b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
Size

1.8MB
MD5

114953542caf35a0203472b96d629801
SHA1

e0ce6437697e71274c27692d77a1de7520a606a5
SHA256

b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7
SHA512

501e9310210b41c2c9b546561f40832f6ab412b0c4f89735bc18c17ad43a67d4521d4d21b040790c2d905c35a86615b3feafcf3c34ca2d84064bc7977d95e0a9
SSDEEP

49152:vKJ0WR7AFPyyiSruXKpk3WFDL9zxnS2/i3da1YS6ozB:vKlBAFPydSS6W6X9ln9/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
480	Process not Found
2464	alg.exe
2724	aspnet_state.exe
1356	mscorsvw.exe
1472	mscorsvw.exe
592	mscorsvw.exe
2960	mscorsvw.exe
1060	ehRecvr.exe
2000	ehsched.exe
2284	dllhost.exe
2604	mscorsvw.exe
2460	elevation_service.exe
2656	mscorsvw.exe
2864	mscorsvw.exe
1864	mscorsvw.exe
2080	mscorsvw.exe
1248	mscorsvw.exe
2056	GROOVE.EXE
3048	mscorsvw.exe
2600	maintenanceservice.exe
1652	OSE.EXE
2120	OSPPSVC.EXE
2468	mscorsvw.exe
2480	mscorsvw.exe
1800	mscorsvw.exe
2928	mscorsvw.exe
2696	mscorsvw.exe
2352	mscorsvw.exe
1448	mscorsvw.exe
2040	mscorsvw.exe
2796	mscorsvw.exe
952	mscorsvw.exe
1156	mscorsvw.exe
1892	IEEtwCollector.exe
2232	msdtc.exe
2956	msiexec.exe

