Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/02/2024, 18:36

Static task: static1

Behavioral task: behavioral1
  Sample: 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
  Resource: win10v2004-20240226-en
General
Target: 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
Size: 1.8MB
MD5: ae6b7e429e8d58bfd8595410c18f64d5
SHA1: c2d8d0d723935d4d7c4a2abf3fcd5a5d09ca63c3
SHA256: 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c
SHA512: f7f13afbfe1b0e5ea25d1a0998ae9f196f5ea92dda4224b291ef91699abfc7f34f1e15a5c08ab72afaf2669ad397bf3fa21a260a34fdd89ea7807b27ca51b73a
SSDEEP: 49152:Bx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAICks7R9L58UqFJjskU:BvbjVkjjCAzJhC17DVqFJU
Malware Config
Signatures

Executes dropped EXE 50 IoCs
| pid | Process |
|---|---|
| 464 | Process not Found |
| 2608 | alg.exe |
| 576 | aspnet_state.exe |
| 1512 | mscorsvw.exe |
| 1732 | mscorsvw.exe |
| 1940 | mscorsvw.exe |
| 1524 | mscorsvw.exe |
| 3048 | ehRecvr.exe |
| 2796 | ehsched.exe |
| 2912 | elevation_service.exe |
| 2252 | dllhost.exe |
| 2684 | GROOVE.EXE |
| 2844 | maintenanceservice.exe |
| 1888 | OSE.EXE |
| 1884 | OSPPSVC.EXE |
| 1700 | mscorsvw.exe |
| 2780 | mscorsvw.exe |
| 1584 | mscorsvw.exe |
| 2716 | mscorsvw.exe |
| 312 | mscorsvw.exe |
| 1084 | mscorsvw.exe |
| 976 | mscorsvw.exe |
| 1672 | mscorsvw.exe |
| 952 | mscorsvw.exe |
| 2412 | mscorsvw.exe |
| 548 | mscorsvw.exe |
| 1152 | mscorsvw.exe |
| 2908 | mscorsvw.exe |
| 1580 | mscorsvw.exe |
| 2628 | mscorsvw.exe |
| 2440 | mscorsvw.exe |
| 2792 | mscorsvw.exe |
| 1668 | mscorsvw.exe |
| 884 | mscorsvw.exe |
| 1432 | mscorsvw.exe |
| 2260 | mscorsvw.exe |
| 3008 | mscorsvw.exe |
| 2100 | mscorsvw.exe |
| 2780 | mscorsvw.exe |
| 1172 | mscorsvw.exe |
| 344 | mscorsvw.exe |
| 2616 | mscorsvw.exe |
| 924 | mscorsvw.exe |
| 1732 | mscorsvw.exe |
| 1664 | mscorsvw.exe |
| 2736 | mscorsvw.exe |
| 2952 | mscorsvw.exe |
| 1916 | mscorsvw.exe |
| 1060 | mscorsvw.exe |
| 2576 | mscorsvw.exe |
Loads dropped DLL 11 IoCs
| pid | Process |
|---|---|
| 464 | Process not Found |
| 464 | Process not Found |
| 464 | Process not Found |
| 464 | Process not Found |
| 464 | Process not Found |
| 1664 | mscorsvw.exe |
| 1664 | mscorsvw.exe |
| 2952 | mscorsvw.exe |
| 2952 | mscorsvw.exe |
| 1060 | mscorsvw.exe |
| 1060 | mscorsvw.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory 8 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\System32\alg.exe | 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\14681c2b4501ed38.bin | alg.exe |
| File opened for modification | C:\Windows\system32\dllhost.exe | 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe |
| File opened for modification | C:\Windows\system32\fxssvc.exe | 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe |
| File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe |
| File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE |
| File opened for modification | C:\Windows\system32\fxssvc.exe | mscorsvw.exe |
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 59 IoCs
Modifies data under HKEY_USERS 29 IoCs
Suspicious behavior: EnumeratesProcesses 1 IoCs
| pid | Process |
|---|---|
| 1364 | ehRec.exe |
Suspicious use of AdjustPrivilegeToken 34 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeTakeOwnershipPrivilege | 2184 | 07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: 33 | 3044 | EhTray.exe |
| Token: SeIncBasePriorityPrivilege | 3044 | EhTray.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeDebugPrivilege | 1364 | ehRec.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: 33 | 3044 | EhTray.exe |
| Token: SeIncBasePriorityPrivilege | 3044 | EhTray.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeDebugPrivilege | 2608 | alg.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeDebugPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1524 | mscorsvw.exe |
| Token: SeShutdownPrivilege | 1940 | mscorsvw.exe |
Suspicious use of FindShellTrayWindow 2 IoCs
| pid | Process |
|---|---|
| 3044 | EhTray.exe |
| 3044 | EhTray.exe |

Suspicious use of SendNotifyMessage 2 IoCs
| pid | Process |
|---|---|
| 3044 | EhTray.exe |
| 3044 | EhTray.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe"C:\Users\Admin\AppData\Local\Temp\07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:576
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1512
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1732
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 24c -NGENProcess 248 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1ec -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 240 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1ec -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 27c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2412
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 284 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 240 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1ec -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1580
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 248 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2628

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 290 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2440

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2792

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 294 -Pipe 23c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1668

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 28c -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:884

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a4 -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1432

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 1ec -Pipe 28c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2260

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:3008

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 274 -NGENProcess 29c -Pipe 1a8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2100

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 2b0 -Pipe 238 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:344

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2c8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2616

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 290 -NGENProcess 2d4 -Pipe 244 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:924

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 290 -NGENProcess 2d0 -Pipe 2a0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1732

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1cc -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1664

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2736

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 290 -NGENProcess 2e8 -Pipe 2c0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2952

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2e8 -NGENProcess 1cc -Pipe 2d4 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1916

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 2ec -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1060

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 290 -NGENProcess 2f4 -Pipe 2e8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1524

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2780

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1172

C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3048

C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:2796

C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2912

C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:2252

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:2844

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1888

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1884
Network
MITRE ATT&CK Enterprise v15
Downloads