c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136

Analysis

max time kernel
140s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
Size

1.8MB
MD5

bab717fa13baabbbe4225732cdf5894a
SHA1

b3d16a71b22515236a0f560411103a7e5a2cd3ff
SHA256

c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136
SHA512

8bfe0e0d77a5f42e5c3a526f500693e31744ac3669d5bdc66272be8904c794b7ded7b926fade4b7e318286caf39845f95a765eb93af762168da270f06b3ce2d8
SSDEEP

49152:zx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA4gDUYmvFur31yAipQCtXxc0H:zvbjVkjjCAzJuU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
464	Process not Found
2452	alg.exe
1440	aspnet_state.exe
2932	mscorsvw.exe
1972	mscorsvw.exe
1072	mscorsvw.exe
1248	mscorsvw.exe
756	dllhost.exe
1016	elevation_service.exe
1744	mscorsvw.exe
2232	mscorsvw.exe
2592	mscorsvw.exe
1632	mscorsvw.exe
2408	mscorsvw.exe
2172	mscorsvw.exe
1568	mscorsvw.exe
2268	mscorsvw.exe
1564	mscorsvw.exe
1604	mscorsvw.exe
936	mscorsvw.exe
684	mscorsvw.exe
1700	mscorsvw.exe
1112	mscorsvw.exe
2760	GROOVE.EXE
2976	maintenanceservice.exe
2044	mscorsvw.exe
2348	OSE.EXE
1884	OSPPSVC.EXE
696	mscorsvw.exe
2524	mscorsvw.exe
2112	mscorsvw.exe
2464	mscorsvw.exe
1052	mscorsvw.exe
2740	mscorsvw.exe
840	mscorsvw.exe
2356	mscorsvw.exe
2040	ehRecvr.exe
2948	ehsched.exe
2632	IEEtwCollector.exe
1768	msdtc.exe

