7600cf194650b9989f41fe69b47d81ccd8505dba2a126e0aa84fe54a1fc76af7

Analysis

max time kernel
99s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 14:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
Size

1.1MB
MD5

036474bee55cb59b952ef3d162560d2e
SHA1

0ed06132eeddc00c7d4bec99bba850578212bf8c
SHA256

7600cf194650b9989f41fe69b47d81ccd8505dba2a126e0aa84fe54a1fc76af7
SHA512

1405f772c3c4a6d38dcbea32e9374013f535d2c6417ccf43f294be25f74d0b12422fbc452249f811d38aa855eb61377c02f8e9d5d3b9a91b22f91ea2b72143cd
SSDEEP

24576:8Si1SoCU5qJSr1eWPSCsP0MugC6eT4RrC2YQcHCKbNe6zwr0ErlMq:0S7PLjeTmuJwaNe6J+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
480	Process not Found
2092	alg.exe
2548	aspnet_state.exe
2636	mscorsvw.exe
2784	mscorsvw.exe
2676	mscorsvw.exe
2992	mscorsvw.exe
1896	ehRecvr.exe
2708	ehsched.exe
1528	mscorsvw.exe
2104	elevation_service.exe
1828	IEEtwCollector.exe
1564	GROOVE.EXE
2280	maintenanceservice.exe
2316	msdtc.exe
1796	msiexec.exe
1820	OSE.EXE
2464	dllhost.exe
2864	OSPPSVC.EXE
2532	mscorsvw.exe
1584	mscorsvw.exe
1556	mscorsvw.exe
1740	mscorsvw.exe
888	mscorsvw.exe

Loads dropped DLL 9 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1796	msiexec.exe
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\105e8c72bfe435d8.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F6AFA7E0-7C65-4C06-9D81-8A9FA89DB845}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B8C38573-4F9A-42C8-87C4-E64B775A6244}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B8C38573-4F9A-42C8-87C4-E64B775A6244}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1500	ehRec.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1240	2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
Token: SeShutdownPrivilege	2992	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2992	mscorsvw.exe
Token: SeShutdownPrivilege	2992	mscorsvw.exe
Token: SeShutdownPrivilege	2992	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: 33	2768	EhTray.exe
Token: SeIncBasePriorityPrivilege	2768	EhTray.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeDebugPrivilege	1500	ehRec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeSecurityPrivilege	1796	msiexec.exe
Token: 33	2768	EhTray.exe
Token: SeIncBasePriorityPrivilege	2768	EhTray.exe
Token: SeDebugPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2992	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2768	EhTray.exe
2768	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2768	EhTray.exe
2768	EhTray.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1528	2992	mscorsvw.exe	36
PID 2992 wrote to memory of 1528	2992	mscorsvw.exe	36
PID 2992 wrote to memory of 1528	2992	mscorsvw.exe	36
PID 2992 wrote to memory of 2532	2992	mscorsvw.exe	48
PID 2992 wrote to memory of 2532	2992	mscorsvw.exe	48
PID 2992 wrote to memory of 2532	2992	mscorsvw.exe	48
PID 2992 wrote to memory of 1584	2992	mscorsvw.exe	49
PID 2992 wrote to memory of 1584	2992	mscorsvw.exe	49
PID 2992 wrote to memory of 1584	2992	mscorsvw.exe	49
PID 2676 wrote to memory of 1556	2676	mscorsvw.exe	50
PID 2676 wrote to memory of 1556	2676	mscorsvw.exe	50
PID 2676 wrote to memory of 1556	2676	mscorsvw.exe	50
PID 2676 wrote to memory of 1556	2676	mscorsvw.exe	50
PID 2676 wrote to memory of 1740	2676	mscorsvw.exe	53
PID 2676 wrote to memory of 1740	2676	mscorsvw.exe	53
PID 2676 wrote to memory of 1740	2676	mscorsvw.exe	53
PID 2676 wrote to memory of 1740	2676	mscorsvw.exe	53
PID 2676 wrote to memory of 888	2676	mscorsvw.exe	54
PID 2676 wrote to memory of 888	2676	mscorsvw.exe	54
PID 2676 wrote to memory of 888	2676	mscorsvw.exe	54
PID 2676 wrote to memory of 888	2676	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_036474bee55cb59b952ef3d162560d2e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2636

