Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18/04/2024, 12:57
Static task: static1
Behavioral task: behavioral1
Sample: 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
Resource: win7-20240221-en
General
- Target: 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
- Size: 1.8MB
- MD5: 4ae053d809ea918291171fdc4fbb83f5
- SHA1: 33fdf45ad8b05cd4752a5d421d5b28bebd3d2752
- SHA256: 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2
- SHA512: 3d06d995d00b3aabd4ea4c7f5ddb08263038d7306b5837e8f9d34293d6bab2e6b4e3b9479d7b0a8eaf938aa09783449822e2ced03c06e3a8f82cbac682cf8848
- SSDEEP: 49152:gKJ0WR7AFPyyiSruXKpk3WFDL9zxnSg6KFdi2Ga9x3Ek0V:gKlBAFPydSS6W6X9lnNHFdi4VEk0V
Malware Config
Signatures
Executes dropped EXE (23 IoCs)
pid | Process
464 | Process not Found
2808 | alg.exe
672 | aspnet_state.exe
1716 | mscorsvw.exe
2952 | mscorsvw.exe
1336 | mscorsvw.exe
2724 | mscorsvw.exe
2308 | ehRecvr.exe
2256 | ehsched.exe
2272 | mscorsvw.exe
528 | mscorsvw.exe
2768 | dllhost.exe
2472 | elevation_service.exe
1720 | GROOVE.EXE
2608 | maintenanceservice.exe
1752 | OSE.EXE
2668 | OSPPSVC.EXE
2240 | mscorsvw.exe
2464 | mscorsvw.exe
1992 | mscorsvw.exe
2084 | mscorsvw.exe
912 | mscorsvw.exe
2916 | mscorsvw.exe
Loads dropped DLL (5 IoCs)
pid | Process
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d1490557ae4ef42b.bin | mscorsvw.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Windows\system32\dllhost.exe | mscorsvw.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\GUT7C62.tmp | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_id.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_de.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_is.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_es.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ta.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_fa.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\GoogleUpdateCore.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ms.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_nl.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\psmachine_64.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_it.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_cs.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ml.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ro.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_fi.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_fr.dll | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | mscorsvw.exe
Drops file in Windows directory (29 IoCs)
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9CDEE438-5ED4-460B-A260-49A4796054AF}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9CDEE438-5ED4-460B-A260-49A4796054AF}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
Modifies data under HKEY_USERS (9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 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 | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3048 | 783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
Token: SeShutdownPrivilege | 1336 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 1336 | mscorsvw.exe
Token: SeShutdownPrivilege | 1336 | mscorsvw.exe
Token: SeShutdownPrivilege | 1336 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeDebugPrivilege | 1336 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Token: SeShutdownPrivilege | 2724 | mscorsvw.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 2724 wrote to memory of 2272 | 2724 | mscorsvw.exe | 36
PID 2724 wrote to memory of 2272 | 2724 | mscorsvw.exe | 36
PID 2724 wrote to memory of 2272 | 2724 | mscorsvw.exe | 36
PID 2724 wrote to memory of 528 | 2724 | mscorsvw.exe | 37
PID 2724 wrote to memory of 528 | 2724 | mscorsvw.exe | 37
PID 2724 wrote to memory of 528 | 2724 | mscorsvw.exe | 37
PID 1336 wrote to memory of 2240 | 1336 | mscorsvw.exe | 46
PID 1336 wrote to memory of 2240 | 1336 | mscorsvw.exe | 46
PID 1336 wrote to memory of 2240 | 1336 | mscorsvw.exe | 46
PID 1336 wrote to memory of 2240 | 1336 | mscorsvw.exe | 46
PID 1336 wrote to memory of 2464 | 1336 | mscorsvw.exe | 47
PID 1336 wrote to memory of 2464 | 1336 | mscorsvw.exe | 47
PID 1336 wrote to memory of 2464 | 1336 | mscorsvw.exe | 47
PID 1336 wrote to memory of 2464 | 1336 | mscorsvw.exe | 47
PID 1336 wrote to memory of 1992 | 1336 | mscorsvw.exe | 48
PID 1336 wrote to memory of 1992 | 1336 | mscorsvw.exe | 48
PID 1336 wrote to memory of 1992 | 1336 | mscorsvw.exe | 48
PID 1336 wrote to memory of 1992 | 1336 | mscorsvw.exe | 48
PID 1336 wrote to memory of 2084 | 1336 | mscorsvw.exe | 49
PID 1336 wrote to memory of 2084 | 1336 | mscorsvw.exe | 49
PID 1336 wrote to memory of 2084 | 1336 | mscorsvw.exe | 49
PID 1336 wrote to memory of 2084 | 1336 | mscorsvw.exe | 49
PID 1336 wrote to memory of 912 | 1336 | mscorsvw.exe | 50
PID 1336 wrote to memory of 912 | 1336 | mscorsvw.exe | 50
PID 1336 wrote to memory of 912 | 1336 | mscorsvw.exe | 50
PID 1336 wrote to memory of 912 | 1336 | mscorsvw.exe | 50
PID 1336 wrote to memory of 2916 | 1336 | mscorsvw.exe | 51
PID 1336 wrote to memory of 2916 | 1336 | mscorsvw.exe | 51
PID 1336 wrote to memory of 2916 | 1336 | mscorsvw.exe | 51
PID 1336 wrote to memory of 2916 | 1336 | mscorsvw.exe | 51
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe (PID 3048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe (PID 2808)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 672)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 1716)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 2952)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1336)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2240)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 184 -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
      - Executes dropped EXE
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2464)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 11c -Pipe 234 -Comment "NGen Worker Process"
      - Executes dropped EXE
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1992)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 254 -NGENProcess 23c -Pipe 238 -Comment "NGen Worker Process"
      - Executes dropped EXE
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2084)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 120 -Pipe 258 -Comment "NGen Worker Process"
      - Executes dropped EXE
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 912)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 218 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
      - Executes dropped EXE
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2916)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 340 -NGENProcess 348 -Pipe 35c -Comment "NGen Worker Process"
      - Executes dropped EXE
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2724)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2272)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
      - Executes dropped EXE
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 528)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
      - Executes dropped EXE
- C:\Windows\ehome\ehRecvr.exe (PID 2308)
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Windows\ehome\ehsched.exe (PID 2256)
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE
- C:\Windows\system32\dllhost.exe (PID 2768)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2472)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 1720)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 2608)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 1752)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 2668)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads