Analysis Overview
SHA256
4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b
Threat Level: Shows suspicious behavior
The file 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Uses Volume Shadow Copy WMI provider
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:02
Reported
2024-04-07 23:04
Platform
win7-20240221-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\de208eacaad3ae89.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_ro.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_pl.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_fr.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\psmachine_64.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_am.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_bn.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_en.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_bg.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_de.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_hr.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_id.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_es-419.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_vi.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_nl.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_zh-TW.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_th.dll | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{813B91A3-058F-4641-89BC-308BA6BEFF4C}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{813B91A3-058F-4641-89BC-308BA6BEFF4C}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
"C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| ID | 34.128.82.12:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 34.174.78.212:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 34.67.9.172:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| ID | 34.128.82.12:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 34.174.78.212:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 34.143.166.163:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | udp | |
| SG | 34.143.166.163:80 | tcp |
Files
memory/1688-7-0x00000000005E0000-0x0000000000647000-memory.dmp
memory/1688-1-0x00000000005E0000-0x0000000000647000-memory.dmp
memory/1688-0-0x0000000000400000-0x00000000005D4000-memory.dmp
\Windows\System32\alg.exe
| MD5 | e12b61da24e6b3bb92a4092ab5e4e6a6 |
| SHA1 | 6ee4bdc95c58c8877c1bd1b497d1f143bdfbc009 |
| SHA256 | 5bf88a11cd78e8177d6d90a32f1b2b2920ac33c0188928a0e4a071c6baa152a4 |
| SHA512 | aaf8c43164ebd79e0799ff9f9087666d0fb7430394662c74dedc521d88f9130515db2c5afa7dda6506247d3ba7d3087776803188cae7d4e6f3803f43e01f3fb7 |
memory/2172-17-0x0000000100000000-0x000000010018B000-memory.dmp
memory/2172-16-0x0000000000890000-0x00000000008F0000-memory.dmp
memory/2172-89-0x0000000000890000-0x00000000008F0000-memory.dmp
memory/2172-87-0x0000000000890000-0x00000000008F0000-memory.dmp
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | a72ecd810cd5ea78d84512ea7c2fbf16 |
| SHA1 | 8618043d305c61cace58c63eb6799be83c1e74d6 |
| SHA256 | a7edd3ec7633f938d0cba7d0841051fb83a96f4d7e0115ccfa599abe4e5a2076 |
| SHA512 | f7789150a147b28aa3394501a802aa289d5f22345c3494d490289b62102aac619afc4757776cee13f4b1846b14fac4f3e6e36bc7165e4529f4923b7bd4de9890 |
memory/1612-95-0x0000000140000000-0x0000000140184000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 298d934c3bd6c72e32b236f4d7a1a457 |
| SHA1 | bc628d3576b89815c2e8d4609a5ce6813f8b67ee |