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b4 -NGENProcess 2b8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 228 -NGENProcess 21c -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 26c -NGENProcess 268 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1896

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1828

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2280

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2464

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
f492bf0b9b125c9a2a7d15d353521ba9

SHA1
21c034ef4ce4e0cdd6c61a20f7eff2b3bb5344d1

SHA256
73f78b784b01360a0c7607c1e6f4173ccab0296047da899ef9040c7433055369

SHA512
8cd9253eae80f09d63456828d16e131edbda959f5aede99b1d890524f6f7bf4e59c9f0a4fc667a57870ddb8105946239fb63d8372326f8023b1a526de2469409

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
77c33c017592ed0bb02f1281ffb8b519

SHA1
9456ff0bb1f68da53cbc5f58214ab06fb4b6f5ca

SHA256
9e7350d96f5f19f4c48884055870f6757be3ebec8aa7ec95086c8ea2d49b403f

SHA512
30d775fb8d0e618829270471a1bf9ed9ecb7835ee368448b03645fd63076d57278d499b895dd3c7466e213ccb57d250ef4cb9abb7855116b7ce41f7683d98cbc

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
2f4c65dc6ce9e85dcd63ef2ef342cb4d

SHA1
05db64fd1eb14c482fc14e4cb7f3e5dcc73303f0

SHA256
1c895c6f55fd50a3a2518a283ded371144e76c2feaf92e22e0b5fa5203bca60d

SHA512
65f6d21fad2f27a8c858158bf34edcd87bc7f291e9f3350246a913f323863c32089575a9aa0d1b4313597dac7a0b12e3ba3261eae248836db28ad9940035caf0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
03f7f3615e1ff7332f4bdf43d5ad36e1

SHA1
9ed591b509bc44fd526185bc419b42d439ab0545

SHA256
7a4a59b563b3586b4ae1be4df09d135496002d4f173fd65d0cccc1ef8dff4337

SHA512
57a20ce0ee42ddc410b599df71534ca6c63d799c6f01d33b9590ffa5faae2878e6471e4033f068eaa32d98771a0305fc53a8f96e4ec424a734a8fbe6bd160dd1

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
08062f71864995468482d15c189aa162

SHA1
c001f8de9ead3f5f98c3b7ef9602ddd48e38296f

SHA256
0c98c4571f346400813b3739455b15c5a9646dd72568714d2337b6d76a857017

SHA512
6013a9b373435920f4857e8ad52daf53df46621b705b260afb3d91bdf2ae94f31641998c72cc49ff892f7442af1bb6f4836f96c5946ab81e0feca4cebf306869

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
11b86caff03d7677465939aed314762f

SHA1
5dce54d967cc1a092dc189e3fd3d176cbbe3b100

SHA256
384c246ff1073be5225c0e3afcf2f6b08376eff2d31021317aee7b9541403c73

SHA512
d842efea0d08a03aca3a3a8e8432aa2133544e83dafc48317787e18bd65d9d1d8c9641d458edd3aba5bfb262d7d63643952b4163722ac4316fbec45970a794c9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
572450dbc9862291abbb3a063412354f

SHA1
99d127ed161567d2c5cb135ebc36a4440169db89

SHA256
74809b6b9d424dfbac1a1335b00b31a0577b489163893a5071b0f7be2d02b0a7

SHA512
e4ca6b7f85af6644fe906ea4b737b06f4a4b970bb57bd55d61f59316a8e3e5e17532fc07d3712b1931abba5c1b6e5019c58628e3a771095914b7fb33100e4b1e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
22f8730c50604aa46c175dd29b4f9c7b

SHA1
314be0f8a3c45a12763e90abf68acc044dc274ea

SHA256
dca1b9ad5ce1c34a2b38733c163791ab0d43ca06af64057237e9d130ce041ec0

SHA512
f2fd6b15a734aae184b4e0d272f11a3dded066d7d06fae55d2e8e7e870a722aa8ffa39f56a93c478160b1ddefc2edc964444a6b53215fdc89e73a9910a461ae9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3c32a6014be2f6aaf4ba0fa06c9a13c2

SHA1
5dace00d08d8c13ef3f83342d3f2c7ca1503a7b1

SHA256
930bff63dfc6038c498495439ea5242e075069fd23139258578dd9605757af86

SHA512
b7a73f7af79106e05e5ec320b14f06e51e7b5460517d227651ad10c1658ed7cd2a6023939ff883f3fac37071d32c47d6238b430b8584969cb8d8d5cd1f242c2c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f7756adff25f590d026ae7d44166513a

