538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00

Analysis

max time kernel
143s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
Size

2.5MB
MD5

90e7a25b9f808d95d5c6086c8d1e79dd
SHA1

fdbbfe0e5e91aeebaed3f1950b390847ba268a01
SHA256

538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00
SHA512

400a25dbee70a9f5fb5146062f53bdfc1486cefbba80f1d8f28c6d1fa77e3262873dfa42eb8237bc3b9e852e1a9720f32565fc934b7c1d0172a61b3f6970ab57
SSDEEP

49152:2cGJbpgcOVmQ+ljS7yLfijfzQwMWjoFznh7J5uP9USCfmzz9YVgY:jGJbp4VmQ+ljS2LfijbQwMW+J0+SC+zL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 42 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeehsched.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exe

pid	process
468
2684	alg.exe
2604	aspnet_state.exe
2140	mscorsvw.exe
2672	mscorsvw.exe
2768	mscorsvw.exe
1092	mscorsvw.exe
1340	mscorsvw.exe
1008	mscorsvw.exe
3008	mscorsvw.exe
2360	mscorsvw.exe
668	mscorsvw.exe
1840	mscorsvw.exe
1668	mscorsvw.exe
1768	mscorsvw.exe
2820	mscorsvw.exe
1740	mscorsvw.exe
2924	mscorsvw.exe
1176	mscorsvw.exe
2644	mscorsvw.exe
1700	mscorsvw.exe
1500	mscorsvw.exe
3056	mscorsvw.exe
1528	mscorsvw.exe
2068	mscorsvw.exe
2032	mscorsvw.exe
1824	mscorsvw.exe
2380	mscorsvw.exe
2552	elevation_service.exe
2884	GROOVE.EXE
2880	maintenanceservice.exe
2756	OSE.EXE
1856	OSPPSVC.EXE
1636	mscorsvw.exe
2676	mscorsvw.exe
1776	dllhost.exe
2220	ehRecvr.exe
2376	ehsched.exe
1836	IEEtwCollector.exe
1272	msdtc.exe
2072	msiexec.exe
3028	perfhost.exe

Loads dropped DLL 9 IoCs

Processes:

msiexec.exe

pid process

468
468
468
468
468
468
468
468
2072 msiexec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

Processes:

aspnet_state.exe538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exealg.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7c0d4cf8c0d5d3a4.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

maintenanceservice.exealg.exeaspnet_state.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe

Drops file in Windows directory 24 IoCs

Processes:

aspnet_state.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exealg.exe538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC22D6A0-506A-4D66-A586-2016ED5BECB9}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC22D6A0-506A-4D66-A586-2016ED5BECB9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 9 IoCs

Processes:

ehRecvr.exeGROOVE.EXEOSPPSVC.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exemscorsvw.exealg.exeaspnet_state.exemsiexec.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1368	538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeDebugPrivilege	2684	alg.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2604	aspnet_state.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeRestorePrivilege	2072	msiexec.exe
Token: SeTakeOwnershipPrivilege	2072	msiexec.exe
Token: SeSecurityPrivilege	2072	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe

pid process

1368 538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe

pid	process
1368	538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 2140 wrote to memory of 2768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1092	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1092	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1092	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1092	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1340	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1340	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1340	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1340	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 3008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 3008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 3008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 3008	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2360	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2360	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2360	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2360	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1840	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1840	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1840	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1840	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1668	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1768	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2820	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2820	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2820	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2820	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1740	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1740	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1740	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1740	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2924	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2924	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2924	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2924	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1176	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1176	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1176	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1176	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2644	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2644	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2644	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 2644	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1700	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1700	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1700	2140	mscorsvw.exe	mscorsvw.exe
PID 2140 wrote to memory of 1700	2140	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe
"C:\Users\Admin\AppData\Local\Temp\538846cb6455c23e4f803b523921f1d9ade5f27451c67b25a06625d80206ce00.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 24c -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 244 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 294 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2ac -NGENProcess 284 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2880

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1636

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1776

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2220

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:1592

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2736

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
628b8ecd97b78902197a442dc5cc5404

SHA1
3194dbd8810078169c31eb5448a5d3beb1c5a98d

SHA256
5909f8822fcfcc60d52bb5f2f14fe5a510221ebda982ded685102a0a85e3a1a6

SHA512
d5e9fdbf47a11b3a9fd4bd0252f049b3c4c6bbb0804fe7694fc726de1e7b7279bd9a105d70b6dcb672639117f2b241e60f0ae330f9622e1664c4f67548b643c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
cf87ea50243553f8b1c408035fee6b0c

