Analysis Overview
SHA256
ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea
Threat Level: Shows suspicious behavior
The file ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Uses Volume Shadow Copy WMI provider
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 11:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 11:59
Reported
2024-04-03 12:01
Platform
win7-20231129-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_gu.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_fi.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_ta.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_th.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_bn.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_zh-CN.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_ur.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUMFA.tmp\goopdateres_ko.dll | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{08BFA7A4-1C29-4C76-88CE-023324E0ECCA}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{08BFA7A4-1C29-4C76-88CE-023324E0ECCA}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 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 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | C:\Windows\ehome\ehRec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe
"C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 294 -NGENProcess 2ec -Pipe 2f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 278 -Pipe 304 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 314 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 33c -NGENProcess 32c -Pipe 338 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 344 -NGENProcess 328 -Pipe 340 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 314 -NGENProcess 34c -Pipe 33c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 330 -NGENProcess 328 -Pipe 324 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 350 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 358 -NGENProcess 34c -Pipe 354 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 120 -NGENProcess 204 -Pipe 224 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 378 -NGENProcess 184 -Pipe 374 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 120 -Pipe 36c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 394 -NGENProcess 184 -Pipe 390 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 20c -NGENProcess 384 -Pipe 39c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 38c -NGENProcess 398 -Pipe 380 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 394 -NGENProcess 3a4 -Pipe 20c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 388 -NGENProcess 398 -Pipe 37c -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.13.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
Files
memory/2064-0-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/2064-1-0x0000000001E40000-0x0000000001EA7000-memory.dmp
memory/2064-7-0x0000000001E40000-0x0000000001EA7000-memory.dmp
memory/2064-6-0x0000000001E40000-0x0000000001EA7000-memory.dmp
\Windows\System32\alg.exe
| MD5 | ec1c17c2b90b8107519dbf9cd42705e9 |
| SHA1 | 19af98212b623546ee239060541aa4775eb5345d |
| SHA256 | 663d3c8fe6e30be2cc7ef566dc645a969bc2d214f59863223877872fef4eb696 |
| SHA512 | c7d7332949164fdc2aa222b86300d356b8b2c01aa95822c6f4bbd73ad57992586c239124671f49507ce3a0f671c542d4521bf53f447f8247f5a4ad197690f404 |
memory/2680-13-0x0000000100000000-0x0000000100144000-memory.dmp
