5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-01-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
Size

1.8MB
MD5

9eadf3d06986955f12fdf60c3229ceec
SHA1

c81189f52c0a94bae3bb3fa8d9a1f35b6fcdfe70
SHA256

5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b
SHA512

17478f0a292c82aed8fbf6a35dda1da63b671d19805a781d0901be5e13d3594f5922dc79f8fa3bd42db789ce35534f438ec9699b1d0e228e2d98e5b32c742bfe
SSDEEP

49152:Tx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAeaB0zj0yjoB2:TvbjVkjjCAzJAB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 39 IoCs

pid	Process
468	Process not Found
2932	alg.exe
3024	aspnet_state.exe
1264	mscorsvw.exe
2876	mscorsvw.exe
1688	mscorsvw.exe
1936	mscorsvw.exe
1140	dllhost.exe
2196	ehRecvr.exe
580	elevation_service.exe
2668	mscorsvw.exe
2828	mscorsvw.exe
2592	mscorsvw.exe
2548	mscorsvw.exe
1924	mscorsvw.exe
2936	mscorsvw.exe
2252	mscorsvw.exe
836	GROOVE.EXE
1020	mscorsvw.exe
1568	maintenanceservice.exe
112	mscorsvw.exe
108	OSE.EXE
2716	OSPPSVC.EXE
1552	mscorsvw.exe
1608	mscorsvw.exe
2760	mscorsvw.exe
2860	mscorsvw.exe
2184	mscorsvw.exe
528	mscorsvw.exe
2448	mscorsvw.exe
2164	mscorsvw.exe
1792	mscorsvw.exe
2292	mscorsvw.exe
1916	mscorsvw.exe
1832	mscorsvw.exe
2560	mscorsvw.exe
2988	mscorsvw.exe
1532	mscorsvw.exe
1996	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cae69ad73db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_pl.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_am.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\GoogleUpdateSetup.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_pt-PT.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_hr.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_ja.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_no.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_da.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_gu.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\goopdateres_sv.dll	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM909C.tmp\GoogleUpdateSetup.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1AE17883-5A2D-48BF-88B8-D323F27F0A17}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1AE17883-5A2D-48BF-88B8-D323F27F0A17}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2640	5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1936	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1936	mscorsvw.exe
Token: SeShutdownPrivilege	1936	mscorsvw.exe
Token: SeShutdownPrivilege	1936	mscorsvw.exe
Token: SeDebugPrivilege	2932	alg.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1936	mscorsvw.exe
Token: SeDebugPrivilege	1688	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2668	1688	mscorsvw.exe	39
PID 1688 wrote to memory of 2668	1688	mscorsvw.exe	39
PID 1688 wrote to memory of 2668	1688	mscorsvw.exe	39
PID 1688 wrote to memory of 2668	1688	mscorsvw.exe	39
PID 1688 wrote to memory of 2828	1688	mscorsvw.exe	40
PID 1688 wrote to memory of 2828	1688	mscorsvw.exe	40
PID 1688 wrote to memory of 2828	1688	mscorsvw.exe	40
PID 1688 wrote to memory of 2828	1688	mscorsvw.exe	40
PID 1688 wrote to memory of 2592	1688	mscorsvw.exe	41
