Analysis
max time kernel: 168s
max time network: 201s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2023, 23:01
Static task: static1
Behavioral task: behavioral1
Sample: c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
Resource: win7-20230831-en
General
Target: c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
Size: 1.8MB
MD5: 2fca3056fe70cf4b21120ee8633e29c3
SHA1: e1f0cf2a1e14242f855a89fe4e817d955fc4986e
SHA256: c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b
SHA512: 19312c9a92dca0779fd915f87de3c37021cc9328cfa91b9f747f1ffdb84b9a5a488860f02422cb574db76385b930a1d6e830d3752aa9555edffebe45dc385f0d
SSDEEP: 49152:MM9QPdxwfE7WlFwKAfzuTiDFUFkpAD0zO6LJnsvWyLA:M1PdVQFwKZCFgqAwzO6F
Malware Config
Signatures
-
Executes dropped EXE 27 IoCs
pid | Process
468 | Process not Found
2748 | alg.exe
2840 | aspnet_state.exe
632 | mscorsvw.exe
588 | mscorsvw.exe
2648 | mscorsvw.exe
2532 | mscorsvw.exe
2124 | elevation_service.exe
2788 | GROOVE.EXE
1936 | maintenanceservice.exe
2720 | OSE.EXE
2604 | OSPPSVC.EXE
2588 | mscorsvw.exe
2820 | mscorsvw.exe
2136 | mscorsvw.exe
2108 | mscorsvw.exe
704 | mscorsvw.exe
1712 | mscorsvw.exe
1696 | mscorsvw.exe
2772 | mscorsvw.exe
2828 | mscorsvw.exe
1628 | mscorsvw.exe
3056 | mscorsvw.exe
1988 | mscorsvw.exe
1204 | mscorsvw.exe
1656 | mscorsvw.exe
1136 | mscorsvw.exe
Loads dropped DLL 2 IoCs
pid | Process
468 | Process not Found
468 | Process not Found
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8c7bd3ab99022096.bin | alg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\Temp\GUT455.tmp | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_en-GB.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_iw.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleUpdateOnDemand.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_bn.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleUpdateSetup.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleCrashHandler.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ar.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_no.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdate.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_fi.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_lt.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_gu.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_es.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_uk.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_zh-TW.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\psuser.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_fa.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ca.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_id.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_sw.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_el.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ko.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleUpdateComRegisterShell64.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ro.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_sk.dll | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | alg.exe
Drops file in Windows directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [value not captured in this report] | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 2392 | c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
Token: SeShutdownPrivilege | 2648 | mscorsvw.exe
Token: SeShutdownPrivilege | 2532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2648 | mscorsvw.exe
Token: SeShutdownPrivilege | 2532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2648 | mscorsvw.exe
Token: SeShutdownPrivilege | 2648 | mscorsvw.exe
Token: SeShutdownPrivilege | 2532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2532 | mscorsvw.exe
Suspicious use of WriteProcessMemory 60 IoCs
description | pid | Process | procid_target
PID 2648 wrote to memory of 2588 | 2648 | mscorsvw.exe | 40
PID 2648 wrote to memory of 2588 | 2648 | mscorsvw.exe | 40
PID 2648 wrote to memory of 2588 | 2648 | mscorsvw.exe | 40
PID 2648 wrote to memory of 2588 | 2648 | mscorsvw.exe | 40
PID 2648 wrote to memory of 2820 | 2648 | mscorsvw.exe | 41
PID 2648 wrote to memory of 2820 | 2648 | mscorsvw.exe | 41
PID 2648 wrote to memory of 2820 | 2648 | mscorsvw.exe | 41
PID 2648 wrote to memory of 2820 | 2648 | mscorsvw.exe | 41
PID 2648 wrote to memory of 2136 | 2648 | mscorsvw.exe | 42
PID 2648 wrote to memory of 2136 | 2648 | mscorsvw.exe | 42
PID 2648 wrote to memory of 2136 | 2648 | mscorsvw.exe | 42
PID 2648 wrote to memory of 2136 | 2648 | mscorsvw.exe | 42
PID 2648 wrote to memory of 2108 | 2648 | mscorsvw.exe | 43
PID 2648 wrote to memory of 2108 | 2648 | mscorsvw.exe | 43
PID 2648 wrote to memory of 2108 | 2648 | mscorsvw.exe | 43
PID 2648 wrote to memory of 2108 | 2648 | mscorsvw.exe | 43
PID 2648 wrote to memory of 704 | 2648 | mscorsvw.exe | 44
PID 2648 wrote to memory of 704 | 2648 | mscorsvw.exe | 44
PID 2648 wrote to memory of 704 | 2648 | mscorsvw.exe | 44
PID 2648 wrote to memory of 704 | 2648 | mscorsvw.exe | 44
PID 2648 wrote to memory of 1712 | 2648 | mscorsvw.exe | 45