SHA1
30fdfa36ed19d9ac9266635830d3cb743ef783d1

SHA256
200544c6327f160b86c0ef8fb05efe6efb941883b0f114f1556333e0ff4aaba9

SHA512
670a8476729e28009c9ab3f423706d53ae44d81741af9074f4bad587ae5c78c58a37779061bcf2b1b539da27ab1135915dffa5a75caafe99025fdfc4fc3db7b1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
39735cdb3ea2999482d87109c65e01fd

SHA1
b01bb1fd6ef2f0aef5757117a3bda958b17e8022

SHA256
f205b1a34dbd78d31a5ce4a375ed9a4e3f793d74be2921e2cdf3acb777941ad3

SHA512
82e19a04ef8747d8f1fa541ade061a0e7109de5ed4bc1de8df21cc42397c0969559c0902ed0465775b8e03524ac68656b9af137fe8ffb5b59ad771aff4b03964

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
863e5055b71dbe4dd69885f8f4898478

SHA1
e6f3e7a8ff5d143eb1f6bf574fdd97116b0276db

SHA256
545b4d6bacf33907d5ed9ec9141f995b9634a8dab44ecfc8318b92b604f88797

SHA512
02650b2630d9e882f0d1cc37e599f76c8e35bb09d6c17cbd0a81f3304383dda419985075849d13626d31b6bbbde737936658d5396bc53665a123afde685dd15d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
b72be3c4ad22b449bc54252de439874f

SHA1
79670de8265e5cfa0fb4a42a5de1bddbc1b280f7

SHA256
75aa37baf1c33765ef7f39d4a700b511edceace6783c192658114d46b1afa5fa

SHA512
73ccd6589b82841e6f392cd9454b7b2e8a7c59f8b76c052ef9289cfa4823dd20926564edb4f832c1db72755e01a44c4475201c4d34246413f57c408a3bacbf96

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
f557f86577faff27f862d665f22da044

SHA1
92740580c1ffa711d97a83b588e4f0c2f22dec5a

SHA256
5c9f2b1818476b7bb72cc888f2a290fa9474e0aac430a5189d7733948f4343b5

SHA512
95f5324f3acf4dfbcc493f762db5b7926570b0aabcec55c735cb2091a7f047d5cc20258b180588cd8ef75505928c9e01645148bf622c931c945efd891f9309fb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
657646c4636cfdadf26007ab59d243e9

SHA1
2a79d4bebaa6faa5591d036e3d0e1df07b72950d

SHA256
7bbefd8f566eb585a1c6bd559b28f163a443ec8ff2b2903733450388c60b1d35

SHA512
ee511547cc5e26875f7c504342a8344cac563156d8ae5eabb2a269ac80536fe33d873707c549378d62ecc01b8cf374c9c71f8e0385f777f8978d2f2b13ee9703

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f85af45bc8a5576ebbf424db8bc0ae80

SHA1
8c8258307b59c5ab83c7ceff49f04fbfb667f7a7

SHA256
53ac5d6d3e372386df981e3991d002ca98b648613e2277a81e996e629b982370

SHA512
289235b70cbf13242d30aabd14cee7543775fb5879814b1e28017b7f98758a7bc44d5b533132b9137825b340b37d1a5fdeef27788fac8c6a7362f6bfcb3bc785

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
6db567ca96d1a18c1061ef1bd2246253

SHA1
173b7fe46d15ca41b16b23370a24acfbfe93102d

SHA256
fe6ac74fd8cce780b252271201d6743ac1f8432f8daa37eadfe8442e63369aa5

SHA512
41e9ba6a959f94eff8f8dec22396b28c588c89fe34a01d0fe0a13af250063e59fd438df45458e0ee5913cbf0600dc402451b53e2b8400c3e452192e2e66105bd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5a3b3cc973281ab177004bc32c28c2ad

SHA1
001657cae33c4790348ea2b077e3d7f1dd317d45

SHA256
707f472540c1b491d4f7e0c46e6787abf104b072945b1774467b7a57aa4c2727

SHA512
76bf1e471772c9b297ca4a2f5125f42ca97fb63daeb20da4b74acf7b23fef7de33cbc2e146bb2b1b415658cf7127693bed5836f354c09e0aaedd106fa78f2357

