70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 01:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
Size

1.8MB
MD5

395d938d8842b0bc4b46f02b0c53d4f0
SHA1

934090de9fb2dda42d153e471ea3847adae5c51a
SHA256

70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64
SHA512

61ac8f26370a71edac46591d7a9f4190b33db4e486630977d178acf7283a72d41d893b93674e842447399a4b5d989c55fba024c38639d156c371af73e62080e0
SSDEEP

49152:hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAVBaB0zj0yjoB2:hvbjVkjjCAzJPB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
468	Process not Found
2800	alg.exe
1012	aspnet_state.exe
2756	mscorsvw.exe
2956	mscorsvw.exe
1640	mscorsvw.exe
1688	mscorsvw.exe
2484	ehRecvr.exe
2068	ehsched.exe
2384	mscorsvw.exe
2768	mscorsvw.exe
2764	mscorsvw.exe
2628	mscorsvw.exe
2756	mscorsvw.exe
748	mscorsvw.exe
1168	mscorsvw.exe
2268	mscorsvw.exe
2292	mscorsvw.exe
1768	mscorsvw.exe
2728	mscorsvw.exe
1716	mscorsvw.exe
3048	mscorsvw.exe
2408	mscorsvw.exe
2888	mscorsvw.exe
1876	mscorsvw.exe
600	mscorsvw.exe
2308	mscorsvw.exe
2440	mscorsvw.exe
2632	mscorsvw.exe
2676	mscorsvw.exe
2584	dllhost.exe
2420	elevation_service.exe
2988	mscorsvw.exe
2884	mscorsvw.exe
2896	mscorsvw.exe
2068	GROOVE.EXE
1844	maintenanceservice.exe
608	OSE.EXE
1720	OSPPSVC.EXE
2580	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a85e42763db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_th.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\psuser_64.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_cs.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdate.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_iw.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_ja.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_lv.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_zh-CN.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_es.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\GoogleCrashHandler64.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_en-GB.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_hi.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_lt.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\GoogleUpdateComRegisterShell64.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_ta.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_te.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_am.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_kn.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_mr.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_uk.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_it.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6651.tmp\goopdateres_el.dll	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6654DDDF-A0CE-4000-96B4-287221E39D5C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6654DDDF-A0CE-4000-96B4-287221E39D5C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1316	ehRec.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2760	70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: 33	2448	EhTray.exe
Token: SeIncBasePriorityPrivilege	2448	EhTray.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeDebugPrivilege	1316	ehRec.exe
Token: 33	2448	EhTray.exe
Token: SeIncBasePriorityPrivilege	2448	EhTray.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeDebugPrivilege	2800	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2448	EhTray.exe
2448	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2448	EhTray.exe
2448	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2384	1640	mscorsvw.exe	38
