c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
Size

1.8MB
MD5

8f55c4cce6a93b8cbc05b35ec0f6cd3e
SHA1

3922ed3138683868befba999ca3dee44c945672d
SHA256

c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6
SHA512

836cbf60c617dbed0e2dec52ec12bc0e47e979b95def862a0e68dd7a7d2b56c04571e3705b2358ddc0ea704236fb342d7f2afe333504216d45fd21ad156486c4
SSDEEP

49152:vKJ0WR7AFPyyiSruXKpk3WFDL9zxnSlmYh:vKlBAFPydSS6W6X9lnum6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
464	Process not Found
2312	alg.exe
2760	aspnet_state.exe
2904	mscorsvw.exe
3000	mscorsvw.exe
2264	mscorsvw.exe
1500	mscorsvw.exe
1620	ehRecvr.exe
2084	ehsched.exe
1768	dllhost.exe
1612	elevation_service.exe
2588	mscorsvw.exe
2652	GROOVE.EXE
2964	maintenanceservice.exe
1976	mscorsvw.exe
1036	mscorsvw.exe
112	mscorsvw.exe
1356	mscorsvw.exe
1060	mscorsvw.exe
2732	mscorsvw.exe
1020	mscorsvw.exe
2936	OSE.EXE
2396	OSPPSVC.EXE
1980	mscorsvw.exe
1792	mscorsvw.exe
900	mscorsvw.exe
1060	mscorsvw.exe
2052	mscorsvw.exe
1032	mscorsvw.exe
1036	mscorsvw.exe
1472	mscorsvw.exe
2216	mscorsvw.exe
888	mscorsvw.exe
2980	mscorsvw.exe
1748	mscorsvw.exe
2100	mscorsvw.exe
2732	mscorsvw.exe
1652	mscorsvw.exe
2636	mscorsvw.exe
2616	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d40176383db14c9a.bin	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM56F6.tmp\goopdateres_th.dll	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56F6.tmp\goopdateres_zh-CN.dll	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56F6.tmp\goopdateres_es-419.dll	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56F6.tmp\goopdateres_et.dll	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56F6.tmp\goopdateres_es.dll	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56F6.tmp\goopdateres_ur.dll	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56F6.tmp\goopdateres_en-GB.dll	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4D999205-9AF6-4AD8-9E61-BC62FB19AC01}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4D999205-9AF6-4AD8-9E61-BC62FB19AC01}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2884	ehRec.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2336	c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1500	mscorsvw.exe
Token: SeShutdownPrivilege	1500	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: 33	1452	EhTray.exe
Token: SeIncBasePriorityPrivilege	1452	EhTray.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1500	mscorsvw.exe
Token: SeShutdownPrivilege	1500	mscorsvw.exe
Token: SeDebugPrivilege	2884	ehRec.exe
Token: 33	1452	EhTray.exe
Token: SeIncBasePriorityPrivilege	1452	EhTray.exe
Token: SeDebugPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1500	mscorsvw.exe
Token: SeDebugPrivilege	1500	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1500	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1452	EhTray.exe
1452	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1452	EhTray.exe
1452	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2588	2264	mscorsvw.exe	40
PID 2264 wrote to memory of 2588	2264	mscorsvw.exe	40
PID 2264 wrote to memory of 2588	2264	mscorsvw.exe	40
PID 2264 wrote to memory of 2588	2264	mscorsvw.exe	40
PID 2264 wrote to memory of 1976	2264	mscorsvw.exe	43
PID 2264 wrote to memory of 1976	2264	mscorsvw.exe	43
PID 2264 wrote to memory of 1976	2264	mscorsvw.exe	43