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | 522218611368b8091ec79ad89711dc30 |
| SHA1 | 35010fb8e34d8d759b80ab9dbe48483e30b33a1d |
| SHA256 | 84241eb942fdb6575a547f5e9560f12c95dbcc184aff6d239f9e9959a746233a |
| SHA512 | 1714abe8a00aeb7ba628cb3bcc76775d55abea5d011a35b7a74410c4ae771f9c01aa50c46c3cc0a0dcfb66423556b58937f646eee9aecc6b8f4aeaa6c0f5d0cc |
memory/2564-74-0x0000000140000000-0x000000014013D000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 9a49438aca346f1fa30ededfe4bfbf39 |
| SHA1 | e4bfe7ab26dacf286da1730d290338ab9e946716 |
| SHA256 | 40a275485c7f26fcfcdd8f6af5c18d27d282061b5ffa9190c8c7aeea4f85c8fc |
| SHA512 | 0d0c0b0c8d115e201f80f70a20219a8fa2e259c367545927852f880de39e8a4cca9d950948211e6b0a393ce545e72d862170edc1bb1abd7c3f98a5e84f00a0c3 |
memory/2120-88-0x0000000010000000-0x000000001013F000-memory.dmp
memory/2120-89-0x0000000000260000-0x00000000002C7000-memory.dmp
memory/2120-94-0x0000000000260000-0x00000000002C7000-memory.dmp
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | 78c87be04b7f4f8aab242393a1658d5c |
| SHA1 | a3f985b7743bcc147624fadaa21760a4085a8748 |
| SHA256 | 8395449026f079f2ecdf19dd1078e20348bd82aba111156e4c7f6c31ef458271 |
| SHA512 | 7ec48c8d2264e4a178e013c34cb34073b78c1b6fcb9268f5df628e18d794bae594c159c6f5d989392440049e6a813dc4137abbc1f6568e34338aba299ed9e463 |
memory/1348-105-0x0000000010000000-0x0000000010147000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | 98c7a62ee92e79420f875403f72ae325 |
| SHA1 | 3aa54fa0f93a8ef78d94dee055d08dd273a3c1f0 |
| SHA256 | 78498e553b6630ac9d970631bb6729ae1e705e3aa5706a2ad073ab9ae7889dfb |
| SHA512 | 283ad993cca5e3137ad8b984166e368552e4401a5400fd605b18a4bcfab3f16d496de9a243548be43e8c72b42ebeb88d6994a89d8c4138ccabc4fe1d8db0a96b |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 922ad6a66033dbcb812e00e780127438 |
| SHA1 | f78a968c0dcf43588888d9f102ad320dcd92be1b |
| SHA256 | 0d850c59e7e6e46234839dc399189d16a8f6e5b1315c84e2c56b2b5c9ce9e1b6 |
| SHA512 | 346b6966fc71e9b7ffbe2b0a8e1c3bc1850cbe13dee455245384f7a83e5273268e7f29f93ce5b9f335f1f3d6e5c1161c9a3316678aabb96528bdf9f9d8f96826 |
memory/1480-112-0x0000000000400000-0x0000000000548000-memory.dmp
memory/1480-113-0x0000000000740000-0x00000000007A7000-memory.dmp
memory/1480-119-0x0000000000740000-0x00000000007A7000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\e88e886856fe8faa.bin
| MD5 | 363c7e0023d0e718540175f7cc4adf92 |
| SHA1 | efee011900d4fec995ac0aa0d9f29c0a4707d531 |
| SHA256 | 76b3f89f28ceb8ae2446af0c0419e85823d126f8bd2b331fa6c7c998bca24b06 |
| SHA512 | 735a1af8796b74bea3ec40ea3d0c698256ac9d9aed36c4cff3b0124aedd9cb246fe28a10e74442811819b77ecf9b7858f51700c01983e0a6bdabd0316359107a |
memory/2120-130-0x0000000010000000-0x000000001013F000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 5e2ec383901ca553e2352eb75928f73a |
| SHA1 | 78b8765d4afcd9a26117df3b1c54e7bdc91badb3 |
| SHA256 | e4a26ebbf8a094ce24524af602acf023387ecdb8e30658b596116e7e7e66ea69 |
| SHA512 | 8764bab7ec402679394842126f6a4790c4404873f384e3723505754225839b4d32b602f02db162313c6c09941b528fbb65395e0b4726792da5af5753b298a96c |
memory/1988-133-0x0000000140000000-0x000000014014E000-memory.dmp
memory/2064-140-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1988-139-0x00000000003F0000-0x0000000000450000-memory.dmp
memory/1988-132-0x00000000003F0000-0x0000000000450000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | d248e28f66fff8a2840933df66a44752 |
| SHA1 | 4af320216d8a4f7ba620ca1a31b56b2180c3e935 |
