365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e

Analysis

max time kernel
65s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
Size

1.8MB
MD5

24c81b29473293282f37d57189fdaaad
SHA1

4d1b3363092e14bffc51034372667f64cc7ab687
SHA256

365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e
SHA512

da2067a730e7b74ead50137d47517aecda99afba805428bc8c004659e6a3e0a29afa8914dfe7cf74d630b660100588a40ba8ce4bd28e8e4d513e79f6d2098514
SSDEEP

49152:ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAOeyv4xb1AVAzl5Yp:ovbjVkjjCAzJm918o5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 27 IoCs

pid	Process
468	Process not Found
1112	alg.exe
2680	aspnet_state.exe
2776	mscorsvw.exe
3068	mscorsvw.exe
1080	mscorsvw.exe
576	mscorsvw.exe
1436	ehRecvr.exe
2248	ehsched.exe
1968	elevation_service.exe
1736	IEEtwCollector.exe
1536	GROOVE.EXE
2588	dllhost.exe
1748	maintenanceservice.exe
1728	OSE.EXE
2776	OSPPSVC.EXE
1192	mscorsvw.exe
2840	mscorsvw.exe
2024	mscorsvw.exe
2328	mscorsvw.exe
1212	mscorsvw.exe
1156	mscorsvw.exe
2820	mscorsvw.exe
1572	mscorsvw.exe
1108	mscorsvw.exe
2676	mscorsvw.exe
2264	mscorsvw.exe

Loads dropped DLL 6 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6da4505d9a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_te.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdate.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_fa.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_gu.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\psuser.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_fi.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\GoogleUpdateSetup.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_ms.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_pt-PT.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\psmachine.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\GoogleUpdateCore.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{89C4F14B-4003-4E4F-9969-A2103971EDD4}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_de.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_id.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4692.tmp\goopdateres_lt.dll	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8A36CF14-B929-44F0-98A2-A5A7B7ED9FB7}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8A36CF14-B929-44F0-98A2-A5A7B7ED9FB7}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1484	ehRec.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2164	365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: 33	1976	EhTray.exe
Token: SeIncBasePriorityPrivilege	1976	EhTray.exe
Token: SeDebugPrivilege	1484	ehRec.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: 33	1976	EhTray.exe
Token: SeIncBasePriorityPrivilege	1976	EhTray.exe
Token: SeDebugPrivilege	1112	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1976	EhTray.exe
1976	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1976	EhTray.exe
1976	EhTray.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1192	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 1192	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 1192	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 1192	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 2840	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 2840	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 2840	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 2840	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 2024	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2024	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2024	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2024	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2328	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2328	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2328	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2328	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 1212	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 1212	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 1212	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 1212	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 1156	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 1156	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 1156	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 1156	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2820	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2820	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2820	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2820	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 1572	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 1572	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 1572	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 1572	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 1108	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 1108	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 1108	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 1108	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 2676	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2676	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2676	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2676	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2264	1080	mscorsvw.exe	57
PID 1080 wrote to memory of 2264	1080	mscorsvw.exe	57
PID 1080 wrote to memory of 2264	1080	mscorsvw.exe	57
PID 1080 wrote to memory of 2264	1080	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe
"C:\Users\Admin\AppData\Local\Temp\365ad5e7f03aaa636600b632a0468a5a3be4a0fc97761fab372a13d4e632529e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 240 -NGENProcess 1ec -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 1dc -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1e4 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 234 -NGENProcess 254 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 25c -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1dc -NGENProcess 1d0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1dc -NGENProcess 1d0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e4 -NGENProcess 244 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 180 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1dc -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 28c -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 26c -NGENProcess 278 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 180 -NGENProcess 244 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 2f4 -NGENProcess 26c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 25c -NGENProcess 258 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 180 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1436

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1976

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1536

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1748

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1728

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
04932c63e3fe971c53025e858b21a560