PID 2264 wrote to memory of 1976	2264	mscorsvw.exe	43
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	46
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	46
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	46
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	46
PID 2264 wrote to memory of 112	2264	mscorsvw.exe	47
PID 2264 wrote to memory of 112	2264	mscorsvw.exe	47
PID 2264 wrote to memory of 112	2264	mscorsvw.exe	47
PID 2264 wrote to memory of 112	2264	mscorsvw.exe	47
PID 2264 wrote to memory of 1356	2264	mscorsvw.exe	48
PID 2264 wrote to memory of 1356	2264	mscorsvw.exe	48
PID 2264 wrote to memory of 1356	2264	mscorsvw.exe	48
PID 2264 wrote to memory of 1356	2264	mscorsvw.exe	48
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	49
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	49
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	49
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	49
PID 2264 wrote to memory of 2732	2264	mscorsvw.exe	50
PID 2264 wrote to memory of 2732	2264	mscorsvw.exe	50
PID 2264 wrote to memory of 2732	2264	mscorsvw.exe	50
PID 2264 wrote to memory of 2732	2264	mscorsvw.exe	50
PID 2264 wrote to memory of 1020	2264	mscorsvw.exe	52
PID 2264 wrote to memory of 1020	2264	mscorsvw.exe	52
PID 2264 wrote to memory of 1020	2264	mscorsvw.exe	52
PID 2264 wrote to memory of 1020	2264	mscorsvw.exe	52
PID 2264 wrote to memory of 1980	2264	mscorsvw.exe	54
PID 2264 wrote to memory of 1980	2264	mscorsvw.exe	54
PID 2264 wrote to memory of 1980	2264	mscorsvw.exe	54
PID 2264 wrote to memory of 1980	2264	mscorsvw.exe	54
PID 2264 wrote to memory of 1792	2264	mscorsvw.exe	55
PID 2264 wrote to memory of 1792	2264	mscorsvw.exe	55
PID 2264 wrote to memory of 1792	2264	mscorsvw.exe	55
PID 2264 wrote to memory of 1792	2264	mscorsvw.exe	55
PID 2264 wrote to memory of 900	2264	mscorsvw.exe	56
PID 2264 wrote to memory of 900	2264	mscorsvw.exe	56
PID 2264 wrote to memory of 900	2264	mscorsvw.exe	56
PID 2264 wrote to memory of 900	2264	mscorsvw.exe	56
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	57
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	57
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	57
PID 2264 wrote to memory of 1060	2264	mscorsvw.exe	57
PID 2264 wrote to memory of 2052	2264	mscorsvw.exe	58
PID 2264 wrote to memory of 2052	2264	mscorsvw.exe	58
PID 2264 wrote to memory of 2052	2264	mscorsvw.exe	58
PID 2264 wrote to memory of 2052	2264	mscorsvw.exe	58
PID 2264 wrote to memory of 1032	2264	mscorsvw.exe	59
PID 2264 wrote to memory of 1032	2264	mscorsvw.exe	59
PID 2264 wrote to memory of 1032	2264	mscorsvw.exe	59
PID 2264 wrote to memory of 1032	2264	mscorsvw.exe	59
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	60
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	60
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	60
PID 2264 wrote to memory of 1036	2264	mscorsvw.exe	60
PID 2264 wrote to memory of 1472	2264	mscorsvw.exe	61
PID 2264 wrote to memory of 1472	2264	mscorsvw.exe	61
PID 2264 wrote to memory of 1472	2264	mscorsvw.exe	61
PID 2264 wrote to memory of 1472	2264	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe
"C:\Users\Admin\AppData\Local\Temp\c4a98d2506c245c5a9d91ae7c0f0c39f5027c07ecf49f0503f427466c90547b6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2904

