e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d

Analysis

max time kernel
2s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
Size

1.8MB
MD5

cf2d505a9e16975de4b52ad0bd8d81d7
SHA1

94dc827ffa694102ba8ce648196fe2d6c962b128
SHA256

e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d
SHA512

e0503bcc109f315b58c28550cd587eff0895d84328aac0cd41a39703e71f60ba4c12c2716f638e6f882bc894dee0deea85889d6a11836c10ad1125bacfd54dec
SSDEEP

49152:ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAjCks7R9L58UqFJjskU:ovbjVkjjCAzJmC17DVqFJU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exe

pid	process
476
3060	alg.exe
2436	aspnet_state.exe
1988	mscorsvw.exe
2024	mscorsvw.exe
2784	mscorsvw.exe
2996	mscorsvw.exe
1884	ehRecvr.exe
592	ehsched.exe
2260	elevation_service.exe

Loads dropped DLL 4 IoCs

Processes:

pid process

476
476
476
476

Drops file in System32 directory 4 IoCs

Processes:

e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a66f35f6323b6587.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe

Drops file in Program Files directory 64 IoCs

Processes:

e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\GoogleCrashHandler.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_en.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_is.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_lv.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_hi.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_it.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\GoogleUpdate.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ar.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_da.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_es-419.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_bg.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_sw.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ta.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_pt-BR.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ro.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\psuser_64.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_et.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_iw.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_kn.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_de.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_gu.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_lt.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_hu.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_th.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_uk.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\psmachine_64.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\GoogleCrashHandler64.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_en-GB.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_fil.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT8B9.tmp	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\psuser.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ru.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_hr.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_sl.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_fr.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_pl.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_sk.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_pt-PT.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_vi.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\GoogleUpdateSetup.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ca.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_es.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_id.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_no.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ur.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\GoogleUpdateBroker.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_am.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_bn.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_nl.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdate.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_mr.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_te.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_zh-CN.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ko.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_ms.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_sr.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_tr.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\GoogleUpdateComRegisterShell64.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_cs.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_el.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_fa.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\GoogleUpdateCore.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_fi.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8B8.tmp\goopdateres_zh-TW.dll	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe

Drops file in Windows directory 20 IoCs

Processes:

e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

ehRecvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exemscorsvw.exemscorsvw.exeEhTray.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2156	e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: 33	408	EhTray.exe
Token: SeIncBasePriorityPrivilege	408	EhTray.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe
"C:\Users\Admin\AppData\Local\Temp\e1936db922d8bebac36c3c1a1f2872379327ce48c0c5ca4c07f503077aa1f03d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1988

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 1a8 -Comment "NGen Worker Process"
2⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:2672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1884

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:592

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:992

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:1428

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2136

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2652

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2016

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2268

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.2MB

MD5
9fd7b20ebc53cc92d425485c1b35060c

SHA1
38c0473c9866abf4e7b984b8b35af37f21dfda33

SHA256
369f97b4cfb6c2147ffc7c24ef447f4f6edf053129e0cd28a415cc9c184c8264

SHA512
196028f2d92a20b34c71a90a6292077947df8b5177167e357b92805cb0b6e08e78844394c2d504a8a11b9b96bcdf773dcddd4396c8ae719ac3d0ba84822c382b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
7bc0c206459f04d065de33cee31de2e0

SHA1
13cb76a2e1fa132a0734f4baf3146dc24559fa31

SHA256
5bf4b655814b66ef8baf50679e79a8af2f3fff7446cf00566f8d9f1e56012d39

SHA512
b33251a1d819598d23ea740ac16a6f582fffcdd43598b4684481a46553924af4186341f64b78f20fe0a7af39987f31b40517d77668bf29771641311d90c54c7a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
7bbfe136f7bbf020811b5d92c18c68d6

SHA1
594c60fcbefddb95f50ece8a153393847eb0407a

SHA256
3a76ae004f7325507a2b18b3615b3effb9a7096748b4306bfc68782c42e8aac4

SHA512
ace4a8324b6d233e1ce5ab46139d2599e020820ffaee46271602931f4e5b20aba38f8ce2c0dca2dcc0a157439290e4b42e54dacd52cf7259bbdf5e3828675799

