61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
Size

1.8MB
MD5

4a3c7ad7114e5fc03f50188c206134b9
SHA1

ae22416ec97b9c39fe2e7d334fbfed0480aa850d
SHA256

61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185
SHA512

a4a5d379dc0f85f5cc7cfe3ac2518e4ba5c2a8453922f28aab770dd6da2fce244480ac526c3b59a7999e609714d51450877e33f2da109c14a4101aa6feb225ae
SSDEEP

49152:yx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAoDmg27RnWGj:yvbjVkjjCAzJ9D527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 43 IoCs

pid	Process
480	Process not Found
2196	alg.exe
1532	aspnet_state.exe
2752	mscorsvw.exe
1948	mscorsvw.exe
2352	mscorsvw.exe
1656	mscorsvw.exe
1800	ehRecvr.exe
560	ehsched.exe
2156	elevation_service.exe
928	IEEtwCollector.exe
1808	GROOVE.EXE
2212	maintenanceservice.exe
2564	msdtc.exe
2484	msiexec.exe
2760	OSE.EXE
2240	OSPPSVC.EXE
2392	perfhost.exe
1196	mscorsvw.exe
1352	mscorsvw.exe
3064	mscorsvw.exe
2548	mscorsvw.exe
2224	mscorsvw.exe
2788	mscorsvw.exe
2052	mscorsvw.exe
1364	mscorsvw.exe
1460	mscorsvw.exe
2644	mscorsvw.exe
2212	mscorsvw.exe
1576	mscorsvw.exe
320	mscorsvw.exe
2496	mscorsvw.exe
1016	dllhost.exe
1640	mscorsvw.exe
2712	mscorsvw.exe
2480	mscorsvw.exe
1704	mscorsvw.exe
2868	mscorsvw.exe
1588	mscorsvw.exe
1196	mscorsvw.exe
2984	mscorsvw.exe
1336	mscorsvw.exe
1440	mscorsvw.exe

Loads dropped DLL 9 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2484	msiexec.exe
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\System32\msdtc.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\System32\alg.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\28629f482a37835d.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_ja.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_da.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_es-419.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_kn.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_lv.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\GoogleCrashHandler.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_sk.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_el.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\goopdateres_ro.dll	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF4C.tmp\GoogleUpdateComRegisterShell64.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F7CA756E-C7E1-484D-8AB2-37C9E3EF7E51}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F7CA756E-C7E1-484D-8AB2-37C9E3EF7E51}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
988	ehRec.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2120	61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeDebugPrivilege	988	ehRec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeSecurityPrivilege	2484	msiexec.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeDebugPrivilege	2196	alg.exe
Token: SeDebugPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1196	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 1196	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 1196	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 1196	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 1352	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 1352	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 1352	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 1352	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 3064	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 3064	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 3064	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 3064	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 2548	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 2548	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 2548	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 2548	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 2224	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 2224	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 2224	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 2224	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 2788	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 2788	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 2788	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 2788	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 2052	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 2052	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 2052	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 2052	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 1364	2352	mscorsvw.exe	54
PID 2352 wrote to memory of 1364	2352	mscorsvw.exe	54
PID 2352 wrote to memory of 1364	2352	mscorsvw.exe	54
PID 2352 wrote to memory of 1364	2352	mscorsvw.exe	54
PID 2352 wrote to memory of 1460	2352	mscorsvw.exe	55
PID 2352 wrote to memory of 1460	2352	mscorsvw.exe	55
PID 2352 wrote to memory of 1460	2352	mscorsvw.exe	55
PID 2352 wrote to memory of 1460	2352	mscorsvw.exe	55
PID 2352 wrote to memory of 2644	2352	mscorsvw.exe	56
PID 2352 wrote to memory of 2644	2352	mscorsvw.exe	56
PID 2352 wrote to memory of 2644	2352	mscorsvw.exe	56
PID 2352 wrote to memory of 2644	2352	mscorsvw.exe	56
PID 2352 wrote to memory of 2212	2352	mscorsvw.exe	57
PID 2352 wrote to memory of 2212	2352	mscorsvw.exe	57
PID 2352 wrote to memory of 2212	2352	mscorsvw.exe	57
PID 2352 wrote to memory of 2212	2352	mscorsvw.exe	57
PID 2352 wrote to memory of 1576	2352	mscorsvw.exe	58
PID 2352 wrote to memory of 1576	2352	mscorsvw.exe	58
PID 2352 wrote to memory of 1576	2352	mscorsvw.exe	58
PID 2352 wrote to memory of 1576	2352	mscorsvw.exe	58
PID 2352 wrote to memory of 320	2352	mscorsvw.exe	59
PID 2352 wrote to memory of 320	2352	mscorsvw.exe	59
PID 2352 wrote to memory of 320	2352	mscorsvw.exe	59
PID 2352 wrote to memory of 320	2352	mscorsvw.exe	59
PID 2352 wrote to memory of 2496	2352	mscorsvw.exe	60
PID 2352 wrote to memory of 2496	2352	mscorsvw.exe	60
PID 2352 wrote to memory of 2496	2352	mscorsvw.exe	60
PID 2352 wrote to memory of 2496	2352	mscorsvw.exe	60
PID 2352 wrote to memory of 1640	2352	mscorsvw.exe	62
PID 2352 wrote to memory of 1640	2352	mscorsvw.exe	62
PID 2352 wrote to memory of 1640	2352	mscorsvw.exe	62
PID 2352 wrote to memory of 1640	2352	mscorsvw.exe	62
PID 2352 wrote to memory of 2712	2352	mscorsvw.exe	65
PID 2352 wrote to memory of 2712	2352	mscorsvw.exe	65
PID 2352 wrote to memory of 2712	2352	mscorsvw.exe	65
PID 2352 wrote to memory of 2712	2352	mscorsvw.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe
"C:\Users\Admin\AppData\Local\Temp\61df94c5e0694076a062670efa67d59ac6e99bb6c79afef681f931a078a87185.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2752