PID 1640 wrote to memory of 2384	1640	mscorsvw.exe	38
PID 1640 wrote to memory of 2384	1640	mscorsvw.exe	38
PID 1640 wrote to memory of 2384	1640	mscorsvw.exe	38
PID 1640 wrote to memory of 2768	1640	mscorsvw.exe	39
PID 1640 wrote to memory of 2768	1640	mscorsvw.exe	39
PID 1640 wrote to memory of 2768	1640	mscorsvw.exe	39
PID 1640 wrote to memory of 2768	1640	mscorsvw.exe	39
PID 1640 wrote to memory of 2764	1640	mscorsvw.exe	40
PID 1640 wrote to memory of 2764	1640	mscorsvw.exe	40
PID 1640 wrote to memory of 2764	1640	mscorsvw.exe	40
PID 1640 wrote to memory of 2764	1640	mscorsvw.exe	40
PID 1640 wrote to memory of 2628	1640	mscorsvw.exe	41
PID 1640 wrote to memory of 2628	1640	mscorsvw.exe	41
PID 1640 wrote to memory of 2628	1640	mscorsvw.exe	41
PID 1640 wrote to memory of 2628	1640	mscorsvw.exe	41
PID 1640 wrote to memory of 2756	1640	mscorsvw.exe	42
PID 1640 wrote to memory of 2756	1640	mscorsvw.exe	42
PID 1640 wrote to memory of 2756	1640	mscorsvw.exe	42
PID 1640 wrote to memory of 2756	1640	mscorsvw.exe	42
PID 1640 wrote to memory of 748	1640	mscorsvw.exe	45
PID 1640 wrote to memory of 748	1640	mscorsvw.exe	45
PID 1640 wrote to memory of 748	1640	mscorsvw.exe	45
PID 1640 wrote to memory of 748	1640	mscorsvw.exe	45
PID 1640 wrote to memory of 1168	1640	mscorsvw.exe	46
PID 1640 wrote to memory of 1168	1640	mscorsvw.exe	46
PID 1640 wrote to memory of 1168	1640	mscorsvw.exe	46
PID 1640 wrote to memory of 1168	1640	mscorsvw.exe	46
PID 1640 wrote to memory of 2268	1640	mscorsvw.exe	47
PID 1640 wrote to memory of 2268	1640	mscorsvw.exe	47
PID 1640 wrote to memory of 2268	1640	mscorsvw.exe	47
PID 1640 wrote to memory of 2268	1640	mscorsvw.exe	47
PID 1640 wrote to memory of 2292	1640	mscorsvw.exe	48
PID 1640 wrote to memory of 2292	1640	mscorsvw.exe	48
PID 1640 wrote to memory of 2292	1640	mscorsvw.exe	48
PID 1640 wrote to memory of 2292	1640	mscorsvw.exe	48
PID 1640 wrote to memory of 1768	1640	mscorsvw.exe	49
PID 1640 wrote to memory of 1768	1640	mscorsvw.exe	49
PID 1640 wrote to memory of 1768	1640	mscorsvw.exe	49
PID 1640 wrote to memory of 1768	1640	mscorsvw.exe	49
PID 1640 wrote to memory of 2728	1640	mscorsvw.exe	50
PID 1640 wrote to memory of 2728	1640	mscorsvw.exe	50
PID 1640 wrote to memory of 2728	1640	mscorsvw.exe	50
PID 1640 wrote to memory of 2728	1640	mscorsvw.exe	50
PID 1640 wrote to memory of 1716	1640	mscorsvw.exe	51
PID 1640 wrote to memory of 1716	1640	mscorsvw.exe	51
PID 1640 wrote to memory of 1716	1640	mscorsvw.exe	51
PID 1640 wrote to memory of 1716	1640	mscorsvw.exe	51
PID 1640 wrote to memory of 3048	1640	mscorsvw.exe	52
PID 1640 wrote to memory of 3048	1640	mscorsvw.exe	52
PID 1640 wrote to memory of 3048	1640	mscorsvw.exe	52
PID 1640 wrote to memory of 3048	1640	mscorsvw.exe	52
PID 1640 wrote to memory of 2408	1640	mscorsvw.exe	53
PID 1640 wrote to memory of 2408	1640	mscorsvw.exe	53
PID 1640 wrote to memory of 2408	1640	mscorsvw.exe	53
PID 1640 wrote to memory of 2408	1640	mscorsvw.exe	53
PID 1640 wrote to memory of 2888	1640	mscorsvw.exe	54
PID 1640 wrote to memory of 2888	1640	mscorsvw.exe	54
PID 1640 wrote to memory of 2888	1640	mscorsvw.exe	54
PID 1640 wrote to memory of 2888	1640	mscorsvw.exe	54
PID 1640 wrote to memory of 1876	1640	mscorsvw.exe	55
PID 1640 wrote to memory of 1876	1640	mscorsvw.exe	55
PID 1640 wrote to memory of 1876	1640	mscorsvw.exe	55
PID 1640 wrote to memory of 1876	1640	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe
"C:\Users\Admin\AppData\Local\Temp\70f6c34760ede381b3e910d2a73aabe890f27f01208c6af4533838db66d4af64.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2756