PID 1688 wrote to memory of 2592	1688	mscorsvw.exe	41
PID 1688 wrote to memory of 2592	1688	mscorsvw.exe	41
PID 1688 wrote to memory of 2592	1688	mscorsvw.exe	41
PID 1688 wrote to memory of 2548	1688	mscorsvw.exe	42
PID 1688 wrote to memory of 2548	1688	mscorsvw.exe	42
PID 1688 wrote to memory of 2548	1688	mscorsvw.exe	42
PID 1688 wrote to memory of 2548	1688	mscorsvw.exe	42
PID 1688 wrote to memory of 1924	1688	mscorsvw.exe	43
PID 1688 wrote to memory of 1924	1688	mscorsvw.exe	43
PID 1688 wrote to memory of 1924	1688	mscorsvw.exe	43
PID 1688 wrote to memory of 1924	1688	mscorsvw.exe	43
PID 1688 wrote to memory of 2936	1688	mscorsvw.exe	44
PID 1688 wrote to memory of 2936	1688	mscorsvw.exe	44
PID 1688 wrote to memory of 2936	1688	mscorsvw.exe	44
PID 1688 wrote to memory of 2936	1688	mscorsvw.exe	44
PID 1688 wrote to memory of 2252	1688	mscorsvw.exe	45
PID 1688 wrote to memory of 2252	1688	mscorsvw.exe	45
PID 1688 wrote to memory of 2252	1688	mscorsvw.exe	45
PID 1688 wrote to memory of 2252	1688	mscorsvw.exe	45
PID 1688 wrote to memory of 1020	1688	mscorsvw.exe	47
PID 1688 wrote to memory of 1020	1688	mscorsvw.exe	47
PID 1688 wrote to memory of 1020	1688	mscorsvw.exe	47
PID 1688 wrote to memory of 1020	1688	mscorsvw.exe	47
PID 1688 wrote to memory of 112	1688	mscorsvw.exe	49
PID 1688 wrote to memory of 112	1688	mscorsvw.exe	49
PID 1688 wrote to memory of 112	1688	mscorsvw.exe	49
PID 1688 wrote to memory of 112	1688	mscorsvw.exe	49
PID 1688 wrote to memory of 1552	1688	mscorsvw.exe	52
PID 1688 wrote to memory of 1552	1688	mscorsvw.exe	52
PID 1688 wrote to memory of 1552	1688	mscorsvw.exe	52
PID 1688 wrote to memory of 1552	1688	mscorsvw.exe	52
PID 1688 wrote to memory of 1608	1688	mscorsvw.exe	53
PID 1688 wrote to memory of 1608	1688	mscorsvw.exe	53
PID 1688 wrote to memory of 1608	1688	mscorsvw.exe	53
PID 1688 wrote to memory of 1608	1688	mscorsvw.exe	53
PID 1688 wrote to memory of 2760	1688	mscorsvw.exe	54
PID 1688 wrote to memory of 2760	1688	mscorsvw.exe	54
PID 1688 wrote to memory of 2760	1688	mscorsvw.exe	54
PID 1688 wrote to memory of 2760	1688	mscorsvw.exe	54
PID 1688 wrote to memory of 2860	1688	mscorsvw.exe	55
PID 1688 wrote to memory of 2860	1688	mscorsvw.exe	55
PID 1688 wrote to memory of 2860	1688	mscorsvw.exe	55
PID 1688 wrote to memory of 2860	1688	mscorsvw.exe	55
PID 1688 wrote to memory of 2184	1688	mscorsvw.exe	56
PID 1688 wrote to memory of 2184	1688	mscorsvw.exe	56
PID 1688 wrote to memory of 2184	1688	mscorsvw.exe	56
PID 1688 wrote to memory of 2184	1688	mscorsvw.exe	56
PID 1688 wrote to memory of 528	1688	mscorsvw.exe	57
PID 1688 wrote to memory of 528	1688	mscorsvw.exe	57
PID 1688 wrote to memory of 528	1688	mscorsvw.exe	57
PID 1688 wrote to memory of 528	1688	mscorsvw.exe	57
PID 1688 wrote to memory of 2448	1688	mscorsvw.exe	58
PID 1688 wrote to memory of 2448	1688	mscorsvw.exe	58
PID 1688 wrote to memory of 2448	1688	mscorsvw.exe	58
PID 1688 wrote to memory of 2448	1688	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe
"C:\Users\Admin\AppData\Local\Temp\5f2acff200b7ee5d7399dfbcdc97ce2a3db16e09eb290fbb1777211341c0b75b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1264

