3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb

Analysis

max time kernel
39s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Size

2.3MB
MD5

68086d898430315f623dd8c3f25def49
SHA1

80b50f470100a11b5a44bb0a5b715842aceb220a
SHA256

3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb
SHA512

df91af032dbf1b8b30e15b168b34e13f8ece259a7ce3289f8f4e311bd149b68be1c4b9caf102e742a7a56451fa2cfe70c05a55cd9421776ec6ea3320471dbac9
SSDEEP

49152:EQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0jr70jIpM3kiSBM29mhNq:Etdnfnwp3oOLuB/3/ur70uMhSBrkNq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 29 IoCs

pid	Process
468	Process not Found
2740	alg.exe
2656	install.exe
2488	aspnet_state.exe
2920	mscorsvw.exe
1816	mscorsvw.exe
600	mscorsvw.exe
1492	mscorsvw.exe
2812	dllhost.exe
2320	ehRecvr.exe
2844	ehsched.exe
1960	elevation_service.exe
392	IEEtwCollector.exe
1724	GROOVE.EXE
2544	maintenanceservice.exe
2984	msdtc.exe
2452	mscorsvw.exe
2344	msiexec.exe
380	OSE.EXE
2780	OSPPSVC.EXE
1128	perfhost.exe
2092	locator.exe
2408	snmptrap.exe
2728	vds.exe
2444	vssvc.exe
2760	wbengine.exe
1820	WmiApSrv.exe
2548	wmpnetwk.exe
1788	SearchIndexer.exe

Loads dropped DLL 17 IoCs

pid	Process
2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2656	install.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2344	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
760	Process not Found

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ba1f447a7df8f25a.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\vds.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\locator.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\alg.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{319D131A-61C2-4C48-8959-C98203A15EE9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{319D131A-61C2-4C48-8959-C98203A15EE9}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2136	ehRec.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Token: SeShutdownPrivilege	600	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	600	mscorsvw.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	600	mscorsvw.exe
Token: SeShutdownPrivilege	600	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeDebugPrivilege	2136	ehRec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeSecurityPrivilege	2344	msiexec.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeBackupPrivilege	2444	vssvc.exe
Token: SeRestorePrivilege	2444	vssvc.exe
Token: SeAuditPrivilege	2444	vssvc.exe
Token: SeBackupPrivilege	2760	wbengine.exe
Token: SeRestorePrivilege	2760	wbengine.exe
Token: SeSecurityPrivilege	2760	wbengine.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2656	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	29
PID 2156 wrote to memory of 2656	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	29
PID 2156 wrote to memory of 2656	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	29
PID 2156 wrote to memory of 2656	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	29
PID 2156 wrote to memory of 2656	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	29
PID 2156 wrote to memory of 2656	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	29
PID 2156 wrote to memory of 2656	2156	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	29
PID 600 wrote to memory of 2452	600	mscorsvw.exe	45
PID 600 wrote to memory of 2452	600	mscorsvw.exe	45
PID 600 wrote to memory of 2452	600	mscorsvw.exe	45
PID 600 wrote to memory of 2452	600	mscorsvw.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
"C:\Users\Admin\AppData\Local\Temp\3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- \??\c:\5055bcdaee20a3a10d\install.exe
  c:\5055bcdaee20a3a10d\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2920

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2812

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2320

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:392

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2544

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:380

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1728
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5055bcdaee20a3a10d\eula.1031.txt

Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
353d9ecc3f82f3198185126885b7f38f

SHA1
4ac0522f015aa146f0fea7fa4d7218ca3c13e623

SHA256
3279150a8715a900130d39b8998fb8c5408cc281c0fa69f602f470b60771b176

SHA512
3f447d7d0e807b8766af21b3b49afba075ac35a7438209b50e03763e37e6b60807030eddeb678ac695c6c07bf97d35bbacf39b7a2f0ae20d70d4152c7fea4b8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b802e1d79e7f4ffa5b57532ae6796437

