Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 05:00
Static task: static1
Behavioral task: behavioral1
Sample: fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
Resource: win7-20240215-en
General
Target: fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
Size: 1.4MB
MD5: a0b3478ba7d88729a009bfcf718bdc32
SHA1: a1dff40decc50ec571936748dea4276637071f13
SHA256: fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3
SHA512: 36ff76038676e4243fbed563eb02f5d656592326ddbdf2ff030a7f0ecd3ac75d6f8a9be2e263206148e0b61cf063209b2949023a7f406f51191b6190f0b7cc7e
SSDEEP: 12288:Y2zoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:lI2JOt934J7Z6bQaj1BvUm9J
Malware Config
Signatures
-
Executes dropped EXE 25 IoCs
pid  | Process
480  | Process not Found
2904 | alg.exe
2328 | aspnet_state.exe
2264 | mscorsvw.exe
2156 | mscorsvw.exe
2820 | mscorsvw.exe
2848 | mscorsvw.exe
3056 | ehRecvr.exe
1744 | ehsched.exe
924  | mscorsvw.exe
2520 | elevation_service.exe
1352 | GROOVE.EXE
1964 | maintenanceservice.exe
576  | OSE.EXE
2188 | OSPPSVC.EXE
2284 | mscorsvw.exe
2208 | mscorsvw.exe
2656 | mscorsvw.exe
2616 | mscorsvw.exe
2704 | mscorsvw.exe
2692 | mscorsvw.exe
1292 | mscorsvw.exe
1708 | mscorsvw.exe
1968 | mscorsvw.exe
2964 | mscorsvw.exe
Loads dropped DLL 4 IoCs
pid | Process
480 | Process not Found
480 | Process not Found
480 | Process not Found
480 | Process not Found
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\dllhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a29dfb18bfe435d8.bin | alg.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
All 64 entries have description "File opened for modification" and Process alg.exe; the ioc paths are:
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\GroupRestart.exe
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
C:\Program Files\Java\jre7\bin\java-rmi.exe
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
C:\Program Files\Java\jre7\bin\ssvagent.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files\DVD Maker\DVDMaker.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
C:\Program Files\Java\jre7\bin\rmiregistry.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Internet Explorer\ieinstal.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Google\Update\Install\{F6AFA7E0-7C65-4C06-9D81-8A9FA89DB845}\chrome_installer.exe
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
C:\Program Files\Java\jre7\bin\keytool.exe
C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
Drops file in Windows directory 28 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
Modifies data under HKEY_USERS 9 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 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 | OSPPSVC.EXE
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1512 | fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeShutdownPrivilege | 2848 | mscorsvw.exe
Token: SeShutdownPrivilege | 2848 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeShutdownPrivilege | 2820 | mscorsvw.exe
Token: SeShutdownPrivilege | 2848 | mscorsvw.exe
Token: SeShutdownPrivilege | 2848 | mscorsvw.exe
Token: SeDebugPrivilege | 2904 | alg.exe
Suspicious use of WriteProcessMemory 44 IoCs
description | pid | Process | procid_target
Each of the following 11 entries is recorded four times in the report (44 IoCs in total):
PID 2820 wrote to memory of 924 | 2820 | mscorsvw.exe | 36
PID 2820 wrote to memory of 2284 | 2820 | mscorsvw.exe | 44
PID 2820 wrote to memory of 2208 | 2820 | mscorsvw.exe | 45
PID 2820 wrote to memory of 2656 | 2820 | mscorsvw.exe | 46
PID 2820 wrote to memory of 2616 | 2820 | mscorsvw.exe | 47
PID 2820 wrote to memory of 2704 | 2820 | mscorsvw.exe | 48
PID 2820 wrote to memory of 2692 | 2820 | mscorsvw.exe | 49
PID 2820 wrote to memory of 1292 | 2820 | mscorsvw.exe | 50
PID 2820 wrote to memory of 1708 | 2820 | mscorsvw.exe | 51
PID 2820 wrote to memory of 1968 | 2820 | mscorsvw.exe | 52
PID 2820 wrote to memory of 2964 | 2820 | mscorsvw.exe | 53
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
(depth 1) C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
(depth 1) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2328
-
(depth 1) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2264
-
(depth 1) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2156
-
(depth 1) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:924
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 184 -NGENProcess 1ac -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2284
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2208
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2656
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2616
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2704
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 168 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2692
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1292
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 1ac -Pipe 278 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1708
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1968
-
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 1ac -Pipe 1e0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2964
-
-
(depth 1) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
(depth 1) C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3056
-
(depth 1) C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:1744
-
(depth 1) C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2520
-
(depth 1) C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1352
-
(depth 1) C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1964
-
(depth 1) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:576
-
(depth 1) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2188
Network
MITRE ATT&CK Enterprise v15
Downloads