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 24c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 1d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 1e4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 258 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d4 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 1e4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1a8 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1a8 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 24c -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 1a8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e4 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 28c -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 1e4 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 180 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 294 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 1e4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 180 -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1140

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:580

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1568

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:108

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
64KB

MD5
499d6c1d37cb69bb85f9e3a903c84cfd

SHA1
297f415cd58b961d01e7da65dfa94f08821c8649

SHA256
083fe6aa492e463b8a1ed826f84b1b2f62ec33623eb3b552e6e89abfba9fcd1f

SHA512
36409d398d279345f23105d0a286a70857a1b88038113b4164148332d8b25f5476c47f4277528998ad2633584b86c0b0d7e020363d4d9a27417beb2c4921ec7e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.1MB

MD5
0e28179c6319a9607b30450cf1cf25f0

SHA1
982c75975eba4ba3793cefa2171d1564b7bbc974

SHA256
364d9211fe14974c24f6f0d5bec09858d8bb35c524576d7c83df9ed946c34222

SHA512
663f1beda78112e295f2f1eda4e7ce33b496254fa409f849545a3bfb9b5d5d8ae6654b04fcacfd7177e6e1ce41aec15cf936185a10594b82928c65ccb6b01b02

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
128KB

MD5
77443965dbef53562b540c18b3f979f0

SHA1
e2f413f7297beff7ae7543eb6d2e3565630beb51

SHA256
ac177b05eae40e8d208e18b914710f6a792041c679759d4cb0f624291b23983c

SHA512
ee5d03ad5bdf3591e9cf3b2483f9cf53144f57458250169f1c31b77133d001a155ea8a21e57bfdabb67f99afe99ef583c442ab54a318a325ce2f51791f37c659

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
768KB

MD5
493c4ec44b250922f812743352920f59

SHA1
c938c775fcdd105a0e3255bb274a678f6d612c17

SHA256
32acf7f42ed4af182cb915fd66b9848d376889399a66440f44a2f2367a07574f

SHA512
7db45d8490bb00bd2785fba6feab213023662fa9114eac5d6d4943c5567208217e0fde885c87af9c4e0a3cb21740a299ad17b519f7d3137adb6c97ffcbe8b72c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
640KB

MD5
6ef5121bcefbf095ff7bed1e006dd2a1

SHA1
b08b6e6f996877b350e18258c49f21f63bea8da7

SHA256
a7797db029bdd528b65de762c5301b3a7a98a9329966bd97e271c5c28ea26bf6

SHA512
ef25c2897b43d93e6cc16cba40c6dd8ef4fa416573fb1c037928314c31ff406d6f6a4246089ebe5ba47aeb7672ba5732a21dadcdbe5c928374f40fb0e0e0e160

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
64KB

MD5
c3f7564f0a3a1fe9391e43ff835ac5b1

SHA1
f3b38dfc343686ed56534de8836a497cb047997b

SHA256
bbab60b98ec41378afa64273f6318730475abcaf45820b8031b96527e5a0b4d0

SHA512
da065b8f799e5318bdea0e3542e2f1f82915c0ab55b4090c576e2404b8337f2606a64718edb92d137228bf1d75eb81a2504689cb51744ff5957f1f624a76b1fe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.2MB

MD5
34133123b0f3eb0724e98823ba51b27d

SHA1
0fc64c89c0e0cda291851e24bf9398ffb12adb6b

SHA256
3085f4503443ef41474fbcb0b88b9636ae89b2009dd2ed26fc9e2f33a6908399

SHA512
4694ecbcf5f42de6620df324a8860981616be8cf7367340242e028efa2a24be9bff6bc43c44d5f54ac52fa36bc3db7e10072af208941e5cda1f694894692115d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
960KB

MD5
51576c067ce10a0ab6f2df78c48b474d

SHA1
7eb9fad7921761b55abcf2683912b4058813b5b8

SHA256
93a870ca0764c0ab80196bb343255bc8eaa98b2fae2450f39f8048868763eedb

SHA512
2016c0b29116ac029df237dfb713c7ee257053c97c3653ae0324e7fb7655f5dc8098538202d36281a27f753c557e6414d977421d30d46b0d1e77e2a849e7fcd4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
832KB

MD5
88bf7277697ae2cd726f89732c15a6e7

SHA1
b66aa20fee88ba1fc94f4ffe25519739bcdff406

SHA256
20a624cc73fb3e92703b3ee95891b73bc077b4b936490d105801357338418cc8

SHA512
e0c6c52022fef3d763328b57d320fa21e7b632d7184b6a9cb66c059400e3dcba8ef9b180dabbd3e2a8b6a5190bd96a5609edee87e4c24cecaa42909f24175fb0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
64KB

MD5
6437f16d546b37f78aa8e9e81086ef24

SHA1
a47aa163d21dc09d3e3ae79176279663a2ac0a32

SHA256
ae09ca30b82e05df9015e0983c92afbbe825b55a6e44aa15c348b28a582c4975

SHA512
896d00eb77ba7b698a2ade5d0c44e44b05943609357eba8022f5f1188ec08cb5ccd7db14d7c70d157c6964511e77c9a6c26602a34e443849b4ffca41a3f482a9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
704KB