SHA1
ff7860ee3b38cad6f3c3200b8be7118cabbcad42

SHA256
1739878926e99e8a94b9b6add3e321bf124de86f12a15b93c94e086529777926

SHA512
743876d506b6fab84fd2a57d0643ed6c8efaaa928123b484bf5e1d7eac2b4092b1d984dc33d6635a268ce8ef8baa6e0e1aab20ea4d46b3c38a1029e39ea034df

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
50d86bda6cd0e3222706747cc0d28381

SHA1
418c76006cbfb27bfd56ffcaa5028f4facf99c41

SHA256
5feacdc100fc286e3a00fa702373818a3c720e4425139f6c5bee0d977b3c9e89

SHA512
b890ec5aad55de5113ca573cdb358ae05c8207d5034f07740a31326b7d7aba0897a4ef31beec0188c630ad675a72663179cd046ffd5fa58ff7bf9367ddb2c009

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
7068324e0a92e11c9c2dca67790ffe9d

SHA1
819d4d02f9215cc14149e2762bc9c5c64aa9af2d

SHA256
500228b690299e45bb04d712bc2a838c7b4cc6d6894a3d35ec0458b5fcdf71d5

SHA512
b30dae6fcce4ed68d98789cfdc600ced3a00bc2d8bba4f3ff899d4ee90629fa872a13a076e5f443616706a5f08fd7477f3703be164142acf2496b2f274aa60b5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
31606d7ff92f97c46aea81dbd7d4dd18

SHA1
2f19b9f15ed86d5e8df46eefbd3f0f879608bad6

SHA256
d81794eeb179652b8d25df2b630e2c1de3ccfd9d2a6cf786478554fbd1de5739

SHA512
474893e4543af560ff20f4ff8bca8966c59197a768a1b0cab9a923cc50e3aed4e5b04bc65c5c55bea1903cbe10596e99f7307bc1f2cadceb28d0d00ff9c785db

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
738a27351b6b05a42171092bb9bbeb9b

SHA1
4b901c23896e760b97341a0dc5acc96bfa47a6f0

SHA256
d5813f93798a62dda10b408f4a41bab06bd8c27d6e4a82629f258ad8181c0162

SHA512
3c4c02c764d33c2b730b9dc14698c1ede9d8fa5fc856638e1e15dd609fd344245d6f682afa308b03dfefa229dd474d4977bef70ca5fe1ebf696e5589793140e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
44f34a46752ec6e377479a8468fd1e2c

SHA1
a7371471b3883354af5c5d781ce00626053332ca

SHA256
ec44ab7ab3f12b513f161c0122e696ff542f0ec3577cb3ffcb9ed38d7ad2d40b

SHA512
30c476635f476b7a506f8aec85720b93422d7a44919e5380aaab5857f589cbf06b0d1855a8b1672c1cfc8193b8ae4f7fb270019bca0e6d755354eedc8f753fea

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
0bed242e1af897a1cdae6ad734985cf3

SHA1
05d12b9be1fbfea1e4b71ef6a4bb4bd67c7f503d

SHA256
9494950151de0050416761fa4213379ff516d14482c48967d5078565372d1d64

SHA512
1d86869b765ecf6433b5d4aa96e9fde5ad62ddefba2a076f32d2f1657fbebc46ce7c610954f1da826c77401074df1c4a4dc530d6c50e065cfea9a044b396bad8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b01484949d9fbc4ac1f085a70756338d

SHA1
f9a0d00a35a95fecca2a061aaae6439253b6f84e

SHA256
04a87eb25d8d7deb5fd94079b2834763367ea299523095793bc30e8d624e379e

SHA512
7954b708fd2782a3594565fe68f00a9852c8fe75156894ae61cd29291fc27af145ccb21c0e509e70fe8b3c59108d8c2ccb8471647dd7772da0d600b6a49692bf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bbadc5581375396735ed3187290a1db9

