28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
25/11/2023, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
Size

1.8MB
MD5

0080804a9d931b5030d3b5d2ea59cead
SHA1

47f53768dd890951be4b1ee636aae6c528d7b1a5
SHA256

28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f
SHA512

5861c94f0c243390ff3536213e9ebf7c429a4d65e8bff8d69a5b57823630f3d52e9b06634410e7ce1f6a2e66d5a784f1ea246706d611bd3303226ce693dceef1
SSDEEP

49152:sx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA37GAK/tlRtYLat:svbjVkjjCAzJzRt6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 27 IoCs

pid	Process
464	Process not Found
2080	alg.exe
2444	aspnet_state.exe
2432	mscorsvw.exe
952	mscorsvw.exe
2400	mscorsvw.exe
1596	mscorsvw.exe
928	ehRecvr.exe
2880	ehsched.exe
1292	mscorsvw.exe
2704	mscorsvw.exe
2128	mscorsvw.exe
2952	mscorsvw.exe
2692	mscorsvw.exe
2440	dllhost.exe
1940	elevation_service.exe
2204	GROOVE.EXE
1732	mscorsvw.exe
1696	maintenanceservice.exe
936	OSE.EXE
2748	OSPPSVC.EXE
1816	mscorsvw.exe
368	mscorsvw.exe
1808	mscorsvw.exe
1720	mscorsvw.exe
2600	mscorsvw.exe
1512	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\51d97954ea1ae02.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_sr.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_th.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{09AF65C3-6C54-42BA-97FD-BF91F7EA3A54}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_ru.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_en-GB.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_te.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_nl.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_sl.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_zh-CN.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTAC09.tmp	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_lt.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_pt-PT.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_gu.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_ar.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_bn.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\psuser.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\psuser_64.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC08.tmp\goopdateres_sv.dll	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1B610C09-B8E2-4081-B079-168BDCC9177C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1B610C09-B8E2-4081-B079-168BDCC9177C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2248	28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeShutdownPrivilege	1596	mscorsvw.exe
Token: SeDebugPrivilege	2080	alg.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1292	2400	mscorsvw.exe	36
PID 2400 wrote to memory of 1292	2400	mscorsvw.exe	36
PID 2400 wrote to memory of 1292	2400	mscorsvw.exe	36
PID 2400 wrote to memory of 1292	2400	mscorsvw.exe	36
PID 2400 wrote to memory of 2704	2400	mscorsvw.exe	37
PID 2400 wrote to memory of 2704	2400	mscorsvw.exe	37
PID 2400 wrote to memory of 2704	2400	mscorsvw.exe	37
PID 2400 wrote to memory of 2704	2400	mscorsvw.exe	37
PID 2400 wrote to memory of 2128	2400	mscorsvw.exe	38
PID 2400 wrote to memory of 2128	2400	mscorsvw.exe	38
PID 2400 wrote to memory of 2128	2400	mscorsvw.exe	38
PID 2400 wrote to memory of 2128	2400	mscorsvw.exe	38
PID 2400 wrote to memory of 2952	2400	mscorsvw.exe	41
PID 2400 wrote to memory of 2952	2400	mscorsvw.exe	41
PID 2400 wrote to memory of 2952	2400	mscorsvw.exe	41
PID 2400 wrote to memory of 2952	2400	mscorsvw.exe	41
PID 2400 wrote to memory of 2692	2400	mscorsvw.exe	42
PID 2400 wrote to memory of 2692	2400	mscorsvw.exe	42
PID 2400 wrote to memory of 2692	2400	mscorsvw.exe	42
PID 2400 wrote to memory of 2692	2400	mscorsvw.exe	42
PID 2400 wrote to memory of 1732	2400	mscorsvw.exe	46
PID 2400 wrote to memory of 1732	2400	mscorsvw.exe	46
PID 2400 wrote to memory of 1732	2400	mscorsvw.exe	46
PID 2400 wrote to memory of 1732	2400	mscorsvw.exe	46
PID 2400 wrote to memory of 1816	2400	mscorsvw.exe	50
PID 2400 wrote to memory of 1816	2400	mscorsvw.exe	50
PID 2400 wrote to memory of 1816	2400	mscorsvw.exe	50
PID 2400 wrote to memory of 1816	2400	mscorsvw.exe	50
PID 2400 wrote to memory of 368	2400	mscorsvw.exe	51
PID 2400 wrote to memory of 368	2400	mscorsvw.exe	51
PID 2400 wrote to memory of 368	2400	mscorsvw.exe	51
PID 2400 wrote to memory of 368	2400	mscorsvw.exe	51
PID 2400 wrote to memory of 1808	2400	mscorsvw.exe	52
PID 2400 wrote to memory of 1808	2400	mscorsvw.exe	52
PID 2400 wrote to memory of 1808	2400	mscorsvw.exe	52
PID 2400 wrote to memory of 1808	2400	mscorsvw.exe	52
PID 2400 wrote to memory of 1720	2400	mscorsvw.exe	53
PID 2400 wrote to memory of 1720	2400	mscorsvw.exe	53
PID 2400 wrote to memory of 1720	2400	mscorsvw.exe	53
PID 2400 wrote to memory of 1720	2400	mscorsvw.exe	53
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	54
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	54
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	54
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	54
PID 2400 wrote to memory of 1512	2400	mscorsvw.exe	55
PID 2400 wrote to memory of 1512	2400	mscorsvw.exe	55
PID 2400 wrote to memory of 1512	2400	mscorsvw.exe	55
PID 2400 wrote to memory of 1512	2400	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe
"C:\Users\Admin\AppData\Local\Temp\28543f58c16a23d8e96c9585298621a5e5bbada4fce5cc68b82610a8df153f3f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2432