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
7df1c2ed2354a3851f37b36adc861155

SHA1
8f8bd48c98282cffcfba31d7f4b6f9d4dbc60777

SHA256
8be842a56626e4e74c909579cd67bc0f09aa27a0cde8f2b9b3074f233b083251

SHA512
643650dabbfd944ceeccc593dd285a9f41a25d1f821e6ed0cdbe9c8a63bae60909750209f8bbc6d2d860cc0c2b279ecf9b32368d1e086bad6dab30e1ed69817a

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
ccc360c6d62ba18706fdb74858c88457

SHA1
6d196650e0f9daf06002ab4667cef4abd4f39aef

SHA256
50528ab01ce4cbbdb851169404b46a568af5d1c5edb2e33bc8826f3502fc320b

SHA512
238ef2d835d9d496ec6524b4f937069059c524c9faa34244199d252d2a8f5f25df306fc40a5a1365aea41cda97bc77fcc4845fe8376c715af9c6a58f9d968c71

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.2MB

MD5
07ec870a1683b7985000f1a10dab7f62

SHA1
7c00c492a0a63ca9f689bac6a21c18ca24f60d97

SHA256
260b577b404b78a67d60d4bf07ef18c7a796f3aa6e5b3d2886548ff72d8e5a50

SHA512
519fe10c7eea704017d9fb392851404524a7a72718319955c13264d24a3ab06eafc28a49ee3c98d55b4a274b615be60eed6e5dab71665d08abfda89f65d4c992

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
f0fab5b7d3603953daaa751bb1eff2ba

SHA1
18aacce55feadf3de111fc21d646b2bc5cd90966

SHA256
b3c59edaf8bb0becbe7952c72679ebc09aa631cfffa40d918c00441f0bc48893

SHA512
a1cd707059380b2983442c8e52c8f58d558ae7fd904e9fbd12785a692e0a34ec80307267fff0ae49d59fa85ca8b003ce0311946876fb44f61cc1e1d9e3395dae

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
896KB

MD5
f7d9590d241836765448234fcc4778e2

SHA1
4f9a69c356c61bafdecfda7d288c037335e74bda

SHA256
09f4d408814a313636dbf2ae3c47023fafa1800cd56f5e9fca2b42b0040d4ed4

SHA512
81ee83cf1db1f48ddd526877a78062ed1c3aa8062680d6f0e82ed6d49b9202962949d1c1cdd1214db1661418cfe4a5b662e1248fa10f009a6cd4b2236db6386e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
ffe6aa3d3daf71fcbdb32a4dc1a3e9fa

SHA1
b8862acfb0ff7a5e2849e6ed252ba559e7599032

SHA256
2d39240db71b37e165e2c8f9fb1c5ed48eca87d7992198459ce8b4e6f56240bc

SHA512
528c16fbff4dece5531cfe2f69808fa67f0af97ba8b70d502bd9add7426016d6bc63fb658a793d4b8b81249a3f8b2ab0ac15b74173f71987f9a1fe130d3df08a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
768KB

MD5
4cdec2cefb8741b9954b320e01ae3c40

SHA1
3dfffc34849d07122f16965185717cee725c55a7

SHA256
c19c993190b8100a50349d0c5c5e0a72bb65bbfed4ee474bdecc7e18e1276550

SHA512
6054bd2701ea835ff013232fd53d465bd938b4258c92f02c2ad357008fd1e6560c3616ac69ef098001d5726c36b36aeee26f4b91f378c3e009600e4038eefbe8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
960KB

MD5
9aded2004015e1b38db8f814edb2c2e7

SHA1
f66013bf7d98327437beec3f6156af1a3bda844c

SHA256
732249795a6d014cdbc42f348a35abd3ef0402786ef1bde456fa801e690beed5

SHA512
5223259f4a7023e880d0983412f114c7396231c272b632d180768dc70b30390f4b59e4fd9651c6090ae8f98f1f85978a9777de0c6bd2b92041c0e31eb048edcc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.0MB