Loads dropped DLL 7 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\170aae093db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_te.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_gu.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_am.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_pt-BR.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_iw.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_th.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTA2B6.tmp	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_sv.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_el.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_da.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_de.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_bn.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_ko.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\GoogleCrashHandler.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA2B5.tmp\goopdateres_mr.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8632F096-F3A8-4A37-B369-528C67EDC5B0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8632F096-F3A8-4A37-B369-528C67EDC5B0}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2208	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	1248	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	1248	mscorsvw.exe
Token: SeShutdownPrivilege	1248	mscorsvw.exe
Token: SeShutdownPrivilege	1248	mscorsvw.exe
Token: SeDebugPrivilege	2452	alg.exe
Token: SeTakeOwnershipPrivilege	1440	aspnet_state.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1744	1072	mscorsvw.exe	36
PID 1072 wrote to memory of 1744	1072	mscorsvw.exe	36
PID 1072 wrote to memory of 1744	1072	mscorsvw.exe	36
PID 1072 wrote to memory of 1744	1072	mscorsvw.exe	36
PID 1072 wrote to memory of 2232	1072	mscorsvw.exe	37
PID 1072 wrote to memory of 2232	1072	mscorsvw.exe	37
PID 1072 wrote to memory of 2232	1072	mscorsvw.exe	37
PID 1072 wrote to memory of 2232	1072	mscorsvw.exe	37
PID 1072 wrote to memory of 2592	1072	mscorsvw.exe	40
PID 1072 wrote to memory of 2592	1072	mscorsvw.exe	40
PID 1072 wrote to memory of 2592	1072	mscorsvw.exe	40
PID 1072 wrote to memory of 2592	1072	mscorsvw.exe	40
PID 1072 wrote to memory of 1632	1072	mscorsvw.exe	41
PID 1072 wrote to memory of 1632	1072	mscorsvw.exe	41
PID 1072 wrote to memory of 1632	1072	mscorsvw.exe	41
PID 1072 wrote to memory of 1632	1072	mscorsvw.exe	41
PID 1072 wrote to memory of 2408	1072	mscorsvw.exe	42
PID 1072 wrote to memory of 2408	1072	mscorsvw.exe	42
PID 1072 wrote to memory of 2408	1072	mscorsvw.exe	42
PID 1072 wrote to memory of 2408	1072	mscorsvw.exe	42
PID 1072 wrote to memory of 2172	1072	mscorsvw.exe	43
PID 1072 wrote to memory of 2172	1072	mscorsvw.exe	43
PID 1072 wrote to memory of 2172	1072	mscorsvw.exe	43
PID 1072 wrote to memory of 2172	1072	mscorsvw.exe	43
PID 1072 wrote to memory of 1568	1072	mscorsvw.exe	44
PID 1072 wrote to memory of 1568	1072	mscorsvw.exe	44
PID 1072 wrote to memory of 1568	1072	mscorsvw.exe	44
PID 1072 wrote to memory of 1568	1072	mscorsvw.exe	44
PID 1072 wrote to memory of 2268	1072	mscorsvw.exe	45
PID 1072 wrote to memory of 2268	1072	mscorsvw.exe	45
PID 1072 wrote to memory of 2268	1072	mscorsvw.exe	45
PID 1072 wrote to memory of 2268	1072	mscorsvw.exe	45
PID 1072 wrote to memory of 1564	1072	mscorsvw.exe	46
PID 1072 wrote to memory of 1564	1072	mscorsvw.exe	46
PID 1072 wrote to memory of 1564	1072	mscorsvw.exe	46
PID 1072 wrote to memory of 1564	1072	mscorsvw.exe	46
PID 1072 wrote to memory of 1604	1072	mscorsvw.exe	47
PID 1072 wrote to memory of 1604	1072	mscorsvw.exe	47
PID 1072 wrote to memory of 1604	1072	mscorsvw.exe	47
PID 1072 wrote to memory of 1604	1072	mscorsvw.exe	47
PID 1072 wrote to memory of 936	1072	mscorsvw.exe	48
PID 1072 wrote to memory of 936	1072	mscorsvw.exe	48
PID 1072 wrote to memory of 936	1072	mscorsvw.exe	48
PID 1072 wrote to memory of 936	1072	mscorsvw.exe	48
PID 1072 wrote to memory of 684	1072	mscorsvw.exe	49
PID 1072 wrote to memory of 684	1072	mscorsvw.exe	49
PID 1072 wrote to memory of 684	1072	mscorsvw.exe	49
PID 1072 wrote to memory of 684	1072	mscorsvw.exe	49
PID 1072 wrote to memory of 1700	1072	mscorsvw.exe	50
PID 1072 wrote to memory of 1700	1072	mscorsvw.exe	50
PID 1072 wrote to memory of 1700	1072	mscorsvw.exe	50
PID 1072 wrote to memory of 1700	1072	mscorsvw.exe	50
PID 1072 wrote to memory of 1112	1072	mscorsvw.exe	51
PID 1072 wrote to memory of 1112	1072	mscorsvw.exe	51
PID 1072 wrote to memory of 1112	1072	mscorsvw.exe	51
PID 1072 wrote to memory of 1112	1072	mscorsvw.exe	51
PID 1072 wrote to memory of 2044	1072	mscorsvw.exe	54
PID 1072 wrote to memory of 2044	1072	mscorsvw.exe	54
PID 1072 wrote to memory of 2044	1072	mscorsvw.exe	54
PID 1072 wrote to memory of 2044	1072	mscorsvw.exe	54
PID 1072 wrote to memory of 696	1072	mscorsvw.exe	57
PID 1072 wrote to memory of 696	1072	mscorsvw.exe	57
PID 1072 wrote to memory of 696	1072	mscorsvw.exe	57
PID 1072 wrote to memory of 696	1072	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
"C:\Users\Admin\AppData\Local\Temp\c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2932

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 290 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 1d8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 184 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ac -NGENProcess 1d8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 258 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2bc -NGENProcess 1d4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 158 -NGENProcess 1b8 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2156

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1016

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2760

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2976

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2348

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1884

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:1876

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:1632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2716

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:1808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1792

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.1MB

MD5
49be8a0b45debfe1ddd58d555d772d3b

SHA1
f3cd3125fc1dd667a3d58e39b76b51d90e533649

SHA256
21e1bb398a92f610f77d08d0892b72aef5b154cc4874ec41040da5a60a9a54ab

SHA512
df7dfa20dd8d31e17a0e27bebe4dda302ec2100baa04b3a32805e0df016b4c3dca2062a0c680264b4556234e8769afcbd993b4e8491dd0f3071866d6127d3260

