d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 02:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
Size

1.8MB
MD5

e0b9c63849ebc27226616b3493720c84
SHA1

f83f82b3556c1c8427b3d2bbf7ad6003767bcb7d
SHA256

d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e
SHA512

5f0189f0ea1bcb3ddfdebda6c1bd2a7be818fc60f6a5bf644afef91aecfa444e38f01f0449f48f7aef261896a52a0271af9834770304a9e91135b859084dce33
SSDEEP

49152:Vx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAdaB0zj0yjoB2:VvbjVkjjCAzJlB2Yyjl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
480	Process not Found
2336	alg.exe
2636	aspnet_state.exe
2840	mscorsvw.exe
2432	mscorsvw.exe
2792	mscorsvw.exe
2772	mscorsvw.exe
308	dllhost.exe
2084	ehRecvr.exe
576	ehsched.exe
944	mscorsvw.exe
840	elevation_service.exe
1432	IEEtwCollector.exe
1676	GROOVE.EXE
2984	maintenanceservice.exe
1628	msdtc.exe
2672	msiexec.exe
2708	mscorsvw.exe
1712	OSE.EXE
992	mscorsvw.exe
3036	OSPPSVC.EXE
2472	perfhost.exe
2608	locator.exe
2024	snmptrap.exe
2036	vds.exe

Loads dropped DLL 11 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2672	msiexec.exe
480	Process not Found
480	Process not Found

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\System32\alg.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\System32\vds.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\94fc714aaad3ae89.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{00CAE21D-42E2-4811-9584-54850BCC1AF8}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{00CAE21D-42E2-4811-9584-54850BCC1AF8}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	ehRec.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2736	d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: 33	1612	EhTray.exe
Token: SeIncBasePriorityPrivilege	1612	EhTray.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeDebugPrivilege	1744	ehRec.exe
Token: 33	1612	EhTray.exe
Token: SeIncBasePriorityPrivilege	1612	EhTray.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1612	EhTray.exe
1612	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1612	EhTray.exe
1612	EhTray.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 944	2792	mscorsvw.exe	38
PID 2792 wrote to memory of 944	2792	mscorsvw.exe	38
PID 2792 wrote to memory of 944	2792	mscorsvw.exe	38
PID 2792 wrote to memory of 944	2792	mscorsvw.exe	38
PID 2792 wrote to memory of 2708	2792	mscorsvw.exe	46
PID 2792 wrote to memory of 2708	2792	mscorsvw.exe	46
PID 2792 wrote to memory of 2708	2792	mscorsvw.exe	46
PID 2792 wrote to memory of 2708	2792	mscorsvw.exe	46
PID 2792 wrote to memory of 992	2792	mscorsvw.exe	50
PID 2792 wrote to memory of 992	2792	mscorsvw.exe	50
PID 2792 wrote to memory of 992	2792	mscorsvw.exe	50
PID 2792 wrote to memory of 992	2792	mscorsvw.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe
"C:\Users\Admin\AppData\Local\Temp\d0983c06d38b62c9e04d4ad40991fde6d2e7b9db7ebc8483ec89946916699e8e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2840

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 180 -NGENProcess 1a4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:308

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2084

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:576

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:840

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1432

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2984

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1628

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1712

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
209a3b76a6f372319163fead073427ba

SHA1
39a8253240c1c83eb8392d68feda45d89dab280a

SHA256
f015e332c6d72b9e2b9149891600e7bd460104c18f97ace5c503b1da1d3463e6

SHA512
a33b83d22360f57fd9055c77d18c7585fd86983731e54584a62af645ae031f2252f0ae38cf857f7a9141fbdba5cb9c6bca250ff33f08417f9ee03338c1b2faf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
279ba85ba87a50568b9faf4dd6ad12f6