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 264 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 258 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 264 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 260 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 270 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 254 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 288 -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 260 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a0 -NGENProcess 254 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 188 -NGENProcess 1b4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 298 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2ac -NGENProcess 298 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ac -NGENProcess 2b8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a0 -NGENProcess 2c8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 154 -NGENProcess 160 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 154 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2484

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2448

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2420

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1844

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:608

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
4778d50dc7dbe1dbb335c4e8cc22c9de

SHA1
fb4892630f0374a1ccfbb48723d53feca8c4e279

SHA256
5d2f8721b5513181fc8d2931adfe39352a57f7a5bbdcb1a48726f3bdaedc3d70

SHA512
3b96881f507e40fa778815ecf64dea3464fe184f0d8704c85704c6d93ee90acde1206e361044ac52883cd89c72090d59bb2f13604ada7c36b1afd67ea70ee115

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
10.0MB

MD5
5368546fb814899b164036bba83f6fca

SHA1
58aadf6de258d9489af279611a1426595b631f31

SHA256
b7740a0425978f4cd0ed62f63a986f580cf8db94b0f27a6080dec621ccb7f773

SHA512
2c58bf5437731db19d890a2934f07c26080509a1c2de7eb6507025c17e04b913b469fe7381f82521fecf7756b6090743749eb138a755f5a33e70e889065d2269

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
704KB

MD5
7cde792eeea2668c6b7608b1d7b18980

SHA1
0ffbfd97451df6a10b9d81fd21f1d8b7e95546b9

SHA256
d874d12a8b6dcbb990c1b14e9aaeb2c26de8ec96635246ec94880180e21fd7c0

SHA512
ca7af3d194e2ab651e5a76d23030acb3aa4ece7f0e4adfe67318bd5dd8bb9a278468af279ee2e6f46ff4b1f8c3d0863822d4f1ca77665c5ca862e7a3320471e8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.4MB

MD5
ae46151f6bee6eab62d5c2aae2431c4e

SHA1
394a268db9dc0ad2341f34d61300182e6b1cdd68

SHA256
8295494646aeaaf409c6b5f4892f0d0a43894e8122e0b612c904f0ab7e0f0dc2

SHA512
de6b83b5757a2e76030a23d51bafbb2718d06632174c11d4444e440f463f8687b4d8a9cd0e035eea56ae3b51a9e6cc82a7536ebcbfa69e25ae37cec9cef34f92

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
447KB

MD5
08d9db83c2981e8a3ef7ba2a66683bd0

SHA1
0bdb80adda7a34e512713f27e65a52a3f6096b7c

SHA256
dfd46306af6da031bdf9e25fdeba83238f96991a681b0cc43ad0e6dbc915296f

SHA512
3cc7b9463eee889255a7f043128e7d566f187ea5b20573ac8c185f7ceab4645e99a7ce306cbd152a3959ceb039be30d83b609c773d178e40bcec8e529aa3a82a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b7dfe116a84ed7226579c2d57195f976

SHA1
7c2eb663f70ac3cc22b125f7e487bcd33dbbd2a4

SHA256
a659b04dc48c0c7c4cf97105f7a7ee2d9cfa11e62328fa05ecbe9d7694aea314

SHA512
c210d5fd4dfbe5e55b2db4a49819a0a3ec3ada767a5a807ccc2441aa9033531bd48549279f78a651a40bc7764a39dbe4a1cc93b1d383e74dab4456eb4f706cd1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
6dd410c68c5820ceb55ce51ddc13c935

SHA1
2bde82dfb5f20acdccbc64ac4437c838f9e2eb54

SHA256
1c83e10c0d441643a76467528b8bb607d5f60128f24e066ca218a26af26d4f54

SHA512
a9b8534376d5ca81c8483a6e46044c91a540958ce26dd45ac07288f4a096815307c10f97949439ab2484ecf9f31aa0e8da74188272a922288b613eb85a26000b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
f204bc550f09279fd08ba996e56baa2b

SHA1
83153d30e0949b6847252fc74455d7730a7ec1ff

SHA256
ba618dfec5c15fd5f9763310a77c478d668e41377df3d7b9512e60aaa1fdf8e8

SHA512
7c19637d2d0948376dbed4d017bd491515f43f189ec9671822e837f94582fb112e545cbc9c16f9c6ef16e75dcb0a1944fdb439cadcecb9770fad3249bf6e73be

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
13a6c816153c8407364cd9dd3a1d33be

SHA1
191435753764ac3ce8bcd73e2b8056df0b02990b

SHA256
ed295bad8fdaff5b02e82def960bb19eb8f4115fe2027507ccae6950df457f09

SHA512
ccc5e7141e573bccaac46f343b80f5d074b49cffc0fca5121a2320f930ed1f33e115db3780384fa13dc2ecb1b6dffec452843c154ba288c57a4bbc44ebd9d618

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ca185fe7ee76478781b14d14530cddfe