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
320KB

MD5
badaae5d0e19ebb3ef6b37b3bec5dcae

SHA1
de055ad8d5fa3b77ad3039c7278c8ef6f034035a

SHA256
bf7094549397f73b189226966bd6e5ab37fb159f2878a133b85d8c2d2b4dff66

SHA512
8b76add59e5ca2f5abd54c66d42029a9c4efc8759c30a0a806f70cfe7e7f01c020285c0537cadd9ce13894acd56db364658b3351762162e928e043e49be17166

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
5e5b19cc3b7ab238f10552aa4be9e11d

SHA1
2b97dfe869bac2725d13f11532c42b0913d91f71

SHA256
72bd2457e2cfa1e7f673e81c9f7609b47e480c2efac35351ebf4870d5808f7f2

SHA512
85d0c0b7258f51548fd73085e4d2040746841ea8a7f1c58798b4a3ac7d0004f8d8f3cdbe1cc32e26980df7c98c7b64429e1c3f66d811be744edb8346e5ccaee5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.9MB

MD5
b4622f46d75d665bbf3e26168f17d658

SHA1
43de864f72fb19697154e820258edb43046b13ff

SHA256
f7622168b4bd2edb39ee67539e5a27785e9032bfd502e4be3419826bfcebce51

SHA512
622f6af397a86b082950a419929117ae06db6a74d505126e9898049be67c4d1c2aa511513e5c603e0b0023c5e098c9021feaccc4fc08607f06e3d18eee0f12d8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6c7f911cff0ddc1a3a5665645c5be109

SHA1
f99b74a8f8d919811f955cc167fb52d41518e97f

SHA256
abedde0ad3454bee7a79e4483d715a1d4407c6c62831c5263eef4969acd9e3c3

SHA512
45f8eaa34d79dd0a4e5dc6efae1f582f5551ba2c6f776b92184e42fe361245d609d71b328550dfe75292fc89018c636d8bc06163d294b11f3bb0fc8aec2d10dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
6b1544346c6a755187c775ef3c2a33ee

SHA1
2affeb6b20d2d4a11316d7b9760c201493a89a48

SHA256
3b7a217198e221c690f4b2dcaa246e410b2822e308c749bc558b03b1b3467e56

SHA512
a80f2c7f9f9959666fb97164e0707a28aeb0e9dccd93f2efda92eaab095ad7406957ccaf199056a414bb4bf543e7310878f3bc82ee2b2e4b6c45744b1e5df751

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
5219080137e57b45bf3494f2f30a4912

SHA1
2bc424f1d8a47d537cabb85d4ee282c0af3f37d8

SHA256
57218e2b2039cf872789d3a1e3a6670b7bce990a2e7431bd600cad9b1e221d5d

SHA512
016ac86ed30025aecda3e42a4adbec1069b5b2b57fee7e15e37ed84e082353440f66fb9b52b7a1ba290fd15f5a6700a28fdfdf1b6ad2e6f029025a5c19bd2571

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9ecb256d1f8001ce50088bbf0ce62fcd

SHA1
1a8973b19b856523de1927892e0739447a1178d6

SHA256
f545fa98889f99b730b48ba574164403bfda5fe83466789e64aa8a5fd91099b5

SHA512
aa42ae161b3f8a2c647e394e87c56a17ffbae398b352fec1ebe91b09322d825fa6c62a20cbc8aa0b82d0b25f3e1f58764ab2b36b00f78a781c327f11886f0d56

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
cc1b179c46479b6044ab1cb4adb49320

SHA1
ee19ca5df72713a97ed57e5d4b424e8d998e4c26

SHA256
8b0444d6c751abecf0564f32e05d3fabd6c948984c766f038421f982593b2db9

SHA512
bafe9c493ccaee1fc93c2aeb8ff92a23a871fb661265d1c381d248ff095a3eaae6cb46ed676e70bf9dd50dbc6a66427a39b252901515feec8a521aa117e7119a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
5ccc54c28846c79629fbc9de78659213

SHA1
e35fab6030a4b03faee37a3afebf3526bdf0737d

SHA256
2269058232dc1124272ebe81c24bd7bbe1ec77b604f9ea0fd1396daaf0f52bd6

SHA512
395975ee0ff96a6d952c63f699c17f7ba1dd345afd01629088120514dffe9b153dca014bb6e1c51204c11e97fac789ae5c603b8a5c2a7c7318e4f92ee1ec98b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4caf011d9ac1e4e95bf4f6ac3c103eb6

