d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Size

1.2MB
MD5

0f4fc02d5dd5e92e5d831a879902db9d
SHA1

1e5491a355118ca542596d6394f30102a9473e4b
SHA256

d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839
SHA512

eab8b28c7753ce8b4d0fe48342ddffe68b507b41d6578ade5438c326c56612c7e4f4c16b4b08b9b0d3be808a4e7e9390d53459dad48fbeaf772a9459b3ef2f56
SSDEEP

12288:iuMYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:iudc+pFB5z+//ufNRoZW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
476	Process not Found
2716	alg.exe
2680	aspnet_state.exe
1276	mscorsvw.exe
2612	mscorsvw.exe
2920	mscorsvw.exe
1976	mscorsvw.exe
2332	dllhost.exe
2940	ehRecvr.exe
888	ehsched.exe
1136	elevation_service.exe
1612	IEEtwCollector.exe
1064	GROOVE.EXE
2968	maintenanceservice.exe
1728	msdtc.exe
2476	msiexec.exe
2956	mscorsvw.exe
2268	OSE.EXE
600	OSPPSVC.EXE
1052	mscorsvw.exe
788	perfhost.exe
2364	locator.exe
2368	snmptrap.exe
2104	vds.exe
1716	vssvc.exe
1896	wbengine.exe
704	WmiApSrv.exe
616	wmpnetwk.exe
2064	SearchIndexer.exe
2972	mscorsvw.exe
1324	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2476	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4bb49b3b78a61a12.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\alg.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\vds.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3F745F6B-5096-4006-9707-EB01E29A8E3E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3F745F6B-5096-4006-9707-EB01E29A8E3E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1935B2FB-83F1-4FA6-A300-A05326DB771F}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1935B2FB-83F1-4FA6-A300-A05326DB771F}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
968	ehRec.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: 33	1668	EhTray.exe
Token: SeIncBasePriorityPrivilege	1668	EhTray.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeDebugPrivilege	968	ehRec.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: 33	1668	EhTray.exe
Token: SeIncBasePriorityPrivilege	1668	EhTray.exe
Token: SeBackupPrivilege	1716	vssvc.exe
Token: SeRestorePrivilege	1716	vssvc.exe
Token: SeAuditPrivilege	1716	vssvc.exe
Token: SeBackupPrivilege	1896	wbengine.exe
Token: SeRestorePrivilege	1896	wbengine.exe
Token: SeSecurityPrivilege	1896	wbengine.exe
Token: 33	616	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	616	wmpnetwk.exe
Token: SeManageVolumePrivilege	2064	SearchIndexer.exe
Token: 33	2064	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2064	SearchIndexer.exe
Token: SeDebugPrivilege	2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	2244	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1668	EhTray.exe
1668	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1668	EhTray.exe
1668	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2888	SearchProtocolHost.exe
2888	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2956	2920	mscorsvw.exe	45
PID 2920 wrote to memory of 2956	2920	mscorsvw.exe	45
PID 2920 wrote to memory of 2956	2920	mscorsvw.exe	45
PID 2920 wrote to memory of 2956	2920	mscorsvw.exe	45
PID 2920 wrote to memory of 1052	2920	mscorsvw.exe	50
PID 2920 wrote to memory of 1052	2920	mscorsvw.exe	50
PID 2920 wrote to memory of 1052	2920	mscorsvw.exe	50
PID 2920 wrote to memory of 1052	2920	mscorsvw.exe	50
PID 2920 wrote to memory of 2972	2920	mscorsvw.exe	60
PID 2920 wrote to memory of 2972	2920	mscorsvw.exe	60
PID 2920 wrote to memory of 2972	2920	mscorsvw.exe	60
PID 2920 wrote to memory of 2972	2920	mscorsvw.exe	60
PID 2920 wrote to memory of 1324	2920	mscorsvw.exe	61
PID 2920 wrote to memory of 1324	2920	mscorsvw.exe	61
PID 2920 wrote to memory of 1324	2920	mscorsvw.exe	61
PID 2920 wrote to memory of 1324	2920	mscorsvw.exe	61
PID 2064 wrote to memory of 2888	2064	SearchIndexer.exe	62
PID 2064 wrote to memory of 2888	2064	SearchIndexer.exe	62
PID 2064 wrote to memory of 2888	2064	SearchIndexer.exe	62
PID 2064 wrote to memory of 1624	2064	SearchIndexer.exe	63
PID 2064 wrote to memory of 1624	2064	SearchIndexer.exe	63
PID 2064 wrote to memory of 1624	2064	SearchIndexer.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
"C:\Users\Admin\AppData\Local\Temp\d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1276

