4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0

Analysis

max time kernel
153s
max time network
161s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
Size

1.8MB
MD5

02f4e95067e45481c1023e54027770b4
SHA1

32342ce6781ec362a6b44144335532d9c9ce43d3
SHA256

4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0
SHA512

b91275620285a718e6fc25da56daec90e05d5a2293e387271b6396389bee98135a1c2d87155dfa052b31e220c7d0f129d0ffa74b8a55ee188ad7b86ce9ac0c9f
SSDEEP

49152:tx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAPkQ/qoLEw:tvbjVkjjCAzJQqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 41 IoCs

pid	Process
468	Process not Found
2828	alg.exe
1556	aspnet_state.exe
768	mscorsvw.exe
1664	mscorsvw.exe
1748	mscorsvw.exe
1980	mscorsvw.exe
1208	elevation_service.exe
2492	mscorsvw.exe
2284	GROOVE.EXE
1912	maintenanceservice.exe
2768	mscorsvw.exe
2016	OSE.EXE
696	mscorsvw.exe
1292	OSPPSVC.EXE
2220	mscorsvw.exe
2540	mscorsvw.exe
1120	mscorsvw.exe
1632	mscorsvw.exe
1816	mscorsvw.exe
1544	mscorsvw.exe
1744	mscorsvw.exe
1984	mscorsvw.exe
2908	mscorsvw.exe
2720	mscorsvw.exe
2328	mscorsvw.exe
2588	mscorsvw.exe
580	mscorsvw.exe
3020	mscorsvw.exe
2544	mscorsvw.exe
2240	mscorsvw.exe
1816	mscorsvw.exe
1104	mscorsvw.exe
1532	mscorsvw.exe
1616	mscorsvw.exe
1160	mscorsvw.exe
2572	mscorsvw.exe
1700	ehRecvr.exe
1828	ehsched.exe
1664	IEEtwCollector.exe
564	msdtc.exe

