a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700

Analysis

max time kernel
150s
max time network
160s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
Size

1.8MB
MD5

df8e6f10a77c60efab04bbfb014dbbbb
SHA1

174efc4665b7d4c39cf75149f7742905b859cf25
SHA256

a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700
SHA512

3d59ae5e1c122e5fa3dc5d55d34e16330373fe2d1fb406ea378cff8e7fba0e676c7a2c582d1d44ad374d7ad1feea90e1df0112e578061d05d8ecdbcc9553cc51
SSDEEP

49152:Gx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAIkQ/qoLEw:GvbjVkjjCAzJ3qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 46 IoCs

pid	Process
468	Process not Found
2596	alg.exe
2460	aspnet_state.exe
3024	mscorsvw.exe
1668	mscorsvw.exe
1044	mscorsvw.exe
2248	elevation_service.exe
2260	GROOVE.EXE
2944	mscorsvw.exe
2616	maintenanceservice.exe
2468	OSE.EXE
888	OSPPSVC.EXE
1628	mscorsvw.exe
2152	mscorsvw.exe
1980	mscorsvw.exe
2336	mscorsvw.exe
2564	mscorsvw.exe
2452	mscorsvw.exe
1168	mscorsvw.exe
2160	mscorsvw.exe
1804	mscorsvw.exe
2140	mscorsvw.exe
1616	mscorsvw.exe
2752	mscorsvw.exe
1732	mscorsvw.exe
2636	mscorsvw.exe
1508	mscorsvw.exe
2616	mscorsvw.exe
2316	mscorsvw.exe
1724	mscorsvw.exe
2196	mscorsvw.exe
3052	mscorsvw.exe
1064	mscorsvw.exe
2228	mscorsvw.exe
976	mscorsvw.exe
1696	mscorsvw.exe
1564	mscorsvw.exe
3036	dllhost.exe
1784	ehRecvr.exe
1056	ehsched.exe
896	IEEtwCollector.exe
2128	msdtc.exe
1584	msiexec.exe
2428	perfhost.exe
1484	locator.exe
2416	snmptrap.exe

Loads dropped DLL 11 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1584	msiexec.exe
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\691e38929a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_kn.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_ta.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_ar.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_sk.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\GoogleUpdateOnDemand.exe	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\GoogleCrashHandler64.exe	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_fa.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_id.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\GoogleUpdateBroker.exe	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_fr.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_pt-BR.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\GoogleUpdateCore.exe	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_uk.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_ms.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B38.tmp\goopdateres_sv.dll	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7987B187-F0AD-409F-B8A6-D851C82C6CD9}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7987B187-F0AD-409F-B8A6-D851C82C6CD9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2240	ehRec.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2476	a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1044	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1044	mscorsvw.exe
Token: SeShutdownPrivilege	1044	mscorsvw.exe
Token: SeShutdownPrivilege	1044	mscorsvw.exe
Token: SeDebugPrivilege	2596	alg.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1044	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2460	aspnet_state.exe
Token: SeShutdownPrivilege	1044	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: 33	2116	EhTray.exe
Token: SeIncBasePriorityPrivilege	2116	EhTray.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeSecurityPrivilege	1584	msiexec.exe
Token: SeDebugPrivilege	2240	ehRec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2944	1668	mscorsvw.exe	37
PID 1668 wrote to memory of 2944	1668	mscorsvw.exe	37
PID 1668 wrote to memory of 2944	1668	mscorsvw.exe	37
PID 1668 wrote to memory of 2944	1668	mscorsvw.exe	37
PID 1668 wrote to memory of 1628	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 1628	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 1628	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 1628	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 2152	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 2152	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 2152	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 2152	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 1980	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 1980	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 1980	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 1980	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 2336	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2336	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2336	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2336	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2564	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2564	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2564	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2564	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2452	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 2452	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 2452	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 2452	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 1168	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 1168	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 1168	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 1168	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 2160	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 2160	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 2160	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 2160	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 1804	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 1804	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 1804	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 1804	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2140	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 2140	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 2140	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 2140	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 1616	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 1616	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 1616	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 1616	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 2752	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 2752	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 2752	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 2752	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 1732	1668	mscorsvw.exe	53
PID 1668 wrote to memory of 1732	1668	mscorsvw.exe	53
PID 1668 wrote to memory of 1732	1668	mscorsvw.exe	53
PID 1668 wrote to memory of 1732	1668	mscorsvw.exe	53
PID 1668 wrote to memory of 2636	1668	mscorsvw.exe	54
PID 1668 wrote to memory of 2636	1668	mscorsvw.exe	54
PID 1668 wrote to memory of 2636	1668	mscorsvw.exe	54
PID 1668 wrote to memory of 2636	1668	mscorsvw.exe	54
PID 1668 wrote to memory of 1508	1668	mscorsvw.exe	55
PID 1668 wrote to memory of 1508	1668	mscorsvw.exe	55
PID 1668 wrote to memory of 1508	1668	mscorsvw.exe	55
PID 1668 wrote to memory of 1508	1668	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe
"C:\Users\Admin\AppData\Local\Temp\a6e71a62bbad9f3971308132220d2b60ecfdd6e78246226b1f1ad4e5b5a2d700.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 258 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1f0 -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1e8 -NGENProcess 264 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 260 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1e8 -NGENProcess 294 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 294 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 29c -NGENProcess 1e8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 288 -NGENProcess 268 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2260