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 240 -NGENProcess 1dc -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2332

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2940

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1612

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2268

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:600

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:704

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
593d49e78ebd5c684b1f5342be065ae7

SHA1
ea7d73695f8b89967bfb4b9f5908bf59dd09b964

SHA256
c251932423c9f50fa6d7c8516df44a520dc0fee4c305e5890ab52033b2a84e1a

SHA512
5f482ed7eae0c6843450fd7f63f3a87f0391b16ef380fd08e5880186ed47f5fd45b23991086e83436c829dee82b33b7af5878b171e87558a3ac900390228af1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
102c0017b055ab57948f002ba1908146

SHA1
4400a63f52ba38998c80698659c0105e33cbcc1c

SHA256
782cb03166a5e7faa9ec815155ee33c88027e4a923a1a8af75b3dd02450604f1

SHA512
d7ccf5152d06d953777ddcb03d0762bdab3ea555525b0f8c88618591e0ea2f25ecf7208e834970382d97a35eeadf2adc2af6789f11ce8c537cddc183ab378f20

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6ea3cb043297a0f7dff9c2d8ff977ab0

SHA1
51e0aaa13a79ec64fe023d339f96c6fe836d31d4

SHA256
d1cba1f668fb46bd389d151b9fc7ad965e9454dd3a53fe70fc1a014f75262f1d

SHA512
72b67e67fae2c0a35e699f4de1f3f0f7eb96a6cc9679c5a1f04ea5d65ae10695b3a333ebf5f18aa2bb1395a28ea22d55963f4de1fe640790a200337aac6bccee

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
2d6442b4e6656e333fb902282f71f5de

SHA1
6e42e94759b99d7ea860e853e1881d60fa76b4ef

SHA256
84948e29ae38562f08783496bc288cda84e0845c9342ef3c326ca8f05e8ffe28

SHA512
5bb2ad34ebc924c31688defdf50455c2bdcaf19d76e9d6e46ab278ca9e2ddc785616ad623fc717e66285aca1c36cd89c36bd450f646db079933fdeae1b6c1b56

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
558c51b27ae7784440d3dd791b8a6967

SHA1
9c57f42517e758f01103c1bda90f0f375e54b728

SHA256
a6c2b49920a1b6208b7b3378d16029b5e5a197492142b0d45c7e45fd74953ac8

SHA512
30f03e02f9623a8579c74d3af5906ea3d1ab651b8d928868c1bbb74850c84f064fba9225cdc893bfd5d773a071ea9ef641d8613a57518567292651a94b158088

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
62ab54bd55ea616b638858ea1e5f97c6

SHA1
a667edf7e38f3630081e681e82838cb9665c67ea

SHA256
faa46af52b87d488c70beecf815dbd71dbc6cc9ab6d71c093e1b8df40d32d70b

SHA512
90c29d51073707a679fd6df17c9b118272caa303b9eaac13c0c54bf2c36da3e6183cc636af33160330b5b4d64553fafbd4379db8ac171654f546d38d76dd0187

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
39ce0556bb3bb36eb7f493c30e49b3f1