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 23c -NGENProcess 240 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 240 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 1d4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 26c -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 278 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 29c -NGENProcess 1e0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 23c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1ac -NGENProcess 284 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 184 -NGENProcess 29c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 184 -NGENProcess 2ac -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 294 -NGENProcess 2b0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 294 -NGENProcess 184 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b8 -NGENProcess 2b0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 194 -NGENProcess 1b8 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1440

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1800

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:560

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:928

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2760

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
861437f405c17edbe6b6fae5ce6a955e

SHA1
3efe1e4e2c822b9d87bff8db30270d628cc32800

SHA256
46e7ed14e4297743b3c735b297068d91a84adec1c4994c9a34756d359470e053

SHA512
946df3f9efc8f9cb06f1fb325162bc71dd33ee622c43e8c22bb2982b16fc8580b3dabcd4669122170fa36f255bc4f142cb15972ad26372c99f83a50c064c9233

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
2ce50037a642347435bdc53c4789d180

SHA1
7f248974ba0bd512381861a7f5ba59de69bef2ce

SHA256
81cf8cbbd6ac6cd1e072aebbc2cce0375c4efa7b9ec239058a30b2e8343a08bc

SHA512
bc7ed51d26fcfde334a14ccab6ab94af39ea7e2ec4387d35d9acba717c744529a65ca0336936c99aeb7ec30d7438f41b82a4c64c76bae375a65f4fdb0ecda9f6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
f5457eb0d557b120d6213e79acfe61a8

SHA1
507a7caaa1ea592990f79a2fdc043db570300cec

SHA256
edd582675fb94992849b1c694d136602262be0da3c926afec2ff09c5a992ee66

SHA512
937a1da1814f2f6b93bf9880b4efb820e80c7930a2670c020e5bb8d304f4692a4fef47d4e467de374d288998da058421a4697cd46a4a07174bd7d337bc0c630c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
307a8c95661a2f08c02c3b4b982d5d6d