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2616

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2468

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1564

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3036

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1784

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1852

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2808

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
50944cc747265b872728dbbef2cb050c

SHA1
f601b64bd76dfc891013fcdcc64c87d53a95394b

SHA256
b027da3ccd95d7d91e361d45ef23474579daa7ee0ca2c20024499f43a7753368

SHA512
cb630b578f62782043ef34fdb1196911dc49f35a34533142dc2457a484a3434c373dd02d185f8b31acc1db3da64b9c9a251928249acd1e783649e80acb56cce0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
8fd330a5ba6fb3dcbc87710d8feb7934

SHA1
bef1f9cfbe2c58ed985bf14764ed8f9780e8ad6e

SHA256
7e70636ae691a500349daab59ebcda8bd2dd8a3d4196ab46a5817d19dc8ada55

SHA512
b42d7f9766cf9b1e579cc23d5611683e86d0ed3be28d2dd18b307e499781d79a3affe19e4e8ba5ee71c7d8e5135733101c49f3ac2735fdace758ff399879a609

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b75b3cbbcb2fbfc3473d827cb6a17cd8

SHA1
271e71fcb1250dfd8330cd6455eb024c1529011b

SHA256
8924643312729d443df69a97cbfbfb7b5d0ceb9af52b6dfc9ce78186e9a700cb

SHA512
ecaee8a093c51120f9fd2224e23c52934ac327a411d01f0912a732d406a7f642221edc2ec81a7b54709cb34957713325318c5a955d80f704c438e70a510fbc78

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
8a8312cb0a260dc063d7355f29da5a04

SHA1
e67ea2ab63525db3de0d2d322f4c829937648965

SHA256
a8ad1a828fa01b3a808f939adc33043142cf516ec18a9db210e9478e4dcd0a0e

SHA512
eaa52c24d1efd5af0cc900660f9c8511173fbdd6e01f8350065d2a1cbc10770effc1fcd763360d7e17691ef3be731c8a13accb139053a21a50499b2ea3c78a71

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0a3c105b11424db6f8075d30026acb01

SHA1
ae157e019955d8bf09c23e72d9493d1d4b5ab02c

SHA256
3fa4ca45ee6e6783f132c89f77dae66f604edd261c0f9080d97caf459fccfd51

SHA512
f7e35b63cf19ef1645f32418440f09c4f2976ed06c9dc90c9cba0f2b37ee48aec4f4526389af96ea21551341a71877128595c61cbb9c1ed809af837d30d9909a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
17c8c4baecd1625c47c6410e59c8499e

SHA1
032379619a360c644fae192fa2fbeecbdf49edda

SHA256
319270020bb2edce6b64a1c1c26359efe2c4fa05ce2e082909a90b17403b23d8

SHA512
f0377697b4ce61e4eda1c2e9c1d45fb92bcdde1567f22d1f9deec4cc0822f4b5556a95e726f5f02025233e5fb50fcafbf5d01b93ebf18355bf5fbeb343c8a60a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
283ab0a26afba91741c184475a24e89b

SHA1
fda9fec4acd2f25d30fb868a71989e55875d62dd

SHA256
fc266a8e19a2144ca90146014168fc926857ede5a7c73f9a5deaf7dc53667cd5

SHA512
724b8cbdcd6e1b831d212be0154b08c47ca16328f33d7a8a2a2ae61033b22b02d9418f0f5fa48f7d85f60d0a00dd382398da4dc3514f4807caf94e1f30e7663e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
50648df05130581f94b1db67b487aabb

SHA1
a28d849812e092517ded4be9094f4c2d54120845

SHA256
c3709d75decdfd80bbc813a2df432405cf39a2e2ec72fbdbed57e44ec7132bc9

SHA512
e5c0a445d64ed5a6d747881a6ffb39681efcd5ffbf57bdc9959a8ca9c1119ef4d871b2bfacb444e959aa79b2f5816ccd3181b456fc7999c37b90ef6f0acaabd3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bc03b255477f361f61e1b925215f471a

