Analysis
max time kernel: 360s
max time network: 363s
platform: windows10-2004_x64
resource: win10v2004-20241007-fr
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-fr, locale:fr-fr, os:windows10-2004-x64, system, windows
submitted: 20-12-2024 14:06
Static task: static1
Errors
General
Target: google-sketchup-7-0-10247-GoogleSketchUpWEN.exe
Size: 32.6MB
MD5: e055aaa430531273617f3176e232c373
SHA1: a4298c74666bb5da94c5f25ef202745b61b58808
SHA256: 027ed0df016c1b2263aea59946f567bd089163f7cfefa03104a39d8ce63911f2
SHA512: 84172744ab3c7e960f0e4674349770a311f22b5a713f18e2e9645f60757104cac2ed0ddb44257e31c518ffe3b30c902808608eafbe9e7d34fddd5ef5399cafc5
SSDEEP: 786432:AVQkzcOHZEnQ74pMOUcZdpTvgXCShCxHzzIk:ucOHZEn44pMJcpTvgCxTck
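Before reproducing any of the behaviour below, confirm that the sample on disk is the one this report describes. The script that follows is an added example, not part of the report or of the installer: it reads the file once, feeds all four algorithms in parallel, and compares against the digests listed in the General section above. The sample path is an assumption (default is the Target filename in the current directory); `digest_bytes` exists only so the self-check can run on constructed data.

```python
"""Verify that a local sample matches the hashes a sandbox report lists.

Added example, not code from the report or the analysed installer. The
expected digests are copied from the report's General section; the file path
passed on the command line is an assumption.
"""
import hashlib
import hmac
import io
import sys
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests as listed in the report for google-sketchup-7-0-10247-GoogleSketchUpWEN.exe.
REPORT_HASHES = {
    "md5": "e055aaa430531273617f3176e232c373",
    "sha1": "a4298c74666bb5da94c5f25ef202745b61b58808",
    "sha256": "027ed0df016c1b2263aea59946f567bd089163f7cfefa03104a39d8ce63911f2",
    "sha512": "84172744ab3c7e960f0e4674349770a311f22b5a713f18e2e9645f60757104ca"
              "c2ed0ddb44257e31c518ffe3b30c902808608eafbe9e7d34fddd5ef5399cafc5",
}


def digest_stream(stream, chunk_size=1 << 20):
    """Hash a binary file-like object, updating every algorithm per chunk so a
    32.6 MB installer is read from disk once rather than four times."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Same as digest_stream for in-memory data (used by the self-check)."""
    return digest_stream(io.BytesIO(data))


def check_hashes(actual, expected):
    """Return the names of algorithms whose digest disagrees with the report.
    Case-insensitive, and compared with hmac.compare_digest so a partially
    matching hex string does not leak timing (habit, not a threat here)."""
    mismatches = []
    for name, want in expected.items():
        got = actual.get(name, "")
        if not hmac.compare_digest(got.lower().encode(), want.lower().encode()):
            mismatches.append(name)
    return mismatches


def verify_file(path, expected=REPORT_HASHES):
    """Hash the file at `path` and return the list of mismatching algorithms
    (empty list means the sample matches the report)."""
    with open(path, "rb") as f:
        return check_hashes(digest_stream(f), expected)


if __name__ == "__main__":
    # Assumed path: the report's Target filename in the working directory.
    sample = Path(sys.argv[1] if len(sys.argv) > 1
                  else "google-sketchup-7-0-10247-GoogleSketchUpWEN.exe")
    bad = verify_file(sample)
    print("OK: sample matches the report" if not bad
          else "MISMATCH on: " + ", ".join(bad))
```

A mismatch on any one algorithm means you are holding a different file (or a truncated download), and none of the process, file or registry observations below should be assumed to apply to it. The SSDEEP value cannot be checked with the standard library and is left to the ssdeep tool.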
Malware Config
Signatures
resource | yara_rule
behavioral1/files/0x0007000000023f3e-1046.dat | cryptone
Executes dropped EXE 7 IoCs
pid | Process
2288 | setup.exe
1568 | MSI487F.tmp
1020 | SketchUp.exe
1540 | SketchUp.exe
3624 | SketchUp.exe
3276 | SketchUp.exe
1536 | SketchUp.exe
Loads dropped DLL 64 IoCs
pid | Process | rows
2520 | MsiExec.exe | 1
1020 | SketchUp.exe | 18
1540 | SketchUp.exe | 18
3624 | SketchUp.exe | 18
1536 | SketchUp.exe | 9
(The original table repeats the pid/process pair once per DLL load without naming the DLL; identical rows are collapsed above with their count. The table stops at 64 rows; the fifth SketchUp.exe instance, pid 3276, does not appear in the rows shown.)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 rows, one per letter) | msiexec.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 rows, one per letter) | setup.exe
The two processes are the Windows Installer engine (msiexec.exe, which is not among the dropped executables) and the dropped setup.exe; each opened the root of the same 23 letters, every letter from A: to Z: except C:, D: and F:. Walking every drive letter is routine for installers and is weak evidence of anything on its own.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\mscomct2.ocx | msiexec.exe
mscomct2.ocx is the Microsoft Windows Common Controls-2 6.0 ActiveX library (MSComCtl2); its COM registration under WOW6432Node is what fills most of the "Modifies registry class" table below.
Drops file in Program Files directory 64 IoCs
description | ioc | Process
All 64 rows are "File created" by msiexec.exe under C:\Program Files (x86)\Google\Google SketchUp 7\; the paths relative to that directory are:
Materials\Colors\Color_J24.skm
Materials\Colors\Color_L12.skm
Materials\Colors-Named\0100_SteelBlue.skm
Materials\Colors\Color_J16.skm
Resources\en-US\eula.rtf
Materials\Colors-Named\0090_LightCyan.skm
Materials\Colors-Named\0134_DimGray.skm
Styles\Color Sets\Mint Green.style
Tools\DynamicComponents\images\tabs.gif
Materials\Markers\Cobalt.skm
Materials\Markers\Sky.skm
Resources\en-US\helpcontent\tool\23006\index.html
Materials\Colors\Color_G17.skm
Materials\Fencing\Fencing_Picket_Concave.skm
Styles\Default Styles\09Design Style.style
Materials\Stone\Stone_Granite_Midnite.skm
Materials\Colors\Color_B08.skm
Materials\Colors\Color_D24.skm
Materials\Colors-Named\0002_MediumVioletRed.skm
Materials\Colors-Named\0056_Yellow.skm
Materials\Translucent\Translucent_Glass_Block_Dark.skm
Materials\Colors\Color_D13.skm
Materials\Colors\Color_H12.skm
Resources\en-US\helpcontent\tool\21126\index.html
Styles\Sketchy Edges\Marker Super Fine.style
Resources\en-US\helpcontent\tool\10523\images\animation-pan.gif
Materials\Colors-Named\0004_HotPink.skm
Materials\Groundcover\Groundcover_Sand_Raked.skm
Materials\Metal\Metal_Embossed.skm
Materials\Colors\Color_H20.skm
Materials\Colors\Color_K15.skm
Styles\Assorted Styles\01PSO Vignette.style
Tools\DynamicComponents\images\manager_tool.png
Materials\Colors\Color_B23.skm
Materials\Colors\Color_I01.skm
Styles\Straight Lines\Straight Lines 02pix.style
Materials\Colors\Color_E10.skm
Styles\Default Styles\01Wireframe.style
Tools\Sandbox\fromscratch.rbs
Materials\Roofing\Roofing_Tile_Spanish.skm
Materials\Markers\WarmGray1.skm
Materials\Colors\Color_I08.skm
Materials\Fencing\Fencing_Diamond_Mesh.skm
Materials\Sketchy\Sketchy_Siding_Scale.skm
Tools\Sandbox\images\tbcontourslarge.png
Materials\Translucent\Translucent_Glass_Tinted.skm
Materials\Blinds\Blinds_Weave.skm
Styles\Default Styles\04Shaded with textures.style
Materials\Colors\Color_C25.skm
Materials\Fencing\Fencing_Mesh_Blue.skm
Materials\Metal\Metal_Steel_Textured.skm
Materials\Markers\CoolGray6.skm
Materials\Colors\Color_D09.skm
Materials\Colors\Color_D12.skm
Materials\Colors\Color_K25.skm
DD_AcisRenderer_2.04_8.dll
Materials\Colors\Color_A21.skm
Materials\Colors-Named\0030_OldLace.skm
Materials\Sketchy\Sketchy_Lines_Wavy_Vertical.skm
Styles\Straight Lines\Straight Lines 03pix.style
Resources\en-US\Styles.strings
Materials\Markers\CoolGray4.skm
Tools\DynamicComponents\ruby\dcloader.rb
Materials\Colors-Named\0120_Orchid.skm
Of the 64 rows shown, the only executable content is DD_AcisRenderer_2.04_8.dll and the Ruby scripts under Tools\ (dcloader.rb and fromscratch.rbs, the latter in SketchUp's scrambled Ruby format); the rest are material, style and help assets. The table stops at 64 rows, so it is not necessarily the complete file list.
Drops file in Windows directory 37 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\e57edbb.msi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.2\msvcm80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.2\msvcp80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750578.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat | msiexec.exe
File created | C:\Windows\Installer\{E5D52570-5EF1-4576-A434-6CCD92268F0F}\SketchUpIcon.87141840_2563_4894_A918_67E5C9B30163 | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750578.0\ATL80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750672.0\8.0.50727.762.cat | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF59C.tmp | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.1\8.0.50727.762.policy | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.0\8.0.50727.762.policy | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20241220140750578.0 | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750703.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750703.0\mfc80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750703.0\mfcm80u.dll | msiexec.exe
File created | C:\Windows\Installer\e57edbd.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.0\8.0.50727.762.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750703.0\mfc80u.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750703.0\mfcm80.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\{E5D52570-5EF1-4576-A434-6CCD92268F0F}\SketchUpIcon.87141840_2563_4894_A918_67E5C9B30163 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20241220140750672.0 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20241220140750703.0 | msiexec.exe
File created | C:\Windows\Installer\e57edbb.msi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750578.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750703.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20241220140750688.1 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750672.0\8.0.50727.762.policy | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.2\msvcr80.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20241220140750688.0 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20241220140750688.2 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF28E.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{E5D52570-5EF1-4576-A434-6CCD92268F0F} | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20241220140750688.1\8.0.50727.762.cat | msiexec.exe
The WinSxS\InstallTemp entries are the x86 Visual C++ 2005 SP1 CRT, ATL and MFC side-by-side assemblies (version 8.0.50727.762) with their catalogs, manifests and publisher policies being staged by Windows Installer. {E5D52570-5EF1-4576-A434-6CCD92268F0F} is the MSI product code; its packed form 07525D5E1FE567544A43C6DC2962F8F0 appears in the Installer\Products keys below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SketchUp.exe (5 rows, one per instance)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | google-sketchup-7-0-10247-GoogleSketchUpWEN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI487F.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Reading the NLS\Language key is how locale-aware software discovers the system language (the analysis image is tagged locale:fr-fr above); every process in the chain, including the Windows Installer engine, does it, so this row set does not by itself indicate geographic targeting.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [data value removed from this copy] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Every row here belongs to vssvc.exe, the Windows Volume Shadow Copy service, not to the sample or any of its dropped executables, and the values written are partition-manager snapshot caches. The signature's sandbox-detection description does not apply to this activity; none of the sample's own processes touched the SCSI enumeration keys in the rows shown.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | SketchUp.exe (5 rows, one per instance)
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | SketchUp.exe (5 rows, one per instance)
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | SketchUp.exe (5 rows, one per instance)
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\IESettingSync | SketchUp.exe (5 rows, one per instance)
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\SearchScopes | MSI487F.tmp
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} | MSI487F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\DisplayName = "Google" | MSI487F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\URL = "http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7" | MSI487F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" | MSI487F.tmp
(25 rows in the original; the four SketchUp.exe rows repeat once for each of the five SketchUp.exe processes and are collapsed here.) The rows worth attention are the five from MSI487F.tmp: a binary that Windows Installer extracted to its temp directory and ran as a custom action (it is the second entry under "Executes dropped EXE") registers a Google search scope in the user's Internet Explorer settings and makes it the default (SearchScopes\DefaultScope). That is a browser-settings change made during installation; whether the user consented to it is not visible from this report. The SketchUp.exe rows (WindowsSearch\Version = "WS not running", IESettingSync) are state that the embedded IE/WebBrowser control writes on initialisation.
Modifies data under HKEY_USERS 18 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
LogonUI.exe is the Windows logon screen; its DWM and Accent writes under the .DEFAULT profile are theme colour state and are not attributable to the sample. The three msiexec.exe rows are MuiCache housekeeping by Windows Installer.
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32\ = "\"C:\\Windows\\SysWOW64\\mscomct2.ocx\"" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\MSComCtl2.UpDown.2\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07525D5E1FE567544A43C6DC2962F8F0\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32\ = "\"C:\\Windows\\SysWOW64\\mscomct2.ocx\"" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.FlatScrollBar.2\CLSID\ = "{FE38753A-44A3-11D1-B5B7-0000C09000C4}" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\MiscStatus\1 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.DTPicker\CurVer\ = "MSComCtl2.DTPicker.2" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.MonthView\CurVer\ = "MSComCtl2.MonthView.2" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\mscomct2.ocx, 1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5214877-E8F1-47E7-95D3-3BD95C1F6D8C}\TypeLib\Version = "1.0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\MiscStatus\1\ = "131473" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}\ = "UpDown Scrolling Property Page Object" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20DD1B9D-87C4-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07525D5E1FE567544A43C6DC2962F8F0\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SketchUp.ShellExtension\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\Version | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\ = "Microsoft UpDown Control, version 6.0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\mscomct2.ocx, 5" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE387538-44A3-11D1-B5B7-0000C09000C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}\2.0\0\win32\ = "C:\\Windows\\SysWOW64\\mscomct2.ocx" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\VersionIndependentProgID\ = "MSComCtl2.DTPicker" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{FBD46897-D37D-484F-A4BF-B48EE41F0348}\1.0\HELPDIR | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\VersionIndependentProgID\ = "MSComCtl2.UpDown" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6359-87C8-11D1-8BE3-0000F8754DA1}\ = "Flat Scrollbar General Property Page Object" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07525D5E1FE567544A43C6DC2962F8F0\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07525D5E1FE567544A43C6DC2962F8F0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS7697.tmp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\VersionIndependentProgID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\ProgID | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\ = "DMonthViewEvents" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FBD46897-D37D-484F-A4BF-B48EE41F0348}\1.0\ = "ThumbsUp 1.0 Type Library" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{FBD46897-D37D-484F-A4BF-B48EE41F0348}\1.0\0\win32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\MSComCtl2.FlatScrollBar | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20DD1B9D-87C4-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1}\TypeLib | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE387539-44A3-11D1-B5B7-0000C09000C4}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\ProgID | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FBD46897-D37D-484F-A4BF-B48EE41F0348} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07525D5E1FE567544A43C6DC2962F8F0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS7697.tmp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}\ProxyStubClsid | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09DE714-87C1-11D1-8BE3-0000F8754DA1}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\MiscStatus\1 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FBD46897-D37D-484F-A4BF-B48EE41F0348}\1.0\0 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A86C8053-587B-4DFB-A5E2-54E9803E4463} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\ProgID\ = "MSComCtl2.DTPicker.2" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\MiscStatus\1 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SketchUp.ShellExtension | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.skp\SketchUp.Document | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\MiscStatus\ = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\ProgID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\MSComCtl2.Animation\CLSID | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09DE714-87C1-11D1-8BE3-0000F8754DA1}\ = "DAnimationEvents" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\MiscStatus\1 | msiexec.exe
Three things are mixed into these 64 rows. Most are the 32-bit COM registration of mscomct2.ocx (the MSComCtl2 UpDown, DTPicker, MonthView, FlatScrollBar and Animation controls, type library {86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}). Then there is product-specific registration: the .skp file association (SketchUp.Document), a shell extension (SketchUp.ShellExtension, whose CLSID is not reached in the rows shown) and a "ThumbsUp 1.0 Type Library"; a shell extension is code that Explorer will load in every session, so its CLSID and InprocServer32 path are worth pulling from the full report. Finally, the Installer SourceList rows record that the MSI was run from C:\Users\Admin\AppData\Local\Temp\7zS7697.tmp\, the extraction directory of a 7-Zip self-extracting archive, which is what the outer google-sketchup-7-0-10247-GoogleSketchUpWEN.exe is. The table stops at 64 rows.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3748 msiexec.exe
3748 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 2288 setup.exe
Token: SeIncreaseQuotaPrivilege 2288 setup.exe
Token: SeSecurityPrivilege 3748 msiexec.exe
Token: SeCreateTokenPrivilege 2288 setup.exe
Token: SeAssignPrimaryTokenPrivilege 2288 setup.exe
Token: SeLockMemoryPrivilege 2288 setup.exe
Token: SeIncreaseQuotaPrivilege 2288 setup.exe
Token: SeMachineAccountPrivilege 2288 setup.exe
Token: SeTcbPrivilege 2288 setup.exe
Token: SeSecurityPrivilege 2288 setup.exe
Token: SeTakeOwnershipPrivilege 2288 setup.exe
Token: SeLoadDriverPrivilege 2288 setup.exe
Token: SeSystemProfilePrivilege 2288 setup.exe
Token: SeSystemtimePrivilege 2288 setup.exe
Token: SeProfSingleProcessPrivilege 2288 setup.exe
Token: SeIncBasePriorityPrivilege 2288 setup.exe
Token: SeCreatePagefilePrivilege 2288 setup.exe
Token: SeCreatePermanentPrivilege 2288 setup.exe
Token: SeBackupPrivilege 2288 setup.exe
Token: SeRestorePrivilege 2288 setup.exe
Token: SeShutdownPrivilege 2288 setup.exe
Token: SeDebugPrivilege 2288 setup.exe
Token: SeAuditPrivilege 2288 setup.exe
Token: SeSystemEnvironmentPrivilege 2288 setup.exe
Token: SeChangeNotifyPrivilege 2288 setup.exe
Token: SeRemoteShutdownPrivilege 2288 setup.exe
Token: SeUndockPrivilege 2288 setup.exe
Token: SeSyncAgentPrivilege 2288 setup.exe
Token: SeEnableDelegationPrivilege 2288 setup.exe
Token: SeManageVolumePrivilege 2288 setup.exe
Token: SeImpersonatePrivilege 2288 setup.exe
Token: SeCreateGlobalPrivilege 2288 setup.exe
Token: SeBackupPrivilege 1992 vssvc.exe
Token: SeRestorePrivilege 1992 vssvc.exe
Token: SeAuditPrivilege 1992 vssvc.exe
Token: SeBackupPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2288 setup.exe
2288 setup.exe
-
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process
1020 SketchUp.exe
1020 SketchUp.exe
1020 SketchUp.exe
1020 SketchUp.exe
1540 SketchUp.exe
1540 SketchUp.exe
1540 SketchUp.exe
1540 SketchUp.exe
3624 SketchUp.exe
3624 SketchUp.exe
3624 SketchUp.exe
3624 SketchUp.exe
1536 SketchUp.exe
1536 SketchUp.exe
3276 SketchUp.exe
3276 SketchUp.exe
1536 SketchUp.exe
1536 SketchUp.exe
3276 SketchUp.exe
3276 SketchUp.exe
1504 LogonUI.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 1500 wrote to memory of 2288 1500 google-sketchup-7-0-10247-GoogleSketchUpWEN.exe 84
PID 1500 wrote to memory of 2288 1500 google-sketchup-7-0-10247-GoogleSketchUpWEN.exe 84
PID 1500 wrote to memory of 2288 1500 google-sketchup-7-0-10247-GoogleSketchUpWEN.exe 84
PID 3748 wrote to memory of 4544 3748 msiexec.exe 108
PID 3748 wrote to memory of 4544 3748 msiexec.exe 108
PID 3748 wrote to memory of 2520 3748 msiexec.exe 111
PID 3748 wrote to memory of 2520 3748 msiexec.exe 111
PID 3748 wrote to memory of 2520 3748 msiexec.exe 111
PID 2288 wrote to memory of 1568 2288 setup.exe 114
PID 2288 wrote to memory of 1568 2288 setup.exe 114
PID 2288 wrote to memory of 1568 2288 setup.exe 114
PID 1532 wrote to memory of 228 1532 cmd.exe 130
PID 1532 wrote to memory of 228 1532 cmd.exe 130
PID 1532 wrote to memory of 436 1532 cmd.exe 131
PID 1532 wrote to memory of 436 1532 cmd.exe 131
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indented entries are child processes of the entry above them; the depth is as reported by the sandbox)
-
C:\Users\Admin\AppData\Local\Temp\google-sketchup-7-0-10247-GoogleSketchUpWEN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\google-sketchup-7-0-10247-GoogleSketchUpWEN.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1500
    C:\Users\Admin\AppData\Local\Temp\7zS7697.tmp\setup.exe
      Command line: .\setup.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2288
        C:\Users\Admin\AppData\Local\Temp\MSI487F.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\MSI487F.tmp" -setds
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          PID: 1568
-
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3748
    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 4544
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24077D3981AAF5731B33FEAC09DFA9C7
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 2520
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 1992
-
C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe
  Command line: "C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID: 1020
-
C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe
  Command line: "C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID: 1540
-
C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe
  Command line: "C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID: 3624
-
C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe
  Command line: "C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID: 3276
-
C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe
  Command line: "C:\Program Files (x86)\Google\Google SketchUp 7\SketchUp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID: 1536
-
C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1532
    C:\Windows\system32\shutdown.exe
      Command line: shutdown
      PID: 228
    C:\Windows\system32\shutdown.exe
      Command line: shutdown /s
      PID: 436
-
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38fc055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 1504
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 274KB
MD5 35a611fa16786c125db4fb511f2ba352
SHA1 c8bd45f999bb42e2a17110693f27dd0a4e38b6f0
SHA256 258e1b92882e9063104f4076c2f2f98a3e3da67138e39d313a57f0c4c644729f
SHA512 4431f3a3cab3c1ab5a43d3108e146c6de251b3a42fbfe839f395eabe5bd3c1ec53c8e601ea6fe67d683f2e3e0da4327abdbbce733db72eb44065d9a03c676153
-
Filesize 104KB
MD5 ef7f23961b54e39ad3631677e140d260
SHA1 2d07d699edaeb70e6ed94732fa3d84aa3eab8381
SHA256 7484221b0cb35971ce2628d451ddbd4a39379a6ccf11571c4bde5f769d0d0149
SHA512 1dfc8638967d7e6ce5e47e5e12e642cde2cb2c907ca32d1cc56661ad5af4ac7e3ec3ad353669a15eef9cf4aeb926c556e12771bb391fefec001a64253a15d153
-
Filesize 14KB
MD5 ac6b5bc268ff2a8a6420bba3975efed0
SHA1 c3037104e9f1b71479705b322aef5c9124bdd295
SHA256 9b5135620b7aa3294ea63b1c66d24e2114620db5b997f26810d31f23cd55c06b
SHA512 2c920824253e9b51efa5f249ae8d2d25781e3bc66e29695b2c07b9c329a26a0aa63028ddda17d35177b50ac6dc95f04adb88ff418308c8428aeef71c79eae872
-
Filesize 6.6MB
MD5 4345d63e22af579e98f17c0e024ab60a
SHA1 94630f676e298faa6a9945b42045aef5c378a35a
SHA256 9fe828ecc1862523f7900b210d583b56d013d968f971b8d473ef42033a521c0d
SHA512 b794d1577221a6a75d81ed0addd59fb7e745ceac6dd557ef9a2710614481e5e1428ddfe322aaf0a759d20a7cb933999e7213281908aa1d47976ca7984d53f7bc
-
Filesize 596KB
MD5 b0d64108cef72cd18765f068cad32927
SHA1 c5914fad4709027828b9a6a35536b2e57bf8f459
SHA256 350cda677678cf809ec73af545888afe087f9ac01c4f16aac97ca214b20d829e
SHA512 330f150657b7a2f9cfa59598afcd616767ea22caa56ef8c01a142731d4033c76c19e4f288df29e3270cda9df0fba76ad6fdb8f0e630bac9e83dc7d27257f0b5d
-
Filesize 468KB
MD5 2e688c93086bf5eecd17df0d7de8deb9
SHA1 d80ec005de7ada5eec6da2fc58655c47c549a702
SHA256 37ddfc70b1546171e752195193380ad53251dcb45622648459d4552ffa4f7e4f
SHA512 3817fb04f88d19550079759c6023a15af3a0de5b40a84e1d41081d7dfa35e648dc0751c8575dddc021d6c3a007b4dc33ae8cebdcf8e7cf29c1e93397375c3114
-
Filesize 476KB
MD5 0ccea18e3ed49d9f9f520909b8f91200
SHA1 23483ba7be0cab563f278ab0b74b07176324f6f2
SHA256 de7160a8e33c86f43be0d7f126b852a02eb4f1bdc5282cee86177cf273acd8d3
SHA512 8226eee6b54be8917601225ed109283b783b0d1db35afd95e75494e4fe7263e70a9e6ff59572da2cd0afb0cf0e643c8e0c6ef5dd003ea973081277b1745956de
-
Filesize 40KB
MD5 61639a89c2cfab0b1c1a9aa43adf7997
SHA1 9fefc7e7785a947a71d16746526ea048b9866046
SHA256 630b26ac6112d0ae01c98e9d66626ea340fe28d137fdcfa7ce91100468a120be
SHA512 fdb43501f76b6a756179e67f80b8b0c0ef3b5f8ccd32efb9beb1925220c3190eb683b9e02c09164809faefb35bec94da294dc8e4a17f14dba4a3f280307a3751
-
Filesize 39KB
MD5 3d58a0e4f2bff52018ff07f4c06820f4
SHA1 fdc474844e200a9fdb05149c766f418920d29e52
SHA256 82b9d5a51784a03e636711a6de6654ad05308bdea489aa46fd40468ef26d2058
SHA512 a7dbd432db9f719643a8bd8affa561d193098d5798e2939286f6997b63c14642904ff981972ff043f2306b10e8f2c6d5cecfbd2500791b19b4bf14fca537a3f0
-
Filesize 40KB
MD5 1eb4ce9cb965d403957b3b3e616f8a5f
SHA1 b87e3c4f1643fc589f98f3bbdc92f1643304b240
SHA256 bd69c15d2cefd74f49d944236aa0590b99a52cac60c34861206ee2d55486f6ba
SHA512 d333b52ce07c488c5483817fef206ab2a72f76e94b441e2616bdc607223b5043bf9c7c3541e3d08194152d67ad612d0bca03a109b1f1d5807e0ac81698a55528
-
Filesize 39KB
MD5 c7b34cac81d3027ad1703124abe6ff02
SHA1 bcb418a934244d27d7f32016dbb5c6aede3c13e7
SHA256 b772f99cf69613e2836e941437be0d8746d7b10c4bcbadf9a80fc623dcf47d55
SHA512 8e09f8dbd2726e0a0d5dc3e86bd8fb6536534d39d08abe646f12f09b594dd62906b4f460ee58fc0cefa533790179d557c152fee906928fa630a8276d1eabb2e9
-
Filesize 7KB
MD5 9426e5d4700300f439e7a76d9ea368be
SHA1 688000be4cf149dd02197b760a275194f35a3166
SHA256 5fd79ad1c4300a0f29a762959434a2a40095b2971f8a06452447b9f824cc4749
SHA512 167586338ad6b93ac7c5cc145069db464046fea9d552d2956a208bc54850c08ed07855831e0c59d88da5893e58e9445539b00151e9fa095865b59ec7f0b633d9
-
Filesize 7KB
MD5 85605f2bcf96357a4e4ae3afb6068da6
SHA1 ed57c6cb9e3dcf654f628caabed245d30a283592
SHA256 f2d3b51cb6b03aac9facf2aa306335198ba0a65300353124d3ab6d8a76125de7
SHA512 46bb9a713dce0c1a8e321964d27799c45691f6d33abb617759149f4f8e73562481053064d66ed44cf8d1aa29b6d2bf784da9dfe4bb96cc8ad42c7d16de9cfb63
-
Filesize 39KB
MD5 f62da92dbc5e7e933300fe4817c56d70
SHA1 4dc98e91fdbd3251a7081d4459a84d5a46315d82
SHA256 3589ad721b21118cd8f43b04e7b6dd0a1d0024d4670dea7dfb740863954ce6c3
SHA512 c8130f43262d62ddc62dddb5c89bc28d6b33aa5d920448c845f129befee28ec8cffc6a6f595c344571336d67aee5182262a03331be0a35c00f14d9b9ea76b366
-
Filesize 39KB
MD5 b08086766d05b66f93fd7992240735b6
SHA1 016cd733d1b30c8fdc81021b749e6b7b2c77f17a
SHA256 9b93531f93427e7be202ab83208aa1f7c452c6c798e98209ec4eef17d5cea312
SHA512 57e3891fb89a657ae57062dda96f20c6620a808c69cdfd70a0dd976fe9e503575a7210ae2c575067888cd09ea082858574fd62730445768d1a96bcf968c96322
-
Filesize 8KB
MD5 955312917b58691356b8b6074234c1a5
SHA1 1640365c71a264c67b434b4eccfa0bfecb9cb237
SHA256 6aaffdbc0aaf173bf0b732395156f767479dd02d62d26a6639b930c8786aa954
SHA512 53dd4c4ba2293496b6c5b5c7cdb499bae513e38cc7748bce0a4c84529012639754079c41ce722592d1a1ba32531b04fc7cb046782f88d246c7cf675e42f6f649
-
Filesize 8KB
MD5 e3d70b75f8bc1acc6cadd6beef3f993c
SHA1 748195fb06ca6972ba532aefca17eb8ca8e31c6c
SHA256 654c6b607472cd0721aff626694f5126db4fe6710bfae79d753a003be49e4673
SHA512 d5202cc12357e77931770baa91d2902df488ce674e50794affefb4044bd7cafddd6ce531438fc3199dd3d0240061a377a42e1d6c3390343c57502cf64569a2ef
-
Filesize 6KB
MD5 c5f4a99ec31c313c5c919903b2560a30
SHA1 84a04d2c08c24a7e075469d6f293fc1b67d26948
SHA256 e16046bd8b4dc55626bf3b7558da543711173300cb503be1ab2f23ba1b2f1cbc
SHA512 a373dd06304c6b903bf2c404d131191e34c40f53519522557e0da34aaf83cc99a62b94622098add3131fb7c7722f315aec7a4a26de0ad75a6f3cd7f2c48a1195
-
Filesize 6KB
MD5 6dc90aa080f6fe9a4a49c0487f610e6d
SHA1 d58e23c4bd74723778690d647ce24fb843f59494
SHA256 e01c98ae879a7dcd39e59956325171fa0cc5436abc5a66616b4950b89d260d7b
SHA512 88eefec20c64a7af92b1e849c7c90fc39c76a78b9ed9a73e51f084ac05e0050e9ceb419ec5501c6316736aac0b92a8cf3c24f6aaf6d6ca664a927a0f7638f065
-
Filesize 2KB
MD5 9031a6ca6290bee6310ec730a638e189
SHA1 5d0c208127a1f18f84ad436ec8b528b930b221d3
SHA256 ceffb68ca8c5c8ff746b5c8e758dda5ca7d08e2f9c543435ff5325af685c4bcf
SHA512 f4853059807b0ad1b5550a4707ed52abbc315b73aa0ccdb73390e32e253f3af7ca92b8e33e1b86e46fb6596bae6510d334a9267aba173f80a59a049990a8c55e
-
C:\Program Files (x86)\Google\Google SketchUp 7\Resources\en-US\welcomescreen\images\sketchup-welcome.gif
Filesize 154KB
MD5 ba58a41dffad0550eef13e119ebb20c1
SHA1 008fdfedbf68c5246c5e172ab1f22d0f3b71305e
SHA256 37571b06315bd7c50ae67963e9c1fdab8617460b1c479b96852abede5ffa9717
SHA512 9b1282165e2afec58e26b6e568b9e74444be7584ab1574db5271c2c3b70aec128079eaa6b71790b53bb3d9c0c0afe3f4c88204261134b6d5a4a2a0de76e61279
-
C:\Program Files (x86)\Google\Google SketchUp 7\Resources\en-US\welcomescreen\images\sketchup-welcome_back.gif
Filesize 17KB
MD5 5e9676c4d1452321865e64395d3ddea7
SHA1 5bcf7ba960d762513c22885bb575b52fff53a961
SHA256 b14edc9e4bbfd1b5f8d5fca17ab60e425f599de00abf44a76b2912bbc33ad36b
SHA512 d832658e79fe992c1e12e372f4636d92f0f29abc8233e71e844be70dcb54b5dada1b21854e8d9dbaf30e1fff5e5112924e6bb2b39ab63cf183a1f7d50d7e02f9
-
Filesize 3KB
MD5 a4d1fc9ea1b11054aa3d9cadbac17a41
SHA1 993ca08a2b6b15fc6946c13f27ec856e5e87eb7a
SHA256 663a70f3feb421878fb10b1c6480cd254a32142916a90b212ddd24ff510268ad
SHA512 3f117e6b907cac2b2effb36a982e5efebe3e12527605ef5d1fe47b9ee1788ddf83b863b4da6065642f6ad75b15056a839ceca3052a785ba8b6f998f1f1a8e57b
-
Filesize 10.2MB
MD5 67478319968f6ddbc900d6db43ea97a6
SHA1 1f5631a308cd4e19f402a9f4261012d2033d04ad
SHA256 d899edb32093065a9f411a96943217e84c6e383562d0dc5fbea5870d3e9f16e5
SHA512 d26285c9e12ac7c920f0e0bdca435344a712248db474bb358cc54d252ca7561718503788b77f86c0aedcb1c222060a1d53b445903ea14b7ae20d22f87ad42013
-
Filesize 3KB
MD5 ae2c5cfbdafca40c36e7ba1b8fe2bfd2
SHA1 c1ee2458b7b5d17f1b9b5e8b404485c0ce17ca1e
SHA256 1e209d91610801472ffb56e54f1b849d80e62320a85e3825603ac8e1fc489d5f
SHA512 62c0c9b584430d8adc23310d1f3aab44de12df7d78d9e6e61bafed51ac19969388e215dab2fa19509967288b2a21284e4ebf435f0d633d594d22704b4c8fb4f2
-
Filesize 2.4MB
MD5 efd24408a5ec262ccc17258038f8b1b9
SHA1 34a3538b0bf8f3e98eb7fb3b0725ccbb0f879b64
SHA256 afdc8ef298c882bf7faa954a90ee1ceebefc3f333841bb240fa3911437060543
SHA512 9fa133f1be6337af518b9dc97bb30043c3f403636a02f254a0786ceb77e513231643b05cd0c8711f8f07005e7927f4924b6d55fe109d8cddc485f07205dd8c73
-
Filesize 332KB
MD5 6222ef293b72c508b79e7cb4add80572
SHA1 3c08ef5b784c19266c8ee875ca4fd847985c9f02
SHA256 0c02a79007edb36703d79ae79a356cf2b0ccb117ab16ff429cbbe3ef5bf96a30
SHA512 bcdbed88e398ef238a22e8f93c14603da012228124218be945f0a2c177ede233bc30bae22d77c431e7d7726a84e6acaad7288b4b03d0fe1c7bb1bbcae752669f
-
Filesize 792KB
MD5 27d691b625cb3654bf7134568712a7be
SHA1 beb19c07c5aac8176b3a9585312d41989c971170
SHA256 287e94328841a0f71ef0159595255de8b67f0db9e05289652875d43dd110afc5
SHA512 d9fdef5f5edf5963c06f3492b979139e4a022bb49bd8376f58aa8ecc1d6bb6307c8f3b432214fb3b702511eb47afcf225038bdcb443bf90127a62a7f6e76e887
-
Filesize 2.2MB
MD5 fa735f5185b29ea5f3c3ce1b412a18c4
SHA1 8bce2f8e505281f370b209abb5dd9d5c36954083
SHA256 6fa7bc7fffa7d13f926b6837a739f8c6e81a50ff32903cf4f45f825cd27735e1
SHA512 b96e65f4524b70b17cf57aafcbca4ac504184fe627ffffa644b4143c03ea67f112da0e723e48bd0d05151e98fbc6e3d0b79f2c1a9387502c2afa909e8ea3600a
-
Filesize 41.7MB
MD5 44f5ade09c2a1d78a91e0f5fc46025d6
SHA1 f14a6c9a20f776720eb630b9f83e59f7a6a70965
SHA256 4cb1c3d1db0ea5892ad5781dab782cc795a2404be74c16a64a7043afda10f53c
SHA512 0a7ce48e7b97dfb2efe4b9f84a2a66626868578d2386f5617414947152db1b45a6a601d26d0964456fe10b480fd6bc92a3e070bef1aeff2cef1eed1bb65cc868
-
Filesize 368KB
MD5 c2a4f08b839814809c3dabb7bd8f7dc7
SHA1 100f1e31465b1c660a7d4ce8f4b650d96bc2a9a0
SHA256 0cd9f4ddc4b8be1edf85eea0adb52ca635d16ac371240d6599f7e5051a3c663a
SHA512 0f54d8435668a791edea56eb153db4cf7bb70f8cdac987f8cc3f217a041ad76a298cd5b5cf5fc21bd683b67d64e9ab8c8816ebf2987797a83c606551ddc879f9
-
Filesize 367KB
MD5 d8228a92a2e41c9e070fd9a41e65b28d
SHA1 134d1723955ca405d31ebc33602ac2908b5fd254
SHA256 3d95becf182fff5e8d6f8fbda47c7ae062460d4e84830e74295924201a8d24c5
SHA512 db869809b18c004b69d435a93cbe1220a094f18a5f2ef9ab82efc301e40d6d7424c07bff064fdfa3e855f10ee3edbf702543e450c66c80fa2d0acd30b45228c2
-
Filesize 28KB
MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d
-
Filesize 24.1MB
MD5 ca83265c9b6106a089fe7198ef88003b
SHA1 1e184ef3f281aa4befb4df3629bb02a8da38261a
SHA256 5df1601038f63f20d1c063b0bf300fc43adb9d4ec6a41321605edc94076abc97
SHA512 52d469eff63d288cdda307d8d2b50fea1383c71142ee5d6d29c226d60cab9c0360e8c834a854da4e40f3a426f532826e41aad0335d93cc94cf8d672955079402
-
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6f3d0e5f-121c-4b03-b2b0-07972df40cdb}_OnDiskSnapshotProp
Filesize 6KB
MD5 59e4d2f8543e8db1e9e8b863b6e9e4d5
SHA1 87eaac7bc2ff32d9dff0d0e15163517d5867f635
SHA256 ce6164b0d4d641a2f8f63ccdc94ab74c28519209357ff9079032152d831b6377
SHA512 49cfd45c7a90e36764f7e51bc4f057d5b2b0c6924550e80b5dfd21121e12e2a30b2aff2be381cd32c58bf512d960e74fe529be3952cc0d5bb56f21e625ebd2b5