SHA1
aa7450043bf018204cfe29034c4a6891adace382

SHA256
9ebb68c7b5160226cfbd4f86b6b7bcb494e7b57482bf3edac0f2b348defe48e8

SHA512
ffefb0184744a9a9bd470abbd07b4230c58b57d7b87f9261c47122020b5e4d2d4caec15cca467051ee62bf92a8b63e957a37a53bdb1ce650db355a7b2bdfa1b1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
6d13756452b8fe8b1150a9588c3d7119

SHA1
b73caeca4b8b0d69c6bbbfa04f2a8deb8a3aca43

SHA256
fa70b9e63fb63ac07560f19d9641dd39e4f8052f1f4f00d867ec1e6120abf622

SHA512
f2499f0633616b3bae07024f16b8119a791b290e98e1c2c1ed4bc0b8467414c7094893d619ea3965e0e4e592ba04eeac58d47723c4356f4ab0640ab91b2a26bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
6474931c3be943ef2a1eb27b3d468f11

SHA1
e2b46eda9e77b7498f5bbcd6e73fa914d2f8cb39

SHA256
be63e8fd594a82f8571d137f4411b7c2eb8ad2de26f06d57646844601c531b68

SHA512
3d9826830df220adcede4dc9184c12f265800868f3c2a3f3dadcce187a6ce9d4bde2d652cb996914b667e801cdbad77025ad26e40641b1bd5fd0cbd4085d6e99

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
256KB

MD5
8660bb8b5a9dd62642e130fc64b1294f

SHA1
72ea0012a71241e7cafbe9db553a331ea8b4bc24

SHA256
a039f53f3f553cd1f9a9c20db6a9f54d96f4e89e0652fd90d33174ebdd3888cf

SHA512
b551132db7984500e45b1d7c448dd0d20cbddcf49c96dbd83b63e1571d02006e6d9aa200a10fc8fc14cb674ee84e03bf1a4fc8e62541867c47073714531769d9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
cecb366be1f9b94c7bddce9c9e4b6976

SHA1
0ee451717d55925f361cdaaa01a1c7d470b8f3e1

SHA256
7c664473bbaa797c875fd2c0b02afd3277f8e386b01b8f8a8e020d30ff6fa56b

SHA512
7ef86a8dd120c04cbd15de7eaa6e01d5bedb951aa0000f880c9c8553029968bd0283a140471b50c3fb1fb19da21232b8194f432ebfe563dd41114fc39d95e263

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
a49b72a19eb78a437426219c30e1e1e1

SHA1
683570bf719b82caacc83626452736b754a2e5d6

SHA256
fe45b6f7b9cbf9cdae2778fc8ca471e45622d2be54c4b77ed906e45d25c0485a

SHA512
4f328e574e37b9e84624025278d93079ccd92dfa202529d974ef93de4ddc3e098dce848dfb625cc589805c905aebdc801780a77af82bcb7f89877ef185bff802

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
75d62752eb046d42460c8e065142bcc4

SHA1
5cefc632bf0e22d62d866867ca49f6b86d8e9292

SHA256
32c1f7e39cdd57eac619af47945fb6f18f2f13760103f7163e20fd8f55eee477

SHA512
6d985273ca1c59bb7c1befbc8f63847968ec433cb95f0a485fc77e6b10d98ba87720b5664906a3142b23cbb842bf1010569b833a22ce5d5c682bf16e259e34a5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
617a59e71737e8337d529d4c34ee338c

SHA1
f169a63577bae2cb0fdf95d4dc41e7fb53915836

SHA256
134684b576061c89146808ff38236b8bf9f0a880d000ac1f7cbdce6bd67b83d5

SHA512
fdc9796b0fc490f5f584034770db31e1506d48a728b78e1bf9397a3eb60638bfbd39addb8bf02d3692ff30eb0e43df9c16d6ca85581d586c60b226fc4ed79bfb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
cec594e36f07fde166aedd5e386fffab

