Analysis
- max time kernel: 143s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:05

Static task: static1
Behavioral task: behavioral1
- Sample: 538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
- Resource: win7-20231215-en
General
- Target: 538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
- Size: 2.5MB
- MD5: 90e7a25b9f808d95d5c6086c8d1e79dd
- SHA1: fdbbfe0e5e91aeebaed3f1950b390847ba268a01
- SHA256: 538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00
- SHA512: 400a25dbee70a9f5fb5146062f53bdfc1486cefbba80f1d8f28c6d1fa77e3262873dfa42eb8237bc3b9e852e1a9720f32565fc934b7c1d0172a61b3f6970ab57
- SSDEEP: 49152:2cGJbpgcOVmQ+ljS7yLfijfzQwMWjoFznh7J5uP9USCfmzz9YVgY:jGJbp4VmQ+ljS2LfijbQwMW+J0+SC+zL
Malware Config
Signatures
Executes dropped EXE (42 IoCs)
  pid   process
  468   (blank)
  2684  alg.exe
  2604  aspnet_state.exe
  2140  mscorsvw.exe
  2672  mscorsvw.exe
  2768  mscorsvw.exe
  1092  mscorsvw.exe
  1340  mscorsvw.exe
  1008  mscorsvw.exe
  3008  mscorsvw.exe
  2360  mscorsvw.exe
  668   mscorsvw.exe
  1840  mscorsvw.exe
  1668  mscorsvw.exe
  1768  mscorsvw.exe
  2820  mscorsvw.exe
  1740  mscorsvw.exe
  2924  mscorsvw.exe
  1176  mscorsvw.exe
  2644  mscorsvw.exe
  1700  mscorsvw.exe
  1500  mscorsvw.exe
  3056  mscorsvw.exe
  1528  mscorsvw.exe
  2068  mscorsvw.exe
  2032  mscorsvw.exe
  1824  mscorsvw.exe
  2380  mscorsvw.exe
  2552  elevation_service.exe
  2884  GROOVE.EXE
  2880  maintenanceservice.exe
  2756  OSE.EXE
  1856  OSPPSVC.EXE
  1636  mscorsvw.exe
  2676  mscorsvw.exe
  1776  dllhost.exe
  2220  ehRecvr.exe
  2376  ehsched.exe
  1836  IEEtwCollector.exe
  1272  msdtc.exe
  2072  msiexec.exe
  3028  perfhost.exe
Loads dropped DLL (9 IoCs)
  pid   process
  468   (blank)
  468   (blank)
  468   (blank)
  468   (blank)
  468   (blank)
  468   (blank)
  468   (blank)
  468   (blank)
  2072  msiexec.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (9 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
  File opened for modification | C:\Windows\System32\alg.exe | 538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | aspnet_state.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
  File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\7c0d4cf8c0d5d3a4.bin | alg.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | aspnet_state.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
  File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | alg.exe
Drops file in Windows directory (24 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | aspnet_state.exe
  File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC22D6A0-506A-4D66-A586-2016ED5BECB9}.crmlog | dllhost.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC22D6A0-506A-4D66-A586-2016ED5BECB9}.crmlog | dllhost.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
  File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
  File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | alg.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
  File opened for modification | C:\Windows\ehome\ehsched.exe | aspnet_state.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | alg.exe
  File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (value elided) | OSPPSVC.EXE
Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description | pid | process
  Token: SeTakeOwnershipPrivilege | 1368 | 538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeDebugPrivilege | 2684 | alg.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeTakeOwnershipPrivilege | 2604 | aspnet_state.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2140 | mscorsvw.exe
  Token: SeRestorePrivilege | 2072 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2072 | msiexec.exe
  Token: SeSecurityPrivilege | 2072 | msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  1368  538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 2140 wrote to memory of 2768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1092 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1092 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1092 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1092 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1340 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1340 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1340 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1340 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 3008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 3008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 3008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 3008 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2360 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2360 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2360 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2360 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1840 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1840 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1840 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1840 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1668 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1768 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2820 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2820 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2820 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2820 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1740 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1740 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1740 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1740 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2924 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2924 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2924 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2924 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1176 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1176 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1176 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1176 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2644 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2644 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2644 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 2644 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1700 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1700 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1700 | 2140 | mscorsvw.exe | mscorsvw.exe
  PID 2140 wrote to memory of 1700 | 2140 | mscorsvw.exe | mscorsvw.exe
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

