7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e

Analysis

max time kernel
0s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
Size

1.8MB
MD5

298e3a06c49f7ba78038968e4ac03d66
SHA1

7fcd07e04ac0b402cc1e6a17de9f59bddd1e3cdc
SHA256

7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e
SHA512

329bae6a3c59c7ba966ea4ace7599a8dd1a40de53f46b99ad7b680acd105bf0c048e1f2c6bf65b06f1da3e6dfc4d2f97812193949202d4ef5e895bfafdf4981e
SSDEEP

49152:sx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAjCks7R9L58UqFJjskU:svbjVkjjCAzJOC17DVqFJU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
476	Process not Found
2160	alg.exe
2720	aspnet_state.exe
2092	mscorsvw.exe
2032	elevation_service.exe
2348	mscorsvw.exe

Loads dropped DLL 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ab58b80a323b6587.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_el.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_it.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleUpdateComRegisterShell64.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_de.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_hr.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ko.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_sl.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_sw.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_bn.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleUpdateSetup.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ta.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_vi.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_en.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_hu.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_mr.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ur.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleUpdateSetup.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_bg.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_fr.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_nl.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_zh-TW.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\psuser_64.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_es.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_is.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ml.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_no.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_th.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleCrashHandler.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_uk.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_pl.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_et.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_fil.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_sv.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleUpdateCore.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ca.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_cs.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ja.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_kn.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ro.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_sr.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdate.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleUpdateBroker.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\psuser.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_am.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_iw.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_lv.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ru.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleUpdate.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_te.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_zh-CN.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_en-GB.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_fi.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_sk.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\psmachine_64.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\psmachine.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_es-419.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_gu.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_ms.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_pt-PT.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\GoogleUpdateOnDemand.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_da.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_fa.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_id.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Program Files (x86)\Google\Temp\GUME72.tmp\goopdateres_lt.dll	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1672	7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe

C:\Users\Admin\AppData\Local\Temp\7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe
"C:\Users\Admin\AppData\Local\Temp\7e7410e6d6bc1e50f5488b2bd2854e563ec7b729ecb6eb67fe1906ab8119168e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:1736

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
PID:2736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e8 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 1e8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 248 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e0 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1e0 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1d4 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 248 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 1d8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 1e0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1e0 -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2a4 -NGENProcess 280 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2a4 -NGENProcess 1e0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1232

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2032

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:620

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:1780

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2012

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ec691e8eb002cdfb7a8ecf398baf35e8

SHA1
5fb3e7f10f88d11e215e0d29e69f8b93861d182c

SHA256
641223aad7bb7b6a797067c8d39074c1d8172a2feace8d3c748c52a4760752ab

SHA512
48bfdf6f45e9e2dde1986218c842a9c4b3668ce6a3d81d5d9c3d42cd17a6577f90923d0d198ae887ab6ba7b028e39832ddc431e7332ef0979b36764955a41203

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
896KB

MD5
3f4d3e2d01852df2df76ef87cbfd8752

SHA1
0615b6cbb92517b0521d7d181491a26fd9cd9970

SHA256
4bd075e4b2575723f4af94f622611f327220b5a9767d28d8d9a50c0edfd6daa9

SHA512
ae363c18064273015c2835c8388a81a7d4a1f7b6b60fd9af6db8da283198a1b831b25b080acb635a0b018691ac1eff4705f0a0437807df7e526d642a3693ae48

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
751KB

MD5
6923f59be706a7c6c62bc9959259231b

SHA1
59950cf2156b941058799c727fcd360208d5f5f1

SHA256
3fbfe7cac1de74a839c2adf571954e78eac186dd7c7ab07194c15355a499d074

SHA512
a01a836ee41f0e20403e9eb2bebd9e4585246c7c989f944da7fd8b6ab4042d973d65f7798f80db4ce41bb8560c54a70bdc57bbab0d1416936fa3f563d220ddd4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
692KB

MD5
172740ca9b9a68811924812c009fb618

SHA1
26ee3e9c8bc88360b50609dcc8759c3ce0f4d733

SHA256
0497847d0d3062a12fefa3e0a99ab8e6236a54f7c51f34f9914fe5d97449b79b

SHA512
280234657f327ecd431bbabea669b7a65d469d5fefc57b4824a8fe38a97eabdcb9628d6ead5cdb2acad1be7f14e390543e7bb18d66f3baba47f32e17974c5a76

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
ed10eb8d80a8a43e4840b7e359032dbc

SHA1
bbc268da4554b3e148dc7030cc54347967e8f1dd

SHA256
7b2e035f5ba52aca47c883c0aa35a1856605b8bd93a975431027b020b3e43873

SHA512
1585f02d4f0ea6e2e3427d72c5c5e419e20690d123efd32e9bee93fc88f8bf0adc2ed4f1cc2c6c1458841edfbae094d48d4aa55ef1ef28a926cf3cfa8d1dca60

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
916c5a2c021ea86a6511f082e806c207

SHA1
72998c565dfcaa2dd13cd88fd9d5c1cd6904ac30

SHA256
ce41ad9ef2da9a9779964a16d1769968f577d8acac22a902584d4987fbf25e75

SHA512
3087c9a876d39271e0f8f98e5b599797ae8c25bc54c9dcbf28ddb8e690a24906ae14bebab73fb6701ca211669caac9ad917d9f854ab4fcf2d0611ca0bd7ad2dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
646KB

MD5
f8fcac5044845ba42e4c9cba9d370b55

SHA1
0cafe6184cf2f37fc2f0c6407d0d6ab202afb897

SHA256
30c2b9a26e244f2c45c059d0cc33ad776fcc10e33a9277271c83f54a3a77b275

SHA512
d988980f2601a58b608a3bbf3a7956346f232aa7402c040d5c4b21684927baaa292d6cb96502d42af1890522829d73a37fb28253af8ddf7692538802a6ca2053

Download Submit
memory/900-289-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/900-290-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/900-291-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/900-284-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/900-280-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/900-279-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/900-268-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1056-345-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1056-348-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1056-337-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1056-361-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1056-362-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1312-397-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1564-282-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1564-281-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1564-278-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1564-264-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1564-258-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1564-257-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1672-254-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1672-0-0x0000000001E10000-0x0000000001E77000-memory.dmp

Filesize
412KB

Download
memory/1672-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1672-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1672-6-0x0000000001E10000-0x0000000001E77000-memory.dmp

Filesize
412KB

Download
memory/1736-177-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1736-171-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/1756-360-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/1756-363-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1756-377-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1756-378-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1756-351-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-316-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-317-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1996-303-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1996-294-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-301-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2032-150-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2032-113-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2092-103-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2092-97-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2092-121-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2092-96-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2160-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2160-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2160-12-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2160-26-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2348-124-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2348-266-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-123-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-129-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2356-283-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2356-140-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2356-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2356-148-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2400-387-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2400-393-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-381-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-321-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-329-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2452-333-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-347-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-346-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-314-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/2632-332-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-331-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-307-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-318-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-174-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2720-71-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2736-300-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2736-157-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2736-175-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2736-173-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2736-255-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2736-160-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2736-165-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2832-391-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2832-392-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-374-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-372-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2832-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download