SHA1
c21a926e689aadea3a879ac1a11d178393d06dcb

SHA256
b4be924ba803bf9c93599a56afc10a4ae4a01b37b45e041b6ae0dceda5a2443b

SHA512
e0591c2aeddb0b506562a89a29aa51e1db103869e86bbe8acb999e72775d761ff53fc68480f5c7a8e97acc2dabda3f1e4a6b7c1423bff1b27ac9fbe3dec00662

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
bdf5f0319ed6bd58bcfdd463bff4ef52

SHA1
99d405176356502216b4b32d87fa814189ee8152

SHA256
4c55996cbb4325759afd05dc22eaae54cd0ee18a730d6a7efe26c291dcee0347

SHA512
2d208f6b2450f8f50609a0ae7fd6e7511d5a4cb8ade48fb866539458af9a83b3648ec0648e0c123a3057d7aea7e6e39a581276d694745ef6652e2c75c600f1ca

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8eb903fdf2762be16d593fafb533499b

SHA1
4f1f82de46d1d1b277069c68752796e719230f11

SHA256
d6a40037c9aa16e1e44ff2ef378aa3260079d070a01ea4efdc74571c43f6bbd8

SHA512
42268450cff5d0d7e6447fedeccd84f2a401bedd6f0090829a656a7f286db9cd9fd23a9ed63805c3061bb15b5b974e9ea8898894e8d6927043f05fe825c87844

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
9e77ba3e3650bddb7afb7e8a3c2e2332

SHA1
0053ce9a8cb06278b712cf9420b86306b50dc8d1

SHA256
1cf4994f6838d7b3434aea4a3aec50b9ba0daba862b787012b422617d6794042

SHA512
d0e614419503563c5fe52e75866dde1464516a7bb725f46c1a2dcaaab0e54ffaa76a01c13f6d2659618a637872639922cab6ebfb8b520697ce89fbcdf5b077c7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
63b7431f5deaefe8004ce8e9f131c75a

SHA1
f7bd19d72e2a9820182a654fec281d2a24516b23

SHA256
18c354c91776c9a945aeba6e93deae4dbab242ce8efa9de24d92f3d0e6aea71a

SHA512
ca3b40fe52b48d69911e911ab587fbd8c5f8f60402a757e143f18641e5efb7f170400572dc1b666d892eed9057df4fecf5fdd72ca64628c535b425776ff28848

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
09959b957a23d088f0d7f766095cd752

SHA1
3ebf790bd23f633e551ccab412fcd56d5178238a

SHA256
9c546763927fb0bc82386308f71a2b177072673308fb07622133c6a54c8de56d

SHA512
f695a026052543b5346a08b9019037f69cad4f7e45ecb89bb99620fc2fd4e1977a80ca616d2f3ea636ece52bdf49438eb24754997dc37147257ee6b2278a7707

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a884bf269b01c45762bd117ca6a6e6a7

SHA1
d5d5adb9d4e6ede1e8fe1c6d7b40f441b7d445ff

SHA256
c933aeff4c7b56aec5af661f83cddc437b54e6afa4946e9876869617358033dc

SHA512
365af07920fae61364a7744be08b791836c017fd569490265aaa3e79e7a20260f3bfdb845dbf16e9a6303791e7a9485899017d5d9522ce69db4bd710d0b26267

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
2b241796048ce3727d7a7a2ad712f223

SHA1
5f185730e0efdfd13705e2297a8f8021597d6a28

SHA256
a04213f8c27075d55004aef511ce1f4faa8ef6e3b33ab198c3db05e96c8930f0

SHA512
7f7e955ea33069558f5bf2599728233c7b4ef679168fe8bf42d811744c4bbc09d88c5ce874b19bed9afd836308aa377ccdfd5fc4c08ed631dcfcc045c67dd69f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
8ea4792cacb564beb2e96b9f3c90432b