Loads dropped DLL 9 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2956	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2b5f421eaad3ae89.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_en.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_hu.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_uk.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_kn.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\psuser.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_fa.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_ar.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\GoogleUpdateCore.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5CF72A45-AD68-472B-BBFF-38A947BD74EE}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\GoogleCrashHandler.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_pl.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\GoogleUpdateSetup.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_iw.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_ml.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_en-GB.dll	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99CDC3B3-4DEC-46C8-B6F8-02310CE4FA35}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99CDC3B3-4DEC-46C8-B6F8-02310CE4FA35}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2392	ehRec.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2868	b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: 33	2668	EhTray.exe
Token: SeIncBasePriorityPrivilege	2668	EhTray.exe
Token: SeDebugPrivilege	2392	ehRec.exe
Token: 33	2668	EhTray.exe
Token: SeIncBasePriorityPrivilege	2668	EhTray.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeDebugPrivilege	2464	alg.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2724	aspnet_state.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2668	EhTray.exe
2668	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2668	EhTray.exe
2668	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2604	2960	mscorsvw.exe	37
PID 2960 wrote to memory of 2604	2960	mscorsvw.exe	37
PID 2960 wrote to memory of 2604	2960	mscorsvw.exe	37
PID 2960 wrote to memory of 2656	2960	mscorsvw.exe	41
PID 2960 wrote to memory of 2656	2960	mscorsvw.exe	41
PID 2960 wrote to memory of 2656	2960	mscorsvw.exe	41
PID 592 wrote to memory of 2864	592	mscorsvw.exe	42
PID 592 wrote to memory of 2864	592	mscorsvw.exe	42
PID 592 wrote to memory of 2864	592	mscorsvw.exe	42
PID 592 wrote to memory of 2864	592	mscorsvw.exe	42
PID 592 wrote to memory of 1864	592	mscorsvw.exe	43
PID 592 wrote to memory of 1864	592	mscorsvw.exe	43
PID 592 wrote to memory of 1864	592	mscorsvw.exe	43
PID 592 wrote to memory of 1864	592	mscorsvw.exe	43
PID 592 wrote to memory of 2080	592	mscorsvw.exe	44
PID 592 wrote to memory of 2080	592	mscorsvw.exe	44
PID 592 wrote to memory of 2080	592	mscorsvw.exe	44
PID 592 wrote to memory of 2080	592	mscorsvw.exe	44
PID 592 wrote to memory of 1248	592	mscorsvw.exe	47
PID 592 wrote to memory of 1248	592	mscorsvw.exe	47
PID 592 wrote to memory of 1248	592	mscorsvw.exe	47
PID 592 wrote to memory of 1248	592	mscorsvw.exe	47
PID 592 wrote to memory of 3048	592	mscorsvw.exe	49
PID 592 wrote to memory of 3048	592	mscorsvw.exe	49
PID 592 wrote to memory of 3048	592	mscorsvw.exe	49
PID 592 wrote to memory of 3048	592	mscorsvw.exe	49
PID 592 wrote to memory of 2468	592	mscorsvw.exe	53
PID 592 wrote to memory of 2468	592	mscorsvw.exe	53
PID 592 wrote to memory of 2468	592	mscorsvw.exe	53
PID 592 wrote to memory of 2468	592	mscorsvw.exe	53
PID 592 wrote to memory of 2480	592	mscorsvw.exe	54
PID 592 wrote to memory of 2480	592	mscorsvw.exe	54
PID 592 wrote to memory of 2480	592	mscorsvw.exe	54
PID 592 wrote to memory of 2480	592	mscorsvw.exe	54
PID 592 wrote to memory of 1800	592	mscorsvw.exe	55
PID 592 wrote to memory of 1800	592	mscorsvw.exe	55
PID 592 wrote to memory of 1800	592	mscorsvw.exe	55
PID 592 wrote to memory of 1800	592	mscorsvw.exe	55
PID 592 wrote to memory of 2928	592	mscorsvw.exe	56
PID 592 wrote to memory of 2928	592	mscorsvw.exe	56
PID 592 wrote to memory of 2928	592	mscorsvw.exe	56
PID 592 wrote to memory of 2928	592	mscorsvw.exe	56
PID 592 wrote to memory of 2696	592	mscorsvw.exe	57
PID 592 wrote to memory of 2696	592	mscorsvw.exe	57
PID 592 wrote to memory of 2696	592	mscorsvw.exe	57
PID 592 wrote to memory of 2696	592	mscorsvw.exe	57
PID 592 wrote to memory of 2352	592	mscorsvw.exe	58
PID 592 wrote to memory of 2352	592	mscorsvw.exe	58
PID 592 wrote to memory of 2352	592	mscorsvw.exe	58
PID 592 wrote to memory of 2352	592	mscorsvw.exe	58
PID 592 wrote to memory of 1448	592	mscorsvw.exe	59
PID 592 wrote to memory of 1448	592	mscorsvw.exe	59
PID 592 wrote to memory of 1448	592	mscorsvw.exe	59
PID 592 wrote to memory of 1448	592	mscorsvw.exe	59
PID 592 wrote to memory of 2040	592	mscorsvw.exe	60
PID 592 wrote to memory of 2040	592	mscorsvw.exe	60
PID 592 wrote to memory of 2040	592	mscorsvw.exe	60
PID 592 wrote to memory of 2040	592	mscorsvw.exe	60
PID 592 wrote to memory of 2796	592	mscorsvw.exe	61
PID 592 wrote to memory of 2796	592	mscorsvw.exe	61
PID 592 wrote to memory of 2796	592	mscorsvw.exe	61
PID 592 wrote to memory of 2796	592	mscorsvw.exe	61
PID 592 wrote to memory of 952	592	mscorsvw.exe	62
PID 592 wrote to memory of 952	592	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe
"C:\Users\Admin\AppData\Local\Temp\b90389dcfec22b25f16a7a3f13738b21894266e4493fd6be5726bc44531fd3a7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1356

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1cc -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 250 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1a4 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 234 -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 234 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 250 -NGENProcess 180 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1e8 -NGENProcess 268 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 258 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 258 -NGENProcess 1cc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 27c -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 1cc -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 250 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 294 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 240 -NGENProcess 228 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1060

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2284

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2600

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2120

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
f310b9809671012341b72c0833a3c545

SHA1
d240d5e3e9802686efacaa5e085eb678a71950d4

SHA256
6ed6069a219d4cfb1fa396663705f7e5eb7ea99e4f10ec28089f2843e870b2ea

SHA512
3628be35777584b2e742214660afa0c3aaab5a2ee6917dc3cc09ff92b4174aa68c46e48189745290712ea8cb8c4520504b871ea0a944fbfc43a189637e1077fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
30fa6446fe1982d4232bd2e2d1ac2913

SHA1
3bde22853366a59891fb4a5b2f8c0da4cdfa960f

SHA256
7bbde8676fdae345b626d63b26ab4f0f4f49aba63469101aa2a7b4d1d24e48bc

SHA512
4732d40628159f3709447855ee4155020e6a68b376a14de565355bf1b65e992f79868ee2f56b51b70bfc01aa5f35c91a8fe1d7ce0dc9823368ef6bac69874ac0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
d3574cbbd7da9ef5826693c337202397

SHA1
5c3ce82cb9c0c17925afd607ad70578560720698

SHA256
e631ee3e103157cdfffe1364d1593c13435be22695bcb6b67777f5dd985f91b4

SHA512
0c6b14d975748b9b0e2a737c9c962413953766a7fb1e843473b9d436db14a02f2a5bc443abe822853e714f229d8aae19ced102b2b480e40b852fc12d567f7435