| SHA256 | 87cbafd3cded0c01add4a7b7100635c676488742f25d2e1edc0b98038f1f7274 |
| SHA512 | 8a68333811941d693c071a24f393244178d50386a2512a9227562297e87642e31a6e25bb29b5653a42674073e88ad38ab3ac0ffab4b00559bc803d5a10294c8b |
memory/2540-98-0x0000000000410000-0x0000000000477000-memory.dmp
memory/2540-99-0x0000000010000000-0x0000000010186000-memory.dmp
memory/2540-105-0x0000000000410000-0x0000000000477000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | 13cf2a44e88c250086e0b9b75334e069 |
| SHA1 | 486eba83b6482f3407e1e22419808f7b40faf616 |
| SHA256 | b0608220d5e7f8d33d2860cdc21014f481a7593300622935f09582502a7d2a3b |
| SHA512 | c44612fca646b73a682adcddffd8a8e3ad47e4074f93269a4933eeafd9bbf3c758809c86e736492e651f7f80e27d15e00e3faaa3393b7c19f880313870dc4c96 |
memory/1512-115-0x0000000010000000-0x000000001018E000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | d49cb2f6ff88b6537f1c1ffbd6ebf12d |
| SHA1 | 3102823ef27f61346fa94912f3f67e66ebfdf1bd |
| SHA256 | 8a2b165be7c5bc67438ca4011c17f9a58c89206eab548a85e23fc92fa1577439 |
| SHA512 | 27305438a21b43e5954ac7ba0891c92aa838ff4dcbe6d244651b3488dec865fdea785a2efe4b35ab336bb6886c36f318b2c5e7be74746d65838c28ed35b516a7 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 3d82440480f3a0b082d39575d29a53e5 |
| SHA1 | 21b6abf1b03d2be1b474a1766eb4d6533bb1ab77 |
| SHA256 | 6968260fb4f5830e63964bc29ba77f40396580f1c5e6ea45d0f781946493b9eb |
| SHA512 | c77c5431dfe49c5fe35c7aa07ad3d055c96d8cd165fa08ab7f6632518af5e10341457c9413ed37070a6b230c9411759edcba33c9531d4cdda49bcdc6b8901aa3 |
memory/1032-122-0x0000000000400000-0x000000000058F000-memory.dmp
memory/1032-123-0x0000000000B50000-0x0000000000BB7000-memory.dmp
memory/1688-129-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1032-128-0x0000000000B50000-0x0000000000BB7000-memory.dmp
memory/2540-136-0x0000000010000000-0x0000000010186000-memory.dmp
memory/1408-138-0x0000000000480000-0x00000000004E0000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 41a5670930e57d39c842cffc5d108add |
| SHA1 | 5a8e6a765d8a297df64282b2c3f757a633357ac6 |
| SHA256 | acc6ef48546c04d8bb72319c217365110beb4e638ecdd1ebc8c2ecdc799bd9d8 |
| SHA512 | 9e3691668b00c37f21f9d731e121cde6ffd06effa1b64ccc96d1514e966f01a4c2332dd936cd996a3abeb438f3d68e8f134ddb8e21319415ac7929f212adf5e0 |
memory/1408-146-0x0000000000480000-0x00000000004E0000-memory.dmp
memory/1408-145-0x0000000140000000-0x0000000140195000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | 78cd264e35c9e415ec40be9f2e431c79 |
| SHA1 | bbf44efc08101898cd1ac8603fa88e3d5e48f0db |
| SHA256 | 694ecc4ce520143fbfbe9bf2198b88548790f65ef8c0fd123f03c90cff90573e |
| SHA512 | a224eaf594b1ab57e5dc27e5df995694f36c453aba70a404eeed8f9c205ece60688db61eb82a70ea30f7f1d0a01767bce7dd610efe293395d99eaf062cf5a6c6 |
\Windows\ehome\ehrecvr.exe
| MD5 | 88f72595181689004835456047bf6d9c |
| SHA1 | f52d34588b6136bcff140914aa59084e7d016771 |
| SHA256 | d383be7a26b86a78a545f7b84155b88c93d42e895ea703217d8c8745c7f8c8ec |
| SHA512 | 7392f67c48576093ca4370f69e59f28a201c2a99bdefc848e67d2951113f2e6cb3327e1c63fd39b1d34196eef1648924680671748fb0d99e4e955147a9f6f870 |
memory/2172-159-0x0000000100000000-0x000000010018B000-memory.dmp
memory/2768-160-0x00000000002B0000-0x0000000000310000-memory.dmp
memory/2768-161-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2768-167-0x00000000002B0000-0x0000000000310000-memory.dmp
\Windows\ehome\ehsched.exe
| MD5 | 058f3010c6f6dacd8c889e86d8804ab1 |
| SHA1 | 528a0dd521e06c941e11c5c78ad4261d1eb13958 |