SHA1
cb92fd4458eb26cf0063c4fbcfe7eb8babb681cd

SHA256
43f67d672159fde6717e0a96719b5f40c13d5e782c5cd4972fb5f405983a92ac

SHA512
79bbb71805b4f06d6b30205c33eb6ae620b3fbf456c9474a7748a60f9b5256b2ae4569966adfc7ac2f4f53118e2330f1040a6f26f6cc2b4dde4efbd31f885eb0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
896KB

MD5
7223c30e84eec200a36009e9266b22a0

SHA1
8519ae660f3c4ddaff18e4406dc66e5a591aa7d9

SHA256
99f651e337e0d6c1a1f79be87e9a3559c68b1d2ba4e5e1e106d215c458d1eb44

SHA512
4b34442947cd71c6a1d3f6e358ddc801f79a895dc470a4ee474f4d60e8d60a9ed2fd9a196431be0c4032e1b0f0e9f78f40c4538cfbab57ebc07c39cfd1ba26a6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
10ccc3b45c6d5a1c3d15dacdb914d7d8

SHA1
b368defc1000033efc101edd1a859bd911f2ea42

SHA256
916a580d7b4e44a76a61bd009ee1326f674bd211220e200d582d6bb9c6cd4c72

SHA512
969f1558261f2f789999ad9e0fd4d465f9e648c4d8ca145a9f8aeca16fa62b5083f7a9f2ab2b03c61eb1de15fef3cbcb41f6adc9daf98f6e2bbf8b42afd847d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
7196ae4e088a47f37a9512a392caa80f

SHA1
56bc353da67ca726c8a6b3eeb735a25872217f14

SHA256
7dbee26e364ec7ce218d484e11ea7072338d7f641b6b09f65f73f3c1addc7d5b

SHA512
92d2e926e7da62d139afd8c50465118bdc641b6adfae31c7abc8b5c09592c82d0bb3baa1297ac2d12b6d9b9981c58c22bc1e8d33c0fd07df3affcf7dfc59961e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
dc8527b53f2d2ce3d89922899f0f53f5

SHA1
bb724214f10b1280dc626a5014e46c6428f86dc0

SHA256
65e36d7e675f4b8ded55951020bd9bf0de557335332743deaba0d345c91ca464

SHA512
2201fe47f3e9d3199c24e990c6bf3c5df90296552f513e9969bb7e7111760ce759f4326e42fbd74387dbad796b4349f6eb23e58c345ff5c1fcb0bf890454659c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
91069cfb78a6655b51abba7cc14fda69

SHA1
945744516285defa22b5bc57a1d5ce73f8026655

SHA256
3b1f3b4bb4a9a427ed21a90b282727533191e8aa124d9a15a908d98a8d938069

SHA512
877768c1e5c87e554b779e807ca90e2b3ba9a5a7c2e68727c28f31be569bb9775ee85f7979a533a6e70dfb05df6364b11c54dfce62c2ef6b449d65a7679f84a1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
08bbdc938e1deede6c18b55ccf9e321f

SHA1
d851e0de27206cfbea9ba8d20412fa66402d7985

SHA256
3aa9f6810137a633d4c691cf61ec4fc9444a6d44aaff5f293552d98ca7157c2b

SHA512
4a22059557e6fbcd30be2051da4727c21ab7de6f735ad04b07e56f6ef3709cb5feb95d2d2d5c10e5260b31dd14e08349a7f7f338f49f1fe3ed5e751e34e153a5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
704KB

MD5
f8b53f972432be26aafc99e5f93a6615

SHA1
cad95d937628d43c3d435016dab4c04dca478211

SHA256
8119ea77c99bf3fd807dfaa06d4dc89286f9b78ba022fdb20b8251891eac98b6

SHA512
4894ba76b9807cd9f7bccb6a475ac4b4f7187a9ee1781615f7c6624d0df59f41c4c5d7a7ad043998a135524f963b802c1b1c79168d473dc60863175029b9b3cf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
81ada63ae0bab84b12ba77e847b700a2

SHA1
c2cf4603edb2880e62df014c43505069a0ed37be

SHA256
36b037c86924ceff8014d8fa984264824edac0982daa6080b1559de2afc017b8

SHA512
90de6beb5a7b159f3699c6d5608f06325c5aa17da0dee899d00c23a8434f649312fd464401d7fcf2d3b2d096eaba6957173fef20c9b6017459565b24507beeee

