Analysis
max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 04:58
Static task: static1
Behavioral task: behavioral1
  Sample: 7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda.exe
  Resource: win10v2004-20240226-en
General
Target: 7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda.exe
Size: 1.8MB
MD5: b4a950b36a8a71d5e3769ae5454b6f76
SHA1: d8a5c3c34d909e918d20f10d55a9f2c1c8956d5d
SHA256: 7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda
SHA512: 7056c999d8152c8ed5ace3b1560e6053dbb2a8c39dd503db50c1f4e6aad970b4b45a406b75502f4fdd4a736392551f6668fd957db45b265f75e5bdcbacf1e59e
SSDEEP: 49152:rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA4Dmg27RnWGj:rvbjVkjjCAzJ1D527BWG
Malware Config
Signatures
Executes dropped EXE 51 IoCs
Loads dropped DLL 11 IoCs
pid   Process
480   Process not Found
480   Process not Found
480   Process not Found
480   Process not Found
2600  mscorsvw.exe
2600  mscorsvw.exe
480   Process not Found
488   mscorsvw.exe
488   mscorsvw.exe
1920  mscorsvw.exe
1920  mscorsvw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\dllhost.exe | mscorsvw.exe
File opened for modification | C:\Windows\System32\alg.exe | 7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\496597a078a61a12.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 56 IoCs
Modifies data under HKEY_USERS 30 IoCs
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2604  ehRec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2880  EhTray.exe
2880  EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid   Process
2880  EhTray.exe
2880  EhTray.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda.exe"C:\Users\Admin\AppData\Local\Temp\7456bad45e6eb13416c4110685fb6a365adf88e99806e9e2d497e6f3acec4eda.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:276
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2716
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1ec -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1ec -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 24c -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2444
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 238 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2320
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:768
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 254 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2640
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 284 -Pipe 1ec -Comment "NGen Worker Process"
- Executes dropped EXE
PID:556
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 288 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2932
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2244
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1800
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 254 -Pipe 288 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2952
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 260 -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2132
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:3008
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2404
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 2a4 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2504
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2284
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2356
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2544
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 204 -NGENProcess 1e4 -Pipe 208 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1312
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 254 -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1200
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 22c -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2436
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 204 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2952
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 230 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2600
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 268 -NGENProcess 22c -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2432
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1b0 -NGENProcess 204 -Pipe 230 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2148
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1b0 -NGENProcess 204 -Pipe 230 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:488
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 204 -NGENProcess 1e4 -Pipe 1bc -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2948
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 1dc -Pipe 1b0 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1920
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 22c -NGENProcess 1dc -Pipe 270 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1524
-
C:\Windows\ehome\ehRecvr.exe (level 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1228
-
C:\Windows\ehome\ehsched.exe (level 1)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:568
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:1644
-
C:\Windows\eHome\EhTray.exe (level 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2880
-
C:\Windows\ehome\ehRec.exe (level 1)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1708
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:1524
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2076
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (level 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2528
-
C:\Windows\system32\dllhost.exe (level 1)
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:1080
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.3MB
MD5: 2c9c15fc716d378364a13578fabf5646
SHA1: e20d4dd1588c49f160b4bff002b45f77847da6e8
SHA256: 952ec439ceb3d3a1f2fe4734cb3af5583ec036bec65fa2ce1b60340d3959b911
SHA512: 4d2b8d76561b5e3d96a15448cbe306886a8a83b583ac9ded43f02a80f9704ce0b1b110955538ca83488ebb6fac2d10e2ddff5ec78c5cf75db9a4934bd406b9d2
-
Filesize: 1.3MB
MD5: 525a7eeb10109d1f10f04a885a5c2725
SHA1: 7595f222898d529d7c2b76665b495832e95bd970
SHA256: 86a2749059e5e7ce7a266c2bea0e8e906affe6deda0d08d7d83610f42338174c
SHA512: 604cb69c6e31ed749bf6fbd66d3f97c72e9bc04145dac861c92fe984060ffd2104d6b2484db6e3dc8a50802a10d13cf3ba91fe59d4d8aa293ffabd583a04a8ce
-
Filesize: 30.1MB
MD5: ad0b9f99f439f016e749842587e53129
SHA1: fdda5472fb42656b106ac2896c7ce764e8ee5986
SHA256: 7327a9a8d5b07676a6f207fa02f3a4d937fdf9442bedbcce20b5ef99b8607d2b
SHA512: dc1f618a27da9683a200d4eefb79a65ace9aab5caaeb36e0be3221371005831c0513e43206424720268c5f40a1a7280ec1b8c58e2ff3cb9c0ac35f7e504a9331
-
Filesize: 1.4MB
MD5: 4384094d9accfa80e182239e0c48e524
SHA1: ef74476b48434906ecd29d8f6593c9b2c29c23a0
SHA256: f246a0f776e7899a17d85267f92318178826aa8e96e3e197d2b13a84e1a9b4f5
SHA512: fbb43316bf523d50ac0109a614c65a35c30bdb276c6c42626f5272f06ee1bdfe492731d23a6e855205d434b9569b7088c7f36381c8ea5f002b258b8bc105d7bc
-
Filesize: 5.2MB
MD5: b1df58a56062699f5b9ff929340adbc7
SHA1: 9d4f3598d2484f3c5b6a58322d156858809c8d41
SHA256: c1f25f7489c0d04b13e8ade39060c1be5c442ab5ee6cf60a586b8b6dd6457a5b
SHA512: 457614d017ef129ad040916bccc1cf39bddad438d8c519a9ec75047cf1eabbea002b29543d4906626e57f4c5e39126d2561735aced1fc2c38dfbb1bd24218964
-
Filesize: 2.1MB
MD5: 40a781bf935f7bf4fc6bf4827404838c
SHA1: 7c292e7f8b622bf1c37496a1a3fe193f88ea85fa
SHA256: e058b7f94ca12ca6abf5347eee728538ac0d9c15b3200d74632a9b3fd26f801b
SHA512: 9e80085f22cd49cd80c49832710b87ad501819dd41c3966a47c69d35fb566ea845a6ad875839c671b3497d14dd98bb9f77391bbfc779a78a9124efb797d47a2f
-
Filesize: 872KB
MD5: af901fc78eafa2f8d24dbfebf108863a
SHA1: d049976aceddf160c22b2af0e5bd7cf58b41d288
SHA256: f141cbdd8f643cf869bc0d48fe6e5487544e3372c5a5d0cbf9dd9017f7e0ee53
SHA512: c5fc1d1821170eec48eb3388bf07e56ba567aa57d43766caea091197d4bce9ec4e3ab0608a56be46eec017b73f5e8f22c522540706e675d206543cdcdb765571
-
Filesize: 1.3MB
MD5: 60852a44909c11dcfea9cd9951876faf
SHA1: ac224a6e39a19bafba39d9a4f556a64fba3404ae
SHA256: b1fda08fa153a8771e6deed08a529a99a43aa39de09bbe010cec2835eef9d38a
SHA512: 9c62f54929edc0716e5e3e50954965d3618680326a2b4458667c9af3eb4fcff048b30af2462334af139cd673060d4a380db8e9d68f6612a4f41f11ad6237eb2e
-
Filesize: 8KB
MD5: 8804835fb71ad482679c97d1a767cbf6
SHA1: 9c5031e7245a57883de199c72f142f15aa156412
SHA256: 8752635640ff0d51191c33a91a8b3a7c1ba5f57af860471d288c9549b301f827
SHA512: ba209979712a3059cc91ab79096318d21bf764773f0c4c517408f02ed621ca54bfcfbe760b8dde4a6651af289fe99b7dcc739883f281680ba7241a41a016ba97
-
Filesize: 1.2MB
MD5: 3bb514157d03efe49848151c4cc15b95
SHA1: 52752b808b209496e86ba99133f0ffd2fabfc683
SHA256: 6559339dd340db887063d4104aa01987e4384b686472d813f96ffa7c88006eec
SHA512: d19ef771211db4b16f6193fd77b59a60743329bf074792c0d6bc23b35bd8eb5d9a672e1db996ca739f0568da39c1024bb76cd754898a15236759dd72df5b1569
-
Filesize: 1003KB
MD5: 44c2c379f4fac49e09d5d97d6fefbc19
SHA1: 8f135d2f16edc2065bb748fa2b99a0753f4e8d1d
SHA256: b5d08f4e4697aaeef01befd6feb5ea59d3e25bcf16818b41b3b95dc4c8de2651
SHA512: 2916ed2d57b4b3137332018ce97a0159db7aa4eef28a33a7ed260f4af909c4f8809a8aa4799b0b68bd9aeff1acf767fb1593decd6b7fcd9d935637bbbe670c9c
-
Filesize: 1.3MB
MD5: dd64d7d0ef550daff1564299cb986598
SHA1: 353c52da98ae664d19d7ba8374603a71d82eb393
SHA256: 03063760f660c87af11661c2ddd00547f8d9f1c6a0922444980713c959e49745
SHA512: de6169ac2710934ddfdaf696623bf2a97c37125859af2fa0425bc7fbc7a5ee4e4f933ada6940feca8bf3d94bdb6c171fe58d558f41f43bb9903a7e2a2374caaa
-
Path: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize: 58KB
MD5: 3d6987fc36386537669f2450761cdd9d
SHA1: 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256: 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512: 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
Path: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize: 298KB
MD5: 5fd34a21f44ccbeda1bf502aa162a96a
SHA1: 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256: 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512: 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
Filesize: 1.3MB
MD5: 0354d2c411aef97b1d2889d8eee6b777
SHA1: 918ab3d3d43369ce927e6cc5d804d7c03bc74726
SHA256: 30e49cdd76f8b343d5a15068a8b7c74b1b9fc8b33e8ba61d945681e63e2759cf
SHA512: 3e02b754bfcdeb0ebbd1bcdd6cd9cc2cb781f30bf920f7755d68464cdbcd403d98a3ed6dd3cb0556654f57be46f2605c1483aad2bdb4736defa4edba43791ef0
-
Filesize: 1.3MB
MD5: 245cd3d10f21cd331f164f0c8b1ba655
SHA1: f6d0a11d76a2a4ef561236100225b22bdda59fa1
SHA256: a0bdf6d60a699f04b7f8e7a3a415e78cfadda4d954d37fca18d2fdebf952911c
SHA512: 7b8c7806cc980ff625c58fb481640f161b9859eb39eeee68254a5eb7da2b84c5b023bf1a3085cb231ea0fa9787bc41cb527929bdccc249a21792db6fa7ec71b9
-
Filesize: 1.2MB
MD5: 181c7a44276d7732c1527e6ae4c8bc3f
SHA1: b585335903e6667227f8a603e3b688b138ec177d
SHA256: 223a02978c1312c683a849090b9dc5f31bac7891778eeabf573d110de7dececd
SHA512: 1ff033d915eaf1a6e98c4edbb39295befb9d186b9a2ba9a72923990c0a7f54683f0d630437da3faf6dbedb0790118d0216065c12a34630d353168838ba84f0da
-
Filesize: 1.3MB
MD5: e4d53eb18d1a6a3703fd44f75c1ee595
SHA1: 11c606b2e03666ffe33c1e08c16821f1f9df24bc
SHA256: 70c24dbc3ded0acf08fdf4f5277bc4f5ac390d772ee4ec31a20ae7854a86633b
SHA512: ee9309317c4da07367ae3d46929f556e8303fb5b5e2340cdd71a26a780ac3d83f715e78e1cfe9b06c39aafd57db29eb1f3bd9297c74b1fcf34724195828c31df
-
Filesize: 1.2MB
MD5: 59a15037577598563198fda62104028e
SHA1: 3e703825ebecd5b668d1658017c382d7ba1ea60c
SHA256: 2cfa6a0bed59a8457077d89d3b4282ca0887599b1f97a57b79cbd2d7b89f2386
SHA512: 408471194acb3288f29d5f4244df3cbf5bcae836c2db3bd04a5b3c558ec16e932a76b84eba1673809091a19aae45b28bc2172b46b92137158ec422e8e595f29c
-
Path: \Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCEE3.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll
Filesize: 85KB
MD5: 5180107f98e16bdca63e67e7e3169d22
SHA1: dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256: d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512: 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
Filesize: 1.2MB
MD5: 1bdce016f4c4f494807a43509b0d2f09
SHA1: 85d29385f33eea0c92d5e9fdc04f16a864fddf8c
SHA256: 8fd57800bcaded554c49120d8655d0ab9e354512e9805baee1b24cd4b0546f9d
SHA512: 300fc6361f772df72eb5b606d18250f971729bff6a09f71c47f6fbcefbfa2498785a2dee365584db9b416437931a4b951d52b4ea2161251f378f671342ff3281
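The process tree on this page tags a long list of images that live under C:\Windows and C:\Program Files and are normally vendor-signed (the Framework and Framework64 NGen workers mscorsvw.exe, ehRecvr.exe, ehsched.exe, Chrome's elevation_service.exe, GROOVE.EXE, maintenanceservice.exe, OSE.EXE, OSPPSVC.EXE, dllhost.exe) as "Executes dropped EXE", meaning the sandbox saw those files written during the run before they executed. The -StartupEvent/-InterruptEvent/-NGENProcess/-Pipe command lines are the normal way the .NET Runtime Optimization Service launches its worker processes, so the command lines are not the indicator; the on-disk image is, and the triage follow-up is to re-verify each such image (Authenticode signature or comparison with a known-good hash). The following Python is an added example, not part of this report or of the sandbox's tooling: it parses the two extraction formats seen above (the fused image/command-line process lines with their trailing level marker, and the Filesize/MD5/SHA1/SHA256/SHA512 hash records) into structured records and lists the images worth re-checking. The sample text, sizes and digests inside it are constructed, not taken from this report; PROTECTED_ROOTS and the record layout are assumptions.

```python
"""Parse an extracted sandbox process tree and dropped-file hash list, then
list the system images tagged as dropped-and-executed. Added example; the
sample text below is constructed in the report's format, not report data."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Expected hex-digest length per algorithm; a mismatch means a mangled line.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption: images under these roots are normally vendor-signed, so a
# "dropped" tag on one means the file was rewritten before it ran.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Extraction fuses "<image><command line><level>⤵"; the level is one digit.
_PROC_RE = re.compile(r"^(?P<body>.+?)(?P<level>\d)⤵\s*$")
_PID_RE = re.compile(r"PID:(\d+)")
_HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)\s*$")
_SIZE_RE = re.compile(r"^Filesize\s*(\S+)?\s*$")


@dataclass
class Proc:
    level: int
    image: str
    cmdline: str
    tags: list = field(default_factory=list)
    pid: Optional[int] = None


def split_image(body: str):
    """Cut the fused '<image><cmdline>' at the first '.exe'; the command line
    restates the image (sometimes quoted), which serves as a sanity check."""
    m = re.search(r"\.exe", body, re.IGNORECASE)
    if not m:
        raise ValueError(f"no image path in {body!r}")
    image, rest = body[: m.end()], body[m.end():]
    if not rest.lstrip('"').lower().startswith(image.lower()):
        raise ValueError(f"command line does not restate image in {body!r}")
    return image, rest


def parse_process_tree(text: str) -> list:
    """Process header lines start a record; '- tag' and 'PID:n' lines attach
    to the most recent record; lone '-' separators are ignored."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _PROC_RE.match(line)
        if m:
            image, cmd = split_image(m.group("body"))
            procs.append(Proc(int(m.group("level")), image, cmd))
        elif procs and line.startswith("- "):
            procs[-1].tags.append(line[2:].strip())
        elif procs and (pm := _PID_RE.search(line)):
            procs[-1].pid = int(pm.group(1))
    return procs


def dropped_system_images(procs) -> list:
    """Distinct images under PROTECTED_ROOTS tagged 'Executes dropped EXE':
    the set to re-verify (signature or known-good hash) on a real host."""
    return sorted({p.image for p in procs
                   if "Executes dropped EXE" in p.tags
                   and p.image.lower().startswith(PROTECTED_ROOTS)})


def parse_hash_list(text: str) -> list:
    """Each record is 'Filesize' (value fused or on the next line), optionally
    preceded by a path line, followed by MD5/SHA1/SHA256/SHA512 lines."""
    records, cur, pending_path = [], None, None
    lines = [l.strip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if (sm := _SIZE_RE.match(line)):
            size = sm.group(1)
            if size is None and i + 1 < len(lines):
                i += 1
                size = lines[i]
            cur = {"path": pending_path, "size": size}
            pending_path = None
            records.append(cur)
        elif (hm := _HASH_RE.match(line)) and cur is not None:
            algo, digest = hm.group(1), hm.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars")
            cur[algo] = digest
        elif line.startswith(("C:\\", "\\")):
            pending_path = line
        i += 1
    return records


# Constructed sample in the report's extracted format (not report data).
SAMPLE_TREE = r"""
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2020 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2356
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:568
"""

# Constructed digests of a constructed byte string, so lengths are right.
SAMPLE_BLOB = b"constructed sample bytes, not a real dropped file"
SAMPLE_MD5 = hashlib.md5(SAMPLE_BLOB).hexdigest()
SAMPLE_HASHES = "\n".join([
    "-", "Filesize", "1.3MB",
    "MD5" + SAMPLE_MD5,
    "SHA1" + hashlib.sha1(SAMPLE_BLOB).hexdigest(),
    "SHA256" + hashlib.sha256(SAMPLE_BLOB).hexdigest(),
    "SHA512" + hashlib.sha512(SAMPLE_BLOB).hexdigest(),
    "-",
    r"C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\constructed.ni.dll",
    "Filesize58KB",
    "MD5" + hashlib.md5(SAMPLE_BLOB + b"x").hexdigest(),
    "SHA1" + hashlib.sha1(SAMPLE_BLOB + b"x").hexdigest(),
])

if __name__ == "__main__":
    procs = parse_process_tree(SAMPLE_TREE)
    for p in procs:
        print(f"{'  ' * (p.level - 1)}{p.image} pid={p.pid} tags={p.tags}")
    print("re-verify on disk:", dropped_system_images(procs))
    for rec in parse_hash_list(SAMPLE_HASHES):
        print(rec)
```

Level markers give the tree shape (level 1 entries are roots, level 2 entries are children of the preceding level 1 entry), so the same records can be folded into a parent/child structure; the PID is deliberately not used as a key, since the report reuses PIDs (1524, 1800, 2952) across processes that ran at different times.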