SHA1
c8f7bc447070fd0e4553cb75e0ca3564f4d3114a

SHA256
821b01ccf0c6e7245379514ce70fe2472888a20449bb9b8da4fd78c11d5bb102

SHA512
382557bca4ed2b42aa402026e9adbe877061ccfff2d1abc6f4c2769f919f48eca44b046ddd6b0325d79dfc5a75d91a09cfb257a39580738875e2cb171f033ebc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
09d87912d4a80bb7b4c4505a9e20468d

SHA1
2bf14c6bfe459aa5c9ffe85e6ace3620d87d0687

SHA256
80b271362afde3c8d06600242e994106b07243bc919afa797665da09cd9c87f7

SHA512
40a164140736d51dc6eb41108ad8c99bd99eae3b4411f8932c589bc06c3d074b3ae7d67a25f383400267bfd686cec985e90d1d6ed0e16a30eb8e4dea6bd863ec

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
3cd81065f9dfc82a59fb9bc5c07ea530

SHA1
2b7272dd751b430454cd63d254d9d2041e5eb23e

SHA256
760505c3db4967c65a63382a9f5f4fe09d76b08f17f7b0bb5c1516cfaab11498

SHA512
3fb23941473e372ed831b746f76c430d5c90a3e557131f59003e3323136aeeaf9336b81d6c04280ecd7fe60366d37dffd4cc8d2bea7c297dda3b4f09ec5eb513

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
c276e0dde58dad3af840b61373ccf0b7

SHA1
2986c1cd160b98fb556a6cd2625a897ddcdb27f5

SHA256
4b49d0bd68c63745395d06181be8a52a05bc0bf89811b4b8db125b42b6bef5a6

SHA512
0f09447c980ca2e44dd0fbefd176522922a38b2595a1284671635771169cd4ebeeebe11cad5b3620b74eb3f2de8f3fa5b52e231b05723b273d00d29efa5f5231

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
6a14edac9ffed0a0762b39784a4a636e

SHA1
4b139bd04807699d6649d9b761f669db399f5396

SHA256
8e9ff481cb108473a4060bdf580e66ddb9ea65ed4c6dd03aff19d36fd5a4be3d

SHA512
6e8c85bf81123ecea004788614b108269f9bb3fff0ec2edf7a8288de039744de930b2d340872b1e7544e4e8b5fef8c6a306d8e723bc56ebdbcc251d86ea372cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
2a2ff60b5e35c7063d78682892f35d84

SHA1
1689ede8cbf31e786362f29dc6428cab48240f04

SHA256
07f9889bf1a4640e2acfb033d4958154cb47731a76445ec50e630d96e874ff95

SHA512
037e75a643de4a57f7784430bfb34ba13e1cd67956066dd04f2ff69776dc364a1a4ce5807ce79a65429da6c9e06d0894606c28d2be2ccb8ad7cd7a98dc63dd12

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
9e0941ed3300c058a84100467651e008

SHA1
5ed4cc0939d54044f72ecb9f3a22ea4af88ff3dc

SHA256
71be8975c6409bf7d1024842970d9d7f36a462cf9beb300f42fe1b94adbc33ee

SHA512
754233f064f20b3e6b427919f9af511e92bd8ac8704c791a143bf9bd33b0194493e84b96c7c5bc72785caa5358e4cd728deaa6b764405d99685e07d1f59b1dd2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
02b94319e07f84d577ea4dee1d3a1ed2

SHA1
9edba804a80b28ebd3c02193daa786947ef36a56

SHA256
bfae88e790275d967d636d7909cfaaffbe8f52a01b4ccd2510d06ebc71e63230

SHA512
ef6844210fb6cfa4dbd9236db7088f98fdc815a875c8385025a8281ba7423a0a6cebfa190d55b9db70212c5a74c71153987adefcb229ac74f58d783f5414822d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2ed0e55470fee6ba9f02ca2bd8fd4bf8

SHA1
30673cd5d35545f4222c2c35a5e4e3c5c87f9cd3

SHA256
6984dc036216a28b2e4a9c740dfd4a2ca7fb88eb224646d56a53fbbf46cd99d5

SHA512
ede2a38add30768dc829a909fad553577b113fa38f6edea4081c69dc18a6e127d6d889513b51789920b3bd9c2a955a5b96c9d8e700dacce7a54244ec56a9287d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9a79008cdc149bad6e8625f7d040bc62