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c0 -NGENProcess 2dc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c0 -NGENProcess 260 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f8 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f0 -NGENProcess 270 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2fc -NGENProcess 2ec -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2fc -NGENProcess 330 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2ec -NGENProcess 2fc -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2f4 -NGENProcess 324 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 330 -NGENProcess 260 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 338 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 320 -NGENProcess 33c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 338 -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 360 -NGENProcess 390 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 360 -NGENProcess 38c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 360 -NGENProcess 394 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 388 -NGENProcess 39c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 38c -NGENProcess 3a8 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1620

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2964

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
e9308b61b34b92d4743415bfd6f169db

SHA1
dd7e3cc37b9152f225341fd619962063fb682145

SHA256
136349e3daca51c51e111d5ad5aa52fa6faa51bef3e9558e60ebae2d18f67016

SHA512
300bbb1522057f5a92b0803089e7f2a1967891aab291fc05ac0a86601febfbccb64b684ebd61b3e58a00bafa7e2b4af5f2fa03a4718f8fbdc91b7bb87b34529a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
4be6380a36d81369193c81e6f6d70a85

SHA1
28305ae1c52f47147ebecb7e94ce0c6b290fdf3b

SHA256
fe22afe31ffe45688a665a639d0aa90975a120b9432d79346c1bb50d94a13b81

SHA512
a609ac70038f90ce84299e8f2f048907e5b5a747d29d1b40ac5cc597eb1313d01ec9511db9829339bb04e1bd38ad9f4bb7737b2a1960094d06c927128b277bc5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
a762ad7630bf88f2c4e83f41e1ba013a

SHA1
3816277a82732fc1a04c556c020c1ecd12257613

SHA256
7c7ed261f9684cb7796a2c9bbec45aa28b94a30a3a1a1fe2e5395d9bc34d5950

SHA512
4ee0605bc177ddf1b74699c03e5a11dfe3ff5c693cb7d4dc436387fd147c80c2f7fa392a453d88fbcc96af69f9951b03a6e1790a65b5d29ab948e7deb8d1d9d9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
14d03e1d81632f488cb0e498436072e7

SHA1
2fbb4fc809007ce4a58ccf1400a1388dc9f0a6bb

SHA256
7d9ff1530ed0822283cafdcbd76006abe655a61e58bcf788abd72f6145730113

SHA512
e67a054eefaed7805fdfec831776a0015bcf7b4b3ca0e93e5ead6eacce9d684c81e3fd3f2d1d0a6c6521ffb96f7d4a7ed464645d37bc9d1ffd3fab22ca73061d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
e4698a2039758b8ec520d6b1e2083862

SHA1
822da89d9efea2459a812edff2bd888b92d35271

SHA256
b0d34c9a911422b145ed639d0c1d491a6fdc7d8464cee29873b2acb696ffcc1b

SHA512
0cabad612df6db773547c6e9cc41aeb9b42c390469433c6e81efe3a8015e67e39c01e7c90d10277bb6617be5f36979b0cfa8754857022d9a234d5d478ad623f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
5.1MB

MD5
5ee862f66aedd3c44ea732b6022ae244

SHA1
75dfd224c7da7975d0e9390cb5ecbc6a23f7e889

SHA256
6d0553d44758cabd22f7c04a7273a0c5fe32b520a25202ae7d0ec9609da31128

SHA512
91085052bd73754b13a22eb0f1bd9ce7f0d38c340cba82e201e3012dfed4e31dd7849e7d313dda368e1e833e1d8fc36026e07f8b621fec91fbe2750cbcba1780

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
bdbaee42758ac8c3b5f69b9c1c6b9a68

SHA1
520d5b8cc4cefc0fa057fb0e3157c58f44966980

SHA256
fa53a00836c6bf82e8f1ada55f563331986c6a66fee4c75e895aa519eafdc8cc

SHA512
46a54ffe39a6035910e86c5f975e88d89e30777b9ff6a4f4bdf327e278cd3e116ff728d69f48dfb8c0b6535c7679873cd312dfbbe01d0bbe962ade720f074c9a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fa488ef3bd11035fe263042a51e36201

SHA1
d105f0c0319ad2a79ff5eb463e71952f098f4ca7

SHA256
275bb0d966b764b1d0376532b8a17b8c98aa6bbbdfbff1fe099f3090227c3ef5

SHA512
99875a0fd91f2f78e5c8265fd4a351e4cd04460efa6b736ccb85814b2526c70b387713490c17c2bf5ab855d7270554c42b8aa2cad2cbd69643282f9c65900f3f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2477fee969e620023f6292737f724d64