| SHA256 | 75c0431994a6817890f887243473732f61794d2e9aa83fadf7b3cb533f22e696 |
| SHA512 | ebe8ec0dfe9e2cf8f9475e9b41704966208dc56601caff3124da68457de9666a0161c21a4e8b7be2c6d2bb06554857e7d481a5aab21dd347c88b0e75e23b150b |
memory/1612-172-0x0000000140000000-0x0000000140184000-memory.dmp
memory/488-173-0x0000000000BC0000-0x0000000000C20000-memory.dmp
memory/488-174-0x0000000140000000-0x0000000140199000-memory.dmp
memory/2768-176-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
memory/2768-178-0x0000000000DF0000-0x0000000000E00000-memory.dmp
memory/488-183-0x0000000000BC0000-0x0000000000C20000-memory.dmp
memory/2768-185-0x0000000001A30000-0x0000000001A31000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 57c069f8fc0b254ea4513a0c1f9b2845 |
| SHA1 | f75956e1b7bdc4020157fe1379fea6cf7ea62325 |
| SHA256 | 5dec75dfe39b34c05f6032028a04447f8f6632831b9cdb35c70e61f41ae38adb |
| SHA512 | e7572cef648bcc2668da93d812e24291a31f9ccc3c8e81c1e57b1a756743f148397dccac56bb65523596c778a0ec439dee94325f16e5c0e80c24232034c52800 |
memory/1460-189-0x00000000008D0000-0x0000000000930000-memory.dmp
memory/1460-190-0x0000000140000000-0x0000000140237000-memory.dmp
memory/1032-192-0x0000000000400000-0x000000000058F000-memory.dmp
memory/744-268-0x0000000000220000-0x0000000000280000-memory.dmp
memory/1688-270-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1544-278-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp
memory/1544-279-0x0000000000E30000-0x0000000000EB0000-memory.dmp
memory/1544-280-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp
memory/744-281-0x0000000000220000-0x0000000000280000-memory.dmp
memory/744-294-0x0000000000220000-0x0000000000280000-memory.dmp
memory/744-295-0x0000000140000000-0x0000000140195000-memory.dmp
memory/744-296-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
memory/1408-297-0x0000000140000000-0x0000000140195000-memory.dmp
memory/2500-298-0x0000000000530000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
| MD5 | b9bd716de6739e51c620f2086f9c31e4 |
| SHA1 | 9733d94607a3cba277e567af584510edd9febf62 |
| SHA256 | 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312 |
| SHA512 | cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478 |
memory/2500-313-0x0000000140000000-0x0000000140195000-memory.dmp
memory/2500-314-0x0000000000530000-0x0000000000590000-memory.dmp
memory/2500-315-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
memory/1544-316-0x0000000000E30000-0x0000000000EB0000-memory.dmp
memory/1544-317-0x0000000000E30000-0x0000000000EB0000-memory.dmp
memory/2552-326-0x0000000000400000-0x000000000058F000-memory.dmp
memory/2552-327-0x0000000000600000-0x0000000000667000-memory.dmp
memory/2768-328-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2552-329-0x0000000073A10000-0x00000000740FE000-memory.dmp
memory/488-335-0x0000000140000000-0x0000000140199000-memory.dmp
memory/1028-337-0x0000000000400000-0x000000000058F000-memory.dmp
memory/1028-341-0x0000000000AD0000-0x0000000000B37000-memory.dmp
memory/2552-342-0x0000000000400000-0x000000000058F000-memory.dmp
memory/2552-344-0x0000000073A10000-0x00000000740FE000-memory.dmp
memory/1544-346-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp
memory/1460-352-0x00000000008D0000-0x0000000000930000-memory.dmp
memory/1460-354-0x0000000140000000-0x0000000140237000-memory.dmp
memory/1028-355-0x0000000073A10000-0x00000000740FE000-memory.dmp
C:\Windows\System32\dllhost.exe
| MD5 | 81349d8fb3d131db56a5af455470ade7 |