SHA1
4c5fecf73777dc1dc5eeaaa3908a9acb7bdae71d

SHA256
20383963de5b0f2dd43ba421c3635113e499683039d8f1cd1f7d3121f810a698

SHA512
09b69ebf26924c1ff1ffd1fe7785baa385fe908390c47d8e54412f591eba85f0b1bb13685df1a95d76ce95794e1c18fc6df7431c33e79cb883264b7bb4878d82

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
750367d0722f2d3e3d790a8306e54207

SHA1
68cff05aae15195f87fc8116bcc56aa265f0a6ba

SHA256
39e5194008e1d46b6bb95fea966985ce22918caa81469c3f5728a7bea7075cd3

SHA512
2b29ca27d8a42ea2d6973c84b0d57caa4893b61f218f7884cfdb725ea73b734b8a405cd2f6ebba1dc7ab8f7a6a85224e68f452ad2dc9ab6bfd7a31e75d9a2d04

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
d80912522b2cabd556cdb171d65d9fba

SHA1
19c0264fbe3e6df99ed7727b9a9e746c86f6c391

SHA256
b0db4a299e3ba4a578db29d9c46f9441b527368c8fc17ca9137bbfb53e318f8e

SHA512
f244e995aa949962fe86425ef241d497b482180920add205eaab69112ecfa4afac0dbf9bc39c70df673a76f23df658628074b305f453fb74a0534a505f935417

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
f66f6c41d93697808c516ae20ebc1403

SHA1
1aeacc9470ef53562170a6380f8b79140bcbe1f7

SHA256
ab836979481bc2bf570f4b01a851ddcf6b9e30b98bfcf4eb3d00f160fb4ff604

SHA512
c98c4b2545777b3343e3eb3a08e7b29500c78be99591c8548be05a54fcda7003122cb361e539449aa12235fb35b5fcebb96084085451f513ba21fd3e51b93e56

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
76bb326bf5932f262be64ea3921b1128

SHA1
897610aa928201b15c9fe264c5130a70e06d339b

SHA256
86918705e6af177f69ca36aa4092baf42affd2bbb8d7d20d8be0083689b10847

SHA512
508c2d031e56c2d85d166827acebfe5cc76406dc5131cefc2c81ecacf1e8078baaf64fa42339679abbd89a7c81ab7dede457f4e5cebeefa83b025c45061a887a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
423KB

MD5
baec9b72f766748a80ffbe10eed4d97f

SHA1
c46e832f1d05c024c4b4c249a0cd1dd40811dec7

SHA256
adc3e450213b4a719a3e0c9e592d7f59d5ddbae2447074bb84f6bafafc10df79

SHA512
0660d5e83b066153764613977dfde8ef337d671aad2f2a496739a1be79040ef10e83d2f4b37a119b2bdfbdaeb5313f9505843b354a81e0a42e74ce89bcce39cc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
640KB

MD5
3aadd3bc3e3137b9008906ae1d4cd29f

SHA1
2b91ada8266b588622504aa8aa9613eb0c7b3339

SHA256
1d69ae9bdddd212e808db30a5a555d348f5775426f80020613d8093343731a7c

SHA512
205cb1109b265d4dc832446e3ebaaf305f1365f32328f1d5f9c42858af1c53c6a9e4b4805474f3a5695a6b1c53eb0dcf8adbddcaebdf971d91e5e07f8448759d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
a46ce823853a7b70d39be717a1249014

SHA1
e7cbd1980885062ab2619b4c285e9d5d0d0d7bc6

SHA256
27035a20c5a763e4a7b47e6fdb1a2c242b75847a4f91fb104480f74956c77505

SHA512
423de7c2edc6bb92a39801d7a7fe3c92f982d791e90c6f273e8fdb9e57be4d2a03e58e8493c0d0b2e07d238f823333f77d719ad9b12be18ccb5bba0dca9539fd

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
8d0af7ec7b27ef2238f362e11f71574b

SHA1
33aad4ebc7c72fedb7d0333d62827fc0966a2610

SHA256
321b45715810702d517dd3a125df4370559c92a0d760e62d3a66b9e1025c0e28

SHA512
492b18f04ab38cb5223d803650360033f868a35cb61c37e3b44b1592a45ec06e2ab048bab8519819fcfad28d664d4fdc11e04848a8da4d19dd52552f9e50c6da

