8daf5ece43161efd1a70e412dae34543c3202bd3dfea32e8832c3e76fbb5832d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe
Size

665KB
MD5

6c11b679c0bf69cbc3b30ac097816f50
SHA1

708ec864f2f252ff9890f8c1a0800554c5e00906
SHA256

8daf5ece43161efd1a70e412dae34543c3202bd3dfea32e8832c3e76fbb5832d
SHA512

1d6ec3e32b62639ae1038197e5db891763ab699ab3f433fdc20307dad79cc05514e3ecce27c0923b3397c9894d45f2d55f74b2aa4890f015157c213f000f4a7f
SSDEEP

12288:U/nUHbC/V7N3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:Us7CT1N3RUDHNmdPCAaq8Nozgi/rE0TY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 34 IoCs

pid	Process
472	Process not Found
1504	alg.exe
1244	mscorsvw.exe
1552	mscorsvw.exe
2084	elevation_service.exe
2848	GROOVE.EXE
588	maintenanceservice.exe
2252	OSE.EXE
1744	OSPPSVC.EXE
2556	mscorsvw.exe
1864	mscorsvw.exe
2024	mscorsvw.exe
2576	mscorsvw.exe
1300	mscorsvw.exe
2096	mscorsvw.exe
1892	mscorsvw.exe
2348	mscorsvw.exe
604	mscorsvw.exe
2304	mscorsvw.exe
2944	mscorsvw.exe
2420	mscorsvw.exe
2624	mscorsvw.exe
3016	mscorsvw.exe
2764	mscorsvw.exe
2596	mscorsvw.exe
2720	mscorsvw.exe
1432	mscorsvw.exe
2044	mscorsvw.exe
2016	mscorsvw.exe
2368	mscorsvw.exe
2912	mscorsvw.exe
348	mscorsvw.exe
2072	mscorsvw.exe
1988	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3f59117843e3c333.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	2208	WerFault.exe	27

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2208	6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1552	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1552	mscorsvw.exe
Token: SeDebugPrivilege	1504	alg.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1552	mscorsvw.exe
Token: SeShutdownPrivilege	1552	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1552	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2576	2208	6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2576	2208	6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2576	2208	6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2576	2208	6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 2556	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 2556	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 2556	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 2556	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 1864	1244	mscorsvw.exe	40
PID 1244 wrote to memory of 1864	1244	mscorsvw.exe	40
PID 1244 wrote to memory of 1864	1244	mscorsvw.exe	40
PID 1244 wrote to memory of 1864	1244	mscorsvw.exe	40
PID 1244 wrote to memory of 2024	1244	mscorsvw.exe	41
PID 1244 wrote to memory of 2024	1244	mscorsvw.exe	41
PID 1244 wrote to memory of 2024	1244	mscorsvw.exe	41
PID 1244 wrote to memory of 2024	1244	mscorsvw.exe	41
PID 1244 wrote to memory of 2576	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 2576	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 2576	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 2576	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 1300	1244	mscorsvw.exe	43
PID 1244 wrote to memory of 1300	1244	mscorsvw.exe	43
PID 1244 wrote to memory of 1300	1244	mscorsvw.exe	43
PID 1244 wrote to memory of 1300	1244	mscorsvw.exe	43
PID 1244 wrote to memory of 2096	1244	mscorsvw.exe	44
PID 1244 wrote to memory of 2096	1244	mscorsvw.exe	44
PID 1244 wrote to memory of 2096	1244	mscorsvw.exe	44
PID 1244 wrote to memory of 2096	1244	mscorsvw.exe	44
PID 1244 wrote to memory of 1892	1244	mscorsvw.exe	45
PID 1244 wrote to memory of 1892	1244	mscorsvw.exe	45
PID 1244 wrote to memory of 1892	1244	mscorsvw.exe	45
PID 1244 wrote to memory of 1892	1244	mscorsvw.exe	45
PID 1244 wrote to memory of 2348	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 2348	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 2348	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 2348	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 604	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 604	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 604	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 604	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 2304	1244	mscorsvw.exe	48
PID 1244 wrote to memory of 2304	1244	mscorsvw.exe	48
PID 1244 wrote to memory of 2304	1244	mscorsvw.exe	48
PID 1244 wrote to memory of 2304	1244	mscorsvw.exe	48
PID 1244 wrote to memory of 2944	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2944	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2944	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2944	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2420	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2420	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2420	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2420	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2624	1244	mscorsvw.exe	51
PID 1244 wrote to memory of 2624	1244	mscorsvw.exe	51
PID 1244 wrote to memory of 2624	1244	mscorsvw.exe	51
PID 1244 wrote to memory of 2624	1244	mscorsvw.exe	51
PID 1244 wrote to memory of 3016	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 3016	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 3016	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 3016	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 2764	1244	mscorsvw.exe	53
PID 1244 wrote to memory of 2764	1244	mscorsvw.exe	53
PID 1244 wrote to memory of 2764	1244	mscorsvw.exe	53
PID 1244 wrote to memory of 2764	1244	mscorsvw.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c11b679c0bf69cbc3b30ac097816f50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 344
  2⤵
  - Program crash
  PID:2576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 1d0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 238 -NGENProcess 240 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 258 -NGENProcess 1dc -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 260 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ec -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 258 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1dc -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 274 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 250 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 280 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 22c -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2084

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:588

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2252

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
2247661ffe0432db0723b61287c52544