SHA1
fc280b85daa37f741d3f28a58c16029de9058e64

SHA256
0928bdd05a74ff02722afb0b8e2c2d5842344ea24bb35de84813bc4eb32793d3

SHA512
bd3f0b121a713dfe9ea940be1f90a22e20449463fa6fdce6b4c98f95a38b7e9037c4f826bb04a60bac4d0de13ce45886d464b17f26cf4867cadaff8dc38f219b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
286828f40017de9cd8d5aaab36c70b8a

SHA1
b50556c41555b90c07188a3c77d737c416a98984

SHA256
7e2245265dc170754ca7dd28ec09f866fb9bd573e5cfb92319a5a34f70c1aa42

SHA512
e9329f105e0de1fccff365c510d4fb9a0bb29defa9ab405f9422dcb4c6f8135dc0d76e3add2a9df96b9a27ce66b32f80ce444e3a5b8aad6a7ec9b3e6765827f9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
be5750f53ae9f5b31f604b74ac2742e5

SHA1
1f82f868ce4fc083429b47116fddb6bfb9bdfee3

SHA256
f24099e9aae24f46dac4b9e4aec0422d10b05491dfdd0b93199accd4865bbe46

SHA512
0e31c88212974f6ea15c5013635c818723d2066c0c4001e9310e494dcc17b0d440019ecdcaefffad0e812044dfff44bcce974310256e832a687cf518243d2ed0

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e9567be0ddbb3731506800a218ec36c9

SHA1
a394a435f70b4c190d3b31b5a71da7891dfdc4df

SHA256
71c5700f9c920f07879f5309331cb0e4b0c9591624e5ee74f7acd0917aa79520

SHA512
4958b9ac0eb76ac27939e20568eba871ea5762da1d4d9efbed8208d51125598622a8136cb2073ca14e2121609fe0cc82af00fa5a8be1aa5683331a013b2bcdcc

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
bf3cd8888135e77c7f5018d4b929d9a8

SHA1
dc83ae5fed91a206323c3f892bffee67931b4cd3

SHA256
eec37badfaa75844698d12bf3ea00664de3c4c4045826158dfbcf1d8eb9e26f0

SHA512
56cc02de5587afbe7c8484c2b89910f293f038581b270bea4a218a4ea13a6c1906ee25478c09871de2170d98e543ae2db37637e0bb7ce5239c9aed21b4eada99

Download Submit
\5055bcdaee20a3a10d\install.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
\??\c:\5055bcdaee20a3a10d\eula.1033.txt

Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\5055bcdaee20a3a10d\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\5055bcdaee20a3a10d\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\5055bcdaee20a3a10d\install.res.1033.dll

Filesize
89KB

MD5
9edeb8b1c5c0a4cd3a3016b85108127d

SHA1
9ec25485a7ff52d1211a28cca095950901669b34

SHA256
9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9

SHA512
aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db

Download Submit
\??\c:\5055bcdaee20a3a10d\vc_red.msi

Filesize
227KB

MD5
e0951d3cb1038eb2d2b2b2f336e1ab32

SHA1
500f832b1fcd869e390457ff3dc005ba5b8cca96

SHA256
507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88

SHA512
34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8

Download Submit
\??\c:\5055bcdaee20a3a10d\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
917abb7269534b15429678b778172f82

SHA1
7e39712644ba9cc4e9c1c625de8e8bd26201cbbf

SHA256
7f59da4af4266946439356389f89816e6dafa3b339b69aad3bfe0d7d7343fcf0

SHA512
d0bb568a5b41277b70bbb66f9b693e4fa5da241e414ab12a9c093dab0bb37a51172033c495f8011ac374fd5f6d72f8e2bbe33db351e740a3815caf4e60df1f73

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
9dedefc41fcfe11a8090a6965ef53022

SHA1
0769dd02862c8e18a722433b681cc9174e392c0e

SHA256
ae72dd89b828ca43976c3dc928bb3abc6e05a9b52b83d70714b0f8368980ece6

SHA512
83c7ef5308f9ca2f748534094d74bdd6833582ec787e5eb0cee67d751e666de4a503fd187688ddb0ebcdb7e5228e47612156ddfbbe66d93c66fc626ed7996d94

