21542db4b2e455c323893c27bc098bd8222444a71f959f295f7e0f835ae95933

Analysis

max time kernel
162s
max time network
168s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 19:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21542db4b2e455c323893c27bc098bd8222444a71f959f295f7e0f835ae95933.exe
Size

625KB
MD5

1f4c00c89fe2ac37902fbabe0d006229
SHA1

e758519742b272b3b7f7b9de01324cd95b9171a2
SHA256

21542db4b2e455c323893c27bc098bd8222444a71f959f295f7e0f835ae95933
SHA512

6b5e31360ee1ba15de78f174d5c445f7995a5150a6138e69546eb3cefcbbc52eeebc6c9041489aaf77c8033331144002f8487c970f344f97867cecfbe208b2e6
SSDEEP

12288:R2r3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:IrHofe3y1sInB2COzRq8DvFqt

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 49 IoCs

pid	Process
468	Process not Found
2624	alg.exe
2868	aspnet_state.exe
3040	mscorsvw.exe
2896	mscorsvw.exe
2780	elevation_service.exe
2396	GROOVE.EXE
1480	mscorsvw.exe
1416	maintenanceservice.exe
2996	OSE.EXE
1660	OSPPSVC.EXE
2316	mscorsvw.exe
800	mscorsvw.exe
2904	mscorsvw.exe
2836	mscorsvw.exe
836	mscorsvw.exe
700	mscorsvw.exe
1940	mscorsvw.exe
1612	mscorsvw.exe
2544	mscorsvw.exe
1712	mscorsvw.exe
528	mscorsvw.exe
2240	mscorsvw.exe
2704	mscorsvw.exe
2332	mscorsvw.exe
2124	mscorsvw.exe
1240	mscorsvw.exe
872	mscorsvw.exe
1928	mscorsvw.exe
2652	mscorsvw.exe
3044	mscorsvw.exe
2260	mscorsvw.exe
2872	mscorsvw.exe
2500	mscorsvw.exe
2556	mscorsvw.exe
1092	mscorsvw.exe
3020	mscorsvw.exe
2504	dllhost.exe
1232	ehRecvr.exe
2456	ehsched.exe
2672	IEEtwCollector.exe
2608	msdtc.exe
1832	msiexec.exe
2824	perfhost.exe
2288	locator.exe
2212	snmptrap.exe
2316	vds.exe
2684	vssvc.exe
1900	wbengine.exe

