Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-04-2024 22:59
-
Static task: static1
Behavioral task: behavioral1
- Sample: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
- Resource: win7-20240221-en
-
General
- Target: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
- Size: 1.8MB
- MD5: 1bcddb3f1645fc4fadfd03a26ce9bb74
- SHA1: 3851a53552f2bc56976cdd19bf6c99a0f42846c2
- SHA256: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13
- SHA512: 8547f61c107b4c1775b96af4ee51e16b8c710537d0306065e8466cf94463b90f955b8883953436bbd684bd49bb86db44a1a55a70bbb9e0bb3356e4abbff5bb3d
- SSDEEP: 49152:zKJ0WR7AFPyyiSruXKpk3WFDL9zxnSUisGcnlQHPxi:zKlBAFPydSS6W6X9lnpnlS
-
Malware Config
Signatures
-
Executes dropped EXE (40 IoCs)
Processes (pid, process):
- 468
- 2552 alg.exe
- 2408 aspnet_state.exe
- 2540 mscorsvw.exe
- 2864 mscorsvw.exe
- 1508 mscorsvw.exe
- 2764 mscorsvw.exe
- 2228 dllhost.exe
- 2220 ehRecvr.exe
- 2072 ehsched.exe
- 3012 elevation_service.exe
- 1064 IEEtwCollector.exe
- 3004 GROOVE.EXE
- 1740 maintenanceservice.exe
- 2912 msdtc.exe
- 2688 msiexec.exe
- 1496 OSE.EXE
- 2864 mscorsvw.exe
- 2752 OSPPSVC.EXE
- 2036 perfhost.exe
- 1624 locator.exe
- 2996 snmptrap.exe
- 1900 vds.exe
- 2604 vssvc.exe
- 268 wbengine.exe
- 2836 WmiApSrv.exe
- 2568 wmpnetwk.exe
- 400 SearchIndexer.exe
- 2768 mscorsvw.exe
- 1916 mscorsvw.exe
- 2012 mscorsvw.exe
- 2448 mscorsvw.exe
- 1640 mscorsvw.exe
- 1100 mscorsvw.exe
- 908 mscorsvw.exe
- 2808 mscorsvw.exe
- 276 mscorsvw.exe
- 2964 mscorsvw.exe
- 2376 mscorsvw.exe
- 1788 mscorsvw.exe
-
Loads dropped DLL (15 IoCs)
Processes (pid, process):
- 468 (8 entries, no process name recorded)
- 2688 msiexec.exe
- 468 (5 entries, no process name recorded)
- 748 (no process name recorded)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory (19 IoCs)
Processes: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe, alg.exe, msdtc.exe, GROOVE.EXE
Description / ioc / process:
- File opened for modification C:\Windows\system32\SearchIndexer.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\fxssvc.exe (alg.exe)
- File opened for modification C:\Windows\system32\dllhost.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG (msdtc.exe)
- File opened for modification C:\Windows\System32\snmptrap.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\wbengine.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\locator.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\System32\alg.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\fxssvc.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\IEEtwCollector.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\SysWow64\perfhost.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\a25780414501ed38.bin (alg.exe)
- File opened for modification C:\Windows\system32\msiexec.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\System32\vds.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\IEEtwCollector.exe (alg.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (GROOVE.EXE)
- File opened for modification C:\Windows\System32\msdtc.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\vssvc.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
-
Drops file in Program Files directory (64 IoCs)
Processes: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe, alg.exe
Description / ioc / process:
- File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe (alg.exe)
- File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe (alg.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe (alg.exe)
- File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\java.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe (alg.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe (alg.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe (alg.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe (alg.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe (alg.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe (alg.exe)
- File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe (alg.exe)
- File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe (alg.exe)
- File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe (alg.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe (alg.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE (alg.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE (alg.exe)
- File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe (alg.exe)
-
Drops file in Windows directory (33 IoCs)
Processes: mscorsvw.exe, f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe, alg.exe, dllhost.exe, msdtc.exe
Description / ioc / process:
- File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\ehome\ehRecvr.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\ehome\ehRecvr.exe (alg.exe)
- File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (alg.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (mscorsvw.exe)
- File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C6606122-6B51-469D-B687-7FC2AA924C60}.crmlog (dllhost.exe)
- File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C6606122-6B51-469D-B687-7FC2AA924C60}.crmlog (dllhost.exe)
- File opened for modification C:\Windows\DtcInstall.log (msdtc.exe)
- File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat (mscorsvw.exe)
- File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (alg.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log (mscorsvw.exe)
- File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock (mscorsvw.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log (mscorsvw.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
- File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat (mscorsvw.exe)
- File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\ehome\ehsched.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\ehome\ehsched.exe (alg.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe)
- File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat (mscorsvw.exe)
- File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock (mscorsvw.exe)
- File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat (mscorsvw.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log (mscorsvw.exe)
-
Modifies data under HKEY_USERS (50 IoCs)
Processes: SearchIndexer.exe, ehRec.exe, ehRecvr.exe, GROOVE.EXE, wmpnetwk.exe, SearchProtocolHost.exe, OSPPSVC.EXE
Description / ioc / process:
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" (SearchIndexer.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" (SearchIndexer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" (ehRec.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" (ehRec.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" (SearchIndexer.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" (ehRecvr.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (GROOVE.EXE)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ (wmpnetwk.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" (ehRec.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" (SearchIndexer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software (wmpnetwk.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (SearchIndexer.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" (ehRec.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" (SearchIndexer.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" (SearchIndexer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie (ehRecvr.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health (wmpnetwk.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" (ehRec.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" (SearchIndexer.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (SearchProtocolHost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft (ehRecvr.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" (ehRec.