| SHA1 | 3261d12bdf15e4235ff154823ec9ff0f08828926 |
| SHA256 | b703e81b83a86f0aee36e2073e9d40683c96aeca30d14de6d449ba7856b9fef9 |
| SHA512 | 65957ecf30b089d448b8aceaa4c7bf9eb053f76249d336623205f6b246949cb2f78e701bc8de664cd1ecb81fabcaba63ecd79c5bf7da53f0553795fd9dc43e62 |
memory/2500-359-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
memory/1284-360-0x0000000100000000-0x000000010017C000-memory.dmp
memory/744-367-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
memory/1284-368-0x00000000001D0000-0x0000000000230000-memory.dmp
memory/2428-375-0x0000000000400000-0x000000000058F000-memory.dmp
C:\Windows\system32\fxssvc.exe
| MD5 | 8435100289ad9c5b8b6fbcf07e39f9b5 |
| SHA1 | 236f3e270a1b6412e0640f2213d0a4c0e94efa30 |
| SHA256 | c40c98f0e57a8b63b5d6068cb6b913d6102040e59487f2776d19d0f10f0940cb |
| SHA512 | 857fcdda6f7c8e4e2f2e16337ec197c2e346f758fed9d6a076de0ac21fc7e53bb2e3c08e19246fa650e7921ffcac370d9f905eeed9e0be20fad7758cee5f09fe |
memory/2428-383-0x0000000000800000-0x0000000000867000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | e47d7614b7bd9d9f71c9744e0387560f |
| SHA1 | 55b80dc123e6b07b831e047f6360cef594bf4694 |
| SHA256 | acd3883418e72939ef7a7482fdd3a6c43158423f73c12804cab0360ff34168ef |
| SHA512 | 98f816a07f107a1cbfc2dc9f59fab860dc1a11ed9b8c1f2f39fd3ac0971a3d9a16f86cf422e8046fbfe6485a1df02d28a286c9ecc96e2dd39b12dc7badde7261 |
memory/1316-386-0x000000002E000000-0x000000002FE1E000-memory.dmp
memory/2428-388-0x0000000073A10000-0x00000000740FE000-memory.dmp
memory/1028-390-0x0000000000400000-0x000000000058F000-memory.dmp
memory/1028-393-0x0000000000AD0000-0x0000000000B37000-memory.dmp
memory/1600-395-0x0000000000400000-0x000000000058F000-memory.dmp
memory/1600-401-0x0000000000230000-0x0000000000297000-memory.dmp
memory/1460-402-0x00000000008D0000-0x0000000000930000-memory.dmp
memory/2428-405-0x0000000000400000-0x000000000058F000-memory.dmp
memory/2428-406-0x0000000073A10000-0x00000000740FE000-memory.dmp
memory/1028-411-0x0000000073A10000-0x00000000740FE000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 8cb7b0e44e8ebf16e2bc15c1dcabb605 |
| SHA1 | 335c98843c7b579c40c2692360136eef0f51f129 |
| SHA256 | 84b3111500332f45679c64479d31809293f167b25df37325713724a2e41150f0 |
| SHA512 | 27f6540c6492b68ad294554e56d2909250b4cf283fbde186ca8b7c3cf1c28409e838a00d0c955adc9162d77b2fbb3b9d7f00402cb5db7becbd062134d137ff56 |
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | da88b29361e911330a4b347b5395ca84 |
| SHA1 | c11a45178d23ce49f9ae6b223f31559d6136d656 |
| SHA256 | be531bdc1def8f2c2e2bc2456e351633c180c1bb91b8efab9af9056224ed5f92 |
| SHA512 | 3a344fcd761eec60642db4551ccc3cc4c9390cfcc727f3c1474066c885352948ad009d4a7081eba5ca17e8731e33572e106be435d96db411c344a8ae8832619f |
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
| MD5 | 92ccd06a4b2e43872f0b2b0dfc90d528 |
| SHA1 | a4faad5eecf91fc3201ab90d5c8fbcad78e021fb |
| SHA256 | d58f052de6d285b823324819552034975da1df2c3c7d9893f57b3b551149fae8 |
| SHA512 | d2335c31d8ee92a03ba87a2125cb21a17e1d65c9ee306006aa1cf200c90dae538b64bcc824aa85d7b407c9b23a32da5dc7eb2fa3454ea58a8b089fc9df9305f2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:02
Reported
2024-04-07 23:04
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
123s
Command Line
Signatures
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
"C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3420-0-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/3420-139-0x0000000000400000-0x00000000005D4000-memory.dmp