Loads dropped DLL 12 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1832	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\748e36d99b392089.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	21542db4b2e455c323893c27bc098bd8222444a71f959f295f7e0f835ae95933.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AC0193AA-201F-4A60-9BA4-8A4089BB5837}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A4D68AEF-33A9-4C89-B47F-D7FF5807A3F7}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A4D68AEF-33A9-4C89-B47F-D7FF5807A3F7}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	ehRec.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1164	21542db4b2e455c323893c27bc098bd8222444a71f959f295f7e0f835ae95933.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeDebugPrivilege	2624	alg.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2868	aspnet_state.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: 33	2792	EhTray.exe
Token: SeIncBasePriorityPrivilege	2792	EhTray.exe
Token: SeDebugPrivilege	2992	ehRec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeSecurityPrivilege	1832	msiexec.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: 33	2792	EhTray.exe
Token: SeIncBasePriorityPrivilege	2792	EhTray.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe
Token: SeShutdownPrivilege	2896	mscorsvw.exe
Token: SeShutdownPrivilege	3040	mscorsvw.exe
Token: SeBackupPrivilege	1900	wbengine.exe
Token: SeRestorePrivilege	1900	wbengine.exe
Token: SeSecurityPrivilege	1900	wbengine.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1480	3040	mscorsvw.exe	34
PID 3040 wrote to memory of 1480	3040	mscorsvw.exe	34
PID 3040 wrote to memory of 1480	3040	mscorsvw.exe	34
PID 3040 wrote to memory of 1480	3040	mscorsvw.exe	34
PID 3040 wrote to memory of 2316	3040	mscorsvw.exe	38
PID 3040 wrote to memory of 2316	3040	mscorsvw.exe	38
PID 3040 wrote to memory of 2316	3040	mscorsvw.exe	38
PID 3040 wrote to memory of 2316	3040	mscorsvw.exe	38
PID 3040 wrote to memory of 800	3040	mscorsvw.exe	41
PID 3040 wrote to memory of 800	3040	mscorsvw.exe	41
PID 3040 wrote to memory of 800	3040	mscorsvw.exe	41
PID 3040 wrote to memory of 800	3040	mscorsvw.exe	41
PID 3040 wrote to memory of 2904	3040	mscorsvw.exe	42
PID 3040 wrote to memory of 2904	3040	mscorsvw.exe	42
PID 3040 wrote to memory of 2904	3040	mscorsvw.exe	42
PID 3040 wrote to memory of 2904	3040	mscorsvw.exe	42
PID 3040 wrote to memory of 2836	3040	mscorsvw.exe	43
PID 3040 wrote to memory of 2836	3040	mscorsvw.exe	43
PID 3040 wrote to memory of 2836	3040	mscorsvw.exe	43
PID 3040 wrote to memory of 2836	3040	mscorsvw.exe	43
PID 3040 wrote to memory of 836	3040	mscorsvw.exe	44
PID 3040 wrote to memory of 836	3040	mscorsvw.exe	44
PID 3040 wrote to memory of 836	3040	mscorsvw.exe	44
PID 3040 wrote to memory of 836	3040	mscorsvw.exe	44
PID 3040 wrote to memory of 700	3040	mscorsvw.exe	45
PID 3040 wrote to memory of 700	3040	mscorsvw.exe	45
PID 3040 wrote to memory of 700	3040	mscorsvw.exe	45
PID 3040 wrote to memory of 700	3040	mscorsvw.exe	45
PID 3040 wrote to memory of 1940	3040	mscorsvw.exe	46
PID 3040 wrote to memory of 1940	3040	mscorsvw.exe	46
PID 3040 wrote to memory of 1940	3040	mscorsvw.exe	46
PID 3040 wrote to memory of 1940	3040	mscorsvw.exe	46
PID 3040 wrote to memory of 1612	3040	mscorsvw.exe	47
PID 3040 wrote to memory of 1612	3040	mscorsvw.exe	47
PID 3040 wrote to memory of 1612	3040	mscorsvw.exe	47
PID 3040 wrote to memory of 1612	3040	mscorsvw.exe	47
PID 3040 wrote to memory of 2544	3040	mscorsvw.exe	48
PID 3040 wrote to memory of 2544	3040	mscorsvw.exe	48
PID 3040 wrote to memory of 2544	3040	mscorsvw.exe	48
PID 3040 wrote to memory of 2544	3040	mscorsvw.exe	48
PID 3040 wrote to memory of 1712	3040	mscorsvw.exe	49
PID 3040 wrote to memory of 1712	3040	mscorsvw.exe	49
PID 3040 wrote to memory of 1712	3040	mscorsvw.exe	49
PID 3040 wrote to memory of 1712	3040	mscorsvw.exe	49
PID 3040 wrote to memory of 528	3040	mscorsvw.exe	50
PID 3040 wrote to memory of 528	3040	mscorsvw.exe	50
PID 3040 wrote to memory of 528	3040	mscorsvw.exe	50
PID 3040 wrote to memory of 528	3040	mscorsvw.exe	50
PID 3040 wrote to memory of 2240	3040	mscorsvw.exe	51
PID 3040 wrote to memory of 2240	3040	mscorsvw.exe	51
PID 3040 wrote to memory of 2240	3040	mscorsvw.exe	51
PID 3040 wrote to memory of 2240	3040	mscorsvw.exe	51
PID 3040 wrote to memory of 2704	3040	mscorsvw.exe	52
PID 3040 wrote to memory of 2704	3040	mscorsvw.exe	52
PID 3040 wrote to memory of 2704	3040	mscorsvw.exe	52
PID 3040 wrote to memory of 2704	3040	mscorsvw.exe	52
PID 3040 wrote to memory of 2332	3040	mscorsvw.exe	53
PID 3040 wrote to memory of 2332	3040	mscorsvw.exe	53
PID 3040 wrote to memory of 2332	3040	mscorsvw.exe	53
PID 3040 wrote to memory of 2332	3040	mscorsvw.exe	53
PID 3040 wrote to memory of 2124	3040	mscorsvw.exe	54
PID 3040 wrote to memory of 2124	3040	mscorsvw.exe	54
PID 3040 wrote to memory of 2124	3040	mscorsvw.exe	54
PID 3040 wrote to memory of 2124	3040	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\21542db4b2e455c323893c27bc098bd8222444a71f959f295f7e0f835ae95933.exe
"C:\Users\Admin\AppData\Local\Temp\21542db4b2e455c323893c27bc098bd8222444a71f959f295f7e0f835ae95933.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 250 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 280 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 298 -NGENProcess 2a0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 248 -NGENProcess 2ac -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 2a0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a8 -NGENProcess 2b4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2396