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
02853b0c79803f816b46f496aea9fba9

SHA1
9a9be6ba0b621ef0aae4ce57962a14c3e97cebd0

SHA256
74aebb6dcf710eae341d55d1edacef5908b49ea7222ea522a914cf60dc3d72c4

SHA512
36ac11ba8bb8758c96ff774829c3f492ad83462032739e91a84c5a0db640db5ab98e03a0cae3636e337dd3f75607470ef4b446d668101007166049b60093c499

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
0ab70e663eb1861c1a34c468b96f460d

SHA1
4b9e94f99bc5fae6293c48be2defce59f942e78f

SHA256
42efd223077157405b4c9ce7b7a0474611126618c06fbf2f1871b7e1dc54448d

SHA512
67de9917a7604b73b6bc97b06933b34fba5867c4728157874ebdd6ebde3a0fd7a5964d183155210106abc057922331db5d1ef2fdf98449fc8e7fcea17657b93d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
3646d6cdaa7b79433356bcad7eaed2e3

SHA1
c2df1766824a572d9346f62bacd71b701766ae2a

SHA256
f6d81b5ac9866a6e65608766fe5f5f5276e8aa43547a2493978bc9af5021b8ee

SHA512
98ea8f27c1a37d82c6f054969774e609e828582c8ad48d21c75734a7c68d6167706914bcdfa3167f94ff6fbaa861e32635f56e80bad7999a8692cc63d0aa66c1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
d1301d699e8d7076c1ac63559d248ed4

SHA1
122cbc3c3c1431611b09e35840e0c73c2fda3508

SHA256
415c1f47f4758496373252e6517c9acfdd1763aa9de801ccd3ae0bf220a894b0

SHA512
c3ef3f31358b9e41d7bc0043cd72b2326f0c4b3b0ce3a6414d7a3a124957b72e684a33e46f7eb4687440bc7f47e787eceedf0ced12d4a6a4ddce7ff22c7f7113

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
e2ea2ee80169dd5996c2cced51ffb25f

SHA1
ac54719feaad400c8675c3f0043efec0e573dd12

SHA256
a5f14511d845edcc0e4ee393013ea60294390ef3635fee31c7c67b8ca50a2f28

SHA512
79ca6a0e0157bfdb0a40316a123f2c7ca0a2bdbf3dffbf6466ad32ca44c92338757308b80117b126c7fd7ffab4747b9b7c7907162c8a65fa9d314f4e3e7a3da9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
9618b40b908733e17822a2826a1be00f

SHA1
6e32ce45a2463925b8f8596cfe4fb6f3ab75bd45

SHA256
b3f8e3973202f5fbe566550f0fba9304c4d5d1ef5958cd1664cfb2fb7944ee7d

SHA512
981efccaf1a854cb3b737cc06e8ae625453693e16f89e8eaf5d837b1d9ae21dae63e809ef477cb3bc132c79714a19cad83256ea911ccfbb2a6eb750f8e671a0e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
8a08d75d0c9b5b77123609dea92d33d8

SHA1
c230ddad6516308f0538f9207de4de6d2d53cf73

SHA256
d3cb6d23659d753bd13cf6d69d8967fd22922b18b4cf901cf7f927e81be7b446

SHA512
e0157bbf696ce1273e5478907a75175426655cfe2f2e0d0683816b33d5f658db8e46c0ace0a1a1b236b4c33c0f76f9d9d31a16b4d54aba80fb95feff8ad5a9dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
30a23b64501d69ab36a77fced46d2eb5

SHA1
636f46a1218df156c26b7758af278adbf055e6fa

SHA256
7da45f22b8ab101a4a591daf48e5b9fb607c333300529b77b129612028e4b8de

SHA512
fb21a1127e49815ce101e3f33ab572b1fc64aff19dd38b3aa79f0857cc8d9606b5bd47d2099bfddbffa17b388b545779bf3f6e15cf22b8821f83a211bffbc916

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
91a569c287abdaadd0ad3d17a6b853aa

SHA1
f7c4f9d48731ba6adf73f3874cc70639f36f48e3

SHA256
f9756fa2fc4c8a34e677fe14b4c3a53733c56546aa1da77c09af212d330d6733

SHA512
d6beda34c8bfad9ab0aa6e6e39e23a253eabb4f036765855d1065c8903671462555b931bb49864960851a0142e4b3b29c4610164f151a93a53965d7fd73bd608