SHA1
8714012f64cfd9304a9ffce5be3dbead6c65d65d

SHA256
f2b477a3b3f49570d27d4aa715313d2d19d57805f83cc403e7b0e09ab1cbe997

SHA512
265962f44d1965615f7d682d000e404fccde260ef38cfb16f9eca0b94613b355c4b12e55c739e03ccbf8c7a7f846cffe1b89e3548eb03b1a14bd991decc44fe3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
e2baab10c2c82dd291144a588df76c60

SHA1
3c2fa0446f5a006b13e2960b849da1b88fd1ae2d

SHA256
327739ec609a59cbedf5ced0d01609fa747ad07cb1d740e5698462ae945aa742

SHA512
c33590080aa55370763a5266ca4306074e868d768700de62bd61a46f1149c64b636a012d6937168ef90e084cbb238f067cfca6e673d684a71d452fd10c09dff4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
530KB

MD5
0ddd1c7b6e1025f869029b3da109e0f0

SHA1
8cd32a47dcd1905536f03f880e33be9b73b33bbd

SHA256
b377912227ad7d72f73926571dc119f7d3ef12f9130702f0cd82327a1c653e73

SHA512
b7dce1f76b3b24ea5918b65f91ec331f2b0b2ef4809f851323c9f6a8fdd5d76ea4cf3175b54707033c35fa14ef22c0da939fafa827d9a7939335d72dbcc0425b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
244KB

MD5
925fdb50acb16ea4fcfab4c114369b60

SHA1
3921f851194b898767ccb9df170a6c3693deb80b

SHA256
54d2e677405a4a6c2f463ded713ffd1805caf11b568a4eb392f2f3e3231e3a86

SHA512
5a37bacfd849c7d900575232a002bf091398b10931bb2821b239d74c4f63c989038142eafa6aaaa26311e1d4ffa69e05286b3d2a0e513a31983c771d2972e437

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
60KB

MD5
25e19663e6346512e44000a28cfe19e9

SHA1
bb23070cd05fa96c84ba60698f4c1aaeba3f3b95

SHA256
cdf0146463621206e406df186fdd144fab9e57c3e4e851af951e20cb2b92f250

SHA512
ef5b4afefb5130709d519d4edb66b152885d44bc6bf9144271240cbbb8abb3e4f73bf2b2de2cc4eb341dddaeb25fcd2d27769dddb5a2fd2b97c2e4be94782f73

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
128KB

MD5
6df53e52d85c1bc1839e7b544d9df0e8

SHA1
dcbf2c3cdcc7ff517bed39a22ec79f178175c80b

SHA256
a874e3a7f6da63336ef47d642abbb0f711934fbfdf25dc4ff38513a050d4ecff

SHA512
bd937c140ca680aa0a6b9544c5c58e1fea47a21ae9abfca302a988495a3d5e4b710e8b7b65eba1e9418a7d14f18c096cefb9494c8cab0a77595d7d79fc997274

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
575KB

MD5
1213ac29bee62e1e40031f3f83e3d5ec

SHA1
b3eced4b7a0b0db435c75a000dffab789f932be2

SHA256
53646c70a829ab6ab4b901a96af9be397b66467918d39e9a07e420119e08905a

SHA512
2b4962535d508a0948a832cc2b7a82d482469a581f9a8784dfcee629c416b9d8d12fe5e2d850c17e4aa1408d2fba805c67d8fe541aa869b7eb54493d40fa464e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
170KB

MD5
919d1d4f28bb2559f187f02ff50e7682

SHA1
4f2287b0dc27e408cafc68baa0d4a24e17bac600

SHA256
8abf0144696b63a699242dd8975b4712a622122727ad9f7cf8772a24769311c7

SHA512
bebf80d24619dfaa6a17060443ea7bdf05dae4e847c790368e9db52190ad84f6dbed8aa4efe4c2ef0c67a0c685c71db8c7160b61f6a5320352505e48ec178223

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
320KB

MD5
bcdffb1a47a83007fa884265945f12cf

SHA1
852e46a171e35c0d68e880b68c81412c079a1f7f

SHA256
5f891363202f5c9417dd0afbd51960954215c1a0aafdb2f348edb3c58f5b3971

SHA512
107d43cf4f74717e544cfb1917b1e4bab63e6f71ed2203d2b5beb39a4d8736c3ee49ae2fb517f348743be8314654d18fc471e9b79e6cda389abffe7c64db8433