PID 2648 wrote to memory of 1712 | 2648 | mscorsvw.exe | 45
PID 2648 wrote to memory of 1712 | 2648 | mscorsvw.exe | 45
PID 2648 wrote to memory of 1712 | 2648 | mscorsvw.exe | 45
PID 2648 wrote to memory of 1696 | 2648 | mscorsvw.exe | 46
PID 2648 wrote to memory of 1696 | 2648 | mscorsvw.exe | 46
PID 2648 wrote to memory of 1696 | 2648 | mscorsvw.exe | 46
PID 2648 wrote to memory of 1696 | 2648 | mscorsvw.exe | 46
PID 2648 wrote to memory of 2772 | 2648 | mscorsvw.exe | 47
PID 2648 wrote to memory of 2772 | 2648 | mscorsvw.exe | 47
PID 2648 wrote to memory of 2772 | 2648 | mscorsvw.exe | 47
PID 2648 wrote to memory of 2772 | 2648 | mscorsvw.exe | 47
PID 2648 wrote to memory of 2828 | 2648 | mscorsvw.exe | 48
PID 2648 wrote to memory of 2828 | 2648 | mscorsvw.exe | 48
PID 2648 wrote to memory of 2828 | 2648 | mscorsvw.exe | 48
PID 2648 wrote to memory of 2828 | 2648 | mscorsvw.exe | 48
PID 2648 wrote to memory of 1628 | 2648 | mscorsvw.exe | 49
PID 2648 wrote to memory of 1628 | 2648 | mscorsvw.exe | 49
PID 2648 wrote to memory of 1628 | 2648 | mscorsvw.exe | 49
PID 2648 wrote to memory of 1628 | 2648 | mscorsvw.exe | 49
PID 2648 wrote to memory of 3056 | 2648 | mscorsvw.exe | 50
PID 2648 wrote to memory of 3056 | 2648 | mscorsvw.exe | 50
PID 2648 wrote to memory of 3056 | 2648 | mscorsvw.exe | 50
PID 2648 wrote to memory of 3056 | 2648 | mscorsvw.exe | 50
PID 2648 wrote to memory of 1988 | 2648 | mscorsvw.exe | 51
PID 2648 wrote to memory of 1988 | 2648 | mscorsvw.exe | 51
PID 2648 wrote to memory of 1988 | 2648 | mscorsvw.exe | 51
PID 2648 wrote to memory of 1988 | 2648 | mscorsvw.exe | 51
PID 2648 wrote to memory of 1204 | 2648 | mscorsvw.exe | 52
PID 2648 wrote to memory of 1204 | 2648 | mscorsvw.exe | 52
PID 2648 wrote to memory of 1204 | 2648 | mscorsvw.exe | 52
PID 2648 wrote to memory of 1204 | 2648 | mscorsvw.exe | 52
PID 2648 wrote to memory of 1656 | 2648 | mscorsvw.exe | 53
PID 2648 wrote to memory of 1656 | 2648 | mscorsvw.exe | 53
PID 2648 wrote to memory of 1656 | 2648 | mscorsvw.exe | 53
PID 2648 wrote to memory of 1656 | 2648 | mscorsvw.exe | 53
PID 2648 wrote to memory of 1136 | 2648 | mscorsvw.exe | 54
PID 2648 wrote to memory of 1136 | 2648 | mscorsvw.exe | 54
PID 2648 wrote to memory of 1136 | 2648 | mscorsvw.exe | 54
PID 2648 wrote to memory of 1136 | 2648 | mscorsvw.exe | 54
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Process: C:\Users\Admin\AppData\Local\Temp\c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe"
Depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
Process: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2748
-
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Depth: 1
- Executes dropped EXE
PID:2840
-
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Depth: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:632
-
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Depth: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:588
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Depth: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 11c -NGENProcess 120 -Pipe 1e0 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2588
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2820
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 1e4 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2136
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2108
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 260 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:704
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1712
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 258 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1696
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 23c -NGENProcess 270 -Pipe 11c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2772
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:2828
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1628
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 258 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:3056
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 280 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1988
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 278 -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1204
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 170 -Pipe 264 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1656
-
-
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 284 -Pipe 120 -Comment "NGen Worker Process"
Depth: 2
- Executes dropped EXE
PID:1136
-
-
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Depth: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
Process: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:2124
-
Process: C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2788
-
Process: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
PID:1936
-
Process: C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID:2720
-
Process: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2604
Network
MITRE ATT&CK Enterprise v15
Downloads