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
bcc845de96064ed69b51a7cc07526d87

SHA1
34ac5cb8365a0bebf35a2ff9bb2fec8fef2a6396

SHA256
61b5c0172c0702e0d6c3d92450084173da18edb7704a9b8f522cf73bfcc28c30

SHA512
d2fd7bd8916f19d38dc9ad15ed585d2b5b057b15897b13ade9dbadfd3a4bd09f939baeff27d49791109504dd2e67a4949711c1003b3d18432c25be65a319784c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
fa5c0379d330fdb06059a0127f8feef2

SHA1
6533470240a40f0c96220df723a6a8c998bf385d

SHA256
4e577179ff591953130ff622f2fa2a6ac42f408ecaea67733a21b13be719a9c7

SHA512
36cb5dcc35f7e46f4c11078b55a25463046c7d2a4cdaa84bd4902b51fd57b59dce5d9798955456c16b310ff99b8981e48227b62f63f9998f960e7eb421102101

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b07cc41d1240c967617f9cf2b29314a0

SHA1
ed50971c09cb52863a00fd65b95c89d82542d4bf

SHA256
1a96969d4898ec63eb1f96374cddf0c4920564e243a0f420afdd49fba4511667

SHA512
10133ce377c06defdf1248c95c350942f29f7c980609c22588fb2bd3bc05d0239545b91df377830603f45ea097253eec1e0e3713cfe339a832d922ea20ef09db

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\105e8c72bfe435d8.bin

Filesize
12KB

MD5
6d617855af9028d16cc5405a1cecf366

SHA1
02619eaa029e2c6b9aa99bb4c593f4b501237e85

SHA256
4b33cc29c4061a8c9fcf8597085e2266e3b90837fbdeb416dc42871bf1f6dd2d

SHA512
905c2fdb5604966d3101b42a038adf2ef202a4d3706a4f1c06fa05103e5127625b8a06ab30ac31d78adeaa9129d6a823c500e1518c241a70edc26666529afc69

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
ee6258bf29a2d85aa57efc7444e7c6ea

SHA1
ed56547e314698691b4604fe759837c02224756a

SHA256
c3b1dcac323c850e9b4f08bdfab3d9308a75d9af1fdd9194fc7b199a511cb9f4

SHA512
873484b508561b1fead81efa8caa573cb1aa550c4ca690ffe3e164ef3dbbcb6cd5bee462cf9974a9278ea3f77b2236955915ead7cc05a2fdf7990ac390cf9881

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
630687d8bb227259971b130d51ef49f3

SHA1
ac9036674a5766c1f97dd14984811ce2e555cb6b

SHA256
0e69b90c2cdd83030ede19d9cc1ac04b7680874b5f543d20707524ebdae65706

SHA512
20718d138c39bc612940ad3a1d247222cbb8341b5934c1e72040cb1670315e565b481662fa45802efb36aa3f260a02f0404cd0f36f5ef2cc6919f2326e97cf7e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
af5b967606de30e66d39e058406a4043

SHA1
e15702d0aa3dd15c84cba2c695f63bde4d600d30

SHA256
0de1e9b0e428bd6ecaaaad3f78ff7c0620465a6dfa4e64764b9749632369622c

SHA512
3b936588f7c77dc56c1778c8a743acee423624d9df23365c90a22b4c5b31f3f064c442b2be4be1f440b6f6e536c299a5431cb807d64c3c1f23d3a07b68d85971

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
65355207ba84faf3ea849bc07102d795

SHA1
ff1a5b9c380891a26b9ea3d93f588539cf368ff6

SHA256
88fa190c30dbc4bbfe736bdc947068badafd70352e91f4e8d039508022147002

SHA512
555705b5a974042b7006ad0481b06445433b88c4c029b84cbbcb6d7a5d74b9894ee621d4025389033e4e7563903b0bed909a313264e67a3f38d195fe07885627

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
73f90f1f092c714bdb71d142a473dd22

SHA1
a38a9b3070810fc77f0f45d70e423cfadf892b83

SHA256
9461a7cfacffc1a06eccf872a7685bd5455ce307bd3c18fc1bc0ff094c9fda5b

SHA512
4a7cbd42525de55ce51eaba3dbd26ff7cc6fd549a7c118ad76dc6daddad6278bf29d1bfc966c909c9a7eaa17c9af8fb5aa6896dc1fd49524ce33d4347afa365f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
195e8016a1259b65e18546654108262b