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 1f4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 268 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 1dc -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 1dc -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 184 -NGENProcess 254 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 250 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 294 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 11c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:928

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1940

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:936

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
3128523c5ce11bc723866c34e58671da

SHA1
4d11eb432e26a2c17b1d4fcb5b5a117dd3a04b82

SHA256
53676efabeb1f095357b58452675e631bf5016dfdde2140da0f0af9653ae4abe

SHA512
da92c45a29ee11a4ec917220e1b2aed93c7c93828c6c6901134b62e6ff376e930ab5e3675e4d07f4abb0fa0631201291f7f5ed572884fb8df880e25fe4766dfd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7e6e2d4c8621eb52c947a942d43c8c0a

SHA1
2522f03ad2e87204fec950f9ebe4f4830e6d89e9

SHA256
c98d20bd279faf4f29c6f52fb9eaac23ec0ec66fd2fca4258d64ee9d7d61aba6

SHA512
8ece45b04c55a7b67df3dd4fd5bc78c966a702c4084c908be44fd5c36d8a917a8b56ebd895668b754be61a3f03be28af56ec65120b31597e03ac4c232430fd0e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
afdc277f437c69bedb064661bc869129

SHA1
936915113e99c33bb04edf638c45be1713398afb

SHA256
04d34a34a6f59f2f94998fd9f757b104762574cfa7c0975c95feeabafe20f1bc

SHA512
1cb7bae365ebe0affd28d65efb2d2f9d4071f6d06b0a65835c1b0836bb0261265534232abc75b6790725d88aa072e12ef235c0bba190a271f7f607e6233d7510

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
ab5c600e474656715b90e747abea4969

SHA1
82efae03a1c2dc7b2872f0044c2bd2cce7ffff79

SHA256
89f6fa5674ca8d24d42ee4b193f0405fa72db49954e04e9f56dc1f0fd91ae7fd

SHA512
3817c9d9e60d045d28f1c1a7711483bcd4136d316549714c50ea7d2c60ae6f3796657cdf010f4ee7af82d5fe6110b9a9fb60226b8c3efa9afdf6078f94fd4d92

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0fb414afe02c257aa4e2b6225a6509c3