SHA1
cf5a996b7889159411bd23c40b843d6c844ee5fd

SHA256
66c7a5cb4f7e3a6d8d10af3030865fea455c76260ea3c88c2384aaf3b14f92cf

SHA512
b79cf52211b2b6e275c65f2d538574b66b9a3b3d1da3e007b3e9b34010d52ba619e904370ff0477c9e5e3f0c209a12826439062e177d2124b8aff56e74d2012e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b9fbf4ce87e3204efb231de606215c19

SHA1
482459714cebb0c189fd65c081a16575dc03e09f

SHA256
05b3d031425ff8bc0961507426f3995c23a638ce8be1640fdada0a353f5ced11

SHA512
a561f96df00a89500bf38d874465de94260b3dc3dad33a6900ddae4c0b6d8624f38cf73fbb994517018b774c1f424e8f14507d25a8c373e7a4789771d6c8543c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b8d622608f6ad89a80cd09244c23a61e

SHA1
8d68c783afb127ba3120155319e4308384868bca

SHA256
0b5596293d94b46ee51f64384b14234fbbd76f7135009428aada2979b53629e6

SHA512
197bc8eecddfb4e0cc0d4bd7fb179b6741faaa777073d939e66d3f8bcff7ff03f1a7eb8ca103bd87134022e83a7e8b62a716b77e135a46c2ce7bb872d1a611b1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
3fa2b844b227c67a1c84f4e918c30126

SHA1
492915cbfe636f56986fc1aeff9528682434ff37

SHA256
7ac68a833be5287fc6127efb68864f353466f2bcb6273f86fd9d68d431a8cf36

SHA512
ebfb7c43e0fbb686779492f510fb507124cac901f656e9192e43f399333a365d8b361cc420550dd7c4ddfa2f7a48eb37b07bb0c083e73d77b04ac14b29c84e15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
14955a6e4c7de1490ed6fc5aeb47e431

SHA1
9ded6c4a23736c2f3caf7dc1ab1db61ef5059099

SHA256
9d37ae7a9d3f694dcf0dcf767190ccfedae796a8c32d75bac66399281d6e0921

SHA512
b336e7c5a6321f05e877fe823920a8440c531a704d81cdd08d80d34fc6a3e9a8f6d4e79dfc470c2e797aab7968175a08b3bea87de366f7f261afbe82eebf9933

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
614f3d91d38f36205076670ba6415ada

SHA1
6cef63b7fa0a0a3342ee269df8086418503d4812

SHA256
08b5cc104ae7cff6fdf9570ecffd1115be03b528204355d14acbbd0f84d250e7

SHA512
fceb786195908b244cee6500b8674265aba7b4869d5db3d152a19576ea31e9bf6e7693f133dde69717b10d76cf15352c302fb4f31e6c82f5f85d5d166e19eb42

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e79a2ddbc49d64d85873270eb751c8ac

SHA1
3527bc4045dd77da11a8b3e1cf81ef0333e8fa0c

SHA256
a951593ef3cb4ad6b59941560e6090ab8dc34ac12f0b33ff8af96eb20302e275

SHA512
bf8eadb082b4b1f51310898c64304cd552f96316cf8295c03420bcef6e6208b1fb58c43aac544d948b5ba515b1234a4d75e5b2f7ce2453e241ed96145de2e631

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
bd5f6e25ff49f7488875198a4df7bf40

SHA1
d8b937ceaeb9189dc987a245ab9beb607d678afd

SHA256
b9deb6b3182cf593c96623021e26dcfebf0e8e3425dae24274ace67ac04c3834

SHA512
0228ac740e190409a6cf288a53b083cdd3ff2a8651fc16bf4eecdb1b299f079a0b29d4210c356f7434c909d94589e5ccd559f241604a4e20b259fb3591de805f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ce376c57764d472fe80bfa03de2c4012