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
01e857f80ef021596b264180230c64de

SHA1
f5aa552202512a7a36753e8bb9b065f44ba0d523

SHA256
390791605ed6f296c29b9b0ffc8093de59ac654309a28d0f52031e50d9dcd720

SHA512
90a83aa94bed2b5ca531023fea63360a91b14b031ab618da6b20adcc72b252fb4e78ac34f8634432209f5c7f7c847062d2d4cad7c1e36102a00ecfdd924b9907

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
23e0a69939472d54c62ef3866eb661f8

SHA1
ebc2a9cec38299ddd01ec9c7fa4202da9bb220bc

SHA256
babce3d28fd761689a11875c025f70c0123b17beb7e6d3a36e386198fb14015a

SHA512
e17624958fde34d8e207acbd0c55c59fac84ef91c184931070dfb1a3d9dfddd5f1cb258cde93c11eea1144a4abdba07e37ca0866b25020c44442637e252f0a06

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
a822222261150e36b5bd0965db8ecfbe

SHA1
dd988f3864d092af737c8b8a98a0633c5cf8eef4

SHA256
b5891a9f20da4a77f195ef87c77321e1cd6100fd4c39406f8aa3ae9b088fb7f5

SHA512
12bc5510c789fbf2ed8039fed1eddd968500f2ed653d6992b9f886aacb7b62b57f453f64ca16038be8c07632ef469fe86c514b9cbeee51fc47410402a090a79a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
cda4976744eb937c63d91cd9986b743d

SHA1
6962fc81180e5fab75ed9a5d072ef5a5e87bf4c7

SHA256
b2fb1eb66b75ab7aba0b7109ec73c577db3c53829b9d7c857fa797ccfe6974b0

SHA512
bd2831aa9f659a2adf942d3d5203da4b05d07e7a3850f805510d32a60e057b06600366fcf9abbfef863ec66e2e2da71ccdbf99adf70dc2292e5d35c14fb7ef6b

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b5076d465f2611772e3cc0a72a5de378

SHA1
3300a8489236583728b8c70101be9f505dc84a00

SHA256
3d6dab43a54806b8219444c39b341798b012863d67c98e294e4881d165e1cd9b

SHA512
92acf766f97f0a4aa6742ab713fff676426c3aef951822ec1057eef7b4592c6273f82ac20cbde363599df65647891ef010b7b00a5dd4a128f7556c1e8dfc4a22

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
594c9da7b93077dd1b8f79af0871423e

SHA1
9e15a69f3b48f7a498a6916698ec80be9d6030aa

SHA256
ac1493e618f95c40521d0f51fb12e8b0ff07f9ead9e2cb9c5d247f6f4b77c774

SHA512
510221bfe2d37bc8ba43b3b76b2793057961de371b782067f65db2f2fe102e6702785aa5b34118f7aca87036c6955e2347aa82fdb281f1ef2559e212e777c76c

Download Submit
memory/748-328-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/748-344-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/748-334-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/748-357-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/748-358-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1012-240-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/1012-94-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/1168-347-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1168-371-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/1168-353-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1168-359-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/1316-258-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1316-283-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1316-244-0x000007FEF4DB0000-0x000007FEF574D000-memory.dmp

Filesize
9.6MB

Download
memory/1316-245-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1316-281-0x000007FEF4DB0000-0x000007FEF574D000-memory.dmp

Filesize
9.6MB

Download
memory/1316-261-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1316-296-0x000007FEF4DB0000-0x000007FEF574D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-117-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1640-255-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1640-116-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1640-123-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1688-132-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2068-342-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2068-235-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2068-260-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2068-238-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2068-156-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2068-343-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2268-363-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2268-369-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2384-276-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2384-277-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-257-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-254-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/2384-250-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2384-248-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/2484-143-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2484-274-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2484-142-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2484-150-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2484-230-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2484-157-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2484-241-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2484-259-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2628-324-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2628-316-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-299-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2628-307-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2756-339-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2756-318-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2756-105-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2756-97-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2756-338-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-325-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-322-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/2760-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2760-2-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2760-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2760-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2764-310-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-289-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2764-309-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2764-292-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-279-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2764-286-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2768-293-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-266-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2768-268-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2768-273-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2768-294-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2768-288-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-155-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2800-65-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2800-31-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2800-30-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2956-108-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-133-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download