21d548d9f50b5c023693d11e9ff3efb3fbaac86ed4206ac4f87d79900cdee74c

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37746d977765e3a791f924a9cbee13c1.exe
Size

712KB
MD5

37746d977765e3a791f924a9cbee13c1
SHA1

ebd9ecb47c6e323d552234e2bcbc16fab7ff9de4
SHA256

21d548d9f50b5c023693d11e9ff3efb3fbaac86ed4206ac4f87d79900cdee74c
SHA512

951c14bb8f3518b46d8322eea1c2639fa608b4d5ba8eec653591f46c886ff279b993b3a1056823b43aa24c8b5f615b2967b4cd7d8d17ba6057e70075d5db6519
SSDEEP

12288:ZtOw6BaEi1sXYuHa53u4wU0VZAsztwy9IU6FpbOI+Xsk:r6BrksIuHa53YUS9wLDFRW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 38 IoCs

pid	Process
464	Process not Found
1740	alg.exe
2524	aspnet_state.exe
2536	mscorsvw.exe
1736	mscorsvw.exe
268	mscorsvw.exe
2128	mscorsvw.exe
1920	ehRecvr.exe
1708	ehsched.exe
2244	elevation_service.exe
1144	IEEtwCollector.exe
3024	GROOVE.EXE
2836	maintenanceservice.exe
2324	msdtc.exe
2212	msiexec.exe
2400	OSE.EXE
2800	mscorsvw.exe
1344	OSPPSVC.EXE
2440	mscorsvw.exe
1508	mscorsvw.exe
240	mscorsvw.exe
2748	mscorsvw.exe
1116	mscorsvw.exe
2432	mscorsvw.exe
2516	mscorsvw.exe
1984	mscorsvw.exe
932	mscorsvw.exe
2344	perfhost.exe
856	locator.exe
2024	snmptrap.exe
2052	vds.exe
2908	vssvc.exe
2580	wbengine.exe
1824	mscorsvw.exe
2800	WmiApSrv.exe
2228	wmpnetwk.exe
2276	mscorsvw.exe
1800	SearchIndexer.exe