SHA1
38ba69faf7552b66a637d287892dc28bd8d55fc6

SHA256
0e6af84b03b8f66f435b8ee92094d204e130228e035241d53474298bd725879f

SHA512
6780cea61625ef234aad5d9478f6a2d4b8d68917ebf8e77ac6d20cc5a5200218aef19ecc28d0d26736726c7fa559089c3714c8a292e04d470282a39ad35e302c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4c6860cec672b356eca8d5196744e255

SHA1
8ee90230458ba3789104b7fc1c8b5660ea8acc75

SHA256
35aaabdda0828a2c8b2b8785dd3fb021a53dfe79bc45daf61a1c3aa67bdd5217

SHA512
999ff098bc2f4732ecb1f1858e0acffd22113a4021d278688113d1d558c7ad0189234fff0fc99635cb7209c4a91169a247385142513005b3b0ebbe1d5a140fe5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2a66b9eb8f65c7a9b26caea875755ba0

SHA1
ac7bb0555740c36e48cf3880741ddd5d62fa131a

SHA256
64b5590e3fd967b5c9f6af5a8bfaef36224adf91a002fa01b6e66ba7197cd146

SHA512
3f7aaadb1edc9f96ad2289cbcec78efe459d707691418285974c23b50297096156e46ff468a8277b199f78477a3fe480c63d7ee592cc9723acd9def14749a201

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
1f4e831b7bfabcf8bfb03b184a66f6bf

SHA1
16cfe6fc37b8b976fba01859132d2d7137f81539

SHA256
cbc292b1b36fefda68b86bb937f08b44cda81d6bbb31befd5ad880b26fc8c786

SHA512
1907ef9be20716daaa63fdc02af93d605d0d89a34df65f4aceb5592df199595d534ff870f7964bd3116ce7422d23dad5cefe346364c375228b8f21face7969fd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
3b70cf57a4f7ba413ec6fabf4b581138

SHA1
ec49bf0151c66159a5a056d29a846932227174e9

SHA256
ea3153b02f793d4ea38977da264b9a2c5ae086829547cf0ebf3cc6306fce2dd9

SHA512
e62ad880b9690df54fc4462ad291374ccf0f8dcf433a28f5841cb800be1fe250095afb3768681300b321b063dc9c949f5785709dafd44b60e1bf024b3cedbccc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
c5ee4c11053533afac384e8c84d0a94c

SHA1
9f4da8984c90dbae97ef3cd34a2b4fa2d0d91765

SHA256
c3e428aed6c2f61f88492d520cd5df22d31a47092aae1f61980ea8a804d36855

SHA512
afab56e1c8f9e3b3ffde691b0a10b72a7f5bea8e817426e14a1d83334b42552b8450876c338b564c8e9f40c32cfa8a8d1e0ba5c0687d45ba8075954d02b794f1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f30bf336e1c161f96588be01e7b18eda

SHA1
056250a7bb46bbc57ba8c4febf146864b8401b50

SHA256
baaf07410ecc9262cb62aa94665ccf0b16428fec7de96d3a5b7e3cf71f5c0d32

SHA512
c3aa84d97680bd2de667911d4401a4f913bb9f412a1f80628870aeb33c92126bb63f2c09199a31b84a413322185cb1b9b676a8238c2d7adcd25d8896ee214752

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e4dfc7a10801a42fed91a6e8e20d12bd

SHA1
0056be0de7140f6b8712527badebf9930338c1de

SHA256
47b4976b86039e2c1dc43db6af8129e4fcc02c9eb1e84fd067daa4d96ee911c4

SHA512
bfa32b8366de80cf02774c71b16cfbfa8a5feaeeab6f8d659bb431835054ca39a56144e707b3466ede4d52dfd52124bd072a08ca98fa34f1cc9436b56822cd10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fa0d0dc7edf5e679a4c451065ae1af05