MD5
9cb50abfd1650196af8739b348b4a18c

SHA1
5a5426d039a13ac34a0564b57d8769f5b101fada

SHA256
878d8be028d3f14ced1276f20d82a9a222433bff09ac238ba573f7a1be0f30f4

SHA512
9e59ef350d6fe72c25889ef26a9df18e79e36067fd2f6a0bab650711d8655b165bc39f11624b6dae2be0f9f68527e7bad7766eea023951c3c8516d7b10c9720f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
960KB

MD5
0b0009d0d0eb75dd138ff7bbcc005af1

SHA1
1813bc56117b28ff3954b59b1fc1e07f79835bdc

SHA256
49397faa629325dcbf8355f52c91693450ea424df4252bea29c6e09c7f50add7

SHA512
bb915f080601dab1b69626efcf877102bfeeab47435fbebdf137aaf69f3eaddc511daa348ecbcb1f864ee26324adc3485898a6b0ebb6abf50af1cdcbd72addd3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
832KB

MD5
8b51de590f12c3e541c815a2dab5015d

SHA1
342aed9f1c4a074423e3206b94fd2442a5a3e070

SHA256
0250e7f4d1e7f2bfbafdb0ca5cef08e0c660fcde05ddd17dd2e121c5812b902a

SHA512
d8583dff18095256259ab774dbda87b8c13864a3bd3888570635c534bff31c3e1d74ecd630e58f9e171acf4f465b8291853ecb94e1a76cc2229349cc3938f95e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fe042dff933f6a1d902ce2920b9a0b34

SHA1
006c8ca99306c27478a667f6ce480c6db3910f14

SHA256
ea0f9376f37efd542d0147ef0835df97c574dd5bd454ee741bc35aa3fdf823c9

SHA512
d27eb335d123b1f84f05fb4bef5de7dc42026eefa0a474be90ed798bbafd4a8bbf127b358d1ff9dfa1457c61cdcc6909ac3ba21a63608ba08b604118c2f42ca6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.3MB

MD5
eabdc97c3bc5d8cf8135c793d0a52971

SHA1
8b9fb17676319e09eb56ea4297be5ea7ff7a025b

SHA256
ef8e5d86dd0e81a15e5edfe7e056ec7652e0da2dd63a6e092114b149d3c3feaf

SHA512
d911497a879f050d9255205833fa55ddcbe59d37dccc48cc6ab8a5adbcf7acd6038e43abdf087381b17828b2fea167e39b6260f965aac1de8e6a6dccdf942ac3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1024KB

MD5
2a72089d1d172c7bb11a69644d0e2521

SHA1
0bb8ff386ec13fd3935217fe71decc25bc2283a8

SHA256
c32d2cc9999d9e8bc00faefaa0fec8208260fcd9029647a313f9a8e5370f8e4e

SHA512
af912400c1e2ab67dd8a0924b47fefe2d55d58a16670e4245d2d302687477906e9b2ba287a7f6d9c4754b65536783b20963b43c300cbe8d89115f8b0f17cf93a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.4MB

MD5
b0c1217d9f1a6d61cccca8065177d8ec

SHA1
1b0c065123eb82fbb7778dcf8dd4366b90764bde

SHA256
2796a0c0e232a7372c53db3cab1eaeef7b427de578a19dd062623cb3e79b0ab4

SHA512
712b79f62c6ae4dfdb4e2aa3293cd37fcfeb815ef95d5482f50ce9d6c9ac563f12c711e5f7f664aba5754e23ab29a018805c19e17e839507cbff3c7fec7e40ec

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.4MB

MD5
6090f7c97a54dfbfb2ab0a709ec02b66

SHA1
8e7c59ccf10a9c4227fd9e039b70f4ec6907e8bb

SHA256
233f768fa05bc3f833b21ba9df0024f6c22f7549d3e888555f8866d7750c484b

SHA512
977fb768b76ddd22eaa59eb2c5c0a379af4400ebdea085308191d970c1e86521ae97a5a5ac9c70c572ec6d44ac515b6ab9b5ed16e294492b88e891ec026cc926