MD5
5b47455bcc9ec5bfa5e09dffe22aba97

SHA1
7ba5d7a7854397e4fe4b41211a655f497e77a1c6

SHA256
ed92c5ddc3d714dfb1a0cb024d4bb38938b523af68a6d6d5074b8b4ce3b71acf

SHA512
a4e78a7545e7a0b0d527994c96d22dfe54b99b2fd0d5b03a594c06d0edfcc45bc1463d3e7952acd6427e71fbfd2ffa81f33b1d0db261604d4dae090fab137048

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
e62682d63c454e219194528702bf6de8

SHA1
26bb23b63a8ddcc820a6c3e6a040e8067f5af330

SHA256
aefc0a0c1aacb5256ca9d62c2d9526524010392980355693472564dc7fb5705a

SHA512
7b53f2490f3ac137cdcac4da9af91aa3ec26d79308a5a460f2e4c96bfc66f7414ee97fa7e040d12569c7526928ee7dd4ac04198e4433c9d159a137a2effa8eb7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
0665523c65bc929265bd93b3ba3f0d56

SHA1
c4e014589205627cdfc64d43695f4c6355ef46a6

SHA256
0641e44a363b44d7c2a4c9a6e8a7c4481f62ab9d8063b72fcf2b96d0c9d5e113

SHA512
8f5600a13958a93a97901d2ce34a103b5032c0dc390ae4137e7a6e300649501aa7e364932a397f81bb4fe0c3b76f6ea110b8f924defab1b53b548a4bb9293e0b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.1MB

MD5
3353c5660030f69b3d7aef55febc4f4a

SHA1
a1467949792be254b0eee651dc4ec2fa906fdb43

SHA256
20452c2025b125762168ba1ad838c91723824bd54fbec378ff3ee0dff74e38ca

SHA512
449aee8c403574855ee4321f27baeeee7bbde7911ca0688277aa2f8dd8fe206a3a6e3420ff343bc0c2974c0a165218715b7817318571bcd5c22ae97029103508

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.6MB

MD5
6e1e4d70c6444c6d22be0f38a711580c

SHA1
797af9ca0dd9ef0d5a30dfcc8fdf036311969e63

SHA256
1ccfdfae8da62c7dafcd0de62bfc1759f9724735b0dfb6931e3f574de9fb54f8

SHA512
0743ec791a39e93db70dae11c6a0bb55f39b35654459e65bd4b5ee967f3d096b4d2630441e7e6c958711fbfc843aab1e9e4f872ea21425b31ca9534c9e311976

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
6b30d574b3cbe2eef7a7523a8f9b47a5

SHA1
13260c741eaa423e6ca7b0c2ad62837762447e0f

SHA256
79dacedf79ae13fc46ac2a508fb5deae5e775329228fd39fd292dfd370c539f7

SHA512
9795b61c72d68f1c458db3f2fac27d6409e10fb7d460de7b09cd7a8f348927516f2bc3043b7c08a025fb92e58f0be8c6f2e1a4eb6830c705433045a648cc0d4a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
93ba59e31a16cce8ef18b0f1443e5d1f

SHA1
d07500d18ae7288adf12c13ddcd44542d252d9f3

SHA256
dd67e5c09a8dd935aa6ece76590397b113d0696965dd59bc5ec5501f7dca82e2

SHA512
2eebf541e10f35e7cd333c72ed61215f69df37a2dfe16eb9d137f8e0f7da213bbf62ef51ae1b59addb9100b2121f9c08082c2f89d48925a0e104e83c42d7f18f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
832KB

MD5
f1c6e6d4ad20fc0343cda70e3bdaf18d

SHA1
9251a87546a75da5d1f11bb395d82710a6261965

SHA256
586e8dc4cbad559a9607315916ee68c3ad791e247ec2b90d2a02d57922d0a724

SHA512
906f4e5a0a4cd89e99cc1977c9b31ee75ee389888084a851757f9a3038ac9aed08f4ef82ff27bd4b4738de8d03bc257e03462e6e709baf2d9fce43e0eee5fd77

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ca8d3cae3b66d3439a885610d4c0a171

