861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
Size

2.3MB
MD5

d8be08fab4e4ccff198edbf22d5c1c49
SHA1

d7459b0dddac7966f33442ff89ec68d98f3c119d
SHA256

861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65
SHA512

ed6a0e3ae4c3eb7889313f015ab07c11308c6e4f39dd5ce9f3d0e03119f8462fc3872b1294d55074219c28e5008491397fd65325a74832ab6997e566b4687af6
SSDEEP

49152:PHC+Rd3a1USycU+C52rwy3mCTbjjNvo8EmbP735YVYN3XmF+bmgb1+cxC:vCW1a10cU+C5OX3mEjjNvo8EmjOYNI+U

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 39 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exemscorsvw.exeGROOVE.EXEmaintenanceservice.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2708	alg.exe
2616	aspnet_state.exe
2844	mscorsvw.exe
1708	mscorsvw.exe
1096	mscorsvw.exe
1508	mscorsvw.exe
2244	ehRecvr.exe
2296	ehsched.exe
1988	elevation_service.exe
2568	mscorsvw.exe
2868	GROOVE.EXE
2992	maintenanceservice.exe
2856	mscorsvw.exe
1388	mscorsvw.exe
2224	mscorsvw.exe
276	mscorsvw.exe
304	mscorsvw.exe
2284	mscorsvw.exe
2516	mscorsvw.exe
2608	mscorsvw.exe
3028	mscorsvw.exe
2484	mscorsvw.exe
1368	mscorsvw.exe
2360	mscorsvw.exe
1440	mscorsvw.exe
2940	mscorsvw.exe
344	OSE.EXE
2512	OSPPSVC.EXE
584	mscorsvw.exe
1544	mscorsvw.exe
1180	mscorsvw.exe
2972	mscorsvw.exe
2572	mscorsvw.exe
2492	mscorsvw.exe
2408	mscorsvw.exe
736	mscorsvw.exe
1604	mscorsvw.exe
2460	mscorsvw.exe

Loads dropped DLL 4 IoCs

Processes:

pid process

468
468
468
468
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

Processes:

861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exemscorsvw.exemscorsvw.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\a6c52616c0d5d3a4.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

Processes:

861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exemscorsvw.exe

description	ioc	process
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\AsusCrashHandler.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdate.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_gu.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_en.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_id.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_pt-BR.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_uk.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_no.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\AsusUpdateSetup.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_fr.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_et.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\psuser.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\ASUS\Temp\GUM46E0.tmp\asupdateres_de.dll	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe

Drops file in Windows directory 28 IoCs

Processes:

mscorsvw.exemscorsvw.exe861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

Processes:

ehRec.exeehRecvr.exeGROOVE.EXEOSPPSVC.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ehRec.exe

pid process

2656 ehRec.exe

pid	process
2656	ehRec.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2808	861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: 33	2356	EhTray.exe
Token: SeIncBasePriorityPrivilege	2356	EhTray.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeDebugPrivilege	2656	ehRec.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: 33	2356	EhTray.exe
Token: SeIncBasePriorityPrivilege	2356	EhTray.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeDebugPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2356 EhTray.exe
2356 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2356 EhTray.exe
2356 EhTray.exe

pid	process
2356	EhTray.exe
2356	EhTray.exe

pid	process
2356	EhTray.exe
2356	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 1508 wrote to memory of 2568	1508	mscorsvw.exe	mscorsvw.exe
PID 1508 wrote to memory of 2568	1508	mscorsvw.exe	mscorsvw.exe
PID 1508 wrote to memory of 2568	1508	mscorsvw.exe	mscorsvw.exe
PID 1508 wrote to memory of 2856	1508	mscorsvw.exe	mscorsvw.exe
PID 1508 wrote to memory of 2856	1508	mscorsvw.exe	mscorsvw.exe
PID 1508 wrote to memory of 2856	1508	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1388	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1388	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1388	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1388	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2224	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2224	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2224	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2224	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 276	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 276	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 276	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 276	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 304	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 304	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 304	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 304	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2284	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2284	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2284	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2284	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2516	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2516	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2516	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2516	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2608	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2608	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2608	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2608	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 3028	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 3028	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 3028	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 3028	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2484	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2484	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2484	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2484	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1368	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1368	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1368	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1368	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2360	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2360	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2360	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2360	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1440	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1440	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1440	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1440	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2940	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2940	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2940	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 2940	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 584	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 584	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 584	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 584	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1544	1096	mscorsvw.exe	mscorsvw.exe
PID 1096 wrote to memory of 1544	1096	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe
"C:\Users\Admin\AppData\Local\Temp\861f1df97ed551f081dff1aefb072107b263fc9263c4a08a25ca3dffbe35af65.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1c4 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 1c4 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 304 -NGENProcess 2f8 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2ec -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 308 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2d8 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 320 -NGENProcess 310 -Pipe 31c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 318 -NGENProcess 2f8 -Pipe 32c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 354 -NGENProcess 340 -Pipe 350 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 318 -NGENProcess 334 -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 218 -NGENProcess 20c -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 224 -NGENProcess 304 -Pipe 344 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 240 -NGENProcess 224 -Pipe 20c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 39c -NGENProcess 388 -Pipe 398 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a4 -NGENProcess 390 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3a4 -NGENProcess 390 -Pipe 388 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 204 -NGENProcess 218 -Pipe 23c -Comment "NGen Worker Process"
2⤵
PID:1876

