d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90

Analysis

max time kernel
14s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
Size

1.8MB
MD5

e59cc19536f7ba10e02a929e52b949d0
SHA1

c714037fbc650a032a968114f719c636b42acdfc
SHA256

d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90
SHA512

74e05df4498c3e8488a8dbf50a42be562a98d06a4a0105468540b0c2a22578f2daf5b64f258bcbbb2592a3e0abdbb6329530c329a6e8af92f2ed0fa54426ad8b
SSDEEP

49152:gx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WABgDUYmvFur31yAipQCtXxc0H:gvbjVkjjCAzJ7U7dG1yfpVBlH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
480	Process not Found
2544	alg.exe
1564	aspnet_state.exe
1228	mscorsvw.exe
2388	mscorsvw.exe
2044	mscorsvw.exe
1912	mscorsvw.exe
580	ehRecvr.exe
2152	ehsched.exe
1536	GROOVE.EXE

Loads dropped DLL 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c171abfc3d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_sl.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_uk.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_ur.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_da.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_hu.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_lv.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_lt.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_vi.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_id.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_ro.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_sr.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_zh-CN.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_zh-TW.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_cs.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_gu.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_hi.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleUpdateSetup.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\psmachine.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_pt-PT.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_iw.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_ru.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_te.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_kn.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_tr.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleUpdateOnDemand.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_bn.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_en-GB.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_el.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_fil.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_no.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_hr.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_it.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleUpdateComRegisterShell64.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_en.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_et.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleUpdate.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_mr.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_pt-BR.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_fr.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_ta.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleCrashHandler.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\psuser_64.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_fi.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_sv.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_sw.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT8E.tmp	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_fa.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_ko.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_is.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_nl.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleUpdateCore.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_bg.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_es.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_pl.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleUpdateSetup.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleUpdateBroker.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_ca.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_ms.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\psuser.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\GoogleCrashHandler64.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_de.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D.tmp\goopdateres_sk.dll	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1992	d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: 33	2892	EhTray.exe
Token: SeIncBasePriorityPrivilege	2892	EhTray.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe
"C:\Users\Admin\AppData\Local\Temp\d8177854743de8a8dc2c0ae508c33cfa7d1da2ebfddba3a12960c3172f11ca90.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1228

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1c8 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  PID:1612

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:580

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2688

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2864

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:280

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
6dc4460ce9808be1cf9aca13948778db

SHA1
a1322df795d6b1a06292bc246fa5017342e2998b

SHA256
cef7307309053709d3bca5125f7153407f72a9ed89502b102bbaab92c06b8fce

SHA512
f1b3a984ff74b2f2622444f71bab0aa0b766c8c782d5a50af3d9261a5f884d06702d6f9054bfcad951d1007c910cc66e706e8011b479c2f28e378d0610795893

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
86d3a5c22983ad924b4291e7741f212e

SHA1
1db7093005ae53fc221e5ea536a0ddaa5b18b8e2

SHA256
550cdc20de74af4f7a7d29870c2a2891fc6d8c630684842c58936716bb459439

SHA512
0bc703cf8cb6ac53e9c56f344a60eedca0083b24c6fae6ff48122c6510eb7090d713b68357eb0d1dffec2fc2688b46dca6e1d00e6d4170c1267347143d696487

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
ac31b4af947e8e4005743418247b7724

SHA1
ee5bedb3eb41c2c9d0fe74a6b503319f4acba430

SHA256
f714431281f63b1dd37980fbe81895c5dcfce07f42e049bb9bbbab8a559282ad

SHA512
1718e60e44cb2e76036849cafc560ec7bc4a0c558236b5d53370253546eabf0c8b2be651f82d60f3f9fd8ef2ad440a1cce9e985d53deeffc00bc839a31ed34ca

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9ec19b1407e282f2d3363b1e05736b99