SHA1
29cb5a492dd013356c6f6f5855d865fba38327b8

SHA256
e811e4f3eb050b73d6a5287408be0578f66dc472e324a0f4ebf4afb613c75d7d

SHA512
e7f2317668f5f41c8909d10c2ef71499661a1e0a3d7a07ad812b0d52775b4f34aea0a516a2c8f9abca092613d5313d2724bb7e06a1f18896196df237ef0d4e20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d75cefa7c4390e03cd8e383ac517961e

SHA1
181564d57dd6507f239bf681e296363024959169

SHA256
e6a19de924aca03ec3333d7970307d70d7f27b114a735456170e062409b62e50

SHA512
d444f4269235ed096f97f971e4661a409a0821589d453054cc84415f8ebb19f5dd4b63b5bf473d643470a5c849f7cbe5b844bc2694ab1c37d026dd8acb362288

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
ffdaf4012130d749aecc1617cb0a3923

SHA1
19f0011d97b53ebb60b7745fcdb4ba96a7068c55

SHA256
2c25f0e6bc2a0d4063ef5b690fd719e399b8885a3ddab55c088c13de3b69f6e0

SHA512
1ecd520e8efe2c16149efb0039afac7dbb0f6bea81f782810fbc9b061a143c40d9d144587baced55e42f4a883813a66abb9b8fd53f74ea88dc80343b560f1a3a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
5e2a115ad8ef1110d5ef8b72107f3e70

SHA1
a33fef0662cb653d3daa498f8168e09e195702ff

SHA256
4d38dcfc5b34638b7c77023e68afd581b13ae43eef0227a492d9275207f607e9

SHA512
b43bb10b775b61dd7da21f732cf28eba1a2c868ca3bf978c255475fdeb8fe2214c0d685d9d2abe62e0e4320b2d300c4b547bc7f89c9665fff268e1cfe28c69a1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
13b19bbbf00d3c898851814e3d023273

SHA1
dc747cbcadaf4d3a3695b46dc2d090636d8088b1

SHA256
69ce23d1ef46948d56d3af2d0b9f1a4796c1909ca9297020a6a46979f45b7580

SHA512
f87d3b9d889d8c522653b3770881fdc3ebe209f3f2dc4fa18e7011baea7ea47abde7c1049047ddda1921f09d8cf83f745878e471f1d9f781b4a62c34e3f8153c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
ac0dff88e2c62b4df38c352a5ecfb3da

SHA1
d049cbd9b687c3dbe5792885f4821108f12147fe

SHA256
58b1652ff0d82b2d64571e1304b267f2a8b6ce0e0de833856bbdfa1857ee6692

SHA512
80982f67ab2ebb91e202439b46276564dc5aab40536436152bbb9036ee03e3f39405e39fd0c3b4ddafee8f4140bb3b0d86050dcdfbebc5ac3a8a038cb8fdc7f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
6457bb3894203965a6a827b2e04f7fe9

SHA1
ac29e7ff99f3db7180ac895f8d1be0e50b750005

SHA256
8e54015b10c3cf2dbd2290f96d655c3b48be89e635fbf307c1ae773b6ed0cf64

SHA512
7f38125958f622e5c98b1100ea1e735236e93798e12a6afa88f2692d7718cd6dcad0f81b44fe4e9f4af63e9d83873601da31136a71fa80c510a5d12c40255173

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
e76f0c5002b904178fda044179e3d1ed

SHA1
6928a0e06b4ce8754cf6bd98e54968ef9a82205e

SHA256
f7c8d4b22841ca53b546e7427821da18024cbbe16036b5348510cb61246ebc62

SHA512
8cc1665c48d1940056a43348496be594f4a7484ee4e33f199042e1748101f702a18ac19a23b2772f26b755c28747e950f5280d447ace2a05cb0eaeecf9b4e14e

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
b8121f2202a0fc44bf1fe47a29529f55

SHA1
4c29d705570ca0491a4ad2e4ec2db141e84f4ced

SHA256
190da3f8509296fafaad62fdbaba7a608fa76092efdcd319fea5af13d537f019

SHA512
5d7397a21803879bbc0ccf44b699eabf81c1eda93ad14242bb80bcdbffd023603d5020ae1b68e47bbbb1f0227737af3c66c6d067b8cdf5f4bd61627299c6e2ab

Download Submit
memory/348-541-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/588-88-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/588-94-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/588-92-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/588-82-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/604-386-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/604-374-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-31-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-32-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/1244-275-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-39-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/1300-334-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1300-338-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1432-487-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1504-14-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1504-25-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1504-22-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1504-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1552-46-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1552-55-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1552-299-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1552-47-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1744-369-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1744-115-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1864-294-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1864-306-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1892-361-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1988-563-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1988-569-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2016-509-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-312-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-305-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2044-498-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-566-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2072-545-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2084-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2084-324-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2084-70-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2084-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2096-349-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2208-8-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2208-1-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2208-0-0x0000000030000000-0x00000000300AA000-memory.dmp

Filesize
680KB

Download
memory/2208-24-0x0000000030000000-0x00000000300AA000-memory.dmp

Filesize
680KB

Download
memory/2252-102-0x00000000003A0000-0x0000000000407000-memory.dmp

Filesize
412KB

Download
memory/2252-104-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2252-97-0x00000000003A0000-0x0000000000407000-memory.dmp

Filesize
412KB

Download
memory/2252-350-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2304-397-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-375-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-370-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2368-520-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2420-409-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2420-417-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-295-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-276-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-320-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-332-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2596-470-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2596-461-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2624-436-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2720-476-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-449-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2764-453-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-448-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2848-73-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2848-78-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2848-96-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2848-333-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2912-531-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2944-413-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3016-440-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3016-435-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download