SHA1
a239225d88728a3a500bd6c7cda419a52cb9313a

SHA256
e2b9740d5489c359feb4b01eb3de7b644849b21ec57d8e746392d5f260b7a76a

SHA512
feb4232d25ab5781c2aa4b78dbb7a721526cf348458e517087f97219a341dfc7278ffdd6e18b4025c5acd4244565fc13e56c211af0a7f94aa5eaf2cc6af84589

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
33cc739f16d5abaf92c253019575b219

SHA1
1bea231698aa67b6d08469c9d026bf0807ef54d0

SHA256
f838debca3479a75a2c78820926adb6c4e38228b27b2fc50e4ea4e1922f20756

SHA512
3446ea5e5b292b7f93d0c829f1bc65607f7a39e2440b89ce6519ebcfad1730b3612a66271f3f3eb968076e35755c116f8f7f4e352bf50b3444820358fba4f1d3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
b9042135b0d7eaa427a4bfc7bf35519c

SHA1
3ce76aa2d0e2ee17dcc7c917ea7702f3c30600e4

SHA256
01228beba2d4bf2df4ec0dbfed3c030195b433b82fedf831c02f9de4d002e9de

SHA512
b560dd31d9efea94a3fd8683223522865cdf35ac52abef1d20ce62d1ba064b4fe70623ffd1313a1b2e2b28fb71fb42ee03c7d3257a51c12d59af976f4a175f7f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
a49d7e8004a74a47fdf19ee2c35176df

SHA1
55c4809aa4a13394999c2273464ab6f7dd4b696e

SHA256
efa937fc4be043fc05c4ebae310ac98215829e6c18e267184cd5fa949c820dd5

SHA512
fdbdb23a932782fb2d5b45e13ea35ba447aaa01dc88d8e75134f971ce48365a7f2d0f1120fbb2139d69207377ab71aa127f4c9c4a06226d4765752f96f4edc87

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
bdbbd605193a39be5f650e7a2c8cb13b

SHA1
6833efb077bbf55372aee287849fb375602f3914

SHA256
d83a0220622fb881cc00ccefefe2e2e3249466170efc1f50fc3ebc5af0db447b

SHA512
e524bd4abf539f52e59111b69988b29883353c930f262bf269c67c3458e323806afaa2f54d813ed7fb51d4e78f12fdad9d4c245990ff2bc13f4724b40b53218f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
f71e546d65ee8884410791860783af7f

SHA1
3d5e04cb23d818b2c17ed556061610b3ebf16f94

SHA256
9ecec10a15fe3f42f6223bee919d1daf2b4eef3f18218e5e4271e2871cfad6fa

SHA512
02f6fa1b7820b514538e3458eff5288dbe24a02fadb43c49d9ffd4329493b3525242ea5ca29b5b7a57e2f1849e490dbc1152153a66b667f55b43d54578f8fb5a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
3f3eff31fc1c9c008b1239cb1f9c55a4

SHA1
f8ca2cc061505ca8741c024bd9b5f1376701a5c5

SHA256
f12e6ad99ae81c04d9ce42ac859c6454918ce50e1277cc031e8ef365570672e6

SHA512
019059c1e5ce088b46538f7b7dde8b4e6fec7be0568a31972121ef64aca6f13c5c997c33ffb32e70f7445a32c3a5831ec688526dbb1aa1e5b9b10b4646899b7d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
1425e35048d2eadbab2369b357118414

SHA1
519374e855e92e333ffd35164d93fe8bb59aed42

SHA256
4f3f9eb1010ac835030cbe6e14da5c0919b286888978184149d53ee093cf9120

SHA512
5589a19876e6e83550564f1a88785f03faea735170ff07c5a4058433d6f5bfd51ab82cb9f2a12d865922bac8c0b3fd96d0bdd9cb069c488fe8a990c74df2d344

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8196adb34806bdf69fa134d07178a0ce

