Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 04:58
Static task: static1
Behavioral task: behavioral1
Sample: 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
Resource: win7-20240221-en
General

Target: 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
Size: 1.8MB
MD5: bc56577e2d52df71394b539564bfabc9
SHA1: 57fd99a67b8e88de86318ec6fe4d56653dd31e69
SHA256: 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233
SHA512: 333a2e72dc5270b6c8ec5eeeba71839f6d439d4f5b6d954afd3dde81a7311638e29f82ee83597258b93605c070bf76519b716acd2b7f6335304f9b6a3e766db1
SSDEEP: 49152:Kx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAGgDUYmvFur31yAipQCtXxc0H:KvbjVkjjCAzJQU7dG1yfpVBlH
Malware Config

Signatures
Executes dropped EXE (22 IoCs)

pid   Process
468   Process not Found
2948  alg.exe
2896  aspnet_state.exe
2724  mscorsvw.exe
596   mscorsvw.exe
1644  mscorsvw.exe
820   mscorsvw.exe
3056  ehRecvr.exe
1472  ehsched.exe
3048  elevation_service.exe
2920  mscorsvw.exe
1984  mscorsvw.exe
736   mscorsvw.exe
3068  mscorsvw.exe
2032  mscorsvw.exe
1480  GROOVE.EXE
2148  maintenanceservice.exe
1748  OSE.EXE
1632  OSPPSVC.EXE
1776  mscorsvw.exe
1704  mscorsvw.exe
2888  mscorsvw.exe
Loads dropped DLL (4 IoCs)

pid   Process
468   Process not Found
468   Process not Found
468   Process not Found
468   Process not Found

All four DLL loads are attributed to PID 468, which the sandbox could not resolve to an image; the loading process is therefore unknown from this report alone.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (5 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\42746d554501ed38.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_is.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_sr.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_sk.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_en.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_fil.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_en-GB.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_sl.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdate.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_pt-PT.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_gu.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_ko.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_ru.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\psuser.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_id.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_hi.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_hu.dll | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | alg.exe
Drops file in Windows directory (26 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
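The three "Drops file" tables above are flattened rows of the form `<action> <path> <process>`, and the question a responder wants answered from them is which executables were opened for modification and then ran, and which of the overwritten binaries went on to write files themselves. The Python helper below is an added example, not part of this Triage report or of the sample; it parses a constructed subset of rows copied from the tables above, joins them against a subset of the "Executes dropped EXE" table, and reports the overwritten-then-executed set. The row format, the `SAMPLE` constant and the `EXECUTED` subset are taken from this page; nothing else is assumed.

```python
import re
from collections import defaultdict

# The sample's image name exactly as it appears in the report rows.
SAMPLE = "520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe"

# Constructed subset of the report's "Drops file" rows, copied from the
# tables above in the sandbox's "<action> <path> <process>" form.
ROWS = [
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\system32\\dllhost.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\dllhost.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile"
    "\\AppData\\Roaming\\42746d554501ed38.bin alg.exe",
    f"File opened for modification C:\\Windows\\ehome\\ehRecvr.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\ehome\\ehsched.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe {SAMPLE}",
    "File opened for modification C:\\Program Files\\Mozilla Firefox\\updater.exe alg.exe",
    "File opened for modification C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe alg.exe",
    "File opened for modification C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE alg.exe",
    f"File created C:\\Program Files (x86)\\Google\\Temp\\GUM4200.tmp\\goopdate.dll {SAMPLE}",
    "File created C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngenservicelock.dat mscorsvw.exe",
]

# pid -> image, a subset of the report's "Executes dropped EXE" table.
EXECUTED = {
    2948: "alg.exe", 2896: "aspnet_state.exe", 1644: "mscorsvw.exe",
    3056: "ehRecvr.exe", 1472: "ehsched.exe", 2148: "maintenanceservice.exe",
    1748: "OSE.EXE", 3048: "elevation_service.exe",
}

# Paths contain spaces, so anchor on the fixed action prefix and let the
# greedy path group backtrack to the final whitespace-free process token.
ROW_RE = re.compile(
    r"^File (?P<action>opened for modification|created) (?P<path>.+) (?P<proc>\S+)$"
)


def parse_row(row):
    """Split one report row into (action, path, writing process)."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    return m["action"], m["path"], m["proc"]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def executables_opened_for_write(rows):
    """{path: {writer, ...}} for every .exe that was opened for modification."""
    writers = defaultdict(set)
    for action, path, proc in map(parse_row, rows):
        if action == "opened for modification" and path.lower().endswith(".exe"):
            writers[path].add(proc)
    return writers


def overwritten_then_executed(rows, executed):
    """Executables opened for modification that later appear in the executed
    process table, keyed by lower-cased basename, with their writers."""
    by_name = defaultdict(set)
    for path, procs in executables_opened_for_write(rows).items():
        by_name[basename(path)] |= procs
    ran = {img.lower() for img in executed.values()}
    return {name: sorted(p) for name, p in by_name.items() if name in ran}


def second_stage_writers(rows, sample):
    """Processes whose own image was opened for modification by the sample and
    that then wrote files themselves (the alg.exe pattern in this report)."""
    tainted = {basename(p) for p, w in executables_opened_for_write(rows).items()
               if sample in w}
    return sorted({proc for _, _, proc in map(parse_row, rows)
                   if proc != sample and proc.lower() in tainted})


if __name__ == "__main__":
    for name, writers in sorted(overwritten_then_executed(ROWS, EXECUTED).items()):
        print(f"{name:<24} modified by {', '.join(writers)}")
    print("second-stage writers:", second_stage_writers(ROWS, SAMPLE))
```

Run against the subset, the join shows alg.exe, ehRecvr.exe, ehsched.exe and mscorsvw.exe as rewritten by the sample and then executed, and maintenanceservice.exe and OSE.EXE as rewritten by alg.exe and then executed; dllhost.exe was rewritten but never ran in the trace. The second-stage check returns both alg.exe and mscorsvw.exe, and that is the caveat to keep in mind: mscorsvw.exe's only writes in the table are its normal NGen lock and log files, so a rewritten service binary behaving normally after it starts is not evidence that the rewrite was benign.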
Modifies data under HKEY_USERS (9 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (value not captured in this extract) | OSPPSVC.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)

pid   Process
2564  ehRec.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)

description | pid | Process
Token: SeTakeOwnershipPrivilege | 1308 | 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
Token: SeShutdownPrivilege | 1644 | mscorsvw.exe
Token: SeShutdownPrivilege | 820 | mscorsvw.exe
Token: SeShutdownPrivilege | 1644 | mscorsvw.exe
Token: SeShutdownPrivilege | 820 | mscorsvw.exe
Token: 33 | 1724 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1724 | EhTray.exe
Token: SeShutdownPrivilege | 1644 | mscorsvw.exe
Token: SeShutdownPrivilege | 1644 | mscorsvw.exe
Token: SeShutdownPrivilege | 820 | mscorsvw.exe
Token: SeShutdownPrivilege | 820 | mscorsvw.exe
Token: SeDebugPrivilege | 2564 | ehRec.exe
Token: 33 | 1724 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1724 | EhTray.exe
Token: SeDebugPrivilege | 2948 | alg.exe

"Token: 33" is a privilege the sandbox reports by LUID rather than by name; LUID 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. The two entries worth attention are the sample's SeTakeOwnershipPrivilege, which is what lets an administrator-level process take over protected files such as the System32 and Microsoft.NET executables it opened for modification, and SeDebugPrivilege in alg.exe, which a legitimate Application Layer Gateway service has no reason to enable.
Suspicious use of FindShellTrayWindow (2 IoCs)

pid   Process
1724  EhTray.exe
1724  EhTray.exe

Suspicious use of SendNotifyMessage (2 IoCs)

pid   Process
1724  EhTray.exe
1724  EhTray.exe
Suspicious use of WriteProcessMemory (32 IoCs)

All 32 entries are writes by PID 1644 (mscorsvw.exe) into one of its eight NGen worker children, four writes per child:

description | pid | Process | procid_target
PID 1644 wrote to memory of 2920 | 1644 | mscorsvw.exe | 39 (4 entries)
PID 1644 wrote to memory of 1984 | 1644 | mscorsvw.exe | 42 (4 entries)
PID 1644 wrote to memory of 736 | 1644 | mscorsvw.exe | 43 (4 entries)
PID 1644 wrote to memory of 3068 | 1644 | mscorsvw.exe | 44 (4 entries)
PID 1644 wrote to memory of 2032 | 1644 | mscorsvw.exe | 45 (4 entries)
PID 1644 wrote to memory of 1776 | 1644 | mscorsvw.exe | 50 (4 entries)
PID 1644 wrote to memory of 1704 | 1644 | mscorsvw.exe | 51 (4 entries)
PID 1644 wrote to memory of 2888 | 1644 | mscorsvw.exe | 52 (4 entries)
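A WriteProcessMemory signature on its own does not distinguish a parent initialising a child it has just created from a write into an unrelated process, and the raw table above repeats each edge once per call. The Python below is an added example, not part of the report or the sample, that collapses rows of the report's `PID <src> wrote to memory of <dst> <src> <image> <procid_target>` form into distinct edges with counts and labels each edge as a child-spawn write (the target is a child of the writer in the process tree) or a cross-process write. The report rows and the child list for PID 1644 are copied from this page; `HYPOTHETICAL_ROW`, with PIDs 9001 and 9002 and the image name `example.exe`, is constructed only to exercise the alerting path and does not describe anything this sample did.

```python
import re
from collections import Counter

# Constructed subset of the report's WriteProcessMemory rows, in the
# sandbox's "PID <src> wrote to memory of <dst> <src> <image> <procid_target>" form.
REPORT_ROWS = [
    "PID 1644 wrote to memory of 2920 1644 mscorsvw.exe 39",
    "PID 1644 wrote to memory of 2920 1644 mscorsvw.exe 39",
    "PID 1644 wrote to memory of 2920 1644 mscorsvw.exe 39",
    "PID 1644 wrote to memory of 2920 1644 mscorsvw.exe 39",
    "PID 1644 wrote to memory of 1984 1644 mscorsvw.exe 42",
    "PID 1644 wrote to memory of 1984 1644 mscorsvw.exe 42",
    "PID 1644 wrote to memory of 1984 1644 mscorsvw.exe 42",
    "PID 1644 wrote to memory of 1984 1644 mscorsvw.exe 42",
    "PID 1644 wrote to memory of 736 1644 mscorsvw.exe 43",
    "PID 1644 wrote to memory of 736 1644 mscorsvw.exe 43",
    "PID 1644 wrote to memory of 736 1644 mscorsvw.exe 43",
    "PID 1644 wrote to memory of 736 1644 mscorsvw.exe 43",
]

# HYPOTHETICAL row, not from this report: a write into a process the writer
# did not create. Included only to exercise the cross-process alert path.
HYPOTHETICAL_ROW = "PID 9001 wrote to memory of 9002 9001 example.exe 99"

# parent pid -> child pids, from the report's process tree (the level-2
# "NGen Worker Process" entries under PID 1644).
TREE_CHILDREN = {1644: {2920, 1984, 736, 3068, 2032, 1776, 1704, 2888}}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<src2>\d+) "
    r"(?P<image>\S+) (?P<target>\d+)$"
)


def parse_row(row):
    """Return (src_pid, dst_pid, image, procid_target) for one report row."""
    m = ROW_RE.match(row)
    if m is None or m["src"] != m["src2"]:
        raise ValueError(f"unrecognised row: {row!r}")
    return int(m["src"]), int(m["dst"]), m["image"], int(m["target"])


def collapse(rows):
    """Count repeated (src, dst, image) edges; the sandbox logs every call."""
    return Counter((s, d, img) for s, d, img, _ in map(parse_row, rows))


def classify(rows, children):
    """Label each distinct edge 'child-spawn' when the target is a child of the
    writer in the process tree, else 'cross-process'; keep the call count."""
    out = {}
    for (src, dst, img), n in collapse(rows).items():
        kind = "child-spawn" if dst in children.get(src, set()) else "cross-process"
        out[(src, dst, img)] = (kind, n)
    return out


def cross_process_writes(rows, children):
    """Edges that deserve a closer look: writes into processes the writer did not spawn."""
    return sorted(edge for edge, (kind, _) in classify(rows, children).items()
                  if kind == "cross-process")


if __name__ == "__main__":
    for (src, dst, img), (kind, n) in classify(REPORT_ROWS + [HYPOTHETICAL_ROW], TREE_CHILDREN).items():
        print(f"{img} {src} -> {dst}: {kind} x{n}")
```

On the report's own rows every edge is child-spawn, which is consistent with the parent setting up freshly created NGen workers rather than injecting into a running process; only the hypothetical row is flagged. The tree data is the important input: without the parent-child relation the same rows are indistinguishable from injection.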
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

These three TTP-level signatures, like the browser-data one above, are not attributed to a specific process in this report.
Processes

Every process flagged "Executes dropped EXE" below runs from a System32, Microsoft.NET, ehome or Program Files path rather than from a temporary directory; the alg.exe, aspnet_state.exe, mscorsvw.exe, ehRecvr.exe, ehsched.exe, maintenanceservice.exe and OSE.EXE images all appear in the "Drops file" tables above as opened for modification by the sample or by alg.exe before they ran. Entries are at depth 1 unless indented under a parent.

C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe (PID 1308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe (PID 2948)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2896)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 2724)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 596)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1644)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2920, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
      - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1984, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
      - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 736, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
      - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 3068, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
      - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2032, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
      - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1776, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1d0 -Pipe 240 -Comment "NGen Worker Process"
      - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1704, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
      - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2888, child of 1644)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
      - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 820)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\ehome\ehRecvr.exe (PID 3056)
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\ehome\ehsched.exe (PID 1472)
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

C:\Windows\eHome\EhTray.exe (PID 1724)
  Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 3048)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

C:\Windows\ehome\ehRec.exe (PID 2564)
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 1480)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 2148)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 1748)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 1632)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network

MITRE ATT&CK Enterprise v15

Downloads
Files are listed by size and hash only; the report gives no file names.

1. Filesize: 706KB
   MD5: 265dc44f0d794400e5f67c9ca17c9360
   SHA1: 3785eaad7fb95c3c5897daae86f84024ef30896b
   SHA256: 38223a7141e5dcde3081c8d6df5d0ffa69553519373c370ea4a1550a5b39b4c2
   SHA512: 00b045d7eec1a8556eb2fe3039bdb247c9c6fea00320e3d50e05c23c5af41301a37d6fa63eaec1fb5aff9225145a559baf430e00ec04a96db61b002be6f47921

2. Filesize: 30.1MB
   MD5: 27c95818648fb0cdcd6f32c0a8877716
   SHA1: e6728a45c156e7ae47390713e8fa75bf45e3fcea
   SHA256: 8c56270919b2f7949c2cdeecb1f1068d79159e7ea77d5908396141582e1dead8
   SHA512: 91baf4d4a17a0c13489404a54f5d10fd16f60ec99fe80cce6448dd94ecdc9698b1a9e1ebfb88cef1416ebfa52d5efd6c1f785faccd9df2872dbd8420491f217b

3. Filesize: 781KB
   MD5: 319f7e43a9ae3b3735204065dcbd79f9
   SHA1: 9f63cf2c99ba51ac2cf09d3ab4d9d319c0c8184a
   SHA256: 1fbedeb538c9129707b83fb006d1b1752ec32f3e1b9cea2da5ddde0e9c22e9a9
   SHA512: b2df7d79fa5d2d84905a919190c3b77cd108ce30e4fe8ca341e000d335f98dd941ee21050e1c09cef44f30b0cf5199ce88d5a54d0820bce674d06f8d20472098

4. Filesize: 5.2MB
   MD5: 6abc21e2915ce98788f18bb74f0291fc
   SHA1: 3290650e08d516c6e16425defed28938979deefe
   SHA256: 0c9aa17d8847e8c5a9a118aa09c3f3eb6fcd89586d7d76e5e8f7558873308c5b
   SHA512: 74c3bf1b8791be443ced3cd56f691224a65d5f5816022ac037005099381b0029f81284d1aa88131a21927d919e7174ba5ed712178b8bb8333614c344c6d78921

5. Filesize: 2.1MB
   MD5: 282fe11fa77fe76e635a12cdf4790d0f
   SHA1: 1042b8b672afce073d7e3e0f7c2761ec44e0033a
   SHA256: e093620acb26b5c89ae2e28482274ce08856f57d0cf21d22f9286c5c6292908b
   SHA512: b05d1e53c21bb6f763dacc6313e66c3a59a6dd507c0c08507c80250d2ffe50fc72d9b16db8ecf842cc067b385b28eec862f15e11aa4d4020e6c5b8eacb7f7ac7

6. Filesize: 648KB
   MD5: 978dbf6f14458e0811de59593aa18a5e
   SHA1: 7d43f38bd2bb28076e61fc91c7712ed5fe9c2a79
   SHA256: 5c42f7658069f48ea754c6fe49054f64a240f31485aebb0e78e3e99c1aa58c44
   SHA512: 9d659f7198154b4464736cc0b2c6ea508b7b2697b9b5f8543e0f5ca98c5b7e1f1982ca75556bab17f3099ab0d9b1a4450d67eff631a6277716e856a1dca27d27

7. Filesize: 872KB
   MD5: a30873eaff0fd7ed9d7bcc24c2f0f856
   SHA1: 3427e19fb2bb620b1ae3b44b09d27f9fa5474e63
   SHA256: c6df266f197b34b3df7adfde12848f1dff188ece106099e1e2d1bfad29f42c78
   SHA512: e4c735f2ad7591c8c71601c9377191c39b4452d30c8734538dae4d242407b4a92f579a33306e52efc1e8482a13d76c079b77c121c1d218a65827142bcaecacfe

8. Filesize: 678KB
   MD5: 1f2353793a4150c18662250c93356952
   SHA1: 0ba133351a031d5a7c239ba3260471c92d4341c7
   SHA256: 023839ef116a5b957d0c1838be26aff5ea39ab893edfc6af7e27a12abd71c4fc
   SHA512: 9be68940c15b9e731f46f388c01cb176b3b2506d0015eb5d7bb496b6a0b7325b01706527d7458e3e9e3112410774d70383f17290ed042d538506f355eb050f2f

9. Filesize: 625KB
   MD5: 6b483882d3efaaed6197639f1fc0d5fd
   SHA1: 5a12a294297c4468d3e7fcbcaf4b2046c70ce511
   SHA256: 537c34a4476f7554b9dbce90ea769382cbdd346d7a1bc725f8b301855cc30db6
   SHA512: 529aafb521a72146ee5406205454360bc6705c9960142f9ad2769491279036a683050e52426f5d597f97bc1b0407262a46c0822535ce04c46e41635480b3915b

10. Filesize: 1003KB
    MD5: 8a8143fa57125e9700d009165dbc8337
    SHA1: 87148248cf27767f7d9a2cc208e130c840a6e22f
    SHA256: 7c22945dbf12ddd63eadee8cf5bf6cc310411754b014419cd5bc8c17167ec407
    SHA512: 3b8f93773b79aba21b8a9fa15e4f296102ffa490f494abd52b6e1c94d5d0e0777233021af9b1d48b96bab4bf142496dc772f117417f699b5a3895a77d4aa7dce

11. Filesize: 656KB
    MD5: 1896464795dc0ff77ab5e801afbf6e68
    SHA1: cc165c79038cca8144b65aedb2b23abc14582724
    SHA256: 005a1a88d39684c44e4029cdc047f6284d103bee2badcf9ef39fe94d491d7ddc
    SHA512: 1b1371a67d4673bf5c0a9feb81c5d69302f4717b8b56baac6ab67d87a15d344b92fe78347016149497193925d3527d67aeb126f363130cffb26a19b0999fbd70

12. Filesize: 603KB
    MD5: 4a2ecdf6f04540820add878b23b14f9f
    SHA1: f4a2e5b8b89193c20997da47fa46b0c2863055af
    SHA256: 76f7182915fbfdb185988523cafb33099e13b1d08a36c346beed128f52ab7c97
    SHA512: e35eb09d1296472b7642370c67090efdefc3957e8fbbd5c6f098cbf98dec358ef7fdf420f3c00a43a9b1f17e30ed5d46d776150dc745975785247b09a3a59c86

13. Filesize: 644KB
    MD5: fe9a827770762229edb3cd42f9b78d72
    SHA1: 8c66a49fbce6a3be013f8f4b02eddacf13ec1a77
    SHA256: 36b785d31a133a33da6803235d79090eb5943f8f52807e1d4bae4dc9f90f5740
    SHA512: d07674e8d2914d4910fbff029e160c4cb3da6503ad43fc983a0f2466d5a8f81a88969acd2e76fc7049ca41900a36ed61a03f5a7aab6696e5647e43b6f37303bb

14. Filesize: 1.2MB
    MD5: 2ab88eae2c80df542a7d86587ffd902b
    SHA1: d2222ede2781dcade86946ba4c757c16ae32b39a
    SHA256: 45be59e3423c89d58ff10b5500c6769faee4053d92e0b8467d5e61a9f3958f12
    SHA512: e1e95d6972ea7bb36ede3d7877de6f73357b0774a23c65fe84a3662f9c6bed45180bf0206d66b6e1ca1cf59f0a72564450ccabd27d5c8863b2a34e7701f8063c

15. Filesize: 691KB
    MD5: cdccc0c01076277aa45a302ebdfd4a83
    SHA1: f669cb064aac2615567ab7ea73aa079123c51432
    SHA256: 4accf740555536b10f2f8425e2fdbb241d09bb833323ef3d4d4cad7b590a88cc
    SHA512: d9e631b6f35147b1eeb068c2ad7d9b5e950354ca7102afaaba657de4a04a9a308df6a4e97650e1dca377d0ea1b430a13ecafbff58cf7fb2d032d1f4db2228009