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
601e4a533748dee3cec116730a51b92f

SHA1
659b66d3a95b3ad90871ef4311eb3759ccc8a2bb

SHA256
0739f7ef855ddaf26afa1a4b1052cde66e9188f36117b3c5ad0235ba22c6af49

SHA512
3d9dcb31d037a63518f36314d6a8679a93c432f9e652e1cd69c50f0f29a7a1ff6158a41ec8af8115f2c5a53446ef9cf28cacd157321204e0aa85f04efd9ae48a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
5d6b51df804e9cf02864a35d4f825781

SHA1
36e59277e0a6717e8181c9fe3d54b982feb3ccf1

SHA256
e265b8b84e4518d19c95b53e77533c3a810724fbf4a12a9f8078b3322e50b3f7

SHA512
527233b607f568bbd1100a62ad1964b0c39972463e615a2798075abcfa3a9392caf4a37ba42bcde2212cc5cb6b31d7e75d03985965a4698471d98618185a5975

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.4MB

MD5
edb0bf7e66aa301aa14b2308cfae86bd

SHA1
61ae6d743a68316b0bcb7da164dd08d3de9dfae4

SHA256
05098cc94e3f84a0254b56bd80f06961a6d1fe53bdc45d0fcd05811e230abd7d

SHA512
277c777c3a4b132b8608c4003a557b4711c4257e1a28ab8c07e4e18cedf3f6a360bb5702ac2b56b3dc6feb9679aa8fae79db6e04b36407b0f6ddd1846e5a1b3e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
184cc2dbb8e205f2a73d17eca8ed83e0

SHA1
e35e285d7674466e2d9701f6031cee80fa09e4c7

SHA256
928771d960b111d30139c098bc266189a8fa1f283de8b1aa6e7c17c966ef8df9

SHA512
b2c0cdcd534d4ff31b0708b113ae843d41e34a52d67ac11e99714c316586a5ce844a40f7d1bc3ca82fa9114b2680d12330f2ff0da0773c4a5a12105a22ed901d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
ec15448706ed9d9992eada84c983d200

SHA1
ea26a0e5dd1ee2edba53f37152845bcc5f16fa4f

SHA256
246d29b54435aa2efce664f90b2815e5fb44742afaf3867116435a0e38717b69

SHA512
61b921edf88fefb9d13c047eab34e8f97928ef2c468279a8fecf78152f99c0c21fafaecd7d6f28ee1433493e363ad0bc1acf55a1096b41e53f197b5bd001b595

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
3ad59caa29b8693daff99fa052d68119

SHA1
dd685f3f6e4a011966f0da0c33ebcef2121aa756

SHA256
ec2405656331523747c95f419513da41776b2371bcb09bf3819b7246dd7d3a76

SHA512
cfc385b98be36b01c616b4d7a598f9625481ffbfa787e21be2d901f16dde075884051f0a9ff2f57614c0b7cf0cb48cbe0730d9b8423cb5c1866009974fd90abe

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
eb6214dcd9fedd748fe2f6594cd8d897

SHA1
fcc049de80432e1aa3fdadcc2a884be52d74f162

SHA256
0865fce2cb2a7e6388bf8b9829db8a9e1785d1e78a7e18b4b50abbf4a1dbf744

SHA512
67cd8dac60015585c60564112a0774ca7148b77faaac15cd05741975b86ac3e4214338328d128bd6e64cab9eb0c9b0e82b404426c79224ad3ee3e6176c74fdd6

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
27a2f8cca692eef628acd7c07eb3ed24

SHA1
ce5fe3e51132fec791089ac161c7b16fe1891a64

SHA256
bfcc98be9c217ee0fa9e8d4b7f51f6032114b41a41a5825279faadfad64b141e

SHA512
80f768a3778bdc6439cfdcdeffc651a31c08d16a6b310d6773bdfb569a86fe1c07d9d705ca814c5dba4e7990cf8a02679ace8d7f2999afcfca0760e6d96625a4

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
8a277d74207d8952e5d4bcf2a28e85e4