SHA1
d231eff36816fe41e3ba1cfb843c0a388365ed85

SHA256
709aa6cb9dd47ed4abce7dcc968f8a412d98b93116b4f70362f71300b3dafca4

SHA512
0680875380ccbec945e42d5261d96d187f4383afa25f1f3f762d3d3d991567fc03810b5fd86c05aa850b6986a7889698e36a0e56ba94c7932f520890f4618c99

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
f62c699d30288762754d83cc9641ca2b

SHA1
97f9bbca2e92c26ce39879ce4196f8047c57c0ab

SHA256
e4ff061f102a82dadb3812190b079d35652da67a4cd87a9205e04c6a28307402

SHA512
a505947a63d19769d29b4f21f9f782eb186346dbc10c4db4ff5daf75f748a6a4c37572b398567534a081660056901436bbf7fe621633731b72fef99019636c0a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
f62c699d30288762754d83cc9641ca2b

SHA1
97f9bbca2e92c26ce39879ce4196f8047c57c0ab

SHA256
e4ff061f102a82dadb3812190b079d35652da67a4cd87a9205e04c6a28307402

SHA512
a505947a63d19769d29b4f21f9f782eb186346dbc10c4db4ff5daf75f748a6a4c37572b398567534a081660056901436bbf7fe621633731b72fef99019636c0a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
646b5e097b333e404912694270ba4f17

SHA1
37f207b2df2dbc4eccc50d1d66e86347b3225499

SHA256
d6ef6d449c6614cbdbadca3c4f575abe2b97a04768d3b2bb6abada486e1ec49f

SHA512
6c4f5501d185d4e6d80f377afe0e26cf526f650cc7f8ddf4030ea32e30a9a93099116f56c2dafc52db8f4a15b57d27da7c2e86350c019520eef8d460b97bc4b5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
7c362c9962313cb21ab6cd90bf34a952

SHA1
8ca9f89695dc8ff084b1c7425206e166182e0d5f

SHA256
f5b9dd0ca06ee2a82babd69fef3f237b1d07ad6b8cda1886b749b92cf85d647a

SHA512
24c409f2788ea1586f42d53cfe2d85cfee9e2444be3b480b8ef1b35532f6f973e9c4c21e87f321211854a886e7bd795fdbcbfe2f32d7cedd14036d44e43c4ede

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e7150f783ba53f10b7650494f9aa031e

SHA1
d4ca547a537fa6b6a3e5ce57181f5cc07ac97c5f

SHA256
2924e88e1be90169f396722f0954fddfea41035141d01104acd27a574b3dd7b0

SHA512
dd34c34347ac1b48e09863dacb577b7129cc6986bcc0abe07b6044f3f071825160dbc67f1d1ad324ce11d4286041242fd63c1179347dd5c2466d1d95b79f29e6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e7150f783ba53f10b7650494f9aa031e

SHA1
d4ca547a537fa6b6a3e5ce57181f5cc07ac97c5f

SHA256
2924e88e1be90169f396722f0954fddfea41035141d01104acd27a574b3dd7b0

SHA512
dd34c34347ac1b48e09863dacb577b7129cc6986bcc0abe07b6044f3f071825160dbc67f1d1ad324ce11d4286041242fd63c1179347dd5c2466d1d95b79f29e6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
b21a6503388b92896ed123196af8c88c

SHA1
3268e067e02677f80246c047540e44c9a02841c9

SHA256
a5bc8c9955eea01d8b79b04386936ce96f4531f3c5bf9755192fdc4de2bb5316

SHA512
02b91fad95dcb5aa1192d1a4a3612aedbb174badd5049bc776320f4ad45f7f4168cccf1aefcbc9954fd62fadd158316c8b2e37910f53429331dafa1d785de6ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
b21a6503388b92896ed123196af8c88c