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1416

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2996

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1092

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3020

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2504

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1232

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
8a0ae969424444d8b70f54bd354df530

SHA1
f5a129f0b821584d2c915d7b30bc8df2638c7817

SHA256
1a1833e816c4f3067067d164a41e5a5559560ac42a48654e33f9542d82c3dbc4

SHA512
20e8bb786704c1add086ffd81338bfbc2cfb87fb2572a43a4d9954a5f0130eefde96a7bbade645153fdc86309df0f571b1d8c6229eb1ac3d871b338b2db87b4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b2d6e0ab0888b4fbde525b6d1af9d753

SHA1
1706a5c7acd2964d7ec5aa359371b393d4ae6059

SHA256
373b0a616d036a3e5b81b4887ce253f2e20c720090823ae304d2b416ab605427

SHA512
7476c33191a22cbefad5d814ee080c0ef3783e7b5cc81495fce02041cb3f6eb19e0c42a5bf8642ad53d708d5b517f05b29dcb2ceb3634645dc6d9b7d6bd6c09f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6292c3b1f47c67103fb868abab16dad5

SHA1
7d50839f537099faaec181eba0017ea308c7573e

SHA256
036868651d21a089e614484aa466226713c9b8f246cc9b1cf7a93f76794c6b5c

SHA512
403cf387c5f730bfe981bfe421e2a6fc76ef7b421c56cbf7d8fc2776d9b507e6066205dd82da9e666c626654b553797d95e66c230872cac6724a287238e2dd32

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c1a5b9c97aad26236cef6d085f92287c

SHA1
064aeb0094bbf5b335f249ab0d313f1c8d222169

SHA256
b3998f1f18e3fa81597b589138df744c3c947fba36000d4a462bdc1c7177cf17

SHA512
a334aa77a9e7e21dcc1a3d6a9093ec10b37f833a199d40282f3598fcd6f782f7406c5c8dfb5bf7509559e255183a766f12517b76282043fec6c12c9c7e072b34

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8f3c78231e9caea4a1d37275b6edff4a

SHA1
02a521a0c005639825df3508beef609962633b08

SHA256
4703b41fc941ab1e1f9eec57f1d1ea6c8fa81e3cee442f80fa9f31d29c66d9cd

SHA512
a0a31a8fed60a641b7b5fe077acf043552a3964d04454681a2e4496f1c47db301535f27caab1a9751b85b440a50fd7ff1a2b69aaa1ded38606ab5fde74704217

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a496b360f4f1173ecc37fd7069b9524c

SHA1
ba58384b48a8475dfdf9bde09431073f4f4c0357

SHA256
7bdb3d2d69f7ba7eddfc45a658cf4b2bd92964be26b946ccc289b47fd2d5b780

SHA512
6b8cbd8e0bbb8e1eadc1ccf7a03716279424f43f90ec7505e6fd908917ef703b9dfb0389659d94c75b97e008b2a66fe4ccd05c0c159f4b2b0901f22b8873025a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
3539e72bb08f040cc2b548994db4f441

SHA1
0c16fe2dd21c65c16e2209ad48b71c04a2a07a5a

SHA256
e854d71f4a2ee924b136effa4f12e03bcf3d967261d2294065b1053557d32f9a

SHA512
f2c7afb02824052977f8eae9325c28c01ba9be7a3968d58aa4fd5d633b64f2228ae182593e08cdd41802e2f7ac5268ff69d97b819a66e3c6ee9b9db5e3baca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
18a23a0c2ab7bc3d71d78de2ccad1b61

SHA1
b80d2b7519a771e032f456a886411476a4512e70

SHA256
8acdca171c7aa84963def44fe3de7e69c0e43b031bbd633decf71072d913c620

SHA512
af454e6583472643f216c7fd04e810d46cb47488c34dda8fd89076587ae4f4b24e34cc73d2f34f20e979f6455d3f7b8800bc32e61f7421b154cb5d174b1a63af