Loads dropped DLL 6 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1407b8f03f41c52b.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_ca.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_hu.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_ml.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_sv.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_en.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_ur.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\GoogleUpdateSetup.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_fi.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_vi.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_fil.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_tr.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\GoogleUpdate.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_uk.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_is.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_it.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\GoogleUpdateComRegisterShell64.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_ar.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM757E.tmp\goopdateres_lv.dll	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2084	4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeDebugPrivilege	2828	alg.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1556	aspnet_state.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2492	1748	mscorsvw.exe	35
PID 1748 wrote to memory of 2492	1748	mscorsvw.exe	35
PID 1748 wrote to memory of 2492	1748	mscorsvw.exe	35
PID 1748 wrote to memory of 2492	1748	mscorsvw.exe	35
PID 1748 wrote to memory of 2768	1748	mscorsvw.exe	38
PID 1748 wrote to memory of 2768	1748	mscorsvw.exe	38
PID 1748 wrote to memory of 2768	1748	mscorsvw.exe	38
PID 1748 wrote to memory of 2768	1748	mscorsvw.exe	38
PID 1748 wrote to memory of 696	1748	mscorsvw.exe	40
PID 1748 wrote to memory of 696	1748	mscorsvw.exe	40
PID 1748 wrote to memory of 696	1748	mscorsvw.exe	40
PID 1748 wrote to memory of 696	1748	mscorsvw.exe	40
PID 1748 wrote to memory of 2220	1748	mscorsvw.exe	42
PID 1748 wrote to memory of 2220	1748	mscorsvw.exe	42
PID 1748 wrote to memory of 2220	1748	mscorsvw.exe	42
PID 1748 wrote to memory of 2220	1748	mscorsvw.exe	42
PID 1748 wrote to memory of 2540	1748	mscorsvw.exe	45
PID 1748 wrote to memory of 2540	1748	mscorsvw.exe	45
PID 1748 wrote to memory of 2540	1748	mscorsvw.exe	45
PID 1748 wrote to memory of 2540	1748	mscorsvw.exe	45
PID 1748 wrote to memory of 1120	1748	mscorsvw.exe	46
PID 1748 wrote to memory of 1120	1748	mscorsvw.exe	46
PID 1748 wrote to memory of 1120	1748	mscorsvw.exe	46
PID 1748 wrote to memory of 1120	1748	mscorsvw.exe	46
PID 1748 wrote to memory of 1632	1748	mscorsvw.exe	47
PID 1748 wrote to memory of 1632	1748	mscorsvw.exe	47
PID 1748 wrote to memory of 1632	1748	mscorsvw.exe	47
PID 1748 wrote to memory of 1632	1748	mscorsvw.exe	47
PID 1748 wrote to memory of 1816	1748	mscorsvw.exe	48
PID 1748 wrote to memory of 1816	1748	mscorsvw.exe	48
PID 1748 wrote to memory of 1816	1748	mscorsvw.exe	48
PID 1748 wrote to memory of 1816	1748	mscorsvw.exe	48
PID 1748 wrote to memory of 1544	1748	mscorsvw.exe	49
PID 1748 wrote to memory of 1544	1748	mscorsvw.exe	49
PID 1748 wrote to memory of 1544	1748	mscorsvw.exe	49
PID 1748 wrote to memory of 1544	1748	mscorsvw.exe	49
PID 1748 wrote to memory of 1744	1748	mscorsvw.exe	50
PID 1748 wrote to memory of 1744	1748	mscorsvw.exe	50
PID 1748 wrote to memory of 1744	1748	mscorsvw.exe	50
PID 1748 wrote to memory of 1744	1748	mscorsvw.exe	50
PID 1748 wrote to memory of 1984	1748	mscorsvw.exe	51
PID 1748 wrote to memory of 1984	1748	mscorsvw.exe	51
PID 1748 wrote to memory of 1984	1748	mscorsvw.exe	51
PID 1748 wrote to memory of 1984	1748	mscorsvw.exe	51
PID 1748 wrote to memory of 2908	1748	mscorsvw.exe	52
PID 1748 wrote to memory of 2908	1748	mscorsvw.exe	52
PID 1748 wrote to memory of 2908	1748	mscorsvw.exe	52
PID 1748 wrote to memory of 2908	1748	mscorsvw.exe	52
PID 1748 wrote to memory of 2720	1748	mscorsvw.exe	53
PID 1748 wrote to memory of 2720	1748	mscorsvw.exe	53
PID 1748 wrote to memory of 2720	1748	mscorsvw.exe	53
PID 1748 wrote to memory of 2720	1748	mscorsvw.exe	53
PID 1748 wrote to memory of 2328	1748	mscorsvw.exe	54
PID 1748 wrote to memory of 2328	1748	mscorsvw.exe	54
PID 1748 wrote to memory of 2328	1748	mscorsvw.exe	54
PID 1748 wrote to memory of 2328	1748	mscorsvw.exe	54
PID 1748 wrote to memory of 2588	1748	mscorsvw.exe	55
PID 1748 wrote to memory of 2588	1748	mscorsvw.exe	55
PID 1748 wrote to memory of 2588	1748	mscorsvw.exe	55
PID 1748 wrote to memory of 2588	1748	mscorsvw.exe	55
PID 1748 wrote to memory of 580	1748	mscorsvw.exe	56
PID 1748 wrote to memory of 580	1748	mscorsvw.exe	56
PID 1748 wrote to memory of 580	1748	mscorsvw.exe	56
PID 1748 wrote to memory of 580	1748	mscorsvw.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe
"C:\Users\Admin\AppData\Local\Temp\4c1dd93ce4eb994ad0e2f78d3b8c5245653ab204948a247fa2241517109389f0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:768

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 1d0 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 258 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d0 -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 260 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d0 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1d0 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d0 -NGENProcess 234 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 234 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 278 -NGENProcess 284 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 24c -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 290 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 270 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 28c -NGENProcess 298 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 234 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 294 -NGENProcess 27c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1a8 -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1208

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1912

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2016

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1292

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1700

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
495KB

MD5
3d88c64a6dab7a0ca6bbd9d79bbfe0c6

SHA1
a082d881a57eb025fd84693b9795509d41fa77dc

SHA256
345d1d4ccaca8a5313d288baecb53d0c6c73239430c58f453873a4c433c543c3

SHA512
d688130ff90bd798256272829cf210a9dfbe4b0a9775884a54188a577314d9159035dcde09cb5fcd099e32112838cc27633be188c77511767022c709d23372ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
3.6MB

MD5
4142c88a63e23c096bb26631788159e7

SHA1
9aabf81a6f004b812d7017b381cc063eefb39619

SHA256
4bbd929700fe08cd05c56ef875896822e84ad28525ccbb47d9205030720cdabd

SHA512
0fe5270bf07473abf12181b5d4aff587f770c0aecafda0ff948edb2f95514194728b2112c9d41a9dd5b28f8e68405f98d8e5dc24b400e7ba09636580bc565ab1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
1a16cc1d7a03aaf78e233229d56a9b84