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2244

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2992

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:344

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
74193ccf33a51e2fedad19055ddb9ee2

SHA1
b96f4e99fe94cea839a2c2d43afc4aaa11ab2427

SHA256
1273e689a44d3c78c4f92489e360abd2ec539aee33074a99b1ce3a398db474c4

SHA512
dd0c33afd2a66b284f60e05d3227b8a82f3df3bc20dcd1caa841d862329d63fe780a09f9de1f458b03f10170ce663f611314f0703ceba125a88e49f1f3ebdc2b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
3.2MB

MD5
4ffa728bd0c2a3a3015c774c27eed024

SHA1
59ccb567d59916b3c015f5a5901f0e417e3e1702

SHA256
1d9090f24ad352bfbe9ee2bdaa5ce0298e00dfab35e8e564e022a76b489fb6ac

SHA512
d87fce39fcdd4eced0249d14f1d1154a574055d7c925e2c8b360337ff0327b378b02fea5146d430ee2950bf79f18a5cc0137e4d49925529c38d26b5ce3531c33

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
0a48f3ca237f2b10b1f147e99a5a9cab

SHA1
b268f4fef14bb42f8cfb2bf209f343ce93f965aa

SHA256
ca6ec858b3f5f7a8e2dc6d5e97676432ef6b834ac9b9b547708a456d529c853d

SHA512
81187aedfa3b939cbdc7f1ade77453f9193ca3df4eaed43081b6bd9c89d9fa3d2c78ce6eaad3c2a6eed337f49da28ede40595226fd704e18a4dad182079f23ab

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
2ce4e716d9cac1e887dbf01861b1388b

SHA1
b95f2c403ab59340caf5ea81ee15a1226be31e92

SHA256
33901431b05c2da143e35677b2011fc8c095a2ae55daa45c2e8b1c97e3537194

SHA512
9917db1e6f7c5173c11f6cd32700ac73f91710fa6ce1832056171f46088ab2fec4b27f47a6a18cecf8a54ce838574a9c2a2a135a35ff475f58d4fd364a715000

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
97bb0ae72ba24a8aedb84481bd946167

SHA1
8bde31fae9ea81685c7654c7c81808285e877400

SHA256
ce69fef13b5fff07d88d919eaac84ea20a98a3c7137c9bcaaed533c68706c95b

SHA512
b1164e4f1456b11986d037dceb19896ccd6e9837b4374a32d4fafddd39c698a3edf31cec0fcea5bd7fb4277e30e4ed9113a4abfd342d065f5ac2ffb338843a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
2b2ce3409fa0196d224cb38bdd887533

SHA1
18ed716215575c93adb4a21c8967e786d8c8713c

SHA256
dd447d2159b5c6983b37bfc17e2eb1495b75edb713de854ee6e3be6bb4c38545

SHA512
d94d80a9fd55584b5f86f3b4bef4b90dc1b2915bc83a523a5b7cba94aa7d541e7c639e7efb54f965c0f0e9d79626df821cfd0fd287ec8fa1d16f953ebb38abae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
fa0564bbff6f16fd168597b160158c2c