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform (OSPPSVC.EXE)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" (ehRec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{DB7B78C0-B840-40B6-96B1-57E3E1A5D25A} (wmpnetwk.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" (ehRec.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" (SearchIndexer.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" (ehRec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software (ehRecvr.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft (wmpnetwk.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" (ehRec.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" (ehRec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit (ehRecvr.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 (OSPPSVC.EXE)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" (SearchIndexer.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer (wmpnetwk.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (SearchIndexer.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" (ehRec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (SearchIndexer.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" (SearchProtocolHost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (SearchIndexer.exe)
-
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (pid, process):
- 1372 ehRec.exe
- 2776 f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe (25 entries)
-
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe, mscorsvw.exe, EhTray.exe, msiexec.exe, ehRec.exe, vssvc.exe, wbengine.exe, wmpnetwk.exe, SearchIndexer.exe, alg.exe
Description / pid / process:
- Token: SeTakeOwnershipPrivilege 2776 f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
- Token: SeShutdownPrivilege 1508 mscorsvw.exe
- Token: SeShutdownPrivilege 2764 mscorsvw.exe
- Token: 33 1592 EhTray.exe
- Token: SeIncBasePriorityPrivilege 1592 EhTray.exe
- Token: SeShutdownPrivilege 1508 mscorsvw.exe
- Token: SeShutdownPrivilege 2764 mscorsvw.exe
- Token: SeShutdownPrivilege 1508 mscorsvw.exe
- Token: SeShutdownPrivilege 1508 mscorsvw.exe
- Token: SeShutdownPrivilege 2764 mscorsvw.exe
- Token: SeShutdownPrivilege 2764 mscorsvw.exe
- Token: SeRestorePrivilege 2688 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2688 msiexec.exe
- Token: SeSecurityPrivilege 2688 msiexec.exe
- Token: SeDebugPrivilege 1372 ehRec.exe
- Token: SeBackupPrivilege 2604 vssvc.exe
- Token: SeRestorePrivilege 2604 vssvc.exe
- Token: SeAuditPrivilege 2604 vssvc.exe
- Token: 33 1592 EhTray.exe
- Token: SeIncBasePriorityPrivilege 1592 EhTray.exe
- Token: SeBackupPrivilege 268 wbengine.exe
- Token: SeRestorePrivilege 268 wbengine.exe
- Token: SeSecurityPrivilege 268 wbengine.exe
- Token: 33 2568 wmpnetwk.exe
- Token: SeIncBasePriorityPrivilege 2568 wmpnetwk.exe
- Token: SeManageVolumePrivilege 400 SearchIndexer.exe
- Token: 33 400 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 400 SearchIndexer.exe
- Token: SeDebugPrivilege 2776 f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe (5 entries)
- Token: SeDebugPrivilege 2552 alg.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 1592 EhTray.exe (2 entries)
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
- 1592 EhTray.exe (2 entries)
-
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes (pid, process):
- 1460 SearchProtocolHost.exe (5 entries)
- 2052 SearchProtocolHost.exe (6 entries)
-
Suspicious use of WriteProcessMemory (61 IoCs)
Processes: mscorsvw.exe, SearchIndexer.exe
Description / pid / process / target process:
- PID 1508 (mscorsvw.exe) wrote to memory of 2864 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 2768 (mscorsvw.exe) (4 entries)
- PID 400 (SearchIndexer.exe) wrote to memory of 1460 (SearchProtocolHost.exe) (3 entries)
- PID 400 (SearchIndexer.exe) wrote to memory of 2628 (SearchFilterHost.exe) (3 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 1916 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 2012 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 2448 (mscorsvw.exe) (4 entries)
- PID 400 (SearchIndexer.exe) wrote to memory of 2052 (SearchProtocolHost.exe) (3 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 1640 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 1100 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 908 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 2808 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 276 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 2964 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 2376 (mscorsvw.exe) (4 entries)
- PID 1508 (mscorsvw.exe) wrote to memory of 1788 (mscorsvw.exe) (4 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2776
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2552
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID: 2408
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2540
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2864
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1508
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2864
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2768
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1916
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2012
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2448
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1dc -NGENProcess 1b0 -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1640
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 274 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1100
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 1dc -Pipe 264 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 908
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 280 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2808
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 1b0 -Pipe 284 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 276
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 258 -Pipe 28c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2964
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 298 -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2376
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 1dc -Pipe 29c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1788
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2764
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID: 2228
-
C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 2220
-
C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID: 2072
-
C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1592
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 3012
-
C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1372
-
C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID: 1064
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 3004
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1740
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2912
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2688
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 1496
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 2752
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2036
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 1624
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2996
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1900
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2604
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 268
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2836
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2568
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 400
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID: 1460
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
    PID: 2628
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 2052
Network
MITRE ATT&CK Enterprise v15
Downloads