SHA1
e9e80066638e32b5af9ce047f129b37c0fce599d

SHA256
ce7967763946f01f9b0e38bfa5fa5ed1185dec2c07b0167ac21b2eea87bdf85e

SHA512
d897cd170553be7716c303535301745137f7d542c2972e93127046e584aa5fe36fa807b17fa82a8611e41760338dc05beb8fe0e99e0c243b3b4a33f7674e1e67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
8bac753c8b75c565387694ffe428f820

SHA1
96f2dc98de7538a52fcdac200fe94eff71886d5b

SHA256
627a4156c69a20da5e78cc0311d4f1a780616e73493d3e2aa776f1fdefb10417

SHA512
2295f4e5727fb3ea4c506e37eca0cfe434827d24f5f98a34f5671a711e22f496a26775fe95621c2d31ee4dc783aa4463d41a3e5594395c47d21aa68f4f7cf0e8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bc775ead0df27249427d4e1094d53dc8

SHA1
4b7fa4367ead73a61851a5c03233f163fe97067c

SHA256
90989f4782f8b69b2a6157cafd6f9af5e6a3d5d8ead30f2497f04036cb985ea8

SHA512
de370103b1cbef24bc283a076da01263b28f0f2e95677da8b5220a0032a30d610d819b35e0eecd20e04f7be6bf239382afcb4e9f8013fb46470d08dc029d6745

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
ea62217d0acfbf49019c122243bd3b2f

SHA1
f1e722f5f30ecc1ec1f2d178d5ce0199c564274b

SHA256
97a0b7ffb105c59ea2d157d1c0aea4ee05f2f2ee38819a3b8ec1a8039f57cd40

SHA512
b3648982cfe03ba19ac09d4f799c19a11e02336151a4b9e73d8cbd7053c487e2f9a2e975844d5720a1e6547905eedea397b1de703ce369445c149acd9c958005

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
00785203e2c70326e74751874cfcad04

SHA1
acd776cfc2ef598ad030bbae8ac3ea73055c8396

SHA256
df3aecedd55ff17e8e3dd30584fd2ee1d5c4f24940cf00eedf476212b5ea723c

SHA512
3e4f4eb5713c00314206ea5f18f8ba807bb53619df81a78ba99759e49e361a60242f050f22f2c3f66093b5d2abe9f2b2b269cf37112a606bd01f3d1faa21446e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
adbc552aa8eb861e35b52cac8579cab3

SHA1
e95b4321d5a3283a5a733023fe512b131a91af8e

SHA256
602b9c71aa70a2faaa6bfcf466d6eb2f81fc2568591a672426ab0e326da8f69f

SHA512
dc45d11a30afd67c15a9dfce2e2041a6ffa01914bbbae10db7021b6d98e5392f33226e95b7c21d61dc0fee72f2ac122f9d9313a408396871938f392895588c70

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b4558914bcb2fdf51b2b7e4c4d35b9c

SHA1
56ba594e76f851d2b56d2fedf41579570329d563

SHA256
05b1f7b0adce8d9cd233937c2b95c4ed3ec3f05dc789637838a949187b4d1a58

SHA512
e8d0258c7caca7ea6e069b6416ba75330bc77c285cc8caf6f4372cef9e431ceae7d63b5c841d37829a58ca9ea13e9a521e3c525cc8b7a115cfb24597fc29ad16

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
9792edbaa4943ec49392220b909cd3ea

SHA1
1115c79ed9d71f8ea7be1b12642767599e4c4884

SHA256
8c85df0f8d37c9fe10d6206350f320b54c38357b453cf53b6998d96a605a160c

SHA512
658e9290860cda2a3ebe2b795af50881f2fe8ce316630cc30f02ad6ec19be1a2c384d74b0a810172b7ff3f8f93b221390302a5802f990d1cb5452a686c78b7a1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5c79c6c74794267e2233cec1624517b7