SHA1
4ca5e5ab91919c50d62070af4153fea239349e89

SHA256
6436b3a8b8c632f49a3040d4042ce3c0ef132c59429d2511bd0abf475e26e272

SHA512
e2013c9d237c421fe1e1204558b8e1cf7890dcb0996344ff4cb96e75c4868afaabcf9c248b77e2cba15f54269b0ac536767ac547ba956af1d2b6d324ecf17fc4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
320KB

MD5
521648cf269dd0521184c850b127c74d

SHA1
915520a3abc70d6490078be0e6a03cc40d81cb38

SHA256
cfc0df26de2f282af74b83e2d89027df1c59f8c0844c84f0fc2cafdd093503d1

SHA512
96115a0eba986cf4375e7c3682dd45976f398ac454be605405602fa791d325ac1c212b1113e2d8b1c794c116a592f8ce51b54ff755891374d184c9ba0ebdc7e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
9f000aebe6e9488db278f2263d868283

SHA1
b60834c77cb80600c6538f1c9413e3987372ad33

SHA256
06ad8b93839a4393a5f2e3ff41b6654474b58ffc25962a6948032beef8d3d19f

SHA512
11a862455aea27ad45ac5f6be8686943deaa91124a758d85d1f3ca2d97ac0e061e9339eb583f17709166af5af6dced3556221dd9e0d710e32f2480e9db8afb48

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
5005a0656caff30e4639ae835c941c39

SHA1
316efdafe6bc8f88f44e29227b7edd81551069ab

SHA256
c9648190b00bc40ac3c3818e59010a6b838238a7d2e25363ddec2ccfe38d776d

SHA512
04528205cc03b95fb93b1352527cf7dd78218fea7c9b3f5b1684d3a58aa0c4dfd520b11c0c554e7a697c98a50faabd43256daec1c542539a4f2241f6fa0e0394

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
9447dc589d1392d2fdcd3048cb5203bb

SHA1
7401bac2b72d826e6fe9fb9a073f32b28ed445ed

SHA256
5bbe0a2741a7d2aba0eba8b0dbe37e3324cbdd1a969eb70b7145df63aea91a87

SHA512
6bce4004dea42225b32dd0091816a7977a028a6320678ddd504668c22c73487b6d32fe2c32bca4f1cf170fc1985d95a10cd4b3500fa77b526b7f7426279a79a9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
507KB

MD5
ef044b50891698c38a5a4385af637909

SHA1
af931970143d610437f31530c5f654f60679602f

SHA256
66f83e4ee40ad6898b7743aed77c4563b76f3e56d64d6944364d3ec4a015c68d

SHA512
00a211222051ad5fbfedf9d1f9d0f3959f9edcd3e2325b7363c219bfc3bc16f571ac4e9d6fab2cd59babb15a523a2fda06026a849a8cf87acf74390e2f9dd6db

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
553KB

MD5
4314eb83666fca9a412404e1ed06cc6a

SHA1
c96ce6bba39f63553346d083f7b2c4552b14398b

SHA256
e2b48ef0ea71b11048a03585b0fbba9bb09d51568f702851bc784517a90cfbf6

SHA512
a914a4c0057ef6af35902425a12f626d1638621a976a6ded860208ba74b7145d3c68b74a206a67581d13a97c648ab226e2453f7a89e25ac84108fa6761863e49

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
357KB

MD5
e63e029a472ea9754fef231c54aa933d

SHA1
da43531219fca68326915753d0627a69a2b48767

SHA256
a137915277128c0d11392067f68adc471075169654e8aeaac6b528934a458545

SHA512
eed2593a251d48eef944fccb33c3d4a4346e7f2c759e35dc6b4c1c900272397041873a11c52fec82489f36f137de980c6898cb13f31593cba723d4a4bc24ba57

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
64KB

MD5
1894e4fb11cb2040798428efa03e7535

SHA1
328c2214fac637934dd0eb1da96dd4e6bd622044

SHA256
876d7d7f714845acc7d169ac893b32ab61dcecf45bf6af3ee19c643274409936

SHA512
385ea15d63c783a7ad02a6d780c51530e537f4bd68afc2cd70aabe57db43f027c09a1089009e6a7659fb7ed5001aff7e778dbe8e160aef685968a51ad725786c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\a6c52616c0d5d3a4.bin
Filesize
12KB

MD5
5668b66b0a8c280791c4356ba6468cdc

SHA1
91bbbfb245e344ac1b2d4a51725756230d34e807

SHA256
9d1ea4fa0b1f8778face3b5d8cc8527a9f122342c4bc5c479894f67b9a451a37

SHA512
1689a45ba7283140ff73ef98d53cf68ae15ea193d3bdf37c638b6cf13ca31000acb73cb789f670cf149288ff9767e45f711b5612ff442a8a6ec0f8b976baa793