SHA1
f9a9904d555f62dc44cdcfd845a7d0323dcc8fad

SHA256
15982b00101eb8ec7ad959d79c8d00c48e1d2083c6beb90658258a48533f3cb7

SHA512
aa5b6380b51b07ec07235f36f49f55918ec0eee4d1dc0c827e6e3d86729c188929e49add983a7c9187916e891ad9614dac4106e75e58f8eca7cf7ed03c09b2bd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
829649628297b011829e39bde4c1fe04

SHA1
52fec780ee9e1ee4e6599a20938a882e2aba22e1

SHA256
4c103c124cdbe2a0e9ed163d7ec346fc5398284f959c605cf79c4a0ba99521d5

SHA512
a5d1996b43d3a270e175355f15fb5a76110d9207f052eced74091ab0f5602013d91ed106123a869f99b58f91fdae7b0227f5843ca5c1982a68e5190dba73d841

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a150ca0862a60b67f0f759afc40c3c70

SHA1
93c71f3c26835d15e881bb17dee4e26a403fc876

SHA256
a2457cd61aa923f958af5a50233ffb918a829c0acb8b49c84e5572e9fc37fabd

SHA512
f857877191ef0ec28d7679257c53ecf36dddb7a720c7095394c420eade37c97009078f93e7c720b2b798d62ee058e8741e036730ab9131979be60a9e61e7c92e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5e02c1d156b62fb69a2998685f323600

SHA1
e5fd38465a08ff0da8f26f7acb1ed3f1bac9426e

SHA256
0455afebb4344c843c3e3db7892b1675e54d3327fa1e35ee4b23aa4ff64bd064

SHA512
c27ec5b02f452db1bcc548c9d4378d7613c44b0312d3328c44507c9d7592677a89983ef04b6ed44fdc703ad9e31065b2f8214e1ba64cca139275c78aca4bb383

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7fbaf31408a647ef8b0674f466cac4ea

SHA1
41ba77e38ca440fca480041a3bd37a6937091442

SHA256
9ba76a53e201b4703d6108c498f50598a9c7034e6465e0ee879abf1cddfa0bc1

SHA512
d68ac5fabe6b175454f20bb4a0e9ee782a90243d862c55f39653ce4f16d4e1aa1ff7ee22c213936a417d7366afef70167ee8d6497c868d5c250b40db1b410f8e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d762ed20aefcd25ba1eb0cf2680a1b06

SHA1
a8a79915342cf4819d6dc72f7341ae030ac89f6f

SHA256
52bd413b07b465606d33682ea397202b74528b1fc31a21b3812330b6a7921ea5

SHA512
610957a3f38c14d17245a1581e9d0233298c8847e4410350b8630bb90a69f0c58ee97f9a8e3b4a70819079d8eb9eff25bfde1727e8f6e3caa15e682fa956259f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
3cbd5a0e6a4b6c225e3775fdb0c7197d

SHA1
a43c277be73d90567b90c71fc406ac787cb97def

SHA256
443267a0c99a9bd44588dc94b26ac3c1c6d886dd3c4758887fa3e07c29f15b7a

SHA512
d3876e373d9484cdfa948fc0acb02eea484d1949eb79e0a01393a5cd85f6debb7aa9e7e82fa5ed0eff3834a26a5497957834fbd4de76496de15460a11ea2a2d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7094a8786f1b5e08a96f16d45390bd25

SHA1
ae815728cf165f82bb0ebe2f0f489a2053abfa7b

SHA256
ceee63bfd0c82cf7fc32654a2edf3ce36c515f82b9ec408dfa80162bef2947d2

SHA512
7ad2f26f6f9d7558ba87a42d4e31d90693d8599d8c4d2ebec8be6614104216126f8eb9c3b8d322028d870dfe632bbc2c05de3d52efd0b9a20f017d703dcdb8f0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
d1b05ffba565456d0e87f9bc040e79a1