SHA1
6ca5886605e99c766b03a9481a283c64dcc781a8

SHA256
f92ebc802903270e21c00dbb320066f49dfc35d34a82c5f051b00d587b598cb8

SHA512
0c4629d4a2ec69112b545270967d1a4e4c66dad32665e2f1a3751a1a2172b239eda7a2f257b5686ee07a1f4488db479026fdf4350727e32b7617f610949ea271

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bfdcd58b68c53edb14bf6d8d6c18010e

SHA1
39fe95a06da401e08ffc5dba1de02fea947375fc

SHA256
e86b81fd1704ff3ba0a8f4c221abc502c06878a6ac2de9424794dc7d45e253e3

SHA512
4f4cdebd142407acaba5d51748c062ea926ad956117a91c2ffd362b49434745ada4d6dea1d78aff347e8a5f28240c6164517eadfa26b084f6b7ad7636fa623bb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
435cdd041863826ca8348786122cdfd6

SHA1
75448c65d2336c1e5f5511c0c1ba2a7b9b8cfe8a

SHA256
dada4c7a4c50838caf1487d4fcacbcd2b553c03c8e060bad8e78e2c964cab8fd

SHA512
498bc4a8a58c8083e13a57ecf3161f61c265dc0cfe3216b1bae6d8a493b30d0d47bc95aac221fbb3e250c8d2251f31ca1bb0e97aa58c0d0830990640efc5061f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e093d480300e01e8c706be2347c96dc4

SHA1
5b8eabc6a735abe23f471d04092f25d12be4a054

SHA256
05032018e0c3f5187cafbecbbab1975a13dcf08682c745fcb047064cccd17389

SHA512
b4b5835f95011a4d9d4d606968e889110dbbe4cc90c00462f92fd74d61e336c81e541b63916a226ef5d988bfd9112864a6ba29840331dd8a0eede764963b2fa6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
5c88c0952e055a17b88fb811a9ec91a1

SHA1
cc7b8edbebc7a6692afbeb53bbbc226ea28ee072

SHA256
fe47f798e117eb33a363690b3a3ace8a72a3eab8e5603a54f6c85eea2bcb1b69

SHA512
86e70315f52a8f8649da2f4c424eb683beebd8f67fac201001f6f4c8dfaf8f29c26c7c3a3a699029fb44f19e9ff11096548d5c7dd96e79b474b1663a982dcd63

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
1cd4c1670dee261d4a3c29b16759f808

SHA1
49570538b7c458f309740ed931a7092325409d9a

SHA256
66da462a2ee709c5cd8b71ffb5f51328721ed54611177f909de3f22100f9548b

SHA512
9eba0eb7a01fa8cdf6fd30ad9819be7e69894cee4cece170f52538f714376055641949a6ea1d4abba61714ae0ab1960f04531725f3de451fbd005a5ec2c9a2b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
2533d6f82813a463d1dab3e88d8f8e2a

SHA1
e8a927653cbe6d57c2aa9cfa260101e471d90ca3

SHA256
9dfb47d715a11d1fda53aa09431833fe14a63b13a199dd183cf675501ebcf24b

SHA512
13ca8bfd31841f78a8eb9849d7d8a0e2c6e7fe2edb46512470bbff77f1d64cd969d7d3c86f1dcb55b7b42539b6aae8dfd67f985ce01b3795d4e1761c10f1a4e1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
0bf4decea047e40861826aa5106f6b20

SHA1
f44718f3f558e34e14d3cbbdc44d141c89eadd09

SHA256
5a26e8287916e91cd015342f5cbfc0b3988544e1430b252b80094f33922baecc

SHA512
1e5cc68f8456c20b100f060646a910a494f7df744fa692e0090afa45c82279e5e83361c01f14b121656860c26e88281b735e2d02c6f4ed1c6133dacec2ca91ee

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d298c2c8b54ff61f4af0cd9838ac7a59

SHA1
35e9f945c59bb9816fce510bd4c6b4bae667c32c

SHA256
59593a92a22b48fd5cb7d8584f86427935e43bfcd0bfa3e6f852236f24d508c1

SHA512
3480ce5385960b2a6f881cad16ff0d365006fad2379a733af5876a6958ff38c1ec65aa85c23cc71d823571a7ebf0c48f6ff8cbeee36967f36a013cc40abfba84