Loads dropped DLL 14 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2212	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\86412f48ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\vds.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\alg.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\locator.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	37746d977765e3a791f924a9cbee13c1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	37746d977765e3a791f924a9cbee13c1.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	37746d977765e3a791f924a9cbee13c1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	37746d977765e3a791f924a9cbee13c1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	37746d977765e3a791f924a9cbee13c1.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	37746d977765e3a791f924a9cbee13c1.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	37746d977765e3a791f924a9cbee13c1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{FBF02DE2-5158-40DE-914F-6F7BE21F1D89}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2164	ehRec.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe
2020	37746d977765e3a791f924a9cbee13c1.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2020	37746d977765e3a791f924a9cbee13c1.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: 33	2968	EhTray.exe
Token: SeIncBasePriorityPrivilege	2968	EhTray.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeDebugPrivilege	2164	ehRec.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeSecurityPrivilege	2212	msiexec.exe
Token: 33	2968	EhTray.exe
Token: SeIncBasePriorityPrivilege	2968	EhTray.exe
Token: SeBackupPrivilege	2908	vssvc.exe
Token: SeRestorePrivilege	2908	vssvc.exe
Token: SeAuditPrivilege	2908	vssvc.exe
Token: SeBackupPrivilege	2580	wbengine.exe
Token: SeRestorePrivilege	2580	wbengine.exe
Token: SeSecurityPrivilege	2580	wbengine.exe
Token: SeManageVolumePrivilege	1800	SearchIndexer.exe
Token: 33	1800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1800	SearchIndexer.exe
Token: SeDebugPrivilege	2020	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2020	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2020	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2020	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2020	37746d977765e3a791f924a9cbee13c1.exe
Token: 33	2228	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2228	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2968	EhTray.exe
2968	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2968	EhTray.exe
2968	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	SearchProtocolHost.exe
2536	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 2800	268	mscorsvw.exe	45
PID 268 wrote to memory of 2800	268	mscorsvw.exe	45
PID 268 wrote to memory of 2800	268	mscorsvw.exe	45
PID 268 wrote to memory of 2800	268	mscorsvw.exe	45
PID 268 wrote to memory of 2440	268	mscorsvw.exe	47
PID 268 wrote to memory of 2440	268	mscorsvw.exe	47
PID 268 wrote to memory of 2440	268	mscorsvw.exe	47
PID 268 wrote to memory of 2440	268	mscorsvw.exe	47
PID 268 wrote to memory of 1508	268	mscorsvw.exe	48
PID 268 wrote to memory of 1508	268	mscorsvw.exe	48
PID 268 wrote to memory of 1508	268	mscorsvw.exe	48
PID 268 wrote to memory of 1508	268	mscorsvw.exe	48
PID 268 wrote to memory of 240	268	mscorsvw.exe	49
PID 268 wrote to memory of 240	268	mscorsvw.exe	49
PID 268 wrote to memory of 240	268	mscorsvw.exe	49
PID 268 wrote to memory of 240	268	mscorsvw.exe	49
PID 268 wrote to memory of 2748	268	mscorsvw.exe	50
PID 268 wrote to memory of 2748	268	mscorsvw.exe	50
PID 268 wrote to memory of 2748	268	mscorsvw.exe	50
PID 268 wrote to memory of 2748	268	mscorsvw.exe	50
PID 268 wrote to memory of 1116	268	mscorsvw.exe	51
PID 268 wrote to memory of 1116	268	mscorsvw.exe	51
PID 268 wrote to memory of 1116	268	mscorsvw.exe	51
PID 268 wrote to memory of 1116	268	mscorsvw.exe	51
PID 268 wrote to memory of 2432	268	mscorsvw.exe	52
PID 268 wrote to memory of 2432	268	mscorsvw.exe	52
PID 268 wrote to memory of 2432	268	mscorsvw.exe	52
PID 268 wrote to memory of 2432	268	mscorsvw.exe	52
PID 268 wrote to memory of 2516	268	mscorsvw.exe	53
PID 268 wrote to memory of 2516	268	mscorsvw.exe	53
PID 268 wrote to memory of 2516	268	mscorsvw.exe	53
PID 268 wrote to memory of 2516	268	mscorsvw.exe	53
PID 268 wrote to memory of 1984	268	mscorsvw.exe	54
PID 268 wrote to memory of 1984	268	mscorsvw.exe	54
PID 268 wrote to memory of 1984	268	mscorsvw.exe	54
PID 268 wrote to memory of 1984	268	mscorsvw.exe	54
PID 268 wrote to memory of 932	268	mscorsvw.exe	57
PID 268 wrote to memory of 932	268	mscorsvw.exe	57
PID 268 wrote to memory of 932	268	mscorsvw.exe	57
PID 268 wrote to memory of 932	268	mscorsvw.exe	57
PID 268 wrote to memory of 1824	268	mscorsvw.exe	64
PID 268 wrote to memory of 1824	268	mscorsvw.exe	64
PID 268 wrote to memory of 1824	268	mscorsvw.exe	64
PID 268 wrote to memory of 1824	268	mscorsvw.exe	64
PID 268 wrote to memory of 2276	268	mscorsvw.exe	67
PID 268 wrote to memory of 2276	268	mscorsvw.exe	67
PID 268 wrote to memory of 2276	268	mscorsvw.exe	67
PID 268 wrote to memory of 2276	268	mscorsvw.exe	67
PID 1800 wrote to memory of 2536	1800	SearchIndexer.exe	69
PID 1800 wrote to memory of 2536	1800	SearchIndexer.exe	69
PID 1800 wrote to memory of 2536	1800	SearchIndexer.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\37746d977765e3a791f924a9cbee13c1.exe
"C:\Users\Admin\AppData\Local\Temp\37746d977765e3a791f924a9cbee13c1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2536

