b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
Size

1.8MB
MD5

1ca623b6524b4c6ea7547ddc199efb28
SHA1

740cf6bcb5d251b1fc8730bbfefd3ecb23a9b849
SHA256

b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb
SHA512

e4c75b0113263085ad6c88832e798bd8cb8944528a2bc241b1fd7188e05f313330a0166e9d6f738f3421e60210bcf395d20c1a68bbef3bc7aa06ac3c6a305233
SSDEEP

49152:Wx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAgJvMf+swLH:WvbjVkjjCAzJLqWswr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
480	Process not Found
2524	alg.exe
2848	aspnet_state.exe
1684	mscorsvw.exe
2148	mscorsvw.exe
1368	mscorsvw.exe
1200	mscorsvw.exe
488	ehRecvr.exe
1484	ehsched.exe
1804	elevation_service.exe
2272	IEEtwCollector.exe
2460	mscorsvw.exe
808	mscorsvw.exe
776	mscorsvw.exe
1440	mscorsvw.exe
2364	mscorsvw.exe
1408	mscorsvw.exe
572	mscorsvw.exe
2004	mscorsvw.exe
2144	mscorsvw.exe
2676	mscorsvw.exe
2584	mscorsvw.exe
1896	dllhost.exe
2324	mscorsvw.exe
540	GROOVE.EXE
2956	maintenanceservice.exe
1440	mscorsvw.exe
1688	mscorsvw.exe
2596	mscorsvw.exe
2704	OSE.EXE
2724	OSPPSVC.EXE

Loads dropped DLL 6 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\48f560a23d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdate.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\psmachine_64.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_fa.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_hu.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_kn.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_pt-PT.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_es-419.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_hr.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT1391.tmp	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_hi.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\psmachine.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\GoogleUpdateSetup.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_bg.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\GroupRestart.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_am.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_zh-TW.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1390.tmp\goopdateres_te.dll	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C1A00012-AF44-43E3-9DC0-1E9931FCD332}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C1A00012-AF44-43E3-9DC0-1E9931FCD332}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2260	ehRec.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1972	b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: 33	1480	EhTray.exe
Token: SeIncBasePriorityPrivilege	1480	EhTray.exe
Token: SeDebugPrivilege	2260	ehRec.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: 33	1480	EhTray.exe
Token: SeIncBasePriorityPrivilege	1480	EhTray.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1480	EhTray.exe
1480	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1480	EhTray.exe
1480	EhTray.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2460	1368	mscorsvw.exe	40
PID 1368 wrote to memory of 2460	1368	mscorsvw.exe	40
PID 1368 wrote to memory of 2460	1368	mscorsvw.exe	40
PID 1368 wrote to memory of 2460	1368	mscorsvw.exe	40
PID 1368 wrote to memory of 808	1368	mscorsvw.exe	41
PID 1368 wrote to memory of 808	1368	mscorsvw.exe	41
PID 1368 wrote to memory of 808	1368	mscorsvw.exe	41
PID 1368 wrote to memory of 808	1368	mscorsvw.exe	41
PID 1368 wrote to memory of 776	1368	mscorsvw.exe	42
PID 1368 wrote to memory of 776	1368	mscorsvw.exe	42
PID 1368 wrote to memory of 776	1368	mscorsvw.exe	42
PID 1368 wrote to memory of 776	1368	mscorsvw.exe	42
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	43
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	43
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	43
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	43
PID 1368 wrote to memory of 2364	1368	mscorsvw.exe	44
PID 1368 wrote to memory of 2364	1368	mscorsvw.exe	44
PID 1368 wrote to memory of 2364	1368	mscorsvw.exe	44
PID 1368 wrote to memory of 2364	1368	mscorsvw.exe	44
PID 1368 wrote to memory of 1408	1368	mscorsvw.exe	45
PID 1368 wrote to memory of 1408	1368	mscorsvw.exe	45
PID 1368 wrote to memory of 1408	1368	mscorsvw.exe	45
PID 1368 wrote to memory of 1408	1368	mscorsvw.exe	45
PID 1368 wrote to memory of 572	1368	mscorsvw.exe	46
PID 1368 wrote to memory of 572	1368	mscorsvw.exe	46
PID 1368 wrote to memory of 572	1368	mscorsvw.exe	46
PID 1368 wrote to memory of 572	1368	mscorsvw.exe	46
PID 1368 wrote to memory of 2004	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 2004	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 2004	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 2004	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 2144	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 2144	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 2144	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 2144	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 2676	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 2676	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 2676	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 2676	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 2584	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 2584	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 2584	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 2584	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 2324	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 2324	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 2324	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 2324	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 1440	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 1688	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 1688	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 1688	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 1688	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 2596	1368	mscorsvw.exe	57
PID 1368 wrote to memory of 2596	1368	mscorsvw.exe	57
PID 1368 wrote to memory of 2596	1368	mscorsvw.exe	57
PID 1368 wrote to memory of 2596	1368	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe
"C:\Users\Admin\AppData\Local\Temp\b14fd070da454bfb90482742d9cdb1436403472c1f4542504a6ffdb03216e2bb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1684