| SHA256 | 5a2b9a583aeb645d67dbb36530067b755e16cd77ffb19bf3276f9bb492649164 |
| SHA512 | 0f2ea6313f89b0b7d1702ac28db07cacf014a6ec80a0b823d169ef3e6920ed87a6f6ff1754682429494d8ad7c56bb4ee46e4795b026f37b36d59ef5cf245cf51 |
memory/1348-149-0x0000000010000000-0x0000000010147000-memory.dmp
\Windows\ehome\ehrecvr.exe
| MD5 | 23940d29ed8e973a02a1c9bae8507f0d |
| SHA1 | 613eb28b9d18138c7dffda1662349fc54a4ec019 |
| SHA256 | 7fc7927024597c5704e8ee1b6c0e6fef76a6f62a7e843751507d3dc3f77543c9 |
| SHA512 | 699fcc121dbd784d04451909400b8cb2c617fbb18b52f3bd9fb94056d8c5a746befaec2b1bef9e8e09103b65323917e46c80e684b0c8a59c2d0731271cc20be2 |
memory/1720-153-0x0000000140000000-0x000000014013C000-memory.dmp
memory/1720-152-0x0000000000AA0000-0x0000000000B00000-memory.dmp
memory/1720-159-0x0000000000AA0000-0x0000000000B00000-memory.dmp
memory/2680-160-0x0000000100000000-0x0000000100144000-memory.dmp
\Windows\ehome\ehsched.exe
| MD5 | 77142053d70d2cb618309a73f1428c3f |
| SHA1 | 41f05b194bb0ae512ac2200f4ec497b8f83eccb4 |
| SHA256 | 2d2e691fe280d4a7ac9a709a3249c13b773fc4aa7784056a5fd8b8adfeb50bf0 |
| SHA512 | 3125b5c307ea5caf37d84e17b28de6b266d7545795a9404ea4fcec052a9eae038f9cfaedfd4f9453c262eeb54460b24f44c0ab5ffea5395c371c223a121e39c4 |
memory/2564-165-0x0000000140000000-0x000000014013D000-memory.dmp
memory/324-166-0x0000000000B90000-0x0000000000BF0000-memory.dmp
memory/324-171-0x0000000140000000-0x0000000140152000-memory.dmp
memory/324-173-0x0000000000B90000-0x0000000000BF0000-memory.dmp
memory/1720-176-0x0000000001990000-0x00000000019A0000-memory.dmp
memory/1720-175-0x0000000001980000-0x0000000001990000-memory.dmp
memory/1720-177-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/876-181-0x0000000000300000-0x0000000000360000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | cb85be69bb7551388dc0bcdcfee433a0 |
| SHA1 | 68a0e6913053043477c8329916db3a74a0166261 |
| SHA256 | f7e0c4ba9cedba510852db641fb997b2b82407ef3345ab9017ee9cf650a82c34 |
| SHA512 | 076dd4a57b0678d233ede0f9c424c676e45195829fc9e9d997be76721e3cd1d2b2860645c5c44137f9d7854ed20e88223d8cd3de8f2f07059702df9de06f7133 |
memory/876-184-0x0000000140000000-0x0000000140237000-memory.dmp
memory/876-188-0x0000000000300000-0x0000000000360000-memory.dmp
memory/1480-190-0x0000000000400000-0x0000000000548000-memory.dmp
memory/1988-192-0x0000000140000000-0x000000014014E000-memory.dmp
C:\Windows\System32\ieetwcollector.exe
| MD5 | 66a3494038a877fa75c113a00ce6ed7d |
| SHA1 | c41b4117501e6c42745fecf5709f0964697b5692 |
| SHA256 | ee702554ac54273b6fe881f7b3ede9a19033ea8124362d7440373395ccebbaa4 |
| SHA512 | 720243c39c5cba71b5349406e0fe2bbe40990e50c64c3dfb95783557af965605aec6a83c302fb09863d825925a459529affdfbd15106085502ae2591b99e36ba |
memory/1724-196-0x0000000000C00000-0x0000000000C80000-memory.dmp
memory/1724-195-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp
memory/1724-197-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp
memory/552-199-0x0000000140000000-0x000000014014E000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | de71fe0e495d0ff7d04b86c02f55f61e |
| SHA1 | dbc700c27f39170ae74a3b263d0e01d3466a1cc2 |
| SHA256 | 049ff86475fdbbdcf23a81b29cee6787e13c2697d43bdb10fa1088bb952c5a79 |
| SHA512 | 8596e7161a0c4f41907cfdf04ecc63c1c276c9855535904b79d6158bec89325faaf5fb5601187dbd4542b3ce34f155b283fb2ab2d9f0068df6df221d23ee8b6e |
memory/1092-201-0x0000000000290000-0x00000000002F7000-memory.dmp
memory/1092-205-0x000000002E000000-0x000000002FE1E000-memory.dmp
