2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe
Size

1.5MB
MD5

1b45a8422573bc214098aa3ed82a1aa0
SHA1

b5d4ff6c1dbcb7e2997161c74eca1a1a8a818375
SHA256

2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41
SHA512

6ac63905182a4d79b60fda9e1c7d66eef5c02466a2a0077661d8e7d1de6eebeeff1b13d9717946fd653beae8b6d6d5e5fdcb8a339d54abbdfa220fdf0105464b
SSDEEP

12288:p/nUHbY/V7ZSbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSXH:ps7Ymbl0fitGbna8FLk2m1X2D4brrH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 35 IoCs

pid	Process
476	Process not Found
2620	alg.exe
1152	aspnet_state.exe
1564	mscorsvw.exe
2224	mscorsvw.exe
1180	elevation_service.exe
580	GROOVE.EXE
1620	maintenanceservice.exe
2264	OSE.EXE
1092	OSPPSVC.EXE
2216	mscorsvw.exe
1148	mscorsvw.exe
2652	mscorsvw.exe
1680	mscorsvw.exe
320	mscorsvw.exe
828	mscorsvw.exe
1620	mscorsvw.exe
1376	mscorsvw.exe
2300	mscorsvw.exe
2612	mscorsvw.exe
2772	mscorsvw.exe
2716	mscorsvw.exe
2592	mscorsvw.exe
2552	mscorsvw.exe
2752	mscorsvw.exe
2872	mscorsvw.exe
2440	mscorsvw.exe
2828	mscorsvw.exe
1124	mscorsvw.exe
2760	mscorsvw.exe
408	mscorsvw.exe
1700	mscorsvw.exe
1048	mscorsvw.exe
2808	mscorsvw.exe
1568	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de16a5ccc1bd2e0a.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EFAFADA-208B-4BC3-8A2E-F71970AC49AC}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2872	1740	WerFault.exe	27