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
2a25ce8130bb49bbf055963f9828534f

SHA1
c18226b261448c7d3162fe26998e7acb71f3c82f

SHA256
c2b5f0b97312e7f4d6fe2d8a82840e5a0a7f4797b1197aa37b2a333eab5df59c

SHA512
33ea6da76639ad4ae2f46aeb56ef6d6cdfc3b70ead219e5440d445e1a6db247f32ffba9c40fa71da7e2a44a53fef027a02dcd2d05f470b6a7d5b3abead765cd5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d3c1680c1beeb082af60baec5045220b

SHA1
805aa403c273d0ee2a792085dec26092467934a1

SHA256
f6d752957ac87ccb7b1b134f351896346f75de804bb835c98e5c43559d3f0cbb

SHA512
5a2642a5470fe48414a2dab9f972f85dbd4051ae3ba5cf858240b966168e62402b589adcac3a5a8a6dd4e17abb383d2a8667c10faf4a3d56de3aee7f226f4c74

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c8dd70a47f4452306353062360a6c69f

SHA1
2e7a064da2c026747b0c2f88985b4dbe37868716

SHA256
124897f702c5a4f5c197ea4072b33685e849e74883ba5151a939f5ee145883f8

SHA512
851cbabcd4211700db4627db4b3630b55d5cbe81310f41c5f0ba6d7091f11cfb3d54bdddb7b5f9ca8e57c6ca2d756810ee758546e9192c164cbf836ca465245c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
cf4244662159474cf126f847776928ee

SHA1
08460d2bcc3c27b415b1c25fc1b40066fc5723fe

SHA256
a8c27ef7fee6260e4c242242778b7f7ac8ddc173d82359bd22b83a02ba70c73a

SHA512
cc45dfa9a4f178482169a88d96210355cef52704bf66f8e478df3b75e775792bf8ab056341adad577b47370092e10913304e71183c230f4505da7a8ced30799b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
954442bd693fd88b4ebbb018e632eb74

SHA1
fddc7356f044aff9bd616d5989a3f4a0847ed704

SHA256
c40ce4dd85ad10daf3e545933b4e5c0ded766778f2453917ec19ada61c2cf2ac

SHA512
d585b95aacf24571895737dd955bd48492b9926b15de752a0914e58123e01e247c59becee6a9444dc2a8ddda465e806481f52011166923ebbb296d4b8940022c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
6cfe2659dd9dd0e7e470ddd855155e51

SHA1
886fdf7b3e2d8a56bca74c83077c2f4a9c976476

SHA256
1434eb95cb58b7e663caca8809de8eaffc29f7e4ae2a643422c454b9ae5c4e34

SHA512
966021329bfb2e48ee7a09d091367b9abc47490654d91f32fe96639fc8b8c8fe6c229522b9e4ae3cebfff91f3dc00eda439c6449746649dbf73f3f2b5f7ba02d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
441a602b686721a24382632593cda922

SHA1
74714617d5bb9ef3907b1641bf9175d373b2602e

SHA256
ff3771f388815317b403485364878eb7beedee4290aed1910dcd6e34af9b50ef

SHA512
53c4f9971d57d01f03746359f31d30137c7f5922e04677f4124537f2920f57531256bf0ce619bec2cd140088b88469d612081e78a497249834abe772f53aa750

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
892c750771d2c69b347666a5ae2d3700

SHA1
dc3b51c9b71148f1afe0dfc57df5250619bf88f4

SHA256
e6778cb5d84418c64d54bf5841d8793aaf5d95411109e7f8af69683f66d88c46

SHA512
2dfa096dbc2d9a9d022cf210c2d590530db60c24a8897b2d60a6ebace8c8b88fabf01eae88ffd6838fc073a3534c20d6e9a6dbb56a535f9bc8aca81abe1d5284