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 1e8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 270 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 29c -NGENProcess 250 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:488

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1896

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2956

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2724

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
a880146d96dc0ea4769b33f2749cd326

SHA1
6a51e7cd4fc42cd16b682aa4d9c6a3a3ff3febbb

SHA256
e4fcb854e000921aa038a33ec2699ccca3ea0c454f0a536c5b242bde09a51362

SHA512
5a103b3d6ddef932f5d755f2858591276c404b766a69da22cd300151442d7f4b9d021c5fc4f5947389b1bb79aedf507acaad2a745453b91e4983239f93f88f07

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
54469f463285fcdae57e7db7080ab787

SHA1
ca7091daac1f7a4e251eca84e0f6acae7e4cda3d

SHA256
6ec6b9d09e9a7bfcdf40226c2956fcdabaebbd01cef47738a600911d9af9a9e9

SHA512
681f2f8647e5f2df89d0c2e2e77df4b35628d27bdbf45d7bb7490fa773d0f5e703cfcf76f7601e6773da6d8e753d24c59c72f4469eec787886d047053418c249

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c8faefda5c5d1dc53dab2cba9c607a8b

SHA1
04dab870c48eabfcaf9f2aa7d9a1f0d2e2f447b4

SHA256
2a4615eb0f3535be979520a7c4669a945277c14689c44b1e7a8b9ba995b45822

SHA512
8a5ab866e916239c971d150c6ca6c7e6f8a283a5992ba0729290cf87a74b46af1d006d1386ffbe2d9a6aa7cafaeb0f221e84f321b51b67bb79c67283c732834f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
bc50d9e3d684554a7ffaec1249967098

SHA1
8368b3e766cc87863163781f9bb20a1c6b5eb772

SHA256
15ab615b5f70360ebb5f444f878f0a17251b883065e505dcb3ba04bf7df7bc01

SHA512
ccaa85fb9044538ae727ec1518d77b0a0444f4c950949371da5fa5bad608d323e005da6cb911847bcd5ca37bf763fe395632ba94acfe89f6523a496ea0ccbd7c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c8dc9df63b13fedb18529f744c3a2ae2

SHA1
bfe430ace40c4cb7e9e854aa523399d0412c551f

SHA256
c491ef6d39c81e47d17dc6b5e2a0bb581fb922454533ff94a82bea8a47b281eb

SHA512
87931d1312c25edb8e9e3774d9c61f645d8f331eb8adddff0f16eeaa406dabda84c4d3a4da165c07dc53230ad62d3d5237a5be700c3963559c854ab491de3393

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4517f04ca06b5bd7586b0d09c8a8de55

SHA1
950bb6b5abf43dbb13d5efd23d9890491f3acfd6

SHA256
aa6167198a5bb0d4284413954f07ee048416e66e2ea0d8b05bffaec15680f53a

SHA512
d7d59c5a89cfb02f00733386a6ac1a8933d7f127870cda2ab6d2e6920cac63cf056570aec7176457e283b34f760ebdc24c4657a07640956c57377faadcf69542

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
4ff4ba39bdbe31a39ee4a3b0a992f22f

SHA1
f78b6bccd9595758a177f18feebed198cfb4bb04

SHA256
24de1e48323802bfd8a562d1f00c82fa2131dbe28ac5f323db1b460083622631

SHA512
22bbda154efa5ed93ed1f658218b52c6fd60be0c89cfb0b2c45c98a2eb3d030e8e47f181e2e0e881bebc5ca5e601a084f88a7f5472a010c46b21d6d38a53c9a8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
2be993761171a9e4bd494764c2bf9982

SHA1
8f044a421be1775cfc27e9595621ed1dda85166c

SHA256
ce2213a2c36c59c7f5b648ea99e56120d5e8b97b96336d50b9123d5456651d4e

SHA512
9122bae33e301b3e8d7497b015966e92f3f4e166b53fabc80d7ffbd5080b6e1dada521ba9c8f47a437df32d20720c7dc1ce5a79a0a2111cc35821c3c4bea418c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e954bb1531cf85166a0d3eb1cb91408a

SHA1
adcfd091576bb148a964d6b9e81e00b3f96eb098

SHA256
cb859cf850da4bc7ad8a851408e69f6a3a29cc54a7818ed54ed78f2010cf3419

SHA512
c4ad4201a057fd951a40f7cad0c54e2bd0d12831057fb57711d943da761ed4c12819903bc989b760369c2597d688a4a773e6c2466c17ab0d6e582b67078e5931

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
3f5a9e6865530125e63bdfc33c16b999

SHA1
1eeee16580957ca59585ff7b68d21666887a6380

SHA256
b55decf524b1e5000b768eaef37002097162b824f37c99853d20b61778b2fff9

SHA512
a60c178b2cf97a061b4084521a716be08a2ab4e0d7d3c41a3409a9d256b2d5410d440d305f9d33c123060df08d6ca1d55ffdd00de60b3de80e82efdb6f461f6c

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d787371716abb40ba78c7e828b3eb6e3