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.4MB

MD5
bfe5361b11e6ca49a686b67a952d171b

SHA1
dbae76787e86d6ad507beb45bdf82f80d564da21

SHA256
5b068b961a906c65053aff5a7022f990ab071ef233900f0986d40c005b176b49

SHA512
f3c46e5b4dbb5f00c8bd815c9a2d1c6f7805d60e97dc8a03942409f9f55d82a52d38bcdad12e175a3fa68f2b989eeef9642067001f48c12f785704fdca6fef73

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
576KB

MD5
62f843e364734ba0b86f2cd2b9dc97f1

SHA1
df19e85168a2d794f55b97571613c34443f82218

SHA256
c8013cc928b355b91048f6fe967a7aaaa3609dd27729bd739efa99f5ead304dd

SHA512
96ccc3e9ff9f308113a02cc16b820dc38ccb1e40046861ec1a035e2969752f90e10f5a95774cc55a50fd9b966b3a536bab008a7fe331c9c5f58843f9510fe244

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.3MB

MD5
f68ad4411cfc299c9ca7a1b8dccfee98

SHA1
04e720f510687ae92d784d01b7de99c2f954d3fb

SHA256
0d12de41e3705f97d090d93a3c0d336433f94f77efbc72c01afd7f27850d54fb

SHA512
6096216db0856f6f4d40f1f963f99dbd1e221cdec0727578ed78d44423b232f74a1e29b1ca435d75fbabcc936417a39a7f95f87d6b96afbb4cc80c826bb976c2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
640KB

MD5
08a28d4bcc2b92fb87d21ee4409d7c64

SHA1
03faaec36493604eb5bf36c0021e70927d026e41

SHA256
cf2784b4d1aa99fec05de0573d03ae17ee673ec7b11b8b2008c7791966906bea

SHA512
17435e00250c96aa964e5cb25170fe555049211f7f468c63ad2b776fc4ad6510a847a9386cb26e0026e0f86dcde6c3649349e186d9f1aef2d28b3c80cc073e78

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
640KB

MD5
9b9edee59f7f7781ae29799b45318a62

SHA1
7ff2e6da28e39c9ee3371051b6ecfeb804b34e83

SHA256
e110ac689e7ceca1c544201b5a17ba9358cd42d12aecceee8cdf81945d93d1c1

SHA512
230a23ea0fad9f6f26761955bb38ad83925824267cbac382931d6790fe0081a83fb76e3ae6193001ff0770138913a32b787477b4f85641ea4c444db0ea2317d3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
512KB

MD5
8a82386fa1076a537682ec5c19cec872

SHA1
1a33c19bcf19d4b54ee64ccd79f2bbfd3df78ac4

SHA256
87a23cff3f1d2759a6b297f7d2c8f52e886a9b8e2b5738d86481f51f27d3ad05

SHA512
90ce43cc194a85ac0a44771b64d9a8c5454d2b3b642eff41394fcaa1a5b28d4ddf108713f2aa969a0b2a16dc4466900f759049fe7ec657fc9554ec2c880c0892

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b54f02f25a48edd236b18058568e856e

SHA1
2e582545f6f7105037cb8a4faabb4d22003039ce

SHA256
b982b55264f2c0138597794cb8eec41105e6eb8a29ee23754ae9e741d55e6455

SHA512
5b75116be579e8444881f8dee8491137cc1388659b072c8a110cea99d84b5544691bbd3214b1fb0a7956c0f071814cfb6c257f82941604b450e0240629422fb3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
d18e5735b4d596f2d2dca716ba575d98

SHA1
7dc50fb14b85aee99ad738b2a0887006c8d812b0

SHA256
8a8d2604ea23618fa54122c34ccde3726b27970fe951c646730522ae1124af7c

SHA512
641027303f30746d6f8b04785a5c8c1f9ca366fd2751bd7510b0b4c28aefac52263a631700debc8965c9ef0e850215bc121d76dff72f794dce4fcabdedecd953

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
6f0f5f065987d8a522c936ea6e0ff765

