be22f2e896f5e38aac577063648c161c9ff4c0f5ece780f580afcbe197d40af7476eeb531b304a6fcc0
-
Filesize
649B
MD5a3a030715e212f7171c1b8c981b22b10
SHA14df5cbb9ff995b3ea85516bbd7d96f0e1e9d8eb5
SHA256364105d04581281216e35dfdef353e4d0a0de48c0a32d9cc2b6670b69bdf9b02
SHA512239b1bfe902de358ac7a0610cae4fdf73eda41fae267917a52266289932d7a8d6df94935bf27a66386efd13ecd79634b43d8ccf81a2e42f92acc832c7864a8ff
-
Filesize
1KB
MD51d25789848f8c482582082892bac6a74
SHA126bd6e59ac27fc24aea19415cd816ff6d41bf559
SHA256dcf7d5b25b3f58bfb5c45f4f834b0324dd7230debf71da85cde9861c4570f8e9
SHA5124253c8837faea3a21b6a3126a1b39fb63a676fde5779fba517806e86678b48415d25f01a6ce7132a3f08c9325c54623685e0d13f4b6616f986dfaad706a0c1cb
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
9KB
MD5bcca7025b6bebee092f9bd52225f66a9
SHA1913b0259e0e7f113cd5be4d99b7e42041c40840c
SHA2563f00bcdef24cecd9c9b6f102c7dc5a7c2a56ad41be1131fb68c4d885a266d088
SHA5127fcf2cb289f5242c90e749267fa311d62b684cd1561e45d7c42d6d6e7bd0963c9fab7f9f4ad31abbb20a508757e765dcc55eee0da54e796881947578da6802dd
-
Filesize
8KB
MD584b75a7676e6b2bb2a7f0393a9ee0472
SHA1131b7aba1ade2ef1a97ebdae35575ab5b70241d6
SHA256720f905fe196c12583f47750a1ba0dc8480a99c94ec2cd9413b4d5ce0c1dae35
SHA51260be982022519139b79f6626ee049c548a2c4141451ec674274ab41f479b024665f506171f9594115e7ecc7a2a0f9e6638538bdfb9ac51b54f6067952afb4c28
-
Filesize
9KB
MD519c79670aaa9bdef59882b56182bb9eb
SHA112ef7f5a6689882116c75dbf8c4c6c97f822f8ac
SHA2567365d2de1a8a8ad4b8485fbcf1f15936bed8f9cd0b73f88163eb9a459266fd81
SHA5120c4f1a5bf66eefa43ed2197fe9e3430b8ab95d5fdcfefa13807708e141700d273779961bcea83a320275f5210041deb481f6049008f5b3c4d9aa407ee788f96c
-
Filesize
9KB
MD554dd0574bf05f3169cccb819134ec4d5
SHA1faa9fd4bb9eddbda06cf21f585b953ff85a95b53
SHA2560960a0db1388c1f91d30a2d185eb38a364ef073c1333d9de9bc3e21fedf1f0d5
SHA51295dc68e483881d72e9cdf02c12261cd4c4dfb9a7f3b4ee1089ac487299158232c7978e3173f8999b8d7957e19c84095ab2bbf047e6257f3cacff7f070047e177
-
Filesize
9KB
MD55d814c7e682992c087f920019b09a3d6
SHA10599ee557bbf54ef5e337399472df68f0289e728
SHA2565027e61ec0fdd681a03c6dd0c6d1f1e6ea6215fe72bb8630e068f477fa51b299
SHA5123b1e07f3700f1af1bb4dde9264cd1cd1d295cf75768530a905d44678daf09142ac1d7da4abb8454deb62a8531a2b194cfef36bff340415ffe8dd27311e7b099b
-
Filesize
9KB
MD572dbf92ee262d90c60ec889e31deed19
SHA1e8463989134c1aa0b786d8d944286a8dcdaf912d
SHA2569626eccfb26906a2f57945714034912b56c1ff7c74c775ed9c65d5b3b6210315
SHA51277e8d4304d71898075d3151bacaff61074d00f3abe61531bbed54b4dc01171d98c8f261cf1bfeba8efe43bc622232ca822ad14da194b6c042d035bee78ce27f5
-
Filesize
9KB
MD52b27b8cd827c507c316975a0674aa5dd
SHA16912f22d14276818c5ad486e82cbcbf4ccb19946
SHA2563234bbdb4ea8ab8d48cd3e959c2d15a673b0734366780c766892e03942ded1ce
SHA51251c4b618dc04836b3d12ed2415a85398b0842eea8166b4d7ba61d965244715587b585216d88b382e7d7758a8f64f59a32e709bc63ef665cd3c1a1aa749dd7d54