SHA1
e2786461fdd0832da4858893bbaf3d37ed26b37f

SHA256
90b570b29f2c955b94cb371292243ec55461e0c4564fb2344ba76882cc43c4a4

SHA512
b46dfa24d647d9b34bbcc66cfd7aa90b3fabc6bf4187beb969f312c5a522e334ef1244070738a3128b53c04ba110decf352b93958df796cdf00a86a308a60335

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
5debb38d2f2f062e3e1282c1f047f606

SHA1
b8bdc5a59683bff75aeeb91e557c036e9bb4281e

SHA256
1a3d86e953f1f9bfe0080e06d8b6103af6ce5f8ff21ed3e6a473853116471366

SHA512
5fee2e59346efecbf573cb8c8382a68473756f819fe96a99321505479f169eff961482b6ff41173cba9801aaf28db82f09edfbf480869d1a1d1b8602a0916a0b

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
86db52d84a39988921631e06ebd2be9e

SHA1
1ebd9e783e4d1c37ad9deff7aaa9d36540987cbf

SHA256
df355d6d411168bc9c60a76448d13ef47652f00f316492fc33930592d01fa6ae

SHA512
6be32e98201473df847cbe71173914e6fc2c33374c968cd3a905640d4e1680396831de568eecf005eb00c367d1ab9b0d715437b15db76f3bc8e262ed2fb1d074

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
24215d82541cc05646974518cc07a136

SHA1
5354b33e78a40223b978357cb52accc7f46a26b7

SHA256
f76b7674880e6ddf11074b6ae8bbcfc3e48e4e78a2256614744e21b5a35a2fe7

SHA512
b7af7ba62de1976e198590862310fdb7dfd69999c536ba345b266bd87559ffc86b0fc28de09a4f0a97a21685bf49cb2d3208dd281c3aaedb61ee69160430b710

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
0f2a38731436248e60322cdefc3ca0e8

SHA1
9658909590013349d4275dfb7e204508d9259617

SHA256
45f0fb0c28563647bcce3c112668f409058f4649217e13450b0399b709db713f

SHA512
b2c10b2f0c889cf0a74dca710a72de59295c7f2368f673706dfa11690a6d46e6e0e75e9b905dd4009f34eb249ea88e4da724a0e430d86ecef5bef9bc4cc92942

Download Submit
memory/1240-68-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1240-7-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1240-8-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1240-197-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1240-196-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1240-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1240-0-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1500-158-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1500-160-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

Filesize
9.6MB

Download
memory/1500-198-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1500-157-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

Filesize
9.6MB

Download
memory/1500-204-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-116-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1528-114-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1564-163-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1564-161-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1584-415-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1584-420-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/1796-241-0x00000000004C0000-0x0000000000572000-memory.dmp

Filesize
712KB

Download
memory/1796-238-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1796-183-0x00000000004C0000-0x0000000000572000-memory.dmp

Filesize
712KB

Download
memory/1796-180-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1820-209-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1820-317-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1820-187-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1828-166-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1828-422-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1896-90-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1896-83-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1896-112-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1896-101-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/1896-99-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/1896-169-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1896-84-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1896-199-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2092-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2092-92-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2104-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2104-132-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2104-124-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2104-127-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2280-164-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2280-165-0x0000000001020000-0x0000000001080000-memory.dmp

Filesize
384KB

Download
memory/2280-174-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2280-175-0x0000000001020000-0x0000000001080000-memory.dmp

Filesize
384KB

Download
memory/2316-171-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2464-220-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2464-213-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2464-414-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2532-412-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-426-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2532-425-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2532-400-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2532-407-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2548-97-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2548-18-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2636-80-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2636-21-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2636-22-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2636-27-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2676-125-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2676-44-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2676-45-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2676-50-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2708-228-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2708-102-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2708-181-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2708-107-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2708-108-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2708-227-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2708-98-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2784-36-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2784-94-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2864-232-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2864-324-0x00000000743E8000-0x00000000743FD000-memory.dmp

Filesize
84KB

Download
memory/2864-242-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2864-240-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2992-60-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2992-61-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2992-67-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2992-135-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download