SHA1
6490f0e35275c1720e2408f10665239f74dd789a

SHA256
9a3a5ed8a35b40f2baa03e70c0f39695105d9f1b21b10c6a63f5a08d7d2025cc

SHA512
c62b48a62bdd0459b7208bc0d1b0e4fe88c3e93f298216508f81f0e19065a7d4a81c462bbcafa5cd2b2bbd2a742daa2905b4d069d1f530ebb52b6e10d911ba05

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
f35c5cd676f335aa1e51a633b4aff8d9

SHA1
6561901ec8859b4fbe729de243009553957f0254

SHA256
e39027e138b99ce805e1b7000b24eba42847b71fa33aaaab8590ab75997c995f

SHA512
b0fd3991cbe7659afae2c4f448c049004fabca64c67695e345c33906acde77e6e3c350d5e8ba7a5fa1c742f5bfac6f2b5848a739744882cfb89436f51fa9e7fd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
1318ef67d4c957204084e11a6de12167

SHA1
eace43e4423fae5260ff8604f590d9ca35da1dd6

SHA256
b6ef838171752a8f618cdd7fc877523c020109d61b0791c6c0d9c8027674a841

SHA512
5cbe783fc151156a574c81445d3471f367626bb670f3221be963ed0523070644c2d46612bb6e9a8852dfbcf4d7034d4d03810a76168b4141fc9ccf73f742b921

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e96a2d9383042215949b50d119234434

SHA1
59ace31774ddf99841d19de7b6ae72a19b932dae

SHA256
731d066dc2e46d027acaeed820e6c4da6445f6c50a57704261559333811a6718

SHA512
3d5a4bfdafaf6a88b6ff05fe6faee5a319daf06d6e12479ff03abcaa7a984a71d0a9e62334b17e88fdc4e9105154485b2f647b195707a296558dbfb1f07df154

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
bf106fa97d3113f1a3dc401e4965f3a2

SHA1
580f0e8540407643bc6775380b61ad9229596c12

SHA256
70c7a22b5db440fe3b7e1af0fab0470f51f346536bb4f96f4c990839567d27b3

SHA512
ad3a31177a08582115b3772d23329f4c80c85278f57d2e12c319ae6f92bc485d8b8d791d97796ff999122a223339e35dd389b498e9ff438bf372304eeee4cefa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
ed604fc4045145e046d1588b73d87803

SHA1
e88b06996d6fb45be683cd744e47e107662ad128

SHA256
3893795567742bfc2a04e9f6de03483560e7763c885c4e3494ec628d89ca1979

SHA512
9ae6d15c2a0d6fd754be07a180ba64bc9b3ed1bbc2c5b8914948c929227d6b92d3babc68a1cabd96f76f6f8068a9f8c21c606a662fa53c920ae2bb166832847a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d40176383db14c9a.bin

Filesize
12KB

MD5
0069a404ae714e0ff98150e31ebe13f2

SHA1
970070a6554d5fd75bbce1e8c0c09aa67ff27ef3

SHA256
b7ee97a5ec9a9174f861f22ce23f2215fb4e3fb886a0488cb414eed6f3bacf37

SHA512
77431922569ae007eac964911b348b4ad62a45a19ff063478c0a647bebcbed97d1eac63a1807285b918db9edc1bfad1438f9f496ed8f5d4a376add6312406797

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
497174f037f122bea9be6bbfdbd16f21

SHA1
2783ad71a01c55dc245af20addb519c0274ce796

SHA256
6cc0abbea73faa9ad7eeb7bb10158988b04700b6daa0110013ca49b503518d88

SHA512
1836380f66ac8de4db796a0a897383a74975db3084d5085a1a52a8d5630c3b43be106df708f2270f697b9a8b5b291098d20aed8cbaca844940bb5b6c0bec97d3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
89280f9f97a09cd0b2298d78e7e2897c