SHA1
3268e067e02677f80246c047540e44c9a02841c9

SHA256
a5bc8c9955eea01d8b79b04386936ce96f4531f3c5bf9755192fdc4de2bb5316

SHA512
02b91fad95dcb5aa1192d1a4a3612aedbb174badd5049bc776320f4ad45f7f4168cccf1aefcbc9954fd62fadd158316c8b2e37910f53429331dafa1d785de6ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
f8309a4f773a41de666cc34687e988f6

SHA1
188cb16d7e4085fa4f344b3e0be7021ecf514cfd

SHA256
d0fa5123a455cb61fb75a097a0da01618987beeeb893467fd4f8f47d30fe5144

SHA512
aab8d680a237997fa9cf0cb346fcb42a8dda100582e6b21f9909c30962dd5b16f9f0090f8cdd0e9de1215f82d7eb0fc941a1505d25bb4f6ff8b38a4f5f4e6c49

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f36051e738f070317915acea6d8ac98d

SHA1
d6b637e6691efbfab7ec1f3558a7014618625f11

SHA256
b8364226a4c4141aad746af1d1ce6c90621d45cf288080595dae07237ba0a6fe

SHA512
15f8baa3ae3a288a46964028f44bd89a8f6ed4cb59d1d7c429f057ea9ca5db4c0b88aa4d805d15bd1fa703a375bd6c46210c8fa42385e0f83601249fe186f070

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
5a250bb294636638b6cb3548b60f215d

SHA1
800cef130b6b8b380e9694ae3ae86c3dc8b257ca

SHA256
92c3bac76f1fb701a1c4feab0bc4516996a4cc050dd1d419cd7310be90b6fcec

SHA512
1cc024810f77dad04cdfa044365b1231df5c26300eaaec498f4ea83da6b832e8a8709505f85c12235e90c5a1af0253c5bc6b58a0e3eadb9e622cdb653215eff0

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
e906a318bf364c02f47470b7e574f656

SHA1
b8109d6bba83dd25797b432d80c2161e32a431d7

SHA256
9b51de3db9880f3250a060f0bc2cc2f9074c9ede690216e9cd30c7a8dc9bbd8b

SHA512
208e66ab39f231a9911a96431cafc112ff464ea6e214b6c0429bc0045c1eda3d27b0155094ad2d5e209ed3ab8bb6a737aeb24fa1ea60a8d663977f06fd6518c1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b8c3c7015fea48e7a010cf33b5216563

SHA1
c2f90f03634ba510d161033cb60ec7491555b701

SHA256
fc3a04dc4c410afd3f96a019620ea066b8724b614375ea8500b793af0bceecb2

SHA512
a8e5b64d58a280f92d80fd72605f3c8297d3519608baf5e9e7638d6690348890d1dd2434962d3a2b5d6df4da17bb14cfe6ad2e1f81b0175a1f75b49e079155c6

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
67fbd8de6e91818041ba9afad29a4537

SHA1
34cee860a28bbed7bf3346d735c91b450020fca6

SHA256
3195924cdafc2543e891d1c834c2dadea46094a786adc468babc50146af91072

SHA512
781b3e8b345969d3d72a6db49569087cd2d7aedfac7abfa3ad694cebf13162a14e4c80254ca9110ccf54699efcdd3781302229e283e0ee22b9e7a99959f3cb86

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
f62c699d30288762754d83cc9641ca2b

SHA1
97f9bbca2e92c26ce39879ce4196f8047c57c0ab

SHA256
e4ff061f102a82dadb3812190b079d35652da67a4cd87a9205e04c6a28307402

SHA512
a505947a63d19769d29b4f21f9f782eb186346dbc10c4db4ff5daf75f748a6a4c37572b398567534a081660056901436bbf7fe621633731b72fef99019636c0a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
7c362c9962313cb21ab6cd90bf34a952

SHA1
8ca9f89695dc8ff084b1c7425206e166182e0d5f

SHA256
f5b9dd0ca06ee2a82babd69fef3f237b1d07ad6b8cda1886b749b92cf85d647a

SHA512
24c409f2788ea1586f42d53cfe2d85cfee9e2444be3b480b8ef1b35532f6f973e9c4c21e87f321211854a886e7bd795fdbcbfe2f32d7cedd14036d44e43c4ede