memory/1092-208-0x0000000000290000-0x00000000002F7000-memory.dmp
memory/1720-210-0x0000000140000000-0x000000014013C000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 3a558934fc4cf9275cd94decbd267d6a |
| SHA1 | 46e0381416cf7b93fa86d1d71633137589cd3e56 |
| SHA256 | 8feef3ff5e158754dbc98d0941e4d4214ceb1051049066e2faa30f8f4c9eef9e |
| SHA512 | d514fb3a6bb5e5591016665a015cb9802ca2658443d50a4c1e2e66c2ce2ed4a79c0e794f64ade4a18503d64bdb1b969a958f5093609d80135bb319d7f6641b83 |
memory/1724-215-0x0000000000C00000-0x0000000000C80000-memory.dmp
memory/324-223-0x0000000140000000-0x0000000140152000-memory.dmp
memory/892-222-0x0000000140000000-0x000000014016A000-memory.dmp
memory/892-225-0x0000000000FC0000-0x0000000001020000-memory.dmp
\Windows\System32\msdtc.exe
| MD5 | 15e4ba6cb1b143e8f1e5137c3489e7c7 |
| SHA1 | 2f18d1ca160384969ddb95f5142c1d07fcd6b897 |
| SHA256 | 9e86a2277416fc1082a43bfb3801a907a716b851a4311231c02d25094441a378 |
| SHA512 | 8fcaaab73d63ab46e13078399f296432631aff24a0dce032790b1ba566d54a6af36e31f2289dc2287fb9168c90d5d30f272d1b12ac82f7bad1df39a7eab988da |
memory/2200-229-0x0000000140000000-0x0000000140156000-memory.dmp
memory/892-233-0x0000000000FC0000-0x0000000001020000-memory.dmp
\Windows\System32\msiexec.exe
| MD5 | ffa511433ad82f92e96a8c2c8947454d |
| SHA1 | 820503bf512e81f630646f2fe3d622ca0c3f7df7 |
| SHA256 | cd15ccc823d948c871f2d4df90db71c946b9486d8ff706992529e5a230eda5a7 |
| SHA512 | 87f73a7d0f6c281c27d02bba19772cf10fe8d0864f7fd6dddd32fd19ea86bab60e76315d53a57b976e16f6f9881704595f28423ccbee556ad4deb783a913ab28 |
memory/1720-238-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/2972-240-0x0000000100000000-0x0000000100152000-memory.dmp
memory/2972-241-0x0000000000560000-0x00000000006B2000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 1d2c07d7431150504cdfc2faa21bd813 |
| SHA1 | 66d55853cbb6e185e4f0a2f02a81aeb233e6f118 |
| SHA256 | 4c05fc5d019ea529b765c25f6bd738b35a4efd1defee730b348fd1e63fe2a747 |
| SHA512 | 8a863cb61445b5b6c5583cb4a700510bbd6d5c43d9c4c2cbfec5c19785ace401b6dddf85748ba37fbc8a50770bd722363b321a62b5768f1f071c91b5855352e8 |
memory/876-244-0x0000000140000000-0x0000000140237000-memory.dmp
memory/2676-246-0x000000002E000000-0x000000002E155000-memory.dmp
memory/1724-251-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp
memory/2676-253-0x0000000000310000-0x0000000000377000-memory.dmp
memory/1724-256-0x0000000000C00000-0x0000000000C80000-memory.dmp
memory/1724-257-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
| MD5 | 3df10f4b8d00b65ab552298aca40b23b |
| SHA1 | 2ba5fb902869b5bed2a0ff9475e95f87d239b03d |
| SHA256 | 2b28b274fbf50eeba502f9f3d3482e9c237014136e08e97c9bf48fe3ccf2f93c |
| SHA512 | e8d59b5e8760d947e26a428b6e8db9a108ba43c5f776c712fc810cd9568d54d05f6ff65a9eb39dbd7c16112fa4421ba9e50ee808979206158f8fab028f7b059b |
memory/2800-258-0x0000000100000000-0x0000000100542000-memory.dmp
memory/1724-262-0x0000000000C00000-0x0000000000C80000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 2c290d14f78fc1bad8ef67ab525e9391 |
| SHA1 | fb0339afa608ff3c0fa2fc233b82cac954634712 |
| SHA256 | 3e365cb6d97626d76ab8d1cc24968228b0487c7165e1a7ca33f4ec5752ed9e0f |
| SHA512 | 03240a438d1a86dc8514a53e3baeb1d2ac8e8f7c24696753275f57a15b1a4ec9cff6985fc795a3daa9a5345483d1627778fa645b3102038da398cbbcd25aae09 |
memory/1092-268-0x000000002E000000-0x000000002FE1E000-memory.dmp
memory/2520-271-0x0000000001000000-0x0000000001136000-memory.dmp
memory/892-273-0x0000000140000000-0x000000014016A000-memory.dmp