-
Filesize
8KB
MD5712f106567ddd47244e2efd076f5e1f6
SHA16704adaf0146f48e9058569ad48ab6167a7c8fa1
SHA2569993a64ab98d58d65af5d4aaeda5e4e57d8fa9639a6f0d2ad0b3c12259565669
SHA5125e1e0b30398993c4cd2b600eb6137d4cf66b106e82df55ac42b6c10b4c01ed72d3e989d07ae19bc7697fe1d48cc0ae7149d704ece6b62dc11eab83d79e451138
-
Filesize
9KB
MD5612ad4adf23e4ebe4d3b617c38b6981e
SHA1a2b48ba97e3367084d87508ed4792bb3a509005d
SHA2561bb2c7f9632203142085e9754f6d761bf9271332521ab07c22dc3cf6fb9b5dd9
SHA512f73f01104a41fed7c782c3f831ab7b9a6297601e7ae6b2b24dfbe6bdc42a03a8cc58a76e8c1ef6cc7ca1b733173e8d81380c051502c99144bf7f85c6f1cc20f3
-
Filesize
99KB
MD53bafdbed9e67f22fa7466d86208c08d8
SHA1a59b7da890869f66ce5789c74521c495a4cfadc8
SHA2561250c36005a7551a9f69821060762739a8c3a1daf3951874571b6f1f83dc165b
SHA512162d60f23d9a38ebe20a1507b428317dfc09e01fdc941e860d3fa2e2da6d9e8239c8a0ebc19cfed81cc32410879d999c2006e9513ed824e5bc1cdd026a8c7cc4
-
Filesize
99KB
MD5a1184ac60f3baaf4b1c7d024c9099011
SHA13ff264c78ca00d8a3934f77ec38f36e36c0c5027
SHA2561e6854604b4549aa673e4d62e4e319cd6e13401156c7e40a289fd86de09eeda7
SHA5126ec36832070fdc8b21cb3c91451c98737ff715806bb9783f3fb3e0904873d134044ea3bb9edf4c63223305dbda3f730b43f0aa826b7f79c7ab0389578025b8d5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5c0ab2847671ed5375328c5127a02cc72
SHA1dc2bcb51562fb17e5c8787833bc0181d88a5b75e
SHA256e961f466a0638bc99182d0056245e2d8bf1ccc13a189b802aada981f379e2384
SHA5120b8b634d21ac71e02cef86687bf84b6fcecfd24dafab8130f42ce8b4b3f308a2e1b1fa7bf8d37f2eda76efae2b30b8d39f41d808d771562d8545ed144241924f
-
Filesize
1.6MB
MD5aeca8dddde9e303e0e5ae89cc93315f7
SHA10f85989df8c6b6286c4915dab2ef81448b7c8590
SHA2566e56f2a46b218ddef4dc09f43513f83e7fee53813903bfb7860d98b962a5ebd9
SHA512068deda56b14a5c1dec5b2010e030b9b88c5db5c4d407eed26b323f0fea6e31990d1344b947e798f785a172d5f037514c03d1031324afdd338033a6ed8f3bab7
-
Filesize
60KB
MD5b87f096cbc25570329e2bb59fee57580
SHA1d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA51272901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7
-
Filesize
231KB
MD5d0fce3afa6aa1d58ce9fa336cc2b675b
SHA14048488de6ba4bfef9edf103755519f1f762668f
SHA2564d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA51280e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
18KB
MD5b3624dd758ccecf93a1226cef252ca12
SHA1fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
SHA2564aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
SHA512c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838
-
Filesize
115KB
MD5c5db31551cb21105e3f0b3e467b91cc7
SHA1c66fd7732973d9803ba0fd4323e8507876892310
SHA2563fa23d8f7b7eeac6443e107bd70d0c6371afc1f8082d3d58fffd8685cf9e2193
SHA5126d1ee4b55fb74dc093f52caf1e093ec2742af263ff8fa264cd61eea48c021c3438150ba12a8e9d694e7246fe296ea011d8b6313e8ee4476a63c7072c2990685e
-
Filesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
136KB