SHA1
c8fa903249dc60d18116852ce1b6b1fb49002eb7

SHA256
bb13ea5febe14b8e67a13eeb3c116f67e107e4c0071f8f26a71e066723971eef

SHA512
a9b44d81e75f9c8deac1afea4c840fd6aaabbd841ee0e7dcac1b0d495263babf709d0a4c562dba4df5902fb429f1a1d9b7210aa33d41821814c70abf5835d4a9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
c3b7dc3b4f75a47a7c5e4d5aad4026c8

SHA1
4f093ebcb90c389657b3ee9e7bd31c81e5165963

SHA256
981f896e04e5589876e21430f34536c7bcb27bc1d1e0f8078e9d120c9f712566

SHA512
e76798ec227f37901b4218ae13fc67be140c542ebea5dc92cf9678deb406a1f967cf8a8fb7ca41398aeb3b24f695ba8e098ee7e2ca6e410490ec31e729870054

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
c85d30c98fe695f17b518766d2a73614

SHA1
892fa4b5c23e9e9a7c14995d31510755b5ee4398

SHA256
76cdc82af28d9795b98d38b465724aab68b15303a11605cd5fec4d0cbb364c15

SHA512
733212fe95f775e6ffdaa908b9146bf5547a67920d9596648591c3370835a4664b49823586db57673ee71270bbe716d311db30646a7328996009ccef2f80050c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c8279ad1d11e538a4078a5c9afde9dbf

SHA1
a8ca53054d7d406695ca41b4f5ba5af7e53cce58

SHA256
b7d53cb41849ad7288d9253483172c2d4239ef11ac21c164e47ca303dbbad200

SHA512
c3f2d8aacb8848ce0ee1530aa1aa3f5a71e863002a9023f15e0b86df65c6ca56399b91d6ea1fc05eb4e0c5fd630d8e2ffde97c3edc660522e3a89a17edaecd07

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
50ab7db46e8f7f8f42561269e1c58724

SHA1
f0f7ab509c443aee749eb18a12a6e148f6a1a81d

SHA256
f329fea1962a0c383bc9bdcb128c5cf851dbae5a06f03862bd6ff70129a5efb8

SHA512
82298da1889ef29779a701a46f33ba203f682ac89bab85ef87ca8b9ce4cea777a6e3627841687c607063f8b7b4ba1fe1250a0437e31aee1eede400bfcc280d15

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b39e05e5391b5976bffc2090a7a25f97

SHA1
921737b09ec2046beaca84997b5cb17097ae73e2

SHA256
372eee08579b4eb625e7d5fe0e6d63340e629ca4ded27bdc3699b5d8a5c82427

SHA512
69b753fcdac4bf6c6c55b0ab6306681a5b7bd3da8fe23bee0f22611ce39b58378ae936cde7d5324e8615839ccd01cc4d98f84db09f7a75a1ccc0fceea81ce7ec

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
6d18f1060187c8e22bbf1f553c895db8

SHA1
ed2802eefa8799ad01067511011e89491940fcd9

SHA256
febfe97c0081e56dba7a2151ef7c45165d735e3a3276104b46817ab481b65b76

SHA512
ee0f402e7b57e58b14ba0506524727fe65665805d8dae077108b97b6ee0c385ccd3f53ea9c1ef7938c36d4a3cd26ea5b7ee0d6c65c4e4a47376787915c285ed5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
9ca855783c9a0c6d30179007021fbefd

SHA1
ccada3b467acd1a1849377223ddb4c54df704245

SHA256
f1896837116bcee2d7763de585697a58f6d0fedac3fa560b07cd166216705e9d

SHA512
b952ce02f4fa68c5aa98414d6a5ea0b136cca73a148ee5d5159dc1128a1c5728109d55ba80f31d95c2029343a4ca6747b00c173617b02cd6f5a0ab5db2fe7df3

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
46d45acc4f90f837109953aac23d4287

SHA1
a0261f809a10e57374e8ae85edb755c270aab0ea

SHA256
75dd954869dce529494a255a4b90b352afb06d22ac7abbf2a29f610cea31e8af

SHA512
722446a27baaff1a568aa1357f52951c525ad4f31372e470aca2d7c0489fcd3ff22205c168582310db192aec10713fd0cd4dd415324a03c3f5876a4ff69500bf