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 258 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 274 -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 1f4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 24c -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 11c -NGENProcess 120 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 26c -NGENProcess 28c -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a4 -NGENProcess 24c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1920

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1144

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2400

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2516
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2624

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
5833934c6e0faa338d75ff2caa1aec99

SHA1
1ff71c9ebc7305cf705940edf65bdaf1f9a95605

SHA256
ee6de4383b71e080cca19864bcb6af06b4f267e39fc70f863b3b5c4896cd7c15

SHA512
bd7e8ccf1ffbe166b4fa0891d44106440d93e71f8fa1d3d775eab67509239e2df14a1215b1bc76d8d9520f079f8f9096c0768684da42dc9b74bf85b72b8878be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ed15791f5d9b8698d20a107c554c959a

SHA1
fffd6a1a2f4ce9fcb80f2c74f33db109adb57ec3

SHA256
0ce052777ffe66e138e45e6dfc18309239017d85fcc4d14ffc8766eb0cd17b34

SHA512
0324c16f51a4d2ab1c2c254cb8e18344df41577feee330e4431829a41f99b9a5507b38d972824c36f22f95714876935a71487b2fa3c142fdae2be1c542a9dd0e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
761543dd2581fc0d6a2e13e91d6da8c2

SHA1
ed1666b6c165029d2d60278796fca52397a45f4f

SHA256
4ac4b7b6d77290c889390a833e71f934786ccc404226708517a87c14d7a8f95d

SHA512
8823a9afd3fafc31856728d0d20b0d163cd6020fcf104c041712048e9261a03b48acaddc014aa9ea2b764ec16765022d4fe1a4903195a65120e6a2cdf878d882

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
65b61fe67f9595019a4c7bd1de09bd57

SHA1
966134d26e097a0596acd2d5f8d4a19e9f321dc4

SHA256
bc935f7722a7365e2b94744fb3067c1e78ec853cb706fbff601986029248895d

SHA512
b260b95025197058477096481d3fd5cf26f67eb29f827e82053a2e6cf103e17e57e15a112895ad97846a79aec4f262683302fccc29d4d960a5392c2174b754c7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f99705371a4a021fe9e323b0062225dd

SHA1
02ccdb1cc7e3f41d39967530f15ad5ecd2e6216a

SHA256
1ffc355b1e78c1376d0c348f0e2bd3faf5655ad4faeb0b45f3fd8c908f7aa0bb

SHA512
93c538187bfe6684e5e589a0fd95fbbd3b430361e3fd94b109a17408b42220d9cf33b40499b0e68d972fbfd88a65678b1c31a2e8dff999aedc067cde19216e68

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
4b588fbe383c52ccf64739479bd7810e

SHA1
a62fcf11d6e4f8efee3e0005af38045b332681f5

SHA256
82e5e19d3f0be78d65a1e99578956ad872b2d61f22db0ce5f1912428dd2498d1

SHA512
551b18a8e4ac6dd7882342a5e71951756962f09c271a5433fb63e9e638f542510495da19f71eb082e1f4bf99889a8dc8baac187e4d3e69a7a08671682ba8b3f2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
db81094d287d255937550ae7dfea8bc3

SHA1
684b5b3546008e2e0cb766ed1d56fb1b6ac9fa77

SHA256
d26a8dc2faf86b25a619d57d8f82f94f554a4b76b64b4fc61e51e447bde7ba20

SHA512
12aef92a95f112657640faad0498b5ef401368071720f0d81029595b09812a92d6e85065f9df55e2cc63a1edf39f7a3e1136c782eacff6d2d50a0b0a17540037

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
074a6767bd41b98e1fbcd7d7138e6a77