SHA1
0724056eeca2bcef4af2c94654556cf3cf1099cf

SHA256
f10efd6e8aa01aeedb12f4df097b22fa9b65cf417b54afb03a0f2eb52a18c730

SHA512
59a1c86c336a7570d2fbd0bd765a8cc7197a59c1e12be3d6ca9418fefaa8abf96682de2d6123162f39d7b2782e9b43912380db0e6594ff3a9434b73e5ece2111

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
ef6191bdf7b9cc5f41831eed2e8c0bf7

SHA1
bd6240e9f86b969e71d57e5611c13a37349c950f

SHA256
98a47491c9d3c76e5eb22ef3d310dc2fa8a3c937678cafe314e67520ca6224b5

SHA512
248168efca1befd554706f62c2e8b50a37bb8a3365dbbcfa0edde4f1d4a98ef16b93e72963af52e724f16f9e5fc586f923cab2545eab5afa120c79d5f1897b20

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
a28cf06a59fc66f0076b98bc76639d8f

SHA1
73d1eb8f0f353c814520d4476e044dc322d0881f

SHA256
2e2c782ce8a140cc69664a2a889b998358e5dcef98c6e13ac0d5c6812bb263f3

SHA512
2271bd6c149f379747fc86395af30cf1c39cf076ee9de113e898678934a1508d7cbc3061aec231c2df56afaadd6fdd807f3e10587a21f28f4710c6d5f1f4efdb

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
41fc2663ec576dce164b228c3243730d

SHA1
f00ac5e419b8d319cc1f8f52a808786b741796d7

SHA256
1ab94e4007f58688aac47715a33acc5a573b3fbe193442f4bca4e7237f80aab7

SHA512
27cfe8f283e73323864c389c02942d6856c5e8720861ba205fd6bda11843c812f5251e42740b63fd3285fa41b18e4994fdc80d60f449957ae40a6d50a08afa4c

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
15d81a1e583fb0016f40b71c6e4886dd

SHA1
5ba45a9cde32d003ad8a9f7fd75d7f644644febf

SHA256
00c5611ee82d15afd768ab74569764a8a1c6694f88a3e3c3e0bac241094e090d

SHA512
d5ae413f414f60a9c06e2dea284fe27f75c03b3336cbded50ff026181db19e20b1600655256a1bd74b2478b6903c03d31ab013db9c568a585417f3e82a53969d

Download Submit
memory/112-398-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/112-385-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/112-395-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/112-375-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/112-373-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1036-339-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1036-347-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1036-379-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1036-352-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1036-378-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1356-392-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-387-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1356-391-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1500-135-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1500-134-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1500-276-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1500-142-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1612-266-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1612-271-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1612-278-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1612-353-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1620-240-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1620-323-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1620-252-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1620-151-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1620-164-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1620-332-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1620-152-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1620-158-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1768-261-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1768-254-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1768-255-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1768-345-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1976-321-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1976-333-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-350-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1976-351-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-322-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2084-167-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2084-329-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-242-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-249-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2264-117-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-263-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-118-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2264-124-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2312-18-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2312-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2336-6-0x0000000001E70000-0x0000000001ED7000-memory.dmp

Filesize
412KB

Download
memory/2336-7-0x0000000001E70000-0x0000000001ED7000-memory.dmp

Filesize
412KB

Download
memory/2336-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2336-1-0x0000000001E70000-0x0000000001ED7000-memory.dmp

Filesize
412KB

Download
memory/2336-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2336-244-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2588-324-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2588-320-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-336-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-304-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2652-372-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2652-325-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2652-302-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2760-52-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2760-166-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2884-298-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

Filesize
9.6MB

Download
memory/2884-389-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2884-371-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

Filesize
9.6MB

Download
memory/2884-397-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

Filesize
9.6MB

Download
memory/2884-328-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2884-354-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2884-374-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2884-291-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2884-288-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-115-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2904-94-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/2904-89-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/2904-88-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2964-326-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2964-327-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/3000-144-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3000-105-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download