Download Submit
\Windows\System32\alg.exe

Filesize
1.1MB

MD5
5a250bb294636638b6cb3548b60f215d

SHA1
800cef130b6b8b380e9694ae3ae86c3dc8b257ca

SHA256
92c3bac76f1fb701a1c4feab0bc4516996a4cc050dd1d419cd7310be90b6fcec

SHA512
1cc024810f77dad04cdfa044365b1231df5c26300eaaec498f4ea83da6b832e8a8709505f85c12235e90c5a1af0253c5bc6b58a0e3eadb9e622cdb653215eff0

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
e906a318bf364c02f47470b7e574f656

SHA1
b8109d6bba83dd25797b432d80c2161e32a431d7

SHA256
9b51de3db9880f3250a060f0bc2cc2f9074c9ede690216e9cd30c7a8dc9bbd8b

SHA512
208e66ab39f231a9911a96431cafc112ff464ea6e214b6c0429bc0045c1eda3d27b0155094ad2d5e209ed3ab8bb6a737aeb24fa1ea60a8d663977f06fd6518c1

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b8c3c7015fea48e7a010cf33b5216563

SHA1
c2f90f03634ba510d161033cb60ec7491555b701

SHA256
fc3a04dc4c410afd3f96a019620ea066b8724b614375ea8500b793af0bceecb2

SHA512
a8e5b64d58a280f92d80fd72605f3c8297d3519608baf5e9e7638d6690348890d1dd2434962d3a2b5d6df4da17bb14cfe6ad2e1f81b0175a1f75b49e079155c6

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
67fbd8de6e91818041ba9afad29a4537

SHA1
34cee860a28bbed7bf3346d735c91b450020fca6

SHA256
3195924cdafc2543e891d1c834c2dadea46094a786adc468babc50146af91072

SHA512
781b3e8b345969d3d72a6db49569087cd2d7aedfac7abfa3ad694cebf13162a14e4c80254ca9110ccf54699efcdd3781302229e283e0ee22b9e7a99959f3cb86

Download Submit
memory/928-165-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/928-164-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/928-159-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/928-152-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/928-153-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/928-272-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/928-162-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/928-266-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/936-431-0x000000002E000000-0x000000002E139000-memory.dmp

Filesize
1.2MB

Download
memory/936-381-0x000000002E000000-0x000000002E139000-memory.dmp

Filesize
1.2MB

Download
memory/952-114-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/952-141-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/1292-270-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1292-255-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/1292-258-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1292-249-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/1292-250-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1292-271-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1596-144-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1696-366-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1696-420-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1696-421-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1696-375-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1732-361-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1732-379-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-407-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1816-404-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/1816-414-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-327-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1940-334-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1940-387-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2080-23-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2080-22-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/2080-160-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/2080-41-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2128-282-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2128-298-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2128-284-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-275-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2128-348-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-403-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2204-343-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2204-346-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2248-7-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2248-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2248-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2248-6-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2248-245-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2248-1-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2400-131-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2400-125-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2400-124-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2400-256-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2432-98-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2432-97-0x0000000010000000-0x0000000010123000-memory.dmp

Filesize
1.1MB

Download
memory/2432-122-0x0000000010000000-0x0000000010123000-memory.dmp

Filesize
1.1MB

Download
memory/2432-104-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2440-376-0x0000000100000000-0x0000000100119000-memory.dmp

Filesize
1.1MB

Download
memory/2440-322-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2440-315-0x0000000100000000-0x0000000100119000-memory.dmp

Filesize
1.1MB

Download
memory/2444-168-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/2444-94-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/2692-310-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-373-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-359-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2692-308-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2704-299-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-260-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2704-265-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2704-273-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-297-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2748-405-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2748-408-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2748-389-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2880-169-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2880-170-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2952-295-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2952-300-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-314-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2952-340-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download