PID 1368  C:\Users\Admin\AppData\Local\Temp\538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

PID 2684  C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

PID 2604  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

PID 2140  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes of PID 2140 (all C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, each flagged "Executes dropped EXE"):
    PID 2768  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
    PID 1092  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
    PID 1340  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
    PID 1008  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
    PID 3008  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
    PID 2360  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
    PID 668   Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
    PID 1840  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
    PID 1668  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
    PID 1768  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
    PID 2820  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
    PID 1740  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
    PID 2924  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 24c -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
    PID 1176  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"
    PID 2644  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
    PID 1700  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 244 -Pipe 290 -Comment "NGen Worker Process"
    PID 1500  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 294 -Pipe 274 -Comment "NGen Worker Process"
    PID 3056  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
    PID 1528  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
    PID 2068  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
    PID 2032  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
    PID 1824  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
    PID 2380  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2ac -NGENProcess 284 -Pipe 29c -Comment "NGen Worker Process"

PID 2672  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE

PID 2552  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

PID 2884  C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

PID 2880  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory

PID 2756  C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

PID 1856  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

PID 1636  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

PID 2676  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

PID 1776  C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory

PID 2220  C:\Windows\ehome\ehRecvr.exe
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

PID 2376  C:\Windows\ehome\ehsched.exe
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

PID 1836  C:\Windows\system32\IEEtwCollector.exe
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE

PID 1272  C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE

PID 2072  C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

PID 3028  C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

PID 1592  C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe

PID 2736  C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe

PID 528   C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe

PID 1484  C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe

PID 2244  C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
Downloads
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
530KB
MD50ddd1c7b6e1025f869029b3da109e0f0
SHA18cd32a47dcd1905536f03f880e33be9b73b33bbd
SHA256b377912227ad7d72f73926571dc119f7d3ef12f9130702f0cd82327a1c653e73
SHA512b7dce1f76b3b24ea5918b65f91ec331f2b0b2ef4809f851323c9f6a8fdd5d76ea4cf3175b54707033c35fa14ef22c0da939fafa827d9a7939335d72dbcc0425b
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
244KB
MD5925fdb50acb16ea4fcfab4c114369b60
SHA13921f851194b898767ccb9df170a6c3693deb80b
SHA25654d2e677405a4a6c2f463ded713ffd1805caf11b568a4eb392f2f3e3231e3a86
SHA5125a37bacfd849c7d900575232a002bf091398b10931bb2821b239d74c4f63c989038142eafa6aaaa26311e1d4ffa69e05286b3d2a0e513a31983c771d2972e437
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
60KB
MD525e19663e6346512e44000a28cfe19e9
SHA1bb23070cd05fa96c84ba60698f4c1aaeba3f3b95
SHA256cdf0146463621206e406df186fdd144fab9e57c3e4e851af951e20cb2b92f250
SHA512ef5b4afefb5130709d519d4edb66b152885d44bc6bf9144271240cbbb8abb3e4f73bf2b2de2cc4eb341dddaeb25fcd2d27769dddb5a2fd2b97c2e4be94782f73
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
128KB
MD56df53e52d85c1bc1839e7b544d9df0e8
SHA1dcbf2c3cdcc7ff517bed39a22ec79f178175c80b
SHA256a874e3a7f6da63336ef47d642abbb0f711934fbfdf25dc4ff38513a050d4ecff
SHA512bd937c140ca680aa0a6b9544c5c58e1fea47a21ae9abfca302a988495a3d5e4b710e8b7b65eba1e9418a7d14f18c096cefb9494c8cab0a77595d7d79fc997274
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
575KB
MD51213ac29bee62e1e40031f3f83e3d5ec
SHA1b3eced4b7a0b0db435c75a000dffab789f932be2
SHA25653646c70a829ab6ab4b901a96af9be397b66467918d39e9a07e420119e08905a
SHA5122b4962535d508a0948a832cc2b7a82d482469a581f9a8784dfcee629c416b9d8d12fe5e2d850c17e4aa1408d2fba805c67d8fe541aa869b7eb54493d40fa464e
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
170KB
MD5919d1d4f28bb2559f187f02ff50e7682
SHA14f2287b0dc27e408cafc68baa0d4a24e17bac600
SHA2568abf0144696b63a699242dd8975b4712a622122727ad9f7cf8772a24769311c7
SHA512bebf80d24619dfaa6a17060443ea7bdf05dae4e847c790368e9db52190ad84f6dbed8aa4efe4c2ef0c67a0c685c71db8c7160b61f6a5320352505e48ec178223
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
320KB
MD5bcdffb1a47a83007fa884265945f12cf
SHA1852e46a171e35c0d68e880b68c81412c079a1f7f
SHA2565f891363202f5c9417dd0afbd51960954215c1a0aafdb2f348edb3c58f5b3971
SHA512107d43cf4f74717e544cfb1917b1e4bab63e6f71ed2203d2b5beb39a4d8736c3ee49ae2fb517f348743be8314654d18fc471e9b79e6cda389abffe7c64db8433
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
192KB
MD5c6b5eb4eb71b6e587e9e993a94224ea9
SHA1f3a65c11866093c6c58adfd8f6fda5b5c455c94a
SHA25683847e7e2fa6557dfa2e33b4bee4e1957faee1e3bf8225abc164e758ad72410d
SHA5122a9a3b594b4ed20abbf0867903a7ba143c46c61c369c38ca7d81d1392b607cb1f9e473b469f73f2b1743aa18a039e424a7d366a02a789a213de135fcbe91d7bb
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
656KB
MD53c14735a29850a6f5d7cf3760885e10e
SHA19df942225632b332b8c3166947cf0b40a0da0cc7
SHA256ae6cbd379dffc08846b70c5c2a7f4f8f590cb0d034cb47c03432bef2a63ddc75
SHA512791389f692bc71f79abf3ddad9b39c18e1266d35effddebb7fe2acb3885387972401c8be49f6fa1ca325ae48a01be5fbce92315c14da1d7533208d8617549570
-
C:\Windows\SysWOW64\perfhost.exeFilesize
587KB
MD57de149fa993b3ea132ecd4f08fcd8a11
SHA10175e9c37afee64d95f699eb21d7c26b2d78ef32
SHA25607aa7fc091b4265412a89b68a68992481db408eb799df502260a15db39565b8d
SHA512d2fd2c4522221ca2ab2c7c7acd9472a6d143d1973de74c6178cd77fa73ab60a9ac57f10ff83f409c04a4bcec7fa6f24a70009dafd2405a2c7597d1cb39c3caaf
-
C:\Windows\System32\VSSVC.exeFilesize