SHA1
8881be62e5afcf0d845b887c0934d4d448e72018

SHA256
c84ba43574ff7816fba8e9e857b28301c137e94ace1354228839591e00a8518d

SHA512
0a728fca2d5355807f0467cf28d78b1476267447af8cb82dd5db29729cf7a17de8a321647492a3ad198be219d5ab1ca04e4479bb23e83d54057abb87a32e7008

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
01ea657b8cf6dc3c1cca59eeb6454def

SHA1
7d32fc9d3804effaf250190af2ec6f7ba6fa155d

SHA256
4bef7d4ada55f52206e1088f02ad210db46b33d33b21059b3d11eb8f06a7e3de

SHA512
d9a65ac3a76a73fee960b9a8cc3c91c9836fbd51586c48b655b8b161b972fff992eddc1db7564c7dae1075f120af39d798e8a1c1b4419b32b41ffc39d135fbe3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
232e44deec54265b19a7efffb6621049

SHA1
978481e912e910cdd90360d2f7f401b655553f6e

SHA256
7d3cd83bb242760d0c325126370c8b997722266fe496de490b9da7c1f12c615d

SHA512
731be156dfe10042cc99c49624606c565006c98c68e6ca1d40f1a9bd0ca179c175a8adc334f22889dff7dd6c29273b846956acdd33dc7837317b075e310c51f9

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8a6200b21e442762034e8f24e795bdd0

SHA1
64df1858c921785e9072238769021611763c73de

SHA256
12d2c5ecf0a24f912bf5a0834c7fe2dbbc8ee439bfcb2af79701c31d001b759e

SHA512
e81e7d62748878a6608ea8a830f3bbe2eb311f204d052514801b7ba5154bf614bf955d341d28cd5a3050fd0491bc133566e37c86819e712dded85c5b98e57af0

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
046746692a001bf251a671e4d26c0a1d

SHA1
332729a358780c0fdb23d986ae94443e6db59d83

SHA256
161184517d99e98d7d1e2b115851b643adebd0fb593ca9a960df6a50a3393f9d

SHA512
1e57531b725f13c06a116b4110562b7d3c7f610d6c0c85dd4ebe1773db26acf07ccdb02865cd780f70380b1eb53c26260a952baa827b6a7b6ced4e7a81abb36c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
0f33c1030c2c6d7740cd5e89cf483f54

SHA1
0bf61d42bd297f0b96d164f10ad79836a224282e

SHA256
5550f4f2f3da2e7b13d8d635079c9a034542b4d165c27c50f2c7498eaf8a22b3

SHA512
866f86e576e5d660ee151c422f8c7de67108e21c37685889fc7c854e317c572f5ad8746e5697c8063de702343702680f0bed9f9650d69e8f86fb7bb6f7fc96ad

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3c738bcc013ca32d4fea36ef6c95f6c5

SHA1
7d38337c8de51ad618c012a53fb1820f459debc8

SHA256
f9ed10a289c9061c890453e35afc29887947fded7309f0746fed00b5b98dd0ff

SHA512
22d460bfa1a5a73eecd81d0697d4e1ee4a5ec74af6e3a6f29332c494416a2f4a712eb7c05264527323d11c9a9172cb12b9355b34f97dc6aa5d27421608f274d8

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
2e8ee82015f31eb7efa6baa7ec8265ed

SHA1
0eac6fea51f4a9ba7f07ca85546df64a07a9a744

SHA256
670657e953e90ba67623c974f96f9ad0421efc0e47c371ba257ea58d4c2d9497

SHA512
3ad7dfa7d78da413b66ae5e716caeba93daf787c88cf4838be1099b4e17bc30af2ddd37cb41c3a24373486ada3c22eb08446c3bb114cb3a912c0b2a3354b0d2e

Download Submit
memory/488-188-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/488-208-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/488-179-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/488-232-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/488-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/776-373-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/776-349-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/776-374-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/776-358-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/776-353-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/808-341-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/808-357-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/808-356-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/808-338-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/808-329-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1200-160-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1200-230-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-161-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-167-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1368-219-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-149-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1368-143-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-144-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1408-393-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1440-375-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-370-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1440-389-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1440-388-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-364-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1484-194-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1484-318-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1484-202-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1484-324-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1684-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1684-108-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1684-113-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1684-140-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1804-220-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1804-212-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1804-335-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1972-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1972-1-0x0000000001E60000-0x0000000001EC7000-memory.dmp

Filesize
412KB

Download
memory/1972-308-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1972-7-0x0000000001E60000-0x0000000001EC7000-memory.dmp

Filesize
412KB

Download
memory/1972-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2148-124-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2148-176-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2148-131-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2148-123-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2260-359-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/2260-362-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/2260-347-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/2260-234-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/2260-233-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/2260-345-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2260-229-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2260-227-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2260-228-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/2272-225-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2364-390-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-378-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-384-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/2460-340-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-313-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2460-320-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2460-325-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-339-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-14-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2524-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2524-42-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2524-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2848-180-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2848-93-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2848-103-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/2848-102-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/2848-96-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download