SHA1
ca513eee665a0f8813f116ab40799b3e164d3720

SHA256
a3c128e313ded61bf6dd099c17cee8ec21c65cc498ab9275d4b084e74c275ffc

SHA512
7946c7a819b0b99b7377cb4504704659bd7c7ac5c495738d9eb6a7de16c96cef6ccb323a8be3364c2e0aa11a6a0264568c9b9352372421697b3a676774f1012c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2ca9f4d5944583a8d0bcac6e775e7c3a

SHA1
334e8d35a45e47117580bc436b9f5a97a85282c5

SHA256
a10072a89f5578f5f4b4d16ba59006bc234f32fd9e573f2394b23a4946d6ce28

SHA512
12da86b9675623131b80a0e20b31089d153b7bce558b83808160d03e596d1f616cb81fe44601e57c10f79187714015db2a1e4db7614cdae408dde5d4bf5c8ffa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
6873fd60114bd0e89fab2b1441a68235

SHA1
aa29251b7b27bd727c6c3e67b8b2dbb685c78f7c

SHA256
aaf176320a4fe1cb8c0d92b15858d03f41483fd7fbc2d875287c1d08704453e4

SHA512
cb5430ffe750e80f5698b9b2f59e68f87005c5a23a4f8184acac77ba37579b71a8786cbf48c17ef80f905c6e13ac8f308b385615c4676a2a97f848ac0b3b93b0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fd757ab856515cb59d9084850d987e85

SHA1
4c58d43962b81e6ea64d843c1d2cd24fefafcfae

SHA256
0973b1359f1d98e88a6b65dc8113bebd3beabfb3619c390c12df2b00ad9a05c7

SHA512
8e7056facdef505febefbffcac0c876cf41e5de3d3b95d2e2d522ac0d7abde29e687f9adafb48650204fc6767841a133fe91dcb4d6d78ac692791d24a713fda5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
d093dfc142cf067fde94db1b9c8f5a3c

SHA1
3404c6d6e4fc5519d3efe8a7a3f861c037e02acc

SHA256
c86a1fe683c9980c84e3a89581dd3478cb7efea5e7290d8937b03ec09532e613

SHA512
b1d460bcc5a33cf3ca17428e8f24a4c128ffaa7a222a40563c7e9cffc14f4685d5f4cf18736385ea2d17d0c5ee9b43e282deeb034e560c7ad99061dcc9f80835

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
beaf5e69a7f7850d8ee1fbb11adb3555

SHA1
5c99c7951ebe6cfd5db5a0810521ef561b907110

SHA256
48672e61f45558b19f5e8f0576dfe7d8a55df91d41f9a4c1aaaeb5d3f6fb96ef

SHA512
67766aaee3f2ea0aeb308b4a14e67d7f8380fa4b735c6adb39061f71ede37255b849c401e1307d318e04f1c2f9c6196caf33f9911d0b7a2277f96bb2107e5062

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
343941e397d7a8e9858527477159fcee

SHA1
03fc262980e895c3026c64f0419bdec5bb494e04

SHA256
9d792789828d15630f5f399f063f23569836d8f8a842fafad89117eb3a17fd9c

SHA512
b2750caaedc349eb3a32e1d5b747e9e861e1679f6ef5fe72a2b4e593ca5795fee172cbae467dd2dfea5a5d6a0f6ce376edc571fdcb260e356820cd4b951e1655

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
f17fe5c1f7daaeb4963405575bce5ddd

SHA1
9f31699db78df3d3b3a62fba3b1a69a432d0018a

SHA256
a17058e5bfdcf3d43003e1663e67d9d2f935f27e8421b61ef3d422df0d10d218

SHA512
9cdaa732f0a334f61f36b8ef4a1ccd390a6ea6299c63e11196a5f6cd623fbf74eb31fdc174c503f266c1ba591406756d1b353dab12064dbf18bf8a1bad653b72

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
8429ca683867c7f7e17218fa36f3c1aa