SHA1
2616904285a02c4abbbb9eb37b3e76b458e25b23

SHA256
48e64e740dc2a39a5cfc968beccde6b692230d4bba51f8789d135afb666476ac

SHA512
aea052f3385567da56a66e21c538dbfd5ea19ac4ff28f92817f0520c3c0bfdd522fb55d9785f61034d229525072eec4e0de24c15f522b85607439d348e0b2837

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
55b9a7d48c702f53d63e615b50c95d65

SHA1
8298d2b24ea53e71cf794c35b45b1034e7a40927

SHA256
8bd39b2f471c4f4250a73d665afefeee56881be3085aa7c3252cb5448ae6c461

SHA512
876f79c675a9e17bafeb5c6b403e41a7944f1219f701f99bfad2caa97824cae71930a92716d57e68926f2789c9c814358079b36648ba10f8c8c8c9de23a8162e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
53f3b555f375d2dba71fff453a3f195b

SHA1
5a32c045c3ec2a6c85ace0605bc442b4db80c09b

SHA256
003f2c28dcaf85bd19a2a3a96282752ed2d9fd6dc70e585efb4ff1e5e188add6

SHA512
058216aa7fc16b0b556efefe77889c73157bb373573ef4a203f0bc5586a30d0b31142e0ac3f1b797adcbe594a23302d453628253778ef4216535b4782d99984d

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
59a938776e85b69de60b7e5275363be2

SHA1
4001a7d29742d9aa8ef0424700f4f63994aec407

SHA256
fd3a7be4b6bd05aa5b1b1520795ec5d37896cc49313d8842132181005327eedf

SHA512
ebd261481d64a6b9aa3168d94388328bfaabd6a9bcefabf3a5765cd97e0211118b7a1751a9d92708cfd7e52fe605ec2f2247eb4a43ea23da9167e817fbb39e38

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a733e2f6026fdde418a4023f40d439e2

SHA1
17ba5905ace50f9b174b02c2d38931f5446413c2

SHA256
8b56145b58107621316574449a26da4eb02881a30c58f7c6335320d4bf3ffcca

SHA512
057fd1cec45d5d2a513b2b042fe5d0e49375deae4ab0fe3413a71eb8ef1376f56dfa1c53b861dd99f026a1e2966edd24c919843392d887b795b30cbda632b147

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
a512c352d5b15c62976934bea85d9617

SHA1
3b9f0f52401198cc573a80625d62d0bfe37f30d0

SHA256
07766d693a284fe80038db20add368a08c77c8b09d2a1c8540351a1722066946

SHA512
544db177486031d813ea8508e372680a0545e1629ca509a565f646adf8519350a07f7d5b978b4f5e09b6f9d096ad3149ade76f81905723b0a79be66ca9c0acaa

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
e6f01bade965f59cc5b9852349ea3132

SHA1
8da3fb2eef00f31a2d2bb89d11b2f58c5fc18724

SHA256
7ae35a47d1e68df9bbf8f8d3298db47e38a0064d7fc485ec789568147531b6a6

SHA512
4cc408c0200498193a43cf3d75d1679a835df840f533e14dc3273ee00418e4db3248bf8f99c09104d5b2049d982974d81ab1b4611588f2f6b49c2e57aa8b4ea1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
f2c453d129011b420d1409386464ac23

SHA1
56fcfc13839c0ec552a69805da653b98909aff73

SHA256
af0974d29f0d72cf7367dac2a1f47008a7fc660c0da8f1d7043dcdef5d565ba2

SHA512
41a8232edb3dadbb23041f8112f1c2384c70c4f642b76a2ea07c5d6359642eac9ed7f1ae206ae1a1a577215b5825e552f84d46fe8a1244630160eefd0991f2ee

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
70ae65b171484ca8e5ccecf515817e0e

SHA1
355a0e30e186d0099a6d50c72ed42f7616bd0f88

SHA256
45c3efacfa741d5bec757e5cdaddf8cba303d6bb424f4ad8d5fe0421f133de9d

SHA512
71ee72f970afa2cb308e4d67912f3572427bf25e1964099c105ce51d67a00dd8d1ccaa55649e62e7638f7c01e465992f272edf249db8a48c42380261f14c1b39