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d3788a45d0386e7253efa3e4176bc555

SHA1
25cd7367237395eeb7dffde1fe918e8d33cd9dda

SHA256
1d26e345cf8e02af82b130aa350bf86610d5ab421995dd2d3e7719be5e8e7588

SHA512
3cff85eb8a2d7e69767e4b386dd50e265b22cbab9fc38ca5bae2247078f53c337a8efe4b7fa50dc40855c1355874e4d3cd432567060a1e133292b9139b70db11

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
c6a8b213827e5869a2d13d063c46a936

SHA1
faacf30b278878c7145576d323495e4caf0dbf7c

SHA256
2baa2b7040d1d18ab539c1ede2a9d259a2611be095300ecdb757a339e01dade6

SHA512
112ad94612d473228feea848d406d74563771c2e0d2a47ab1a1c26b0c1f2d50a4e1e369ddd34aa04933eb443b835bccb8fae1a9e8b86ca5f59ec68757fb8385a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
0db1aef5d5db14c1516b9557ccc5d1d8

SHA1
69ce0b6188f48fde46db1aaff2559fbd1650ab4a

SHA256
b0c5b9dfe367ee9f42715e68396b10524735fa3a826f18fff6a4120ae77c0178

SHA512
ce5926f6bc7cf188546f90f705d14234bca09e7eff89238aee7160ba99b27e68ceba266d891bdfb072e457f007aa362221f611a135033a45ebd0e91d2df6e4d0

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
00bdcde7b8d6c5e6ce82370bba30b646

SHA1
5bbd3df2679096c4d0c5cfa5a6d2f46af052a46b

SHA256
ee3c197ee74fbdf2f5a4bc9dc379f62bc87320d76aa90fe6deeaedcb80fc533e

SHA512
0ae07258cd2b6c6b12d7a5085e2c7736c0ec2399583bae2f74911e91202ff886f452a32cdf08c18de44ca5bd369b6a83a8f15812859a574602aebc0604dc2ef4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
e23b0b3c6f74e7e853aa11affd5581ae

SHA1
76849cf56947d37d7dd59b55e52a440bc48fa3d4

SHA256
d6ba3d9b847215d553d4d3837e2bbe25bdd48f616433aae00a36cc1d6353a08a

SHA512
8685547ca187d57b59d1728feb5e87a58145e01ca044a13d17a904d7d9996d8214e13ef11d5638e894637019b90b2648af0b23fa4b654e0cc1e6e58524158012

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
6cb698a10d0567e3d504cce3331ae3d5

SHA1
2841c60bd9dfee28aa908d9c803f1dc4468fb122

SHA256
a02cd8b3b4f870456446b7998615f3fc1922ec99f6d20768322950f1d890a08f

SHA512
7cb7ba8a930feef7720296f0ce00df792655acf7ceaf6ae6fc1baef433c80fc525691da05cc647b964aadb04515aa9a9eeda162cc113de939db9dc5f8ce982fb

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
973f24c1e4393919d35441b0d6a4ea22

SHA1
2c4fc8144ca4df60520dcbe3ee44b397e3fafc82

SHA256
64f3dec60dadf21555b0c745bf598edc839e5fce1fc6df0fd90d4ad7bec218b2

SHA512
d9261b83f46a4eb5c5f21fe82c8d3a0204b83c7f02a03871bf685923b1ea7b8defc767a0a446221a1fdacce065b04c739058ee41f78df57fafba2f2295a4ebe0

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
5890daa553230d2ae524808679131417

SHA1
2c0ed5283b68a6bec32c3babae2b4a585c4d01fd

SHA256
b415477a3f3668cad9b3de645fb50119b3e25408a07bf18e4169b883f6d2c785

SHA512
08a6f96fbcf95494187168d875aac56c888434b74a2554891d252330807059bf518178a2b1b30e2fd4466a406a571a29ed71d09a5a5764e2ceeda41156d16ba2

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
db2c5f761a7249a29b69594d20c71033

SHA1
7d4c2f8712cbeb45c2ff40e5b840cc07390e1f9a

SHA256
81ec0b7156dc678e97fcb256429dd2031b37f36d1f3eed6158f60084c7ac952f

SHA512
bc895d1bec634598acc8ef949ed7402f4ec9f306ab5c0de32303d9adb98a2937aa2117d37ebc81c32279a7344803b6bada28516842ea85ea004346b48e86e569