1.3MB
MD5981a9df5c33db7e49995429a2b43fba0
SHA1b67984ae7de61e12dc05db5ac8982176874b8c1b
SHA2568e2c3009aae68079538715c60b77241095e848b271fc62509ded6ea1b701ec9b
SHA512a13c9c3f2a31a34ba2c3ef1ce5279de7e2b43b6c4f83df68fec252dc13c5f48f8c04e5631c0a5246a907acd445fc087ccfc2554132f8b2e807f17ad5677bc431
-
C:\Windows\System32\ieetwcollector.exeFilesize
674KB
MD57d256109d55bc51e4c265d2435425ffd
SHA140b3800b66ba699ede60f3baed9bad51223fd5a0
SHA256f26eb0c682ea79634030ad61280884305db8af7e3419d2a0ec0421988591285e
SHA512a7de0f6db42c83e7f27ebaf42c271ee119cc6f89049050cc562b163954deba0728e716b6a1a58cdecf2849259321364b08072cd6fc60b9687284a048ea4b4081
-
C:\Windows\System32\msdtc.exeFilesize
705KB
MD522778a51511379595c926224c5eabd17
SHA1eeb1ad6e2fa02e0d6b9d18d5b4d91d8f7812d47a
SHA256c369f616598e3e7d793c7c333c749b1d0c3cfd70a3a968795b55af7a73dfaa57
SHA5129fb232c5c5f65a6775d438fb5b3e1c8dcd0de94252b9039de31f10a2727f2ed5cf55e6bb51ce0b227986f6415771a465ace149f0f98c0a8dd6b1d33ef2b60ea4
-
C:\Windows\System32\vds.exeFilesize
128KB
MD5e2411a558f2ae8b385fdb79a9860b8f7
SHA112f4773d1b82e99cc68881fabf89508e15c3e7d3
SHA25633184e10e2ad5d5f1f8b90ba79ebc71a0e9665488a7ef213669dea0d6989f2b4
SHA5122ecced0e576bb33be2eb4dadde8d6f99ecb88b92256fb13ba77a1869a08f7a9e2518ffd851b1d253ae1fd15c6bb8895f3b7c50d7d1ef8f0d402601c7e08dbd0d
-
\Windows\System32\Locator.exeFilesize
577KB
MD5c5e87edc778712a47e3e40d1ffe6bab8
SHA173c45878050a68f80eb5f3594ad9b4a698b27fe4
SHA256f593b8de0c10c85a030ee0b4bfcc6c9889e4153ef409696a69226c53cdd32671
SHA51260da9016a1d0a98bdd6e97ff3814d5e289858009efdb2b869e19b325551fee1324ce0db400c30531a0929270fbe02145bf51f0106411b567c7fa9ced8bf9a9d7
-
\Windows\System32\alg.exeFilesize
644KB
MD54a5cb8189a72546f36a7fc3713658a9b
SHA115eb546291c3c8dac0c8dc8bd7577cec33616219
SHA2569503938b456ec34e37e0559c8b9ffca29bbc82d963ac45480218b77c4fa30ed4
SHA512ff140b505be8dd85ad154b621f79ff6868b716703e6331e808e44119e2ffa3ab4412e810920ae1fd301850c80375bfa42915e4e9ee0ddf10d1bc509a0a708c60
-
\Windows\System32\dllhost.exeFilesize
577KB
MD5063ac91e44b236abf5acebe872c68fbc
SHA178c831c23190fb92dfdf38ab8bc9fbdf5586da8e
SHA256e227eab151714dc911cab7e33b59894520a06887b9eee932d574c32bde4dd4ce
SHA51261ea13c0b1fa417175e6f3cc3b31f2a821a266a2b55341ca80fdd93fd229d9e30819259d780bf40c0a66b7d4d0ef4a29962ff3354a83cdcdfdafdaff2f1e8af7
-
\Windows\System32\ieetwcollector.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\System32\msiexec.exeFilesize
691KB
MD546343b072d84fac2f385fb66d1475c2e
SHA1812aa7f78a602db36c2a5d3f8db739e0a40b06d2
SHA256a3f2e1f086d6f07e08db0ad0c05dc5b8d5407a0949269073badc1d7651a0a3ad
SHA512e67ea9b1480186180b5d847500af77a0472ae41d868b5b2439a713cb34b04bd1871bb342f01d9543b3cba956c3543b0f356265e80298dcb94c91f58c38514ed4
-
\Windows\System32\snmptrap.exeFilesize
581KB
MD5e5961bad33eb051fc9e48513d34b5fd5
SHA1e83fb0bb4fdd7e760e7aae8764506d2fd9dd29b1
SHA256eb2560092ef45606ea4761d03215d2234d4421b58d45918c247a6a458bfcbc60
SHA512efc98c8f30d6ac5be63f09f37663a3a4311bbb8965e565e3b63ba853983f81c057905c28cccd58ee425991c921d4ca884a2f5b0629988934caa5e75b548e0a3e
-
\Windows\System32\wbengine.exeFilesize
128KB
MD5523ed42d30c0042595fc3a41bc9a57bd
SHA1cfccc1d099a093b2439938dddb2d24b230e9a51c
SHA256a796f18eb5292e7b37e88092bb1f9b20655faa439a4f2ef359e984042a95c392
SHA5126c6613d70e8069a24bddd2b53e624f57afe02bf67c44578dd31f7df680c45178aea2c977a8fe78d440944d47a6775105d17d5c7871e09cce203fd209db2f2ee6
-
\Windows\ehome\ehrecvr.exeFilesize
1.2MB
MD5b6c33841a1f006d58c4032de3d2914d7
SHA159f1ae0aac91be27b742d139001caee6074ba28a
SHA256547fd8bef7c9cc26e29bd9a1bfb119bb0a9ea9d33ee4c185a3e09860defdbe2f
SHA5123accc8c993d37b0983cc3bbbc9225fcd21c4e2c40094b0b5123e0797b12d20df65d9186988b223e264d88a227fa8b39569ba3862242b7c753d4ec1219aebb037
-
\Windows\ehome\ehsched.exeFilesize
691KB
MD5369daf134e7bce0cd056c755f92ec53d
SHA11ba3a15d86484adb7703205e4c0bb761271bacfd
SHA2564118d4d777b7b515398ef7d7f46ace3127cf0882671065de2d0320400be6fcce
SHA5120df86523e119d4984baf1e39dfc8c2d75a1b0c5b39a48b1d8ddef03cbf45bb7f1b63cc8c6486c12433fb8a0b79f834cca29ac3b82edc855784bd8c10b9573e86
-