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
acf516f44cc1c09bc16a52d6f11e5682

SHA1
22078e44e4f01df81cc247b7273a75d07c872b71

SHA256
c5cc0491c64993c8e68faa5a21a14c189ed96e3b0c205e4af972c494327f9f85

SHA512
61d2f23555ea6574f0266fbd05c1ee9fe0e1819c95954db841485f12bf5eb6242ea9960b5931b83bbb402d7b477cc46941ecddcb95a49d43efce3e38c55aa8d6

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b0de5016c0dd2a17811ecd10f2a45d18

SHA1
de38c52503659b8261ad11c9d83502d99011f930

SHA256
e58a6e110cd670023ba982882aef713fd8e9a5311ba393aac50f35c2839435f3

SHA512
04269a417f7e7f4bd136105b82a88b75aa4ac7a7154d3f35992decd90b7e217c84fb5a21c99c7690b64ebc524738d7f4df7552ac14f06ba8e1b897f541e730cc

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4f81df1ad71cff61c211613712134546

SHA1
a51ba65d1a8ef542b9b646fbf8422aa5b22db1f3

SHA256
ecf9efa3e25b73976a8b374da50a9d10ca1383bfaaab659e72ce5a1b56caa1a9

SHA512
56a819bdf976057df7045c28a269bbb50e4522eb23aa6d91d15c7d8dd46b465266b90fc98bf1e7a8b610e1e28dab20747363ed19cf02c3ccc845314d2b361856

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
4efc92cb1b36f752de0b081677d73e55

SHA1
493a5423fd65d9ece7fb0fc27ed6aa9fa0a3112f

SHA256
fc3e1a7b7d81746f4a4c456a433122debb6fbc6daeb19ae0dcc85387204b4dcb

SHA512
b6a8b53163573963674c1e2bd2f7549cf28e33d901a3ed941d8dc011cba7bc2cf0aa46b5283d0f74c451fffd9a865e2373ded910c90d5558853b3a7a7dd78656

Download Submit
memory/600-274-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/600-282-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/600-283-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/888-222-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/888-255-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/888-256-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/888-134-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/888-126-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/968-246-0x000007FEF4840000-0x000007FEF51DD000-memory.dmp

Filesize
9.6MB

Download
memory/968-173-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/968-241-0x000007FEF4840000-0x000007FEF51DD000-memory.dmp

Filesize
9.6MB

Download
memory/968-212-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/968-245-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/968-170-0x000007FEF4840000-0x000007FEF51DD000-memory.dmp

Filesize
9.6MB

Download
memory/968-266-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/968-175-0x000007FEF4840000-0x000007FEF51DD000-memory.dmp

Filesize
9.6MB

Download
memory/1064-184-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1064-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1136-139-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1136-148-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1136-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1276-37-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1276-57-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1276-44-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1276-38-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1612-257-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1612-254-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1612-188-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1612-178-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1728-194-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1728-247-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1728-204-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1976-146-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1976-78-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1976-80-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1976-86-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1976-85-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2244-60-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2244-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2244-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2244-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2268-268-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2268-261-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2332-187-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2332-102-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2332-97-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2332-95-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2476-224-0x00000000005E0000-0x00000000007D1000-memory.dmp

Filesize
1.9MB

Download
memory/2476-227-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2476-220-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2476-280-0x00000000005E0000-0x00000000007D1000-memory.dmp

Filesize
1.9MB

Download
memory/2476-272-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2612-59-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2612-58-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2680-32-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2680-62-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2680-26-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2680-25-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2680-33-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2716-61-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2716-12-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2716-13-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2716-19-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2920-132-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2920-71-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2920-67-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2940-202-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2940-116-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2940-121-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2940-108-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2940-110-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2956-287-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2956-236-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2956-242-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2968-211-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2968-210-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2968-189-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2968-185-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download