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
20579765fc32d37680373f59e851c64b

SHA1
ed0067047c854a0581fed5a50530203bd2367de4

SHA256
893b5528165e15f5d4b686df2d2dfc763ce20ed7937b793b069e121ecafc0021

SHA512
0a9c300b92690e0ec9ab3e4b594e12f195065f4cb63b755e76de6f88a9ad766d6691061090b2aeb8d6d93028da99913def26b8cf5d12c349de362d3463ad91ca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
18d5f7a1efdd9d43fc684542bd65ee17

SHA1
4dd7c07e28e8397f3e9f0d3dcb6ac45ff706a498

SHA256
9f7beef06dec549fd8937fff393ebd27868bedf4cfa858375f14c641601c5186

SHA512
ae0dfeaaefa60e41a24b978ef491a1ab55af73bc4e31c97590cd9b6fbf285358eb21d2aa23cf1f6ea866bdbcecefcd58e6bed18c80c4bc8f6ea064daa1e436cf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4ac38ef6ecbdd3be90c46aad35d3217f

SHA1
f169c1b2ec91810198b4c31fb6a38ff398542874

SHA256
0d21d6e837e664f5ea94cce9f68b20b85a4a9c307703c7bb5183ec7dbc7aee3a

SHA512
618ea5893078f43671b7923ee3d3e2c127cc48e2176a48ce3073a9b91b074fd875fba86383726f16599c73bf54639606e65b94fdb6f4423997b0e922c789d5e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
95fd1884f670a5a7085d117f11f9904a

SHA1
c08b13b6d3563f5d4638128528f6226856aa9930

SHA256
8dba35793f90d0c34515e04ed6c315436785c65524a780e05b32adb383a280f6

SHA512
20748ba9b148577c1c68f9ba6ca12218daa2435a7e62030d0d32b44bf911750cde3691e834da60eab4f1ce5d1e21b54ab44871ef02dcc7240035174f48b9397f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
a1003ec0c1a49888d172683d21e7dd04

SHA1
8f9cdb12dbd755e22b140e8afa6872cd3ef01dec

SHA256
95c6123d761016a5865bd6f59ccda9d83841714161fefbbc56a51a91ccbf756d

SHA512
36d0c99e25f31931a92264e51a817da1260234a8f5f7a8f95fc9887275b579a1eec782edfe7005886ee77b7e002176e934386783693e45aaf39f8b629e5c0c04

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
63a1269e0314385fd7bce4721c0071ce

SHA1
1c2b34ff1713ef7d82bddb6112d4cec1cb9886cc

SHA256
88367271aaa98c73646c528bf09400a30575426a3c8b753e2a7f5949edcdb5e7

SHA512
1bcb392dd2c5c7d66e39be2c3feb1215ca6442bce3f3c96b533245e35ce5b2a104858d8a3a483bc4df24833c1a3445a0d5a6b1bf4869a840f24e764eb82b1923

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf4f5ac8fc4edf8c6c311d6eb8f3d6c4

SHA1
31658cc8a94ab695997f089f403b299ac6d738ef

SHA256
f28e357bd60fb731abca5f0a0f7281df552cc4b0e44dfe2787fc6a03b6f58bcc

SHA512
7456c1fb55f2671d9784614dfe757815d3bfa8855e0059a30142d224ff134ffcf847e48b344296fead81ebd7fc8c3219eebc3aa6d7875d12fccde40976def06c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
3322f65688308197403576a8eba0bd49

SHA1
8198b22f9bee3fb213194a4709e2d2ebea8514ae

SHA256
8a1bf270b0177fd17ed6220e0fc11a720b8f955a0eb82898a27dd90787680fc3

SHA512
3b1f8220c848584fc1e3864080eb06229f050733abfdfd1d383ffc2279b06b404c86427d804f36b779dc60bd08e20be1e463bbec27543442c42b7a075da2c601

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
7d807b2d7bb34b9232e97044a5f19d30

SHA1
bd9e1fb8d4b3a65f3643ab68b2d58e690ce5f46f

SHA256
e12d7338d0b70d05737c6a897ee4cdc40b1d008d592a0c5cc96cbe70df2bc9d0

SHA512
989a971ca259e1b2b91fb5f0cc077bfd57c5489f78ba59d878e6842ff3f183a3a7846b4bf3a6de47c2c603075efedfe60b9b1aee9d611f2d2f7f52924d6e4962

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
49a69a9ab66bcd5db406ff3a2bf44dad