SHA1
6817d28477da618e07753f02fd0124c181a5e587

SHA256
0d01f09d5fdae42bae42656d049c7f6dab5c8a020a4c88cd6e823346c4374100

SHA512
3a32de488056bef9cefad243f19876c303a14d7418aa93eb81aae00db829e5a668cce202b220ff5856626e7997c77fb01b76d2ffed16ec9c42a0e54fcff5ff11

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
82cf08f5cd67b7b1630b35019f98d3c9

SHA1
be25d2fc7814e11d538570cff7b0b93b6d80051f

SHA256
f9a81b7cf4b1cbcaeac79e08209c97d8d3c1d361487fba65c4fc504cbf2a4a77

SHA512
9926dae463da4fffc44646366308447f7a716566562a3dac71a98e082da52f2e08b8b0b9090670efce8607cea00c0e39f2a78754c0e88861667816b9419d85de

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9236bd45829def7acd7e811d02bd786f

SHA1
2c517930f0a54ca1d449ffe913ee9016eb62d200

SHA256
41646059899a1b7f912231f2073009217ec40326c08a34704b067d27c9c31e39

SHA512
de416ad0c7d7b64ecbe8e785ef0167f22700948b8c3262742fa1b9ac4114e859cff0dde270f77cd433bf6803bbc859b1cdcb013cbd9d73ff91b9cc4a078a8a62

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ce6589212456b5bf7f64fcfe060dcbc3

SHA1
c5d478fd84dec49193948e542c082f732a4acbaa

SHA256
a610d262ef112ba51e6b7c1c100cf43abf78399ab2be39c39658290876a35901

SHA512
8e3d47c733380198218c28c0bea9ad897c680707787c7184bf05b0d837d9301b8f9f6658396123839f69eaa6d1fb66d71301c6df07cff9cc42a42a9e93a340d5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
0179fd304e2bb25250820b262b20c631

SHA1
e482d027a277b2a7066af8515f9c4fe877ea841b

SHA256
44f648651b43b42c4fc58ced0b0ed92d852c4ad09f2615fe6b26b4a78cc312b4

SHA512
0227be02271f07aacef330b9db599eb0e1a37b6902c6ccd17060c083f6a7cd2c168ce0bd7845b9d552aef608f23680d5799c60e6f00e512a25385359ada05b2a

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f2ff802260d65bb61151007d1b715ced

SHA1
fd6a4cbbc2b696cd029d8648be26f97808e71c54

SHA256
6cfdf205b60c0ecf2dd5fe232e95c6a979c9a1155c3c135e7fb7421f8f99cf0f

SHA512
bfed103bb83e6eb26f0250e27932ca2b7c274d437e91c9e105d90970abd46a3ea2ef5deffee1586a69daed41613d22b75da5a662c68ea7cd72b79be248cac0d7

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
ba3158fd6a43930d347056f6f951ad0c

SHA1
d615beb6a91a5ea9adce11b7be04f5ce0209a20c

SHA256
ee0b05fb2c7f123dff460a67960ffb15d6170ac20e7862bca019dbb72bd548e0

SHA512
47f8d7d38ce88650c101d73683b2e082af8376efb9b8279ef0179d16c7b019bf68b8be46a34fab0bd2079ccda1a191b8f30a2d80136b5872aefdd17382f30245

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
e993b93e4ac07078df9574d8d4b6fb4e

SHA1
34687c67438125396264c5c0fc239bff15d35187

SHA256
9b82085cdbd135706eb55eb294c16abe70c5c831929d31f1951fac11e90164b7

SHA512
302d2589c4926cdbaa71531d203944051ff9c3bd221688898187fde420c46b6aa7d135d7c29b404b8c3e53248fbf356ab6df8459dc29e5add428fd4beac4d551

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
e001696b4c90fdc323a2dde817073bf5

SHA1
9b2554af905f2bc7b4a3e36b6239f4f09700d3f8

SHA256
cc3f00e3db451c3d206c77ce5401991234d17d7517b792cddfac23da9d5d66ff

SHA512
9b7bec1361cb052444c48744446dbad2382fd9ce82f6157152d8445ac7537781423fe44e6160db79465a7e4bb941502275d075fd5c4805e52a93e0abe0ec7989

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2f8dd862837e070bef9e45e67826595d