memory/2520-275-0x0000000000240000-0x00000000002A7000-memory.dmp
\Windows\System32\Locator.exe
| MD5 | d146089941a41f8ea3838e5f31620b24 |
| SHA1 | 675998649d16bec66181e5fb8f93bc19ac6295a0 |
| SHA256 | 00b5ed7b0936005940c35189a80310ec106d96e8957b75c4faa462f691ea0f0c |
| SHA512 | a2e2b96b52c77e5cb1635133594a909bf89d20c00b3d9c2213bb7d7c6f6b48d17e24ce6ab05ad3d54e14dec485b5060267fd00a2ab862c526e6e1e367bcccc1f |
memory/1724-278-0x0000000000C00000-0x0000000000C80000-memory.dmp
memory/2800-281-0x0000000074618000-0x000000007462D000-memory.dmp
memory/2064-355-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1932-354-0x0000000100000000-0x0000000100135000-memory.dmp
\Windows\System32\dllhost.exe
| MD5 | e0769b977f2431fcd84fca648a943eae |
| SHA1 | 6da0e5ac4f529743e8477eade4767e8929fd220e |
| SHA256 | 87a35134f783c1882960c14c518020b06eee6b05ed54467e73a93ebce6aa9cd8 |
| SHA512 | 4c8ef3b954ea010767ca79ddd6c283de7fea0033b9df0a349dbc2d24692482122f626a0a9a79bc01263162f594fa4114bd9d3067a666ac173656ec9718d8a6ae |
memory/2200-360-0x0000000140000000-0x0000000140156000-memory.dmp
memory/576-363-0x0000000100000000-0x0000000100135000-memory.dmp
memory/2972-368-0x0000000100000000-0x0000000100152000-memory.dmp
memory/2972-369-0x0000000000560000-0x00000000006B2000-memory.dmp
memory/576-371-0x0000000000910000-0x0000000000970000-memory.dmp
C:\Windows\system32\fxssvc.exe
| MD5 | e071dd52a9f82217ad1742e360ebe8a1 |
| SHA1 | 4d093bb5a014b749eeffeb95041fe3fbb27b825d |
| SHA256 | 61190c4e498b6203ac95ad630619bfd443d3acd4ae6fda96b6306e7130c397d7 |
| SHA512 | dc2316d4e0c6138e03a3f3034fa8ce2809ba49c276fc00b42264e5e35f3abcb8c42a162341be562772aa940dca4784e2309a4a6276696c503807953d776a441c |
C:\Windows\System32\snmptrap.exe
| MD5 | 9229819d1a4f5c78074b58e13b8257c8 |
| SHA1 | 8483fffdb864e47469f3b24a118f6ff029d87a39 |
| SHA256 | 429248b14d8ba7c6ab84ee1f85efb8818cd083cb75679537614eae85c0d1641f |
| SHA512 | 0cc110c7b8e202aedeffdfd5a4b3d462d04b2e543e07ae5876fdd789a5d952fe73d3edf5a5fffaa41c1b2eefe770c00104e1953c29b78e133d6f61c4b7657e05 |
memory/2676-447-0x000000002E000000-0x000000002E155000-memory.dmp
memory/2832-452-0x0000000000400000-0x0000000000548000-memory.dmp
memory/2832-467-0x0000000000230000-0x0000000000297000-memory.dmp
memory/2800-473-0x0000000100000000-0x0000000100542000-memory.dmp
memory/2832-496-0x0000000073230000-0x000000007391E000-memory.dmp
memory/1724-515-0x0000000000C00000-0x0000000000C80000-memory.dmp
memory/2520-517-0x0000000001000000-0x0000000001136000-memory.dmp
memory/936-519-0x0000000000400000-0x0000000000548000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
| MD5 | cc49905fb5e15090a4a46127f185bee0 |
| SHA1 | 7f243a2c253b2be4e8e87953e96f2901eeabfc1f |
| SHA256 | 331b89b079be485b00ee0621ce2c0f0d8392bf224205ed80b640f0c83c0e3830 |
| SHA512 | 9b3ebb7679b09bf12965360af16983811177652e2307b846744f5759e441f41247f43589f84a7cf477198284e583a02e2c695c37cf736f42f97095ab412377d1 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
| MD5 | 30eb8b1d43987aa92c0fd18e5eec080a |
| SHA1 | 73f691df68ea8d5af27e0315867097066a5e6841 |
| SHA256 | cb77fca140b31f911f856dc447d7787c9dc02e10e9f271b6f13cc95a125d2308 |
| SHA512 | 3cc5e13b6f39920c9711362a9fc4fc09d369209c61e6819a8019892ba186e9be39f8d13d769311c3fe987fbb38023d5da0282187e4d9210daaabc6bb09566eff |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
| MD5 | 108989333002efc1274f74a01f44b325 |
| SHA1 | 6a8f360e978bd068d6460cc76ddb99bd8a6078b8 |
| SHA256 | 6d7d54d50606c93e93ddc4449f078238f5646e6581996150572f2dc67e47a11d |