SHA1
ec62623a9dee317bf9222d1471a14b0762df3f75

SHA256
48666f5219f5d5823fb0dd423509c715b960cceb44feb69a664800d429aa4489

SHA512
7b1215842fbe4eac3843c2a874f6200fffb300bc5b9c6371d1290beba8fc18d0738f1b90c5329c28d524c6ecbb88ac247041a031604b4ee52bac6dd51f9b6ea1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
9250b7e6b7b6490c7432311affd03de5

SHA1
d8c6bcc178c1ec61000994ad5435707cf0b3682d

SHA256
c2d72419bf3a423c2801c4a41953cdb98e07957fe6eb5742b541626d56b4a255

SHA512
228f49de5b2089f6ce41964b5be2c4715e20c480688aebf29e781f2e0bd0ecfda1222d76ae9b253128d8c6a0aae306f458cfd745dddb2f02c6d5c809b8a2b8a4

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
0975349da812800e146c3ed40e4b2fa7

SHA1
eff527a65e8639c06db8472ef2024fd00987e136

SHA256
ece12fd91ff82762924dedb29c0f27d540c6a5c8f77871e5fd5cd66eaa1c450e

SHA512
a4dd742d4303708dedfa02ea70e69ffad94751d6bca67f0d57b3952b659cd4d6f8fe535111c331d42c813a6c0406b1601a3ab1666170eef43529457a36c287c4

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8d477089cbb412b3579578b2380eac25

SHA1
f22bb70fe9ab96b022b8bf8ed973e49a9a5b55c0

SHA256
54b71689c1e03c45e6306916a11397213025bca01a45c683f6db147f8325195c

SHA512
1a5439766e8770652fb013d485608be73f47cd6844db05baaff5cfe3718d050d066697137540618cf9487b6dcdb877b062058ead35a96879ca6d91eca628a94f

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
c1983085f6e34243274665a0d8dbf724

SHA1
872f122212f4340a98a81fba2569b24f045af19e

SHA256
a5448c1be4c96259c2b66d35fd3fdee4ef4a0ca9ae6d3fbd14f42a5ad15473ac

SHA512
de81559178db81b68783f7433975bee2c1ed972def8d0fa305aa6a7f41545b5816af2ea8f84f32f4a48708cacf126102adcbeb393e81beb6210b14029191154b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
423a9b8ca436372ae3b3c37e4cb37b40

SHA1
91f7d22cea860d86637bebfef8635b6c94f3617f

SHA256
1fba0468f3394803609cabeab93894cd23ae66254241803b037719b02c285494

SHA512
430e9ab0aa8d1dfc7098e885d3228b9663be11058b4b238ca9e2d7d04fc37733a612c6ad1de28ba8151668a5f4178b86d267c8455375205ba335d4841a7fc673

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
4ace5b8274c0dfedf58adcb28b9655fd

SHA1
22f6d8d695f6cbc69cda6b5d48df5aaad5c93d4c

SHA256
6f385df1428b22af8e040a629882aa950ec67691aa7596bf297119b760cc3bc0

SHA512
a508c0ffef94b6c6ca25bf4d94beaacf44a4c7668a99c0231464ec7c5439e2d0b5eee843c6446fc9f08bded90a3b0e57ba99bce112aed207c568ec856e895511

Download Submit
memory/592-289-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/592-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/592-146-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/592-141-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1060-188-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1060-276-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1060-339-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1060-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1060-313-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1060-181-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1248-396-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1356-113-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1356-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1356-108-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1356-150-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1472-176-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1472-131-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1472-123-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1472-124-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1864-377-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-392-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1864-371-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1864-391-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-365-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-194-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2000-340-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2000-278-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2000-404-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2000-402-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2080-389-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/2080-383-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2080-393-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-291-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2284-282-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2284-357-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2392-361-0x000007FEF4450000-0x000007FEF4DED000-memory.dmp

Filesize
9.6MB

Download
memory/2392-331-0x000007FEF4450000-0x000007FEF4DED000-memory.dmp

Filesize
9.6MB

Download
memory/2392-332-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2392-334-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2392-335-0x000007FEF4450000-0x000007FEF4DED000-memory.dmp

Filesize
9.6MB

Download
memory/2392-316-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2460-309-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2460-381-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2464-18-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2464-13-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2464-89-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2464-88-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2464-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2604-315-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-329-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2604-328-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2604-306-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2604-330-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-341-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-348-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-346-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2656-333-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2656-336-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2656-347-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2724-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2724-103-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2724-180-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2724-96-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2864-375-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-351-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2864-358-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2864-362-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-376-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2868-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2868-269-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2868-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2868-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2960-304-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2960-158-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2960-161-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2960-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download