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
fb0fbd3ba5df4bc1b42955dca849f137

SHA1
5a26dc82c3995277a10ad4ebf642d9b30417ef9d

SHA256
81a4134d1571990aaeb97d65927d24d1f0b886a216cd91f4e75ea7d71133535d

SHA512
33d30c443e691b28c394d847e8a7e991c044b73cf28a4ce282d33256c37029b952f52a9ef1d9390c51e85eebc363b37289eeae5b57c18bb6a3cadabb50e66115

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
682baec16ae939893b9a75f0ba23f5fd

SHA1
9f804ec8943af453245673681799d11bab8b3d59

SHA256
4fa69f8df7b8c68f0deeac14cec5bfa648612ffe553ab20806f05ad07f2d0dda

SHA512
25bfb3efb7c5c5536ad7f15a755dedea9454d67bdeff36f495cc7ac167f6f2b99650386b3d58334df023233afae44795045790311cc881366da2086d6127398f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
78934b79d17019e867e25883545cd91c

SHA1
03fedd42ca56d65e2c736f58a476a08d7c5b86a9

SHA256
f420ddd548d98b28d3447925c15dc4f3677aab6a0f47e3fbb4de04a1ac884092

SHA512
aa07c2c7cf09b2a6d5388aeb180e508e1cad0695d41c0b9b1de0dd98a3cedc910e08cf261011eac6481637f615403bdc63b3fc2198bde3fee6f540539b11e0bf

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cdaac717e7a9c75475ec00760b0e82a4

SHA1
2baf71b59fba512da4149141e4e3518c8bbf41aa

SHA256
3fd41f84337bdc1661f6eaca9f8563db151b42f7d154b48ee08ce7353ebb31df

SHA512
3522560bdeb5c18b16f8c4096407c4f44229f3a7e11c85289ebac6a13137034986a3148008f84898696780f24757892ff185d58a86fc8a27415a5ce85be5cd0f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a016349474649e828d1fca0c5b8c7c92

SHA1
91693f7a7a26cfd9d424c42183f118755fcb450a

SHA256
290a2ef89331c34e38747390f5f73acbe8b4bdbf485fb842ad4779967e4249ae

SHA512
77822092cf9174d3b9a44af64675d8d1204a92995ab24fa95bacc0f10e8ec01e7e9032c21123d41150641cd1d88df5195767100ced8a7157d1e56926c802b8ae

Download Submit
memory/308-118-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/308-114-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/308-110-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/308-176-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/308-119-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/576-140-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/576-252-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/576-146-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/840-266-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/840-163-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/840-178-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/944-265-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/944-286-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/944-215-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/944-172-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/944-158-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/992-284-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/992-294-0x0000000000C30000-0x0000000000C97000-memory.dmp

Filesize
412KB

Download
memory/1432-277-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1432-278-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1432-228-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1432-240-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1628-234-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1628-243-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1676-232-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1676-229-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1712-292-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/1712-275-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1744-225-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/1744-235-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-223-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-280-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-268-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/1744-233-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/2084-236-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2084-169-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2084-133-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2084-125-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2336-14-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2336-12-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2336-19-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2336-89-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2432-53-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2432-107-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2432-59-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2432-52-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2636-111-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2636-33-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2636-25-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2636-26-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2672-248-0x00000000004F0000-0x00000000006E1000-memory.dmp

Filesize
1.9MB

Download
memory/2672-245-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2672-300-0x00000000004F0000-0x00000000006E1000-memory.dmp

Filesize
1.9MB

Download
memory/2708-308-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2708-250-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2708-257-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2708-267-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2736-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2736-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2736-69-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2736-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2772-98-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2772-92-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2772-90-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2772-97-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2772-166-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2792-76-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2792-70-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2792-72-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2792-156-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2840-44-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2840-43-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2840-37-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2840-84-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2840-38-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2984-230-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2984-231-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/3036-301-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download