SHA1
c0daf473d9dab3448c2d4fc4bdacf1b4eb31250e

SHA256
8ed9d57e1af8cb0c268c0f4e722d85a2b332d75febbca947ef1505cbf768caf8

SHA512
19cbf37371ad25fc7bd6c3b90aaca95702d447c89801c77764e41dbaad1e5615087e197990eca550884b8f9092cd00f56dc88c6576a23e2ded7b440e3e465225

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
f33aa6224c6b9f24022d326cd230b873

SHA1
532074276ed9075852334f202ae1b36018be310f

SHA256
a61d632495b43d1e4be038bed81d7701adef916e7bc95f11b356c23f9d65fb7c

SHA512
56244d06067ea49fde66bf2476449b155608936bef44b09e5163a324dd61f0b8f02f691453148347a4dac65e61a15ffd3753ceff1d8c2967618b411c76391116

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.5MB

MD5
4a3dc1161703b55cda86bf7ca50d2b73

SHA1
bb42e8b066d645c77e8980a1ea8b169f6003a575

SHA256
4f1bc45b0121fd33e9e6a7ba98aff300a1e8a8a376adc7aa65b8dbd7f73b6314

SHA512
e2720cd7f082f0051830521dda0535ceed134b037020d9014bc006034240155772ea9bd636bcbe89a9f368fc34c55c591c853c94861e0b7a4a8c6beb4eb3a04b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
cfccb9fb76f0d9e82cf77f4458bea329

SHA1
42f802cabcc129ea4f35da5768c449dba2634d99

SHA256
cc933319655c567799119b004d7d3e36b22484d044b2049dd271d8ba2795e37d

SHA512
4135634894d839d14ab36395dea77d58c14972a6fb2b6e439b195a2616f986932badb363ca71b10cbaadcb881392038ae5638b55a1912ff921ace1f551078e4e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
76d6ead2a21d396f347ed60b91a19aee

SHA1
462ea6f6f24decc24a929942c3bb9d636303d87d

SHA256
3f752349be336100b797d3d1bd86b560c270492b98ae4d7e7a2b3f7145ae2343

SHA512
b38a5d6f0ca13c87b82eaad7278eb87feb90c6489b36db340ef8c17355bd7401495df4d5fc16faaf53f40db9d6419ece7198c20c558d42decfbd87f76b4316ab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
00bb2a0951719c53912ed0407079ad68

SHA1
f5d34fd73aa4ad843be31b176a675c3ba47dc6be

SHA256
6e53d6298812d4a05357acc36b5855f425040d640df5eed09431d16df9313a3f

SHA512
0aa349998687d314d3aa4f897805b4c1bcc6b0dee39ac979bec68ad584cf792f29fd46eb96de2a89785204938a464e3f123070a177be5e3f0d0e941b246a8a92

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
b19f7dd1128f4335e5a13699ee8801ac

SHA1
1773156e41c8052718312707ccda508d6ff9a3d0

SHA256
0b02a30c893f93f7613fe234bdf4884d131ece1696445d7ad12c541d4a8849d2

SHA512
a96ba3a05b6f67ed44f1a528fcaa6bf7c5b422c1bc4a1dc4d140535aefd88f36022cc932a518e609efd4157881a42de46d1948ba22512ce96c5ffe4279dc16ea

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bd988747b77b5623c4372db8f0a01301

SHA1
f59700caa089eb5a7411a25493bbdb5c521e86e0

SHA256
e8c26056e28021426adef94879e095973d8cd8ef7d8646ad93290fb89b08b929

SHA512
cdc36156a5975ce43402641771076a2e8424a1b58ddf9f5cfd08b00c68722e334531d8db2b7b654b586c0febb3b822a139df5b75781e5ad5ef8765714662a97f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
eedc05c367719e0fd3b3879f5d57b16b

SHA1
871168bdb4994ded4f2abb8f55c73757d0946c17

SHA256
8f97ee3181e716614b15fef8986dd49b33fd0073573bfc263eaf442405395b56

SHA512
c22f561c2fee706d2a5b7cca809f7363902810ec1d665441dbdb5ef9f2a7981a7f884ac8be0af5352f7a04d795f9c7655ccb70419694a2913f035ac9304937df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
935b30180548395df1955a585656eb0a

SHA1
502d4d8b3d77d9b39f3ec0acc5351ccd9f9aafb8

SHA256
910da1b7c3b26fca51572746c6283b9041849d83d6749bef8100ce1b30ec45a2

SHA512
7ef4f63c1f4b41dfa8576488ddcbdd3874bae1884942938ebe669b48f8ac08ee28667ae7f9c9bf605e951e5d894da6ca57a5c97c3ffffc5208185dcc510d60a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
9dc92247b0343e6c9ccb5bb4c4f63b17