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
7588d5db16278471e1358ea4518f29aa

SHA1
1db96ffe8fdff2bfd56533ac17d38de32598b490

SHA256
aa228c6a31796da1fe320ca8bdcc0bd8037b3be141043bd9dc91cc6153d33c3e

SHA512
d0e098c45276e486f2db5ea5ea1fb227fd1796bba217543a4a074064c86f2f23c024aacc34d459ce3282c6aa3b202b35afce3b10aa6ffbef0a57794f1d3947ab

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b5155d0ee33d2e603ccf16edede35f06

SHA1
dd210cd4e7575f94eeac652de64df15fbc0d89b0

SHA256
67b52b6c5eb6dfef8ee1af19079d8535ed5eb8de7a0425fa3810704de54895cd

SHA512
6496afae35c8f2e93eec2dc7a02d527b48b8d11b8a2f3acc9e1faa4ba3791d2acd829d0d2eff32752af3c564466c8b022d0f853ba79cb89147492ec17fcafd95

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
56209cd5dd34387aeb579fa5e6a1d3fa

SHA1
9aa7d58cd9897dca437babc7d1b22d6e98f7b641

SHA256
a2210f59c365d01bb3a597f28a6f7e740c1b758ccc5b7973a5946e2bd9270c40

SHA512
b2b31d1fdcc6890486fbcf07371b5ea609007716b196c2b4073fd4735edea8a86d440422180e0a416a63fd7b110aa4815fe085f192e30c985e7dbe1cc1588c30

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
898e31cc2a6c5fca51c410db2690c3f9

SHA1
fee7e2eeb104c11bd493d41800d0b4aba5069a5f

SHA256
ae031896576b09e75168cf31864f7cf6b73782f78569a055d5a260c77969d245

SHA512
040ad31c340b452e5df6684c25bfa8377879847176c5aff02906d93b6baabe6e9e23dfa3711dbfbaf337eaa958b96970cc5784437d5007c7e898fdd465325fb0

Download Submit
memory/380-313-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/380-308-0x000000002E000000-0x000000002E194000-memory.dmp

Filesize
1.6MB

Download
memory/392-292-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/392-216-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/392-208-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/600-113-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/600-187-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/600-118-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/600-112-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1492-200-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/1492-131-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/1492-137-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1492-129-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1724-237-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/1724-245-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1816-124-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1816-99-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1816-93-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1816-92-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1960-285-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1960-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1960-201-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2136-303-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2136-322-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2136-232-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/2136-233-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2136-235-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/2136-306-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/2136-296-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/2156-0-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/2156-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/2156-6-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/2156-7-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/2320-188-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2320-242-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2320-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2320-274-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2320-250-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2320-169-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2344-287-0x0000000000590000-0x0000000000721000-memory.dmp

Filesize
1.6MB

Download
memory/2344-283-0x0000000100000000-0x0000000100191000-memory.dmp

Filesize
1.6MB

Download
memory/2344-293-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2452-279-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2452-325-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2452-301-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-263-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2488-71-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/2488-136-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2488-70-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/2488-60-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/2488-59-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2544-270-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/2544-272-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2544-239-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2544-246-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/2656-147-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2656-64-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2740-119-0x0000000100000000-0x0000000100183000-memory.dmp

Filesize
1.5MB

Download
memory/2740-29-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2740-47-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2740-46-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2740-32-0x0000000100000000-0x0000000100183000-memory.dmp

Filesize
1.5MB

Download
memory/2780-320-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2780-327-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2812-150-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2812-146-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2812-214-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2812-155-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2844-259-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2844-176-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2844-185-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2920-75-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/2920-162-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/2920-76-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/2920-82-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/2984-252-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2984-317-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2984-261-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download