SHA1
c20aab4c7b7aee550550479c4371e33466db287b

SHA256
8e911bf16d5117d339b7bed1be1a6944fdb6f41938f02a68d5ec4801362abc40

SHA512
3ccb39b9255a9a0b62d8576963da3e4ce46370cb703a60180662d45fc3c719f9587bb58e54de3e483a894f0e743cef5faedb4a8c98fa247af097b180b2934e83

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
2327ec1ebfc527afb19d673130cf0428

SHA1
9077e282a6f25a71f6270934cdcc7b631f1d8f6a

SHA256
8d3cc1d2469999c7ec79614d826903745cc2c6c999631cdc17f925afdd210044

SHA512
794021955b35098015ff345ed87f108da3bcf7c66d34593b20063b51c043881021347cc2e243c02bf31eb9bb4f3d1475e0a3b16a06f3b37ba5227d7d85445895

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a92c21527d9b0dcf5a56289d95f94143

SHA1
604d23dbef4fd881d18d72fad2ef8b21949dde12

SHA256
7bbc8d2c9e987c1fd2ac345f5bc1eb82cd13d57f49ff701cea8fba62bc9dbb16

SHA512
279d93da71dbc744b9b0c1b03559bb7de7b178ba60e044a00ea977d2733dea45439def4f97702e62f168766724d1434160d6f3564e47029f690ee469573d4311

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
14398d393b9605deb0626871f857e4fd

SHA1
69e18d6c580a614d035b679d7b9d8f27a62a3762

SHA256
b4b10aacc9ceb62f25f4de4a94450f38f94ede38c3a30ba04c4209bb83b871c6

SHA512
c3934630a0377699a377a5de1a052400dd282f23ce1574d0122e540e6bc4f0e0126f89567a4743aaa8ced2e5c80bbad1b7964fffde4f7960f8ae59e72c3fcf11

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c3b61836e32847ac0e6e28e76993a723

SHA1
2a1d95b427ad2fc9bef0e53b9f2b4cd3681a35c9

SHA256
29bfa93f929c1aa8c9a9e7c5f01aacd4d3000f706d14304d4f979c5c7a58b3d3

SHA512
3f48ba7ff313f77012659189935097a52d9950b1dac00c0ce4aaf172f28295d20535083799fbfb0509db2c4fbea32d991fdf32c1275c16afe4baffb52aa8d15f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4af79f30287f8724cee410d77c3013c4

SHA1
dd5b0229e82b3c69dec0762701dce910c7d3ab06

SHA256
d6c22b7521bf18b407595b346a94b4d6f6a69e2af80d697c556a52e4555feb4a

SHA512
c2a30e6df8101be54dceaaf070ecb46da364c9b0d1804cdd33262828546e75d75dd9981f8a9f307080e1d42179c3dcd1990549e148653be5e49b64ffad372742

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
651c0d84521d4ccaf46e532738cafba6

SHA1
706b280dcd51cabbe70dad7e20c4bedbe794543c

SHA256
df701b4bf631b0ed8024e6a9764a360096beab84b575437f5386c1dfc3caf29e

SHA512
bc251c752e2d89305d04047fd4cd1ae6dc27a2f294bb335bc950611f5700a7a6530cfd0d3be11ccb4eda41db7ee32fa3c4acf03e03ab289399b33fdfbd73b3b5

Download Submit
memory/756-258-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/756-303-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/756-250-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/756-251-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1016-312-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1016-273-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1016-265-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1072-285-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1072-140-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1072-141-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1072-146-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1248-161-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1248-159-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1248-166-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1248-293-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1440-95-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/1440-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1440-253-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1440-101-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/1440-102-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/1564-417-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1564-397-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1564-400-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1564-416-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1568-388-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1568-372-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1568-375-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1568-387-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-406-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1604-414-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/1604-418-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-333-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-327-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1632-345-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1632-346-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-286-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1744-279-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1744-301-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1744-288-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-302-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-130-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1972-131-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1972-122-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1972-123-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1972-263-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2172-373-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-374-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2172-357-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2172-361-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-247-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2208-139-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2208-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2208-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2208-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2232-299-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2232-304-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-318-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-319-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2268-403-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2268-402-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2268-389-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2268-383-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2408-344-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2408-347-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2408-359-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2408-360-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2452-56-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2452-37-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2452-158-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2452-29-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2592-332-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-331-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2592-315-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-314-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2932-107-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2932-106-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2932-113-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2932-156-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download