SHA1
c4e8e45aca73c439cf07c924225f028182a58531

SHA256
47905e9e44fdd22b8511229f19edfa15a2ab8bc7ef76e120c63859f7c204f040

SHA512
ec6aaf9d1dc44b623a84b195027d4d787b53c24c14c36819f59407387666885f2a0f8259704422ae5d0df6de458b687a9ef05a1b6581ced4f581174e94e657fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
47d3553476fe3726836aeaafd213a174

SHA1
5aa17d1eb62a8bb3f09a7301a99166aceb30280c

SHA256
739106b94b9e7ca16ca28c821cead5634117255d6ea4314d072c8f289652db24

SHA512
6c136073366c5752880f868211c8a6f144d18905514fa50e5849f551053cfa5f764fd2be26976fdbd831a253c83b0f1c5c6f5bc54066181e8e0cdea7321a7184

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
af27cef65a8eb6129948cc75d6da1d31

SHA1
00c569a59b47945b76a2f1f594934101fa3d9ea8

SHA256
225a0dab9064af7d5970146ad17202a687c05c76590ea434592c59f47f4673a8

SHA512
d62bbc222e82a1024d859acde0a235b9e0bd9741057e9ba4634abff666ca5a600b6d601a03074323abeabac4d59ef850b57556ec43dbf50fb03b270014350a54

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
f50be3930a330d581b043456860d1b19

SHA1
fedbf7b8a4ed39bb24df020f522bdad3b9d031ee

SHA256
1ff9fbedaa6736c037818e4d6c781b4115b529742346b0ff4406be73c140478d

SHA512
b263786caaef453c820eae112a10b149d22393a4907db541c4043ec45dadd46a0f33ccf8a6661317381ca363c8a791a19d2a108dbd25dc1df4a3114bbfce447c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
d90a7bc9666ccf9e1ef73561ca2dc795

SHA1
0afff945b20b57b8140436ceb21c9abb41d84f68

SHA256
5bcbea8516b987901f90ed632a038e14f11eaea7d433fe30f78a84e5b0fb514a

SHA512
891e9bf801925f84b2b3943c3e5f9755fce2863bf51a2bbf07a729f3d388fd5dcf0cbd92c0bdd8f9fa3b8a1323965a3e869030d6929d24a019f073c7cbafc5b4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
ad3a798062232ef983a3bcde6c0c9c3c

SHA1
054ea23524a6a7c8955fdb6358ca4365ac4cc5c1

SHA256
16c829f9cc6d4747051d66217898d77167ed9fc8681d4ea5f45d33022144b9f3

SHA512
30ed50f2f3b60dc4c0209381c90939d53e2189fa7113878581352104ce12f938471ae0c8a8e337278b829f2535de488f05f1a1b658f1a6c44d51d85686cabfb9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
53f02ad25d9bfcd6c8d058481b8a2350

SHA1
013d0cef733594ebbbbc2510d4fd662c0de39695

SHA256
6230587317b4f47e1d17cb0a75959a799f62e5d73c506d732b68bbec9959abea

SHA512
f155484a943321cf5a261c6d8b2c207d7e12dd13e67c4334eaa2123f3139b3a0a7502097ead1b9c539058828ab4b25423d2150e59dc6d67753ced61a87370e02

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
331f0cdd577f9e5e3a202f558c175622

SHA1
725ea7ed1fd8b0e89a88c3edf4bda3911f07ebd4

SHA256
c1aa2940d855dd664cbad95e761afad417fd02bba2f11df163503b8a102d6422

SHA512
09c65bab6ff1b63bb5c14162b90428c2e5c0f564de81bf9e4fcc7e95681a34b082491cbdffa60992e292f74eb0bd58b58f256287bfcec6127881e1ad3b1f5a91

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
0668b2c9213ce83c3f99868be7a4923f