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
192KB

MD5
c6b5eb4eb71b6e587e9e993a94224ea9

SHA1
f3a65c11866093c6c58adfd8f6fda5b5c455c94a

SHA256
83847e7e2fa6557dfa2e33b4bee4e1957faee1e3bf8225abc164e758ad72410d

SHA512
2a9a3b594b4ed20abbf0867903a7ba143c46c61c369c38ca7d81d1392b607cb1f9e473b469f73f2b1743aa18a039e424a7d366a02a789a213de135fcbe91d7bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
3c14735a29850a6f5d7cf3760885e10e

SHA1
9df942225632b332b8c3166947cf0b40a0da0cc7

SHA256
ae6cbd379dffc08846b70c5c2a7f4f8f590cb0d034cb47c03432bef2a63ddc75

SHA512
791389f692bc71f79abf3ddad9b39c18e1266d35effddebb7fe2acb3885387972401c8be49f6fa1ca325ae48a01be5fbce92315c14da1d7533208d8617549570

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
7de149fa993b3ea132ecd4f08fcd8a11

SHA1
0175e9c37afee64d95f699eb21d7c26b2d78ef32

SHA256
07aa7fc091b4265412a89b68a68992481db408eb799df502260a15db39565b8d

SHA512
d2fd2c4522221ca2ab2c7c7acd9472a6d143d1973de74c6178cd77fa73ab60a9ac57f10ff83f409c04a4bcec7fa6f24a70009dafd2405a2c7597d1cb39c3caaf

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
1.3MB

MD5
981a9df5c33db7e49995429a2b43fba0

SHA1
b67984ae7de61e12dc05db5ac8982176874b8c1b

SHA256
8e2c3009aae68079538715c60b77241095e848b271fc62509ded6ea1b701ec9b

SHA512
a13c9c3f2a31a34ba2c3ef1ce5279de7e2b43b6c4f83df68fec252dc13c5f48f8c04e5631c0a5246a907acd445fc087ccfc2554132f8b2e807f17ad5677bc431

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
7d256109d55bc51e4c265d2435425ffd

SHA1
40b3800b66ba699ede60f3baed9bad51223fd5a0

SHA256
f26eb0c682ea79634030ad61280884305db8af7e3419d2a0ec0421988591285e

SHA512
a7de0f6db42c83e7f27ebaf42c271ee119cc6f89049050cc562b163954deba0728e716b6a1a58cdecf2849259321364b08072cd6fc60b9687284a048ea4b4081

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
705KB

MD5
22778a51511379595c926224c5eabd17

SHA1
eeb1ad6e2fa02e0d6b9d18d5b4d91d8f7812d47a

SHA256
c369f616598e3e7d793c7c333c749b1d0c3cfd70a3a968795b55af7a73dfaa57

SHA512
9fb232c5c5f65a6775d438fb5b3e1c8dcd0de94252b9039de31f10a2727f2ed5cf55e6bb51ce0b227986f6415771a465ace149f0f98c0a8dd6b1d33ef2b60ea4

Download Submit
C:\Windows\System32\vds.exe
Filesize
128KB

MD5
e2411a558f2ae8b385fdb79a9860b8f7

SHA1
12f4773d1b82e99cc68881fabf89508e15c3e7d3

SHA256
33184e10e2ad5d5f1f8b90ba79ebc71a0e9665488a7ef213669dea0d6989f2b4

SHA512
2ecced0e576bb33be2eb4dadde8d6f99ecb88b92256fb13ba77a1869a08f7a9e2518ffd851b1d253ae1fd15c6bb8895f3b7c50d7d1ef8f0d402601c7e08dbd0d

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
c5e87edc778712a47e3e40d1ffe6bab8

SHA1
73c45878050a68f80eb5f3594ad9b4a698b27fe4

SHA256
f593b8de0c10c85a030ee0b4bfcc6c9889e4153ef409696a69226c53cdd32671

SHA512
60da9016a1d0a98bdd6e97ff3814d5e289858009efdb2b869e19b325551fee1324ce0db400c30531a0929270fbe02145bf51f0106411b567c7fa9ced8bf9a9d7

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
4a5cb8189a72546f36a7fc3713658a9b

SHA1
15eb546291c3c8dac0c8dc8bd7577cec33616219

SHA256
9503938b456ec34e37e0559c8b9ffca29bbc82d963ac45480218b77c4fa30ed4

SHA512
ff140b505be8dd85ad154b621f79ff6868b716703e6331e808e44119e2ffa3ab4412e810920ae1fd301850c80375bfa42915e4e9ee0ddf10d1bc509a0a708c60