SHA1
1ba7db7a0c5456e15b05d88adb261e21f6936399

SHA256
b1d3643d3f658a0db642b289be102ea8dfac3a0e6344ad1f949d2f7f933441a0

SHA512
2446061425a52f0cc4f8d60d880c5b3831ee6dc6d938c7323faa83caf766c8c40d70b02b5096a5d65349376cea946174f635f306b1fa41cbbc2e6a354f649cc1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
524KB

MD5
bc0e44f6c26040054f70558f60faa6a3

SHA1
498af6ad3837d9e2447a6dd2defb42268fd082fd

SHA256
3fd3d81b76c6865b382bfda403f2fc01e05abd3c7dd3c9e20a7fbc050d8514a2

SHA512
50843103004b03257da6dbc9c1d8de172a6f9322a79885faffd02abe97bc1abf4066090d6257c46638781268df6bd30e8ba7ef2e9a49521a78900d5cf0593bd7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6d84016bbe99bea93296fee5a659b9d4

SHA1
3c9202239e89a7cd8722cf40dc278560863b4b59

SHA256
56ae8813b9a6572e12a3e11c0a911b9b08fb24213f9656c42cfafe51ad463898

SHA512
b7683eb97c040923a6e3444b1ffbe6b302703ae5b71e340f55fdcb2ac45d0b1f555fa2c39719ef0a7d8f89bdc62363d467090475bfc400d87df642349d139eb6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
36bba59cb9233ed17f8ac9d4b14c6826

SHA1
6d6335943ee3a2a29d0cb001cff4026853ce6fb7

SHA256
35ce0c0e37fbd20b871581917b801b7976aaa027e215ff8cc72f0e57b9bb6e80

SHA512
65cf48d9f87297a211051ba9b38844dfcae1c51971dfceff5c8a7301e122a01a49187244351bd62a267d6e213438b8d0833c0066bb0052c3eda9a4a10e8714c0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
9f3b059ae19248916a9ed25df1504e7d

SHA1
77a3d2849accbc3f0a0ba452d032d45009412f6e

SHA256
d49340e6a6837c9c206d39893e96c37a32858e97fd0ab379f7dd59b4f1ef8448

SHA512
51e6f07ca6095579ecab98f0a12e52e38d606eca982711007bc6d0f9d1957e30634b3b3e4f1b13e95ff26fd2f0e08c25e4cc81a021ee6b6925207946cc1ba187

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
3d0ed79d6369eda57a274c978d93619c

SHA1
e843af2784a9dcdf1cada504a0786439a8a83fc1

SHA256
aaac3745f3a27114fa94041dcac336156f29f6fd84de48b27c8b560f96863b90

SHA512
f1a415e19a2aa13a99024d0e36a3510949d6a164c25bb5fd7efc20b63b01b5f539c78629ef202aa6a9dcb53005ffd3bf40579dedbd6a3492e76c50a9dd9b2484

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
589f65d61cbf0bcaf176831d9587dcce

SHA1
79117f32575489316db9f4ad3563a315080b8163

SHA256
404161b023e0e7ce7b8530378f39c40be959d0060b166a40cb555d1d9f4d2088

SHA512
04f75b8f07938c9d2e4c345005e009c046a9964603c0471e2e16374abd56512a006b6f3d14a5f92a0d61e5484914d10afa58950d0e208a2a4fb0ae667681bbe8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
5da131f5c8621ec2e7cf60339102b0a5

SHA1
c27cac2b737d868f0436ce7956619bce552c10a6

SHA256
fb15321b759ea32b0297d05086c46910c9d7e1c3b791d764525c4688731e6d39

SHA512
b9744af26e12e120e929431224b52939130677a46481941445dd0c3fb0a40408a47c032981f0987214695f53a346f0de100a019abb7bad9bb4145ecdf9b6df9b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
310KB

MD5
136b43926553993a093755e51b9aa906

SHA1
f834360b3a75d7f0617e1d916aef3fea52e46e84

SHA256
c5035eab1f122714b761559459424a549ba2902f9478b2f21c630e1a43283a4f

SHA512
e5a8c5ec3c6605de30c7af1aa97cc9b66d0d1c2b11eb9374f37fb61fbf858d12ffeaecf3c4f2aac737eec2fc90405fbd13746d8ac033608b6bc1a0665373278b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
17KB