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe
Token: SeShutdownPrivilege	1564	mscorsvw.exe
Token: SeShutdownPrivilege	2224	mscorsvw.exe
Token: SeShutdownPrivilege	1564	mscorsvw.exe
Token: SeShutdownPrivilege	2224	mscorsvw.exe
Token: SeShutdownPrivilege	1564	mscorsvw.exe
Token: SeShutdownPrivilege	1564	mscorsvw.exe
Token: SeShutdownPrivilege	2224	mscorsvw.exe
Token: SeShutdownPrivilege	2224	mscorsvw.exe
Token: SeDebugPrivilege	2620	alg.exe
Token: SeShutdownPrivilege	1564	mscorsvw.exe
Token: SeShutdownPrivilege	2224	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2872	1740	2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe	28
PID 1740 wrote to memory of 2872	1740	2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe	28
PID 1740 wrote to memory of 2872	1740	2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe	28
PID 1740 wrote to memory of 2872	1740	2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe	28
PID 1564 wrote to memory of 2216	1564	mscorsvw.exe	40
PID 1564 wrote to memory of 2216	1564	mscorsvw.exe	40
PID 1564 wrote to memory of 2216	1564	mscorsvw.exe	40
PID 1564 wrote to memory of 2216	1564	mscorsvw.exe	40
PID 1564 wrote to memory of 1148	1564	mscorsvw.exe	41
PID 1564 wrote to memory of 1148	1564	mscorsvw.exe	41
PID 1564 wrote to memory of 1148	1564	mscorsvw.exe	41
PID 1564 wrote to memory of 1148	1564	mscorsvw.exe	41
PID 1564 wrote to memory of 2652	1564	mscorsvw.exe	42
PID 1564 wrote to memory of 2652	1564	mscorsvw.exe	42
PID 1564 wrote to memory of 2652	1564	mscorsvw.exe	42
PID 1564 wrote to memory of 2652	1564	mscorsvw.exe	42
PID 1564 wrote to memory of 1680	1564	mscorsvw.exe	43
PID 1564 wrote to memory of 1680	1564	mscorsvw.exe	43
PID 1564 wrote to memory of 1680	1564	mscorsvw.exe	43
PID 1564 wrote to memory of 1680	1564	mscorsvw.exe	43
PID 1564 wrote to memory of 320	1564	mscorsvw.exe	44
PID 1564 wrote to memory of 320	1564	mscorsvw.exe	44
PID 1564 wrote to memory of 320	1564	mscorsvw.exe	44
PID 1564 wrote to memory of 320	1564	mscorsvw.exe	44
PID 1564 wrote to memory of 828	1564	mscorsvw.exe	45
PID 1564 wrote to memory of 828	1564	mscorsvw.exe	45
PID 1564 wrote to memory of 828	1564	mscorsvw.exe	45
PID 1564 wrote to memory of 828	1564	mscorsvw.exe	45
PID 1564 wrote to memory of 1620	1564	mscorsvw.exe	46
PID 1564 wrote to memory of 1620	1564	mscorsvw.exe	46
PID 1564 wrote to memory of 1620	1564	mscorsvw.exe	46
PID 1564 wrote to memory of 1620	1564	mscorsvw.exe	46
PID 1564 wrote to memory of 1376	1564	mscorsvw.exe	47
PID 1564 wrote to memory of 1376	1564	mscorsvw.exe	47
PID 1564 wrote to memory of 1376	1564	mscorsvw.exe	47
PID 1564 wrote to memory of 1376	1564	mscorsvw.exe	47
PID 1564 wrote to memory of 2300	1564	mscorsvw.exe	48
PID 1564 wrote to memory of 2300	1564	mscorsvw.exe	48
PID 1564 wrote to memory of 2300	1564	mscorsvw.exe	48
PID 1564 wrote to memory of 2300	1564	mscorsvw.exe	48
PID 1564 wrote to memory of 2612	1564	mscorsvw.exe	49
PID 1564 wrote to memory of 2612	1564	mscorsvw.exe	49
PID 1564 wrote to memory of 2612	1564	mscorsvw.exe	49
PID 1564 wrote to memory of 2612	1564	mscorsvw.exe	49
PID 1564 wrote to memory of 2772	1564	mscorsvw.exe	50
PID 1564 wrote to memory of 2772	1564	mscorsvw.exe	50
PID 1564 wrote to memory of 2772	1564	mscorsvw.exe	50
PID 1564 wrote to memory of 2772	1564	mscorsvw.exe	50
PID 1564 wrote to memory of 2716	1564	mscorsvw.exe	51
PID 1564 wrote to memory of 2716	1564	mscorsvw.exe	51
PID 1564 wrote to memory of 2716	1564	mscorsvw.exe	51
PID 1564 wrote to memory of 2716	1564	mscorsvw.exe	51
PID 1564 wrote to memory of 2592	1564	mscorsvw.exe	52
PID 1564 wrote to memory of 2592	1564	mscorsvw.exe	52
PID 1564 wrote to memory of 2592	1564	mscorsvw.exe	52
PID 1564 wrote to memory of 2592	1564	mscorsvw.exe	52
PID 1564 wrote to memory of 2552	1564	mscorsvw.exe	53
PID 1564 wrote to memory of 2552	1564	mscorsvw.exe	53
PID 1564 wrote to memory of 2552	1564	mscorsvw.exe	53
PID 1564 wrote to memory of 2552	1564	mscorsvw.exe	53
PID 1564 wrote to memory of 2752	1564	mscorsvw.exe	54
PID 1564 wrote to memory of 2752	1564	mscorsvw.exe	54
PID 1564 wrote to memory of 2752	1564	mscorsvw.exe	54
PID 1564 wrote to memory of 2752	1564	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe
"C:\Users\Admin\AppData\Local\Temp\2a23456d0877a7a6e9a8191e2b7bc0349ea20b191ed722f245ab17566926aa41.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 344
  2⤵
  - Program crash
  PID:2872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 244 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 1e0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1e0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1d4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1e0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1d4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 1e0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 274 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1180

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:580

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1620

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2264

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
e103be07c04fb984feb0c920d72228eb

SHA1
009a530b62824f25d0d7a35130d5fa8bb778935b

SHA256
e7c9c87f07d640b87af12a0073b081709e65d98641bfc9aefbafde2ab3833a0d

SHA512
311dea6f46365b1fd8e4d79958375b38517c5e98c65a063b32089aeb00463bcb82b82c73d8cf4515c5c656b436bb7e36f4287814f9cfa22593959975dd5d843b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e4cfb5b49cd06ad1e9d645451c872643

SHA1
9563b2a9b3884d273ea776d101e56b8920317008

SHA256
f3f45df326fe1eb21485de5312bd31e7bfcfa7381c43d11f6c84e238916d75e5

SHA512
324861dc8c3cf5ab7642e1e1b0c75c4a58cc661bf021f44ddf63f60ebb0b923a01db7e5b4be661228ab018fa78bb8ce3af142ba29134c6841222adf03d8f629e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8406eefb8d21481c52b190da1eadb8c1

SHA1
d66b128262840dcaae9f5043847080790137ab9a

SHA256
a81758aa1b28eea31d9a444ecc1b49b4c0121815e56a2d215cab01fe034763c3

SHA512
8880b16951620b4cce7a08f8f42ef3dac5c1260c77e276294f35954c78ef0e8406d2ca0ebff5901e76af655b3de4bcdf5931b108679ec54c295737f6b4576fc7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e39f832a3e3d15472e1da918f3b8dd62