SHA1
c844685dad36b44b38fcb0e0b91c9808f392637b

SHA256
b09a580327912bb0fcf02566251dd4394cbe06ec0fe5a23a0e26d1e174a09c70

SHA512
f89f90ff01b0ca21a57df5cb1884a308426d1b8163e42f986036718b5123ef3fc3a1162609874403f76280e4d20a4a39a0aa2ebb624d696a4f60d1ff1df3dad6

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.1MB

MD5
0f5a22e16f9605851713cb88cea37ae6

SHA1
f4532bc536d8eb09b6436200863f254f8dbdef2b

SHA256
51a3eb3541a3a91bf005d8b38b8505df5f45ab44a02d7a26ea70fe8df2e5ff48

SHA512
23b4d653fb3c3826c6330e643a3472303037ad1cbaa1455c12678598160e2ee8c482a1a9cefb30c57f3f54ff2cf8a336882dd3142a5edbad3df5ac3d1e65cf8d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
173b8fd7ba9838248c69546e3de17a6f

SHA1
83b59e9fb9d9a7c9ff15a6a12723b730df0a27f8

SHA256
0fe55d061ea3fd979273adfe785712d81e16ee221969eb770a22d677dcf77f94

SHA512
4f186431daa94b4ce405155b2045a65d40ee7e957dc8c620f14b194c7d9b0e61bc1693d681f878e5dc08e499c7cc07216c5cd497b8334a1d18feebc2fc7ea809

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
170e1d44a4f1a93acf0f128762f928f1

SHA1
572c0a7f851340cef3eae80d7af6a06482235493

SHA256
eb6bbe174452597d7ba95cb95d3181c457fdbf55551891bafa817a63335ff0e5

SHA512
2fe2482bb7693bf269ef913cab3f0ebb301ba905115d6c399c2fb766f2e9e3ef6ec8149ad9a832cf05ba9718a842ea06df43cd021713881d725fa622f152a16e

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
fb1f0cdf114f7e34950b9e0f5754c9ef

SHA1
07395ed647ab4206ddb63b6d38a198d421168239

SHA256
d8188d5b9ee9bcf716082c8e138576c37744a0b23a54edd3af849dd9d1f5dc53

SHA512
09261f68104a8bd0dd95018e321bd3fdf6645c847f2ef374a198b9cc1e976eeefb49ce0894967e3a76c34eaec75048dcb79d26f0f26aa5ffe533457a3dd42bab

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
09021bf56897ecdf2db6f70f9fc489f9

SHA1
90b6bbd06cbf04cf61f2f44e2cf66225d2845b76

SHA256
37e06f045144e30e100182ff74ab3055e9082f857c34673e512a755bdc6bb8f0

SHA512
fcc022e76ec0fe9093833ee50b0970e8205953d6853f608626b0b9553a1d0e7857d9dcaba037f570bc320a3fed14bcda72b8b7343decf088496c3d45e9ae340e

Download Submit
memory/580-307-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/580-260-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/580-259-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/836-384-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/836-385-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/1020-403-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1140-162-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/1140-159-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1140-167-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1140-285-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/1264-98-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1264-97-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1264-104-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1264-122-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1568-398-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/1568-407-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1688-124-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1688-125-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/1688-131-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/1688-268-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1924-344-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-357-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-358-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1924-338-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1936-143-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1936-279-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1936-142-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/1936-149-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/2196-264-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2196-175-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2196-174-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2196-317-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2196-256-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2196-265-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2196-297-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2196-269-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2252-374-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2252-369-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/2252-362-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2548-324-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2548-342-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-343-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2548-330-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-319-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2592-314-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-308-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2592-328-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-329-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2592-301-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2640-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/2640-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2640-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2640-253-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2640-6-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/2668-281-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-272-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2668-280-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/2668-271-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/2668-296-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-295-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2828-298-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-292-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2828-312-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-313-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2828-287-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2876-153-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2876-115-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2932-28-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2932-160-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2932-27-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2932-12-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2932-13-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2936-359-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-372-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-373-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2936-353-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2936-348-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3024-173-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/3024-89-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download