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
5dbf9d51a7e0a6fbf78686337f4cc542

SHA1
9b04dd6f82748a40aa83cb109d294a5f18d60cec

SHA256
a80f2b094e253d665d3156ba87968dc1534b85673ece7fcdfe33bc2b9b9c9aa2

SHA512
fb7f84cebf98febc6921e5c43e097d4f9279c036e783d9c6c4577116ea1b3a55a4359dd7a9317306a5a14bf43e8d92581eb58cf8e07f11916bbedcea4b4989a8

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
5ea4f02b0682609cba6fbf1683044f01

SHA1
0c12f1ed4541f97d2ee9094954dc1a16bf1178c6

SHA256
7c0d9f10a73f101e1dbcfbc34b7ef7ead40691f0541874409a9a97043ca8bad2

SHA512
278a93bb86a88caa4727d8202effece24f3e4a770536d6429b787b26a00d2397471e67eb958a606ea8e52e2a5efad3ef0880a2dab4edd7a54299e49dd19f8af3

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
87b2d835fa97df0f72ffcc98c8dce475

SHA1
25ed0aaa77856b48b46253478e515140b910ab6d

SHA256
0a84f686a16ac7b6c14bed91fccafb8e0a564d8083a00dd8e9ddd4334cd91547

SHA512
4df5ca04ee0b84af8046ecc89db58cc26c17ef4fa4f11adf82f4979eefef696d8e8ef2faf52dbc17a9aed8aaf5a51d4298e95dba36ca6b45440b9af36836288a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
3516f0a1b8a718c8d12541cec9b9fe4a

SHA1
872329e8ac5e64de6eaa1fe2bc5ababc9d84c451

SHA256
856346bcaa71fea4763416ea4c9ce335322199b16cc7dc73a1ebaae606b87529

SHA512
6244b9918f3be5abad2d69234748d5c4fd80e6ca4ab847ea69070bf3fe79cab7fa8ea73412f2907238e02107b9c552eb51374a08ffbfef6927cc3494e92d5c25

Download Submit
memory/576-140-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1080-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1080-193-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1080-121-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1080-126-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1080-127-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1112-67-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1112-16-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1112-157-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1112-17-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1192-355-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1192-382-0x00000000724C0000-0x0000000072BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1192-428-0x00000000724C0000-0x0000000072BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1192-427-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1192-356-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/1436-150-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1436-208-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1436-175-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1436-149-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1436-178-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1436-176-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1436-156-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1484-204-0x000007FEF3CF0000-0x000007FEF468D000-memory.dmp

Filesize
9.6MB

Download
memory/1484-306-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/1484-205-0x000007FEF3CF0000-0x000007FEF468D000-memory.dmp

Filesize
9.6MB

Download
memory/1484-352-0x000007FEF3CF0000-0x000007FEF468D000-memory.dmp

Filesize
9.6MB

Download
memory/1484-363-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/1484-344-0x000007FEF3CF0000-0x000007FEF468D000-memory.dmp

Filesize
9.6MB

Download
memory/1484-338-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/1484-202-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/1536-287-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1536-290-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/1536-359-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1728-331-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1728-451-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1736-200-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1736-329-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1736-192-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1736-195-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1736-201-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1748-315-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1748-322-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1748-330-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1748-326-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1968-180-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1968-313-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1968-187-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1968-181-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2024-463-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2024-464-0x00000000724C0000-0x0000000072BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2024-454-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2164-139-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2164-7-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/2164-6-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/2164-1-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/2164-288-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2248-296-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2248-164-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2248-165-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2248-171-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2588-305-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2588-297-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2588-378-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2680-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2680-173-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2776-383-0x0000000073948000-0x000000007395D000-memory.dmp

Filesize
84KB

Download
memory/2776-135-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2776-347-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2776-362-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2776-462-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2776-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2776-98-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2776-103-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2776-361-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2840-465-0x00000000724C0000-0x0000000072BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-467-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2840-425-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2840-420-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2840-430-0x00000000724C0000-0x0000000072BAE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-159-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3068-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download