SHA1
4645ae1bfb36dc9d405e40dd6538054a67a20588

SHA256
00ad949013eda0c93c31cde24c805f0f28b20d17780f8440578a00fd7c5110c3

SHA512
e0bccbf346de28d93a3a643760a416e015ca77735f7a603e7f548c62d937b71e10b595e47c7c5d9650259c3b27d6c27797e31f1890494f03147b7ea4badbbd8c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9ad3058dea4e7791b2b0e4170898db73

SHA1
f9c257164a620059e9c58c7fb941abe7b77195bc

SHA256
48ad02bb50b37e35a9ee81aff9fff1c11f3d3fdbf8e6dcd9e62473c37255ba69

SHA512
a708d5b91951f5cffd16aceb93c5150fc7b73e46c25a71f2eb09da7e82100788acf2295f95cb520ea458c765eca4ff4f1e9f41db723ca3653c4047795abb7679

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
06814f7ed746d31b2d35ff9bcd90d2d4

SHA1
e473401bc6dde133d66fcf43906c1bad6cf257d2

SHA256
3a418f5a41e61c0d651897f8dfc81a25e5ac7263d40838475745940ee9a150ea

SHA512
61f3af95aabdd40f688e771d45a8e82e8af7d647a93d7afd8187d815b4d0e0853740f3cdfa9b4de7f0bcad1a8126f3d0576b89cf9c6618765f3a0108cf61410c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
2ebdf22e297fa670db57bab5ff99d557

SHA1
a20c71d4b6c55ee1a0a594a89109e5502abe6b1a

SHA256
c75d6660a1d66c569557d4a46861f7bd981051356950844d4a181845a668479a

SHA512
a43465e19768d97e4ce8bdcf85a5596467946bd285a4a65356176e2419d2b5b263000ae2ffa0efd2a2bd2d7b121350bf2a5e92554d7f176726243eed1e8efbba

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
8cb694c37aa45b9e5dfde66c75ad8d6d

SHA1
7f57f3b994a285ca7d54d9c08daba64c06c83f4b

SHA256
8208563893bacfbb7ab1f8df3cc436a5bf31ce3517cb437f412f103aa0ffc1de

SHA512
6d29797fa02781d5c07b0db93fdd1620b11174a7529b42b2867fdca8c882e9f829a55f6a46f995f490e9cdecba979142557d85435b123d23d4793e8489930c79

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9b275fc4190330626def7e649f5b6218

SHA1
e0b565cf9359601ab65b4be5afacf18b57c6cfbf

SHA256
8fe9ef14cd72a0c4ff836e9cbf85c0f50e422b50dd971a20b4972fe46b0df009

SHA512
2ebf007d1f8f02827cd6c936e5b1d27507096ac8cfc6925a90584d24e6df5b5a3cf6f2fb7622a3a331df405242b7c7f10b9f65fb2f9dfa7305c7a98a048c181f

Download Submit
memory/320-348-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/408-540-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/580-101-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/580-83-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/580-88-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/580-332-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/828-354-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/828-360-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1048-560-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1048-563-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1092-126-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1092-379-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1124-517-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1124-511-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1148-303-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1148-310-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1152-31-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1152-33-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1152-39-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1152-278-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1180-79-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1180-80-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1180-331-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1180-72-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1376-380-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1376-386-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1564-42-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1564-285-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1564-50-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/1564-43-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/1568-591-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/1568-578-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/1620-92-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1620-382-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1620-369-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1620-115-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1620-98-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1620-102-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1680-333-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1680-337-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1700-557-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1700-546-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1740-25-0x0000000030000000-0x0000000030189000-memory.dmp

Filesize
1.5MB

Download
memory/1740-0-0x0000000030000000-0x0000000030189000-memory.dmp

Filesize
1.5MB

Download
memory/1740-8-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1740-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2216-304-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2224-318-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/2224-65-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/2224-57-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2224-63-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2264-105-0x00000000003A0000-0x0000000000407000-memory.dmp

Filesize
412KB

Download
memory/2264-110-0x000000002E000000-0x000000002E194000-memory.dmp

Filesize
1.6MB

Download
memory/2264-368-0x000000002E000000-0x000000002E194000-memory.dmp

Filesize
1.6MB

Download
memory/2300-394-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2300-398-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2440-494-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2440-487-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2552-453-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2552-464-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2592-444-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2592-441-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2612-410-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2612-406-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2620-14-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2620-26-0x0000000100000000-0x0000000100183000-memory.dmp

Filesize
1.5MB

Download
memory/2620-23-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2620-13-0x0000000100000000-0x0000000100183000-memory.dmp

Filesize
1.5MB

Download
memory/2652-319-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2652-323-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2716-429-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2716-438-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2752-478-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2752-466-0x0000000003CD0000-0x0000000003D8A000-memory.dmp

Filesize
744KB

Download
memory/2752-465-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2760-536-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2772-421-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2808-573-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/2808-588-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/2828-514-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2828-502-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2872-490-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2872-477-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download