SHA1
fd6331da2b9b4d0e9d2c3f8c5e5671cdb1880675

SHA256
a51a4bc0b5afbeb7be8fdc453e4d3ba3d1a98837087480b524595ced3cd08d6e

SHA512
bf09729b0bee87dc927386ab8c10ef353a22b0ad63835372ec1050d75c9e69eb1c8c4cbb4f55f5171183e5114b435b51adcade76d991dd360ea6ea319ed4e9d9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
876956c5778c2bcd78d6cf2aaf5b3f1f

SHA1
9adc073695c9ebc963a52e67c4828972ce748d80

SHA256
06b5b8a8eaae14ba17b838dcf41698ef1bbf9f0df9effcd621e86b88bb2bbfb4

SHA512
4849e44a152a5633ea0b9a5e024e61d31d6240e9bd6d2abf8f275eea9d9b90f3852a1dcf537305be6470b6a1c3058b947b3727614672b0bf1e1fbc8a2fc8bd19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
13b98a5cfeecd6a7ca10a61167697d5f

SHA1
dbfca3b9f6f5720656c2660852cc9587b2308677

SHA256
a5d8a000a1087536680ac688ac51fb2942355893006a79e504dd5d41e1d85952

SHA512
1ff381e75ec63db7eedcea495db8a42deaa4be287f5846c6ba3f90c8debc1c67e7d60722e38f6a45e92aa6d68226201bfa3dc7dfb6eaeea7539e1baa8822e6ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
b8c839b037c3c9c46e963f51c9776449

SHA1
d3d1cad69f60df8f574a27820d7900a5359dfe7e

SHA256
e24bbe381791e2df8da5494b2e8245253e21a8478b58a2fb3a07a05e97c802a5

SHA512
621c1d5d4921f5f7469157d006ca918817db81a4d5656463f1c24680702b217a5814300c99cd74ec52cd2afaefd65a6b35bd41c3b9dc8d0e638ba8eadbc950d8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7e11faabc5d7aa2cce8945230f11307b

SHA1
fe6ae53aae076898cb52181dba389b9a146a981c

SHA256
3fb5c3d9d2eecb8bce5fc6f8362879800ae68b725b56f9e54bc7b3cbdcdf6aa9

SHA512
662a743144b83a10860ddcdfe404e5c4ce42d823a654628f5b816710640495b0739251c3d9946df89d9529c7001a46558ecd0391daf04779e1811e893a1b93f4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
be29e2ed224177e32b7aeeee3a92ee2e

SHA1
a6370900d6fc0ce81c8ad65152ce90f87121cd59

SHA256
1a6981da2042c4ef0723e995ae1d86773ac57ee5d8cb3ee9106acef52b97a5f9

SHA512
873e416637f4e1df0774a757342fae8c349e74a261c885741e8142798d3824589c26b214cd8d69cf3ca9b4411eafe511123c57ffa331a81ac07e232ef7c55204

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
768KB

MD5
1c6e5665da0c195bdc16950ad5fb3b6f

SHA1
6c49ea4380ee3b0f9e6f49263628a482434d0a95

SHA256
5b9919bca769abaeb83dc4b279443c3cf9e24c979cc6a7c6d0344a7baf83769b

SHA512
c6e08aad6351a9418919bab12e5a551a168d7a8c1c308d2a593442374c72ebc31fd5cf97861508ae63b6ce26793c0941a08cc01861985c1667eaff6ca5d78209

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
08c36b3b54c33dc699a6ffc4aa29abc1

SHA1
c5b781b6953f1814ba1a3b8dc5cf97a69c582fb5

SHA256
838a85d2aec45bcb6a344551b08e82020e527466808821fade46496e59c7ca14

SHA512
610570be2b53617de75b7226edac5774d5c14ea501a269fba946862f2ca49d558e1d3f9e0fafe68766899444c0931e7996c4febaabe2c8fc69bc337c284eae84

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d572569d08ec840dac0684dbe330d4e0