MD5
96cf4786fd15e778ca354f3e35190119

SHA1
69ec86c9bae905a71845a65cc6550f243efdc33c

SHA256
d1b0c9b9a5f3380cbcae6ffb11317089aa63d85ce85b07c78b673b74d78f2713

SHA512
45e2f3185d7ecc0efdaadf9a13d4c6ee299b6df44f9fe2fb6499b817f62ea57c55af5f995b445954b41e388a8b316e0261fc1990c5407b0bc95c5040090a167d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
584KB

MD5
be6d69a41aa2ef295f79f93ea30972e7

SHA1
ead8597eb03291db3e9ff0ffa185e3ddf6f616b6

SHA256
f809975754fe7dcf529a38a5fec5b6b8feca2e4db0a95ea268204adf43c50496

SHA512
f80c0888aab51e55583ca01e56043c59762d15c18cc697a4e2162dac627855b2d865af262e4827e330753fdfe38e7bc928ea52d5214e68faf44551626e57ce1a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
c6ca86b2f7c2a29264aca2b251f14633

SHA1
9a9e494b439ef46b0f9f96a65fffeb8b61f8de20

SHA256
79852fa6262cff26b48e3e3948fa95ff7fd3ab942514c3304bf764f41920066a

SHA512
2110a287d018617932248688404a3a1c85499c8f2216e8aa0e9bf9d9d48e34cc20ba7798f4a505091209a63b60c548aa1efc2a440442c26e099a399a41469969

Download Submit
C:\Windows\System32\alg.exe

Filesize
45KB

MD5
7e92bfc2e69729deec171b8274e93ba0

SHA1
bf3a053b5024680beaceeb37d47529c0b505ec46

SHA256
91141755adeeefbfd699eb18f76f151ffc4e58e36b96868ad7e797a9a2fe4a88

SHA512
eaf2cf4fb1acebe87b7af8dec9b07e83039d64517402a90155f2037fffeba0c57d89117281a0e5481cca007db0f77938a34961e613efb02333563dbc69581d99

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
d2154bad028c50559a1d75e53413c992

SHA1
9d3777df7e70b6b1fdb35b1e3d82e3743360a1e6

SHA256
5706b6ff8635c63894e7ab3f733292d68c837fd1cbeef95bbd72d2310cc39c43

SHA512
bd7769adae4d70badbaddb3b6e24f0ea7eafe965667eff1e8026fe83a20e7cf71f90127b4a8e341e3302fd7382eefbc2f88e10f813f7c499a817ea88a64ae42d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
64KB

MD5
491d3c7a4f5cc7dd235aa7bd558b0009

SHA1
955e58d83dc1c767a02d44a4e7389c2c1b867e58

SHA256
3d1db662e1b83aff3ce248205e6cbc496961eda5dc7d702183b2daa799382b30

SHA512
c37c7ed51297b8644d9d1fba12540aa332bd284a0e35d986014fed822508b08fc7f24f46295fec838eda382c3a1c8e096b2c8a351a2ab736fe8fe2824f29f765

Download Submit
C:\Windows\system32\dllhost.exe

Filesize
577KB

MD5
ba606aee645f13c510884a7948be1206

SHA1
c439757c5ffe2502c6750ff1a5d4c8b0a2f99c3d

SHA256
d09be68608a4b8cfd52507efe69da803b296d08b59d9dc5a403e061d3d41bccb

SHA512
e9da78d948b111e0fe928b5e50d766df2eeaa8ccd1041fb9ce8da43ed16aa31982fc6a34c1d6bd7335d33ed0b67976dfb3576daec4ca273f14078a6d3b191dc3

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
0ce5d6688ffd1d8f87a2407a61e70f85

SHA1
b03bfb2411636df24e8fc6a048ec4ea11d09acea

SHA256
6691958d551cebc940072d2257008a2db1b28a6fed631c6a966066d12ec2e966

SHA512
14e41ece013d88d45aba15f154cff33f9732d0aac203dc2f78d18f3bd022bbc7eb5bf96746e6d02c393560ef0bdc9c2a1f66e6f62b0643227ef6012702405368

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
577cbd45dfd28c30b004b2e066290180

SHA1
461ca88cc4bae90320cc7ce9d925c2b11c3538be

SHA256
63fd7f10960d15cc75a58fd23c9b9c68a8e7782e8521dc5f236ea2a4ab841892

SHA512
6d787cea7858888d19b067462ca201a995fa720e076ca3361434542f58b08d5c004ed90d185b97b5e7b4f31e6718095f95995669e20f840b782979c1e4b6954a