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
063ac91e44b236abf5acebe872c68fbc

SHA1
78c831c23190fb92dfdf38ab8bc9fbdf5586da8e

SHA256
e227eab151714dc911cab7e33b59894520a06887b9eee932d574c32bde4dd4ce

SHA512
61ea13c0b1fa417175e6f3cc3b31f2a821a266a2b55341ca80fdd93fd229d9e30819259d780bf40c0a66b7d4d0ef4a29962ff3354a83cdcdfdafdaff2f1e8af7

Download Submit
\Windows\System32\ieetwcollector.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
46343b072d84fac2f385fb66d1475c2e

SHA1
812aa7f78a602db36c2a5d3f8db739e0a40b06d2

SHA256
a3f2e1f086d6f07e08db0ad0c05dc5b8d5407a0949269073badc1d7651a0a3ad

SHA512
e67ea9b1480186180b5d847500af77a0472ae41d868b5b2439a713cb34b04bd1871bb342f01d9543b3cba956c3543b0f356265e80298dcb94c91f58c38514ed4

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
e5961bad33eb051fc9e48513d34b5fd5

SHA1
e83fb0bb4fdd7e760e7aae8764506d2fd9dd29b1

SHA256
eb2560092ef45606ea4761d03215d2234d4421b58d45918c247a6a458bfcbc60

SHA512
efc98c8f30d6ac5be63f09f37663a3a4311bbb8965e565e3b63ba853983f81c057905c28cccd58ee425991c921d4ca884a2f5b0629988934caa5e75b548e0a3e

Download Submit
\Windows\System32\wbengine.exe
Filesize
128KB

MD5
523ed42d30c0042595fc3a41bc9a57bd

SHA1
cfccc1d099a093b2439938dddb2d24b230e9a51c

SHA256
a796f18eb5292e7b37e88092bb1f9b20655faa439a4f2ef359e984042a95c392

SHA512
6c6613d70e8069a24bddd2b53e624f57afe02bf67c44578dd31f7df680c45178aea2c977a8fe78d440944d47a6775105d17d5c7871e09cce203fd209db2f2ee6

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
b6c33841a1f006d58c4032de3d2914d7

SHA1
59f1ae0aac91be27b742d139001caee6074ba28a

SHA256
547fd8bef7c9cc26e29bd9a1bfb119bb0a9ea9d33ee4c185a3e09860defdbe2f

SHA512
3accc8c993d37b0983cc3bbbc9225fcd21c4e2c40094b0b5123e0797b12d20df65d9186988b223e264d88a227fa8b39569ba3862242b7c753d4ec1219aebb037

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
369daf134e7bce0cd056c755f92ec53d

SHA1
1ba3a15d86484adb7703205e4c0bb761271bacfd

SHA256
4118d4d777b7b515398ef7d7f46ace3127cf0882671065de2d0320400be6fcce

SHA512
0df86523e119d4984baf1e39dfc8c2d75a1b0c5b39a48b1d8ddef03cbf45bb7f1b63cc8c6486c12433fb8a0b79f834cca29ac3b82edc855784bd8c10b9573e86

Download Submit
memory/668-160-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/668-154-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/668-164-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/668-178-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/668-177-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1008-132-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1008-130-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1008-105-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1008-104-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1008-111-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1008-114-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1008-131-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1092-76-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1092-82-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1092-100-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1092-101-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1092-78-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1092-87-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-117-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1340-102-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-116-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-95-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1340-90-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1340-89-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1368-1-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1368-30-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1368-6-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1368-7-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1368-0-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1668-207-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-208-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1668-194-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-182-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1668-188-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1768-224-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1768-209-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-222-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-197-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1768-223-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1768-202-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1840-179-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-174-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1840-192-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-193-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1840-167-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-47-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2140-41-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-86-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-42-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2360-162-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2360-135-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2360-142-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2360-163-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2360-149-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-31-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2604-38-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2604-75-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2604-29-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2672-55-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2672-96-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2672-56-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2684-69-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2684-21-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2684-14-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2684-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2768-84-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2768-85-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-62-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2768-63-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2768-68-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2768-71-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-212-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2820-218-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/3008-147-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3008-125-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/3008-133-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-146-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3008-148-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download