SHA1
361270cf06606cf49956b0f7515ccc39a9a26b4a

SHA256
a82ed6f037a9be3d1ecc38c38c87fb18a57fd69d92d3e4772a69f439dbfb3a06

SHA512
3addce431d5c0261a71cb6464897bb2ba6860c834290734aa666aca3b1053d7cdc97e40042052f33ae5728c107f9245f0430b4a852be448467feffe56f246bc1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
2606aec8c4a7812779e09e198bfe2223

SHA1
3b54b4c11a3fd8ac3370bc33f10a6b5df95a5fae

SHA256
9c0e9dc96825d12f7b1266bdca18ddef362e45fa57161d8947413a6609b79862

SHA512
cabc6cdb3b0f0af185488dc2257affa9fb2465c013a0f5a8e171701f90dd8fb30c048bb42af8a01bc881c9d7d41464f593b314df7f8ba0b05cba43632520fb1d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
0302a14307e466f1fcc18ca72f06a3b7

SHA1
c5d17941c1b97ec325eab404227f5f65ffc1c610

SHA256
6bf32d5a81ad1bbe0b8bb3e13e0c3420d2e14d5fbcd8aca6b70ca1cd3729ee1f

SHA512
cc7432db7d87a1336182eadf6f3854f3d9ee62e712528804b88ce4bdd8d933093c6f2dce340ef2a2b82df3ac69fd6126e0077a91fba621922749244a25e1ffa3

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
671b7d8a1a5fed02677b03e88d27e427

SHA1
75755963abc026b1d26c5196f2c645bf690a90c1

SHA256
0545e561bba0a574aee7e24c5ae19e2ca2a789eab3ffbe64fefc0cf8b9c8cce7

SHA512
e059b30d0d9e0713750840608a33b1079a8d77b9eb9b003fc117f84d7a069ad8e2d4e2a879f8c5e1f94f7d50fce605ef48595909f0b23a8948b2132f77bb84a3

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
976281d0b77637dc1c9dbe1874e63cea

SHA1
ee5d6517cc466bc7fb261e5d16804fcdd145e4f9

SHA256
fb6ed9388e7963d2ec15737153b51ef1fa068fc1f26aa07d7e82dbf771bf8b72

SHA512
c8b9def21cbffd80489d3d9c9527badef5c27187c1727c8402051af337b2fda196b81471b1fc2f8f15150c1b7a8f26ee0dc8d0d9a297da9843078b634c631efb

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
69dea63a4903975484bbb4f4e42419c1

SHA1
fe2f7915169c6dff1a3324387b67afa8d3ab42ab

SHA256
41fee0ce8606f93b45bb11a8271692c3da89d8107206f2304ecc69a1bb051be2

SHA512
0620762074ea7421dcc20fefd6b59b12f6d609ed2ed211caba4f13e16ac32ef69911da27e5448a21bae025bcf4c150b58a91118fd7d7c3611080108eaae86993

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
29fb82e3ae68394e12dde76a1eaecc1b

SHA1
e2afccc72a5f6272c8578889e07e4fa087c49548

SHA256
ba23fc73bf464ba8776f33b29fbf1fc427e1e0331b1f3c62f394ba7f5e7ce230

SHA512
0cb1e632cef772d760989008df7323f6d787870a10c95a7e4f53e9879d0710000a6125e792269c591db94e189e6f6fc70cd4701dfebe1ae46c0a7a33aedc4d07

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
eb41c78227dcbd2af46baa889d3d216a

SHA1
c6398cd07b84d307ff0875cfe16e4e1f6f620b05

SHA256
e8c74ea7e1577163cf847ab0a2653a23a7aeeec471d40c38cf1261b97d248a39

SHA512
101c2202bac26bad0f64ceeffdfd6c9ab139a6eca3755b810700ad946d73b869cfb5fa53d61b31a9d5eac645d3cb3a4db9267d636f43c6ebc5cf971fb8d47201

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
7c2efa3cb181e4953d0b8d851f858669

SHA1
1767eb8fb14f0e4acfcfd6702119ffec2d392309

SHA256
4d041d89d9425098672510dc5ca1f0f926cb8eac495ff166956b0836f1abaf2e

SHA512
368825511c6bb470dff06e5e32cc7ca04e3c1b28bbd0d59d597df27870674fb60c01ce211010493d121200ca6bb342ac1eda7be69af36ee8e135c3ffa52c0888