SHA1
5a3e73de0d32d35d77c9ed9254f3121b3144117e

SHA256
c57997b46576581acf77310ac98b8eb4ba016b40c282b42da9a3f5c12b2739c4

SHA512
5d15f351321e7aa4651d22d2647b4a8fdfca4d44919c29575ccb6d0e4fbabd9e37c01bcdaa23a79f1f7acf1a41f219e76dfaed501447a90d9c3a4290becaa4b0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
4c596630b18852cea9a14286d65c326e

SHA1
44bb60d72f9a7f90ba0fdaf827725a75ecc7646f

SHA256
225b524095d238c5323e727b8b9b687b451ba8ad46bc58ce44e22ed6850bd771

SHA512
ce4736b2f95f58cbf5540651789c4eb07a7b3a9a982f3e547f31701f46915e75aed4b529ac0c5580992e4808fe2e9a12edbfe08892504b71c0ded92515391737

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
60eef82a816be2b1f318e6d6b806fa10

SHA1
5a6041d08594557cc735a5054f08fe68743a224b

SHA256
d5757afeb1a9dc83ed928a9d2f1172e831be770c084475d61e40e19889468d75

SHA512
81556c9f1489345884534dfe693f8ceefe3f8b76331e318963feecc8986dc83333aab41eec43023d7306135b0015d4e6ffd874adafcf147130ae8d034ae3269f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
92ff2fea77b77f372abef1b7b9032fa9

SHA1
d3bc3f04aacecf568a7b3755d3ea4175ac142995

SHA256
0a09fc8521baf2b1f888f66c9b6b7f74b351eb5f0bb389ddb66b2940f2915807

SHA512
dc4bd4654d0d8436f469a94ae3c1b09c88c7f36da648aee943f6f227818d2996682a488219275a9fdcc68ee847de99a76df49f84a3b42660d49e12cc5cbf1030

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
dc7142211f673d96cd1276e08fb187cf

SHA1
e329edeb2187f452ea7d76e140d1730e867616ab

SHA256
f9f0f0712fc2e900ac8f06031fa17e785a770350e7f75a2dd25324041d2c1c74

SHA512
27a002d77b5889ecd92c7700a6c1462a5b2b18cdf3a97fefb03f53a00217671e0a5f2d79b78837ee3a7fcde58c9a1d93b5c6a3a0d9e8f1723ff577b9abb53e96

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e7aa02ff49e60b4b04366e56fbe60262

SHA1
ef481c42c64c5e43b62af5908625dff256933755

SHA256
512961cfde44de3433ee4eba132843aacd2aabbd6cf7adbea32f451fa02dedf3

SHA512
142609c600c779692b015b25da081b9106b7a6fa4c48d2b5ee15828f16ae7660f71ec79bfe411e36ed38230830aef9bc61ac5e3803796c2bc4db7aa07934e797

Download Submit
memory/280-427-0x0000000073BC8000-0x0000000073BDD000-memory.dmp

Filesize
84KB

Download
memory/280-542-0x0000000073BC8000-0x0000000073BDD000-memory.dmp

Filesize
84KB

Download
memory/280-410-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/280-524-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/280-408-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/580-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/580-284-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/580-426-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/580-506-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/580-188-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/580-179-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/580-187-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1228-107-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1228-112-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/1228-155-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1228-106-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/1536-292-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1536-296-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1536-513-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1564-102-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1564-180-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1564-95-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1564-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1612-537-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1612-541-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-538-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1708-567-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1708-562-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1912-165-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1912-166-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1912-157-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1912-164-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1912-294-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1992-282-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1992-138-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1992-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1992-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2044-286-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2044-145-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2044-139-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2044-140-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2152-514-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2152-497-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2152-194-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2152-201-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2152-516-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2388-130-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2388-129-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2388-122-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2388-279-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2388-123-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2544-12-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2544-16-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2544-80-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2544-159-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2544-79-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2664-521-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-546-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/2664-523-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-522-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/2664-398-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/2664-399-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-397-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-428-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/2672-519-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2672-536-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2672-539-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2672-545-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-324-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2688-325-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2864-401-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2864-400-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download