Download Submit
C:\Windows\System32\alg.exe
Filesize
644KB

MD5
f89f6d17c7c6c3cac7a0951114da1053

SHA1
d0a99df5a7822a96969b5aadcbbff64dd0b427f5

SHA256
0fe8ddaa6b1f6d4f21a944e3d9d1081375fa10c54798f510f04babed2952dc32

SHA512
3a4ae453dc27b02ca4f793f19e90cd6c6c316f61ee80b9b4b081df8145380cb7aaa2162383e1ed9de76b2f77a87b1e8736866164cb3f8945775b5f6d0b44e55b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
c50777be68285b4a65b4ac083360cc26

SHA1
836350b0286f5f7e8a9ef5e2f6c414ded5d5ed9b

SHA256
6102ca2bfbce2577e0868e50cde595a6e75463124b934492f2102b1d42d88731

SHA512
5fa143f8076281ab199c3c7ca91cdb3a6b454a2a8ec7f091047dc861245dd02550392da9b4cfd5178afdf76f41409aa4707b553ee60b17a1f22a3a950afbdac3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
a42f2a505ab92808fbbabf90cafc1e76

SHA1
716e2f73de033c4f9b5d1cf0b5dbee8d37eb5307

SHA256
e944d949943c9c53846fdbd5602bd0abaa89c7417e00798b9cc65855de689d8a

SHA512
fb3dd9442ad62405bb1dbc2aab93a5700abc0efb1bf82681a6e71a08a204474c3367e452f8af96b4351e61ab159e93fe0ec76b66a2484e4baa3de9a9dca580ee

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
0124c8011fab3422e04dec5d2b896b0e

SHA1
04823dc4c008ccecb9a748bf75b464dfab4931a6

SHA256
11aa5e568c55bedf29a702f527ad823d57251c69ccc8343fde4c2baad80f99c8

SHA512
cad790f0038add1972ba98bd03935eb79027a0099241b353977fde37717c2873c9e7173a1876915b1818e4e92d6b5156d9eb62a1117e0ddbf8edb22c2babb2f3

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
15788aa15a2418d02b102689557af9ab

SHA1
cc361e429a7c73adf39466c16a49e70724fd84a5

SHA256
1459ad81ff2a58b0078037988a04c0bb27ff9e2d5b2612766adbaf879adc9cd8

SHA512
9d58f21ed04425cb08d6e78d1d6b4fcdfd869930a36644ce2b4a48c1d07153db898e39af934dbcb8160115707123c07501d264ef9929d343b4249a410cd26049

Download Submit
memory/276-397-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/276-400-0x0000000072C70000-0x000000007335E000-memory.dmp

Filesize
6.9MB

Download
memory/1096-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1096-127-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1096-121-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1096-273-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1388-385-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1388-368-0x0000000072C70000-0x000000007335E000-memory.dmp

Filesize
6.9MB

Download
memory/1388-345-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1388-386-0x0000000072C70000-0x000000007335E000-memory.dmp

Filesize
6.9MB

Download
memory/1388-352-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1508-285-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1508-139-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1508-140-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1508-146-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1708-149-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1708-111-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1988-266-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1988-265-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1988-344-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1988-272-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2224-398-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2224-384-0x0000000072C70000-0x000000007335E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-378-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2224-399-0x0000000072C70000-0x000000007335E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-379-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2244-159-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-158-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2244-179-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2244-165-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2244-295-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-337-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2244-259-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2244-262-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2296-180-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2296-181-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2296-173-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2296-334-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2296-172-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2568-278-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2568-326-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-376-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-325-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2568-324-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2568-292-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2568-287-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2616-171-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2616-63-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2656-281-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-383-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2656-282-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2656-349-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-330-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2656-359-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2656-355-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2656-358-0x000007FEF47D0000-0x000007FEF516D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2708-166-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2808-261-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2808-1-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2808-7-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2808-6-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2808-147-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2808-0-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2844-93-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2844-94-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2844-100-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2844-137-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2856-329-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2856-354-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-328-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2856-356-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2856-357-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2856-332-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-304-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2868-374-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2868-331-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2992-333-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2992-327-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download