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a11eefc5d501bfcb0d2b66d9cf03fdb0

SHA1
c7b134a967faef219516cda09c363d89b1baf9f8

SHA256
492dc8cce4f60a8a12e2e3baa83a5178b177120f5a0b171c48b0b16472a96834

SHA512
4630db9368857930bdbfad4389aeb32b09a3bfbadcf6512c240b62410a828aeee126d4276373d049a75afda86a1e8f68b24156aba3ef642501ab040d6d403a3e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c15d81eff77477474ae783b826a0e755

SHA1
b695916a8ea3461e2669617007f7637b3f2f3b55

SHA256
c1967d5fb4fd880d78ac1b707054b18930822bb20d8b67ec4467e404d88cb5eb

SHA512
9e0349e31781c9867cef3b23792da10f32eceb459e07e196d85caf654ef14a756aba9d1c9f4278c82ba05de6d838b2896240c1e619924a6d5524a47c74faa2a4

Download Submit
\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
ce6819fc13b45054da9b1d72404fd59e

SHA1
6e70bc81a83e1041c735b1b80058c0b1a7714d13

SHA256
996bdafe48468e2a6407056b967c42003439bfd64a5bf08e882ad34eb05a4ea7

SHA512
a0c3d628e5fbc106e4f5d1bea109e24cb1bebdf4e3c5dc24ffcc0783e7bd4135c25307f64c5568f600bd71451aade6c894ec87f7aa62e3454ef35b3125d5dfe5

Download Submit
memory/592-181-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/592-180-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/592-173-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/592-246-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/968-326-0x0000000074808000-0x000000007481D000-memory.dmp

Filesize
84KB

Download
memory/968-315-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/968-302-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/968-310-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/992-280-0x000007FEF4D40000-0x000007FEF56DD000-memory.dmp

Filesize
9.6MB

Download
memory/992-278-0x0000000000D20000-0x0000000000DA0000-memory.dmp

Filesize
512KB

Download
memory/992-317-0x0000000000D20000-0x0000000000DA0000-memory.dmp

Filesize
512KB

Download
memory/992-212-0x0000000000D20000-0x0000000000DA0000-memory.dmp

Filesize
512KB

Download
memory/992-274-0x000007FEF4D40000-0x000007FEF56DD000-memory.dmp

Filesize
9.6MB

Download
memory/992-250-0x0000000000D20000-0x0000000000DA0000-memory.dmp

Filesize
512KB

Download
memory/992-211-0x000007FEF4D40000-0x000007FEF56DD000-memory.dmp

Filesize
9.6MB

Download
memory/992-213-0x000007FEF4D40000-0x000007FEF56DD000-memory.dmp

Filesize
9.6MB

Download
memory/1428-218-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1428-214-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1456-237-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1456-239-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/1456-261-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1456-262-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/1616-424-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1884-159-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1884-187-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1884-185-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1884-225-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1884-184-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1884-167-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1884-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1884-255-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1988-103-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/1988-98-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/1988-114-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1988-97-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2016-296-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2016-297-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2016-415-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2024-152-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2024-117-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2136-292-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2136-223-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2136-226-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2156-1-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2156-409-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-7-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2156-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-6-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2260-189-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2260-196-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2260-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2260-268-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2268-332-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2268-412-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2436-174-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2436-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2608-248-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2608-312-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2608-256-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/2652-325-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2652-270-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2652-272-0x0000000000610000-0x00000000007A2000-memory.dmp

Filesize
1.6MB

Download
memory/2652-330-0x0000000000610000-0x00000000007A2000-memory.dmp

Filesize
1.6MB

Download
memory/2652-281-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2696-427-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2768-322-0x0000000000210000-0x0000000000277000-memory.dmp

Filesize
412KB

Download
memory/2768-320-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2784-130-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2784-124-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2784-123-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2784-197-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2996-149-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2996-215-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2996-142-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2996-144-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-158-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/3060-80-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/3060-23-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/3060-13-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download