SHA1
1d3f719dde09dc05c5f82d7761fa7070898a108c

SHA256
6414791d91bc35ab3e8752997126986e695befd119aa594f95fe09db391a6d68

SHA512
c397c174c2688f0378a60efd20829f8fe1265a0e30439bf19193b6e75c9779ea9e3c4d4860fe80fc8746d8a4bf4e40b0e615637c19ecd8cf923a69fdad4d3bfc

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
743d74be0e7a47df4ac5ad64ce65574f

SHA1
c8e6ea1c7cb59b4bd56f4d315c49a2b9c2851cc8

SHA256
633b73d981ac379b6127378bb88b29fa1fb98fbb65649e43c3fc0b7323d94ac8

SHA512
425cfcd851eb8bf9b2dc6ef3e40154ad9fc18f3b169bf36670231865e38b567e05a3f69475b1f8375a13617acb6cd8efd8cd60b72a4e590644836abb42946697

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
12362ad57a607850d39a5981c88badde

SHA1
688200a03c3a64c5742ee483889a47a9779aa056

SHA256
c4c4159f8868955a1490aa19227e7e45e958ed5d9a73532bca1ef4fd7779f48d

SHA512
9dfe61b8c7846baa373aaf4723604192300cd902f9ddd1b4e64d7e6722762c9947a347e053b50ef21d50743bfa7d8aa8b5b72aefda8a88eeacf9d636264ce77a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
123f7ec2089652a953991a355b2cd6fc

SHA1
833e912d6bb74b331f79a97ff9ec7659af34678d

SHA256
39e384293fb73e7e31bfce7d1de1f3ca6280088a2cfa6daa14e30140eb434fdb

SHA512
442e87d5e2be0d967c3ff65f277f9cce0c59f0e61435549991ca9da686254fd08d549c71b33ca95c80fbb92e62858e52113575b151a6f1dca5022de3e47385d7

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
dbb6447ee4e699ee850e8892179a2e60

SHA1
7ec27b7ebea2c6a343efcfdba5800a089b0a72ec

SHA256
fb744a55195d385ddefc45a5d350bb6dcec18a7a9dff4edaef7eaa3ab37437a5

SHA512
50d009d094d69972b616d322cbd96da4afce9e7ca67baf8aa48e4f0e3a806ad488e39abeceda61c5f407c4d6a0e0ed2a583fe5c69b0ccea66a67cd9fd972b897

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
26fa6fdf877313b8091980e30032eb4e

SHA1
5abd43f5061022eb73d0d0cc41901826c8b85eff

SHA256
1ceae9b9421d33774f7ae9fd81f8cb6e2f18e9f73db7ba797cd6c29f5da82834

SHA512
b08edf19610b59c310c369d54409aa8ae3412b3e4d5886ff411c0e7165239d8c0760e78c4df75dd932009eb7378dca9d7bf012b18b5fa2dd4ca8c712fa0b16e3

Download Submit
memory/888-521-0x00000000723E8000-0x00000000723FD000-memory.dmp

Filesize
84KB

Download
memory/888-316-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/888-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/888-468-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/888-353-0x00000000723E8000-0x00000000723FD000-memory.dmp

Filesize
84KB

Download
memory/1044-213-0x0000000000570000-0x00000000005D0000-memory.dmp

Filesize
384KB

Download
memory/1044-218-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1044-222-0x0000000000570000-0x00000000005D0000-memory.dmp

Filesize
384KB

Download
memory/1044-266-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1628-420-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1628-334-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1628-327-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/1628-421-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1628-422-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/1668-256-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1668-203-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1668-197-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1668-196-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1980-518-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1980-486-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/1980-519-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-517-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/1980-508-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-423-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-484-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2152-483-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-417-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/2248-289-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2248-241-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2248-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2248-234-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2260-252-0x0000000000A50000-0x0000000000AB6000-memory.dmp

Filesize
408KB

Download
memory/2260-249-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2260-318-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2260-246-0x0000000000A50000-0x0000000000AB6000-memory.dmp

Filesize
408KB

Download
memory/2336-530-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-515-0x0000000000680000-0x00000000006E6000-memory.dmp

Filesize
408KB

Download
memory/2336-520-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-531-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2452-548-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/2460-215-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2460-97-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2460-104-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2460-96-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2468-424-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2468-295-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2468-292-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2476-82-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2476-181-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2476-7-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2476-0-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2476-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2564-536-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/2564-538-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-527-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2564-550-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2596-177-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2596-33-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2596-36-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2596-57-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2616-272-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2616-278-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2616-284-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2616-285-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2944-260-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2944-314-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-268-0x0000000000B10000-0x0000000000B76000-memory.dmp

Filesize
408KB

Download
memory/2944-331-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-330-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3024-183-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/3024-185-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/3024-190-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/3024-232-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download