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
dcf6e775644a589ad534c2dac5c00cfe

SHA1
df752e44585453a0d1062c4ccc76afdeeb609887

SHA256
498221e64e0ba51a6154116456cf13cfb2b141005cbae44751abd146256330b4

SHA512
92b674af8ad5aae5dc9c694f6ba8f5b2d98f81c86172117c2c313f7810517c73ba962521a8b9e39c0049c989702ff7889267ee76e73f7b7f7c2e65da9ad3b7d9

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
90e5c33266fb11a374b1c0a549f6cdf1

SHA1
22dce5ffb8c80e6bd306fb8437b352a45e3bc901

SHA256
5d73583aca5b94158fa9808d058e4240c6e2fd8a4c1fe20146d7af0785442c3f

SHA512
ffb3980e8882fcb18eb28dd8263351a78e77d8709d98a97fb648b9c9fe5b5d0308f467059ee35a1ba4e20e2cf269b671a2bf5ba2b357a663360b6a20e76c8e77

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
93600113aa90e785116e66024e12d877

SHA1
9a326c233a818fecf0505d8575534b8c90e8c7b7

SHA256
ea38ccb4d507b5652f8ceb149a225f783f86c9ba5e6cf2feae120ac5218681cd

SHA512
988f7324f2b1a827e5a131674b9074c564619ca29b7fbf4de782638591a8b43547f85c23fc4cb241ca246c2347b632914bbeba547aedd519dfab23ce028b11aa

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
aff8552d3ca31e25159cfed762097fd4

SHA1
84029f776bea498a112e1b00abbf76656b032ce3

SHA256
22ddfb2547b07531b7b1ced121b2f77b2fbc182a8297d0b03440fd766c3462a7

SHA512
36688775294e5030ad237be38516e74ed3e6ba348ccf562489dc740ff2b9b12c6a192eb32f5f65e37146969af659fde47797cd16bf6ef4035df0a23bf00da11e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
8fc246e4f921906d63839b69b63ed3e4

SHA1
ed2143900ad2fcdb7b7d343874e25dc468921bf0

SHA256
ffeda554c60e148809e8f75ac674a27d1fd8c8f8f3e3cb369d10379308031cbc

SHA512
b03aa1a8f2480db865d560a348e39ef71d710bb77677578a859e9dde761f3426faf36693d537a95cb70ae021937a76cfd6db76dafe2d6c23092a5a3782785653

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
7b0441e944671abe606421bfc62a6faf

SHA1
673af1f08d19dc5c08e6a19f2938e2ef7458d02e

SHA256
d0d3262361e89f8fbe97d3c34e3c22c0b1c413c984dca1f051fcb5f255efef04

SHA512
23339c38a2ecec137aa27ba4cbb07fd24ac2097814f092a561ebdd8a40f6be2fcea025a62081d1cfe972b1a42b8799c21a254f145423f03257e691721a2481cd

Download Submit
memory/700-388-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/800-315-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/800-313-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/800-190-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/800-208-0x0000000000AB0000-0x0000000000B17000-memory.dmp

Filesize
412KB

Download
memory/800-213-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/836-369-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/836-390-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/836-380-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/836-386-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/836-379-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/1164-1-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1164-25-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1164-7-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1164-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1416-135-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1416-134-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1416-111-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1416-112-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1416-118-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1480-137-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/1480-101-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1480-107-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1480-212-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/1480-171-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1480-102-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1660-152-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1660-255-0x0000000070028000-0x000000007003D000-memory.dmp

Filesize
84KB

Download
memory/1660-143-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1660-366-0x0000000070028000-0x000000007003D000-memory.dmp

Filesize
84KB

Download
memory/1660-151-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/1660-321-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1660-302-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2316-163-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2316-173-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2316-174-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-210-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2316-211-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-94-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2396-88-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2396-150-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2396-87-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2624-73-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2624-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2624-14-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2624-23-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2624-20-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2780-82-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2780-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2780-75-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2780-74-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2836-344-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2836-376-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2836-336-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2836-347-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-375-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-38-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2868-85-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2868-30-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2868-31-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2868-37-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2896-65-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2896-110-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2896-64-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2896-58-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2896-57-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2904-345-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-325-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-346-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2904-309-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2904-304-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2996-139-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2996-138-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/3040-49-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/3040-43-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/3040-42-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3040-98-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3040-48-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download