SHA1
20f6bd56433ef16117a47366ccb10531059ab794

SHA256
24420d11d8e1997bf72e0bc2e880b456f726b11b93e29d244645b03cc7fac599

SHA512
ae5bc6577e6150dc566fadc4fb29e2eb5a76d3bc49f8e3bcd6b3c99cac83254f0f082646240bf43b3c44f232aa3cf19292502b39086360734aa66872d965b4ae

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
92f478c0aa38d85ae4f322975444c440

SHA1
45d7ba80ac2939d1a26fee5efdbe5871d20acf34

SHA256
4fc4701ee4e2db257aa0d543c0b6facbadfb6fdd7c11b966e3d666ef460b31c7

SHA512
6393e5e377bb0fbcbd4c24319f6b417242cc51f530581e4a0466b672ea87e084d4cf5279fcd9db324b067d20f21f787a4fba9088b52f66d06b448c26da6293a2

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
da2c0edab650337dc1b8d6b24d68d693

SHA1
a75eca2c6a1ce230060f61b95c154448650ac0ab

SHA256
bcaa7e01eae37ae3bbc816c6b2079550db9d061e2c33f0157db166669c4615ed

SHA512
9b5f0fb8c9b4ba91e1984d6c82afeefa8d6437e39c0e9d9abe74a491582e9318987d34a86ae2ec1d0baf773252ecf6c8e95b133e82281054024fca9172709cfa

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
e3858958ffb1b610c3250f858fbc309d

SHA1
a50daa9eda2be33ecae910e33bf599a666747ddb

SHA256
bca50e590b299b4e4a1a3a881eb882aea5bf46b9a044b88dc44c44768e8d692e

SHA512
d0b9039839c4b071a46b1e568247110be9073aee5325f8e44c4265a5843e34a6847fd58d5dd4afbc55af18351a1ceef2350cdc8a34cddfbf105cc32973639689

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
104d371c516b05def4b9ae0fe79efc49

SHA1
6b35e9714eef4301ebef1d96868e2abf4dbc232a

SHA256
01e5402fff91620c8fcb1fb50e9a196507a70a22ee8c3e73689c80001ad95e15

SHA512
7670f9b5a1ca6f31f697f8e6d10c7add7ca8e217afacdacf86dad59e4549a6fd44438fa5a72d0fed79ebaa77cff65a5c9f9b0c58b1301269fff515af072907ef

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
485633bbf0ca842a970044356433d507

SHA1
ac4ae86294727b657d65358c413c29cfd1961b59

SHA256
3caae82bbc6807dd4656eb53980d85195d2e97a3c881f8a5dbd2077030cb91fd

SHA512
973d14644f3a6df530fd1f8f745b68bfe211551f9ac73d7407d2a79574522937b1c36d768d86248aa8817d76a932a6fc8efdc237ed0fce3b9eaeda7dfbe5ec7c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
f7f009f107304722202ef1ccda5dd297

SHA1
a7c36c02991fd9e498db8bab9417391d1beb030e

SHA256
47c6ca1e6ec97b1238ba8a465e12d34b41d0faa8f6d317a58ec9f478f49bd9b6

SHA512
59b3146b6d901903e01fd20cc38816041ab990b6cce6df326bb0b5982bf58a847629533e134c70579c8987774dcb128c2517e82e65cef7deb4153606e88c1343

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
b43b09e9eb82b11a6adf0ca3566a52e1

SHA1
92b6b3efe85c93b83a59c4c6912f45f6af01a0ac

SHA256
43df891baaf1b0273e1a220d9918fd76b80e3100e63f56fa80eef58f4fc5eef7

SHA512
584652bba7e2a2956989af3f89cf9afe4d76962c057f1e47c8e8cf954b48cca8af1586f916cc8486697d7557bd3afcbabddda1450335cb5512dc7a9de62b9745

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
7d8f6dd0dfbe86fc1712769b568b22f8