Download Submit
\Windows\System32\alg.exe

Filesize
158KB

MD5
6b6b4a2b16576e22c0901b3866a681aa

SHA1
cb7b8ad3fd7582fd6dc59f26d7da648d04cb1513

SHA256
023c9eb90969018f90fd0ee569ea740b6482592583838ff74c0ee0bf610e235e

SHA512
d35aaf842ebeed583f25cdc6d6e8e9e015e3abc0463b8b4be2a09038aecf7e07c3221b79576cc2405ab5287c57ee0a35c4ce65899328f0a4be69471882d56fd5

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
304KB

MD5
4d5d505507bedb024ffc7b9f8d7201ca

SHA1
23348c56361d99e36e9801fa13edeeb3aa86becf

SHA256
6d78c1b4000b95552827349ce7252ca83d7461af5d2e2a451efebed73fe88c53

SHA512
7d717ec49a2f7784b1f12807270c258eb6860c36eb82798fadcfe849485a80ff5c825e3e4f7152532d7dadeeb9c866e3bcdb9d3c49b0532f0d9b07c1a8accf48

Download Submit
\Windows\System32\msdtc.exe

Filesize
128KB

MD5
6ec3407595fc91306c5ecdbc5224c3a3

SHA1
a30f045525f62e17090d34fcc7ec5ac6605397ac

SHA256
e91f4d1fd5b60a05573ffb42837cc8a2c30a55d02b80080807d7965cfd4607a6

SHA512
65704a80d82688f6122079b2e24cbd6fa3fd5d36fd2755f98c193381fe02b98f77491a778c75bcece96ab3297924de457189b9696e74e2473d01389e2909b9f5

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a13d5d12f72dd5aaedbb865488d8a348

SHA1
f17a6d65e44fe338c3142a6f9b0cea537b54c150

SHA256
c2d953ee9368aa6b211790253c3c1d4cd6ecf3befa67f29191568f0994139b75

SHA512
baa1d25121c64ce982e0138d3932db4f13b8405c1db52e882659dd083387b02b3c1be893c725304cc46ac93a9df423b50062eb19eef164362767a30cf9a02a82

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
6023d30e2e037998095402ebf4f0eb7f

SHA1
cb960d8c46dff544cec06215a353aec9516ab516

SHA256
314f32baab3919b821731fdc20a1a8b7e7a3eabfbe982ae926605bbebe3e20f3

SHA512
fce5bf2e217ddc3dc569fa82dbfeef602de0cb1126087793b818547cc5bab6f000b19540555404b5c649fd1765534a761c4024c5d1d12a9f33695f4325d4c844

Download Submit
memory/696-482-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/696-347-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/696-455-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/696-344-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/768-112-0x0000000000490000-0x00000000004F6000-memory.dmp

Filesize
408KB

Download
memory/768-105-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/768-106-0x0000000000490000-0x00000000004F6000-memory.dmp

Filesize
408KB

Download
memory/768-111-0x0000000000490000-0x00000000004F6000-memory.dmp

Filesize
408KB

Download
memory/768-141-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1120-572-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1120-559-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1120-552-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/1208-264-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1208-324-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1208-254-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1208-257-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1292-541-0x000000006FA38000-0x000000006FA4D000-memory.dmp

Filesize
84KB

Download
memory/1292-358-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1292-540-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1292-539-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1292-357-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1292-359-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1292-373-0x000000006FA38000-0x000000006FA4D000-memory.dmp

Filesize
84KB

Download
memory/1556-87-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1556-95-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1556-101-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1556-171-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1632-570-0x0000000000320000-0x0000000000386000-memory.dmp

Filesize
408KB

Download
memory/1664-124-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1664-123-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1664-130-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1664-157-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1748-146-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/1748-145-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1748-152-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/1748-276-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1912-294-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1912-330-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1912-329-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1912-310-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1980-162-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1980-163-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/1980-169-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/1980-296-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2016-326-0x00000000003C0000-0x0000000000426000-memory.dmp

Filesize
408KB

Download
memory/2016-477-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2016-319-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2084-249-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2084-7-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2084-122-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2084-1-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2084-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2220-450-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2220-464-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-529-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2220-528-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-306-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2284-292-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/2492-277-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2492-341-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2492-289-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-343-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-268-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2540-547-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-557-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2540-558-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-542-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2540-511-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/2540-531-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-346-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-312-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2768-345-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2768-314-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-144-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2828-55-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2828-32-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2828-31-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download