| SHA512 | 54e98da2ff40f5c6b21cd00d06c6c78c469b1327534019c68aa9e87a42688b35c06b0ac04ac483dec534c5d3dd80b146d02bf9bba8e6eacbce269d838fda5824 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | 72397b8b7ff74e5e6ef09ca57e6377ff |
| SHA1 | dcd8f8243befb02dcb3a8ce65aef95e57cd81242 |
| SHA256 | c08a1239f4f79526733b131278d70442e9296f0a67056e50e8df5275676381f1 |
| SHA512 | 5852447a8025befe39bd2bcbc11ea76748c8f0ee166b0503747b7cb6ec440ad23ca7e2352c591eaeb8330bc17658fdc426504f9efc0315363a570d2447587d54 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 8af2b2ece768ab1295900b15394d9fc2 |
| SHA1 | 2fa01f29c3e5907ca32d4fa24fa27798b2ecbf10 |
| SHA256 | e5ffe6d9105b100cab8fa2247c0e42f9d962b821b76bb937aef5aafecf1ca1a9 |
| SHA512 | 5542d1ce4c3a9c2c296061030ea9cc6651edcef8db6b7199abd7e9e5f5b30bceaef6e040537255afe1a2b86cff3de90f9dee9eba2013a1249465bdf1c265d590 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | fa474a9e59f715d0000baadcda4ed4fe |
| SHA1 | 57c488e060f9a4bb15db73d4703ed5dd9852b1f1 |
| SHA256 | 867f4fb2f1a104c96888252cde89502ca8bd091149bf078000f0731505a37a96 |
| SHA512 | 97bfb1f682bdab38c2044621723608744fbb94d999f6b428d3dd69e41fa9ee1d4a2e1812a9975ea9256d1d763b91a74b6ac58cab998fd7dc61f25267b27ea749 |
C:\Program Files\7-Zip\7z.exe
| MD5 | c78f56b551bba87f56a6c547a6447ce6 |
| SHA1 | fb997ffbc44de471a73e5ed26cfb68a61015fe93 |
| SHA256 | 66f67539815578c4015ad279ca04d2a37f698a4f95acc56400c8683832894541 |
| SHA512 | 266be2e60c82d848a88ed2fd1b768f69a8cd9a0d5c90b2d0d8873e2ff7903a3c74771c593b0b7f543ec6a0bd2897b63dbe9a6a285ec11e95bedefba3751e397b |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | b437e0f6d3002977c9f6643389ae73f1 |
| SHA1 | 9d4f92292e8747d07a2df6726f049480e6ba2e17 |
| SHA256 | a267f8f8832c348fef9b0271417c630188af7e7b2bdfe2146df977592f02d81f |
| SHA512 | 39db4fb184068ab8bb993377776df4dae4d6483f53f37752bf9d4ff03b024511050dc4e2238ff9ff7501aaff1db75dd42ddb6bd66e3548829a22189213d8a57c |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
| MD5 | e7f04e7dbd2295f5fde25a08cf0a5c85 |
| SHA1 | 0fc849204bf0fb0cfcfd7a320f60562055c4a689 |
| SHA256 | 75b81a097c9464d16ee24ca0a1847ff1fae23dd3638a91c6f0f7c6a842ab33aa |
| SHA512 | 8649747552a16dd769c715699a4cab875fa3b6576d36c97dd891620a9c1ba4ddb0603439ef30a25080d6ff587236ad0fbbc5bc56d950cdfee105752736fb06eb |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | a539edda3e266bd0891bf06c8176fc96 |
| SHA1 | 92e5aea096f88847f837d337abbe4849a88718b9 |
| SHA256 | a2dde70cd1b1a7ad85a7386f359486fb0752ecc39964f3539497acea17d89e56 |
| SHA512 | 2aa8dbb8bab968c2135191846d4aeb3093eb86465d6d8bf5d3cf37de47e9f42b0306c3073b083e926d80600207a41697b7aebed878a27941880cc21100cd5295 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 62d8995c5108b3f8fa688ae389129ca2 |
| SHA1 | 1dd5e1a98f7d302ea29a5414be849a3932fd5e1f |
| SHA256 | ea84fdfd7220ba9e473e4b4bae5e4781acb187d85330bb097a2fed028b6da10f |
| SHA512 | a3a5858defaccad776c91a19f68721dfde17af25851e21fb63cf0e207702958ca139dce3e16d46ed7b553e7d238474af66a73603bcc97b3c9519ebb45a352114 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 11:59
Reported
2024-04-03 12:01
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe
"C:\Users\Admin\AppData\Local\Temp\ce06e36a53da8b27603df0381db1e6494bcb4a10103ace9452f2586661a502ea.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4880-0-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/4880-139-0x0000000000400000-0x00000000005D4000-memory.dmp