SHA1
e02f0fa436b705a6e06fb2a895ed1002b017aa3e

SHA256
c59b285df49104e46dcc97ef866959689494238b6899f5feb4bd77a1a419a6d4

SHA512
66a8e583c7fc4f0737a5524a255e7b2a708789cfbd4b65ee6e8bb77c82a26648df101213d73d765b594da4a8218e71085573f2b227dd768d515163978d2f7446

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
67fbdcc9c801a5d95d97381df09d422d

SHA1
b144ffc3b031318a69bcffa254842eb54375f35f

SHA256
d6dc3ef6940a94ee51dcd6f80ff0beb9a79a4b87e11aee5234af0853299ca0e6

SHA512
3358312794a8855947eaefefcc6c65fdee2b503669cc920d931c30b53fc0004562c837048305331442eb3216d3529329f9b9eb7a500b559744c229b62c478ca0

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
217f65e6bc5e1ef87aced981f71baa3d

SHA1
9503278c65b0a4280dff01f0a323cca20c93e831

SHA256
f06503776b8f9466e6efc6fc1ec340b9c100cdf6eec6b32a2f5439eb0453a8e5

SHA512
98e3046633a46c3662284a4352fc1e60cb32dcf97ce05076ba74f82cb37ecf71e7c12feac84aa5bf3dab45784d7c3bbfa6c8f13d6ba33c9fa9c1de8e3bf1f812

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
59cc46e50db62573f0637e137fd7edc5

SHA1
f4bab5751fe45b8e457a39eda7acdcd64c64ea8a

SHA256
07a3ae4f884c9809a36684d66ce4929dd65ef621535dcde1d5713bb7c082fb40

SHA512
991425c8fe5f49d9df60cdf4e743e11cb036b3a26791b8c8843fd89687d6216a27b52a8d83871c4de6bd62506e5a130b065c485ac9ed228071f97065eb8ecf24

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
f407255b46c15fd705db644b1a31f616

SHA1
2c33308738bfa51c34a4ff39d368dcc6701c007b

SHA256
6968d92818c0a85005ad65a53557153d20fbb13981b2a52e37c21e4b88d415ff

SHA512
d2b700d2fb7a428cd7293f202695571729e8ac90ebd55e87ab2dd9463a36f99ff08dc6b5f6ce561594840fd7f6ed0f6402edb0196d1853141446db1c5b476a2f

Download Submit
memory/268-76-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/268-77-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/268-83-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/268-152-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1144-169-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1144-168-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1344-271-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1708-128-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1708-138-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1708-193-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1736-55-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1736-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1736-64-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1736-63-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1736-57-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1740-93-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1740-20-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1740-21-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1740-13-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1740-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1920-117-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1920-209-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1920-116-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1920-123-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1920-183-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1920-140-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2020-6-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2020-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2020-75-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2020-7-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2020-1-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2128-94-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2128-95-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2128-170-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2128-102-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2164-232-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2164-166-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-167-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2164-292-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2164-229-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-172-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-233-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2164-239-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-281-0x00000000003A0000-0x0000000000452000-memory.dmp

Filesize
712KB

Download
memory/2212-279-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2212-225-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2212-227-0x00000000003A0000-0x0000000000452000-memory.dmp

Filesize
712KB

Download
memory/2212-241-0x0000000000570000-0x00000000005D0000-memory.dmp

Filesize
384KB

Download
memory/2244-222-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2244-150-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2244-153-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2324-212-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2324-200-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2324-267-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2400-242-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2400-251-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2440-286-0x0000000000AB0000-0x0000000000B17000-memory.dmp

Filesize
412KB

Download
memory/2524-28-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2524-115-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2524-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2524-35-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2536-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2536-74-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2536-46-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/2536-40-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/2800-291-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2800-290-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-262-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2800-256-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-276-0x0000000072CD0000-0x00000000733BE000-memory.dmp

Filesize
6.9MB

Download
memory/2836-216-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2836-196-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2836-186-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2836-218-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/3024-237-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3024-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download