SHA1
083eaaa395f4427057cf27e39a351850e5ad6111

SHA256
be70c74d9d332fe84de94cf9ec23e8589f3a7ec5ef2f48a02163eebc46479fa1

SHA512
475bd44529b51eb9dde91d7d43b137791dd2e5e2d0b4260ff15631221e2ad64d32446b6e9cf64f1d4d76d0febfacf7d7f91682cefe7ca3a0a67f9a569f9236ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
fd4a6b723ad013b8fc229ac1da72e68a

SHA1
98bfbd7bfd0d51f220ff2e418ac8dae67e357945

SHA256
178251ff590a04224e337971d5a17d610ac25a3f3794db00ed4a02454a848266

SHA512
fc846d9d1b865e549f155f5697b988d62bb51ae580688cccdd4aa01b96f4e8c119c2879aae1df951baa92751e8ec1359b3099e47f9b71839b789b2c3c89b8797

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9edb67a9f5ad9aaf88e06ae508a75880

SHA1
721f12a75d42225e6a4a677ea21cd27e876462ad

SHA256
a96e938061acd1789d6e1c30834a34d3fba0959b48b98c2831eb7aeedd871127

SHA512
879c25670cacb2d5a73e870d43df07591bfafd752a7d22f6a16036a32c6048c8b23ad0b240f114c9c0581b5492620b5a006edc9611ec84136ba3102a6c9bf460

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b08a5e643a7b34c9aee59dba3bface39

SHA1
ef52a7350de33d660bb8fa4f50da0311dbab20a8

SHA256
033c2d17b13f30935343f72d8841bfffc88279309922149c8e313f4099423933

SHA512
a259084cd09f4e905b82f44728d3c435573c8412acf8aec63c9636295fc0c324b600def966250e67e83727d428d10b32fb1b352a2f49a2e97f1a8344dea74767

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
73adc2f76d6e543e5c9228257d600a84

SHA1
11ab1743425ebf038d2ff6ff5ae678f5c33f0659

SHA256
63e3192edbf239bdf11e93dcbaa4b1431c3495282024b997737db5d913c8a4f3

SHA512
5cfd67400542d185eba22d56b1b13489e3c19d9d403dbff49c09df3f50c294da17b55e233ba46a4e33bc81b5ce4e6f4f73dedee04e955490ac6014a6aafb67ca

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ce1af36a49e7ce83807530fcdaa618e5

SHA1
4fc285e9b280198d497af06653dc870b36af37d7

SHA256
3b2d18ea3a7b4f1b5e02d9d552b969314172db25ca90b1bd26d4cd9ed6ac5826

SHA512
8b70969a573d2e3a87d15ac0d6e09893e7cf8fb9b28b7543a0467bc5f38109bf44857dc3e0b673b60b207f4a69d26e0353627bc3c10a3331a298327ccb29f2ad

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
220b47adc12b220f8027b21a176da13a

SHA1
8a20f759f2e3279314e4a6dc82ad49b72c9ab744

SHA256
ff2b70f000064a43b1f4c417bb21b814d90d239df864aeaf1683b69dda181b6f

SHA512
37ce733b5e159b34eeb62c911c9419008bef967f44e5ef0e27cb9ba1597f9486aaccfc10ef354a7bc6be4a5a7a5e874aaa307f8fc850ffb72fa34c611ce8b69c

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
320202954180296f04225af0da4ffe54

SHA1
6d17792cbec39b174115cd6d799dd0bc3ba269ef

SHA256
79e05440960f2675fc3c767d7847a2788e5bdf9d9ea57dc12716ecaa5f338252

SHA512
58b21e6edf8d81666551958d705273121aae9f479775cfd1b7a5b269aa7cefafe4a4ae03ab313c0bed7f3c696838f1eb4483aa0c24db3a5a845890a317dde793

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
c55560ceb4232f5c3bc5c9f46533c6c3

SHA1
6f6c82707106e77989da4518270bd50e09380ac5

SHA256
f6daffb0ab2638205212a2b774e81cb6fb9fe322241caf9d0b7d16b725349f38

SHA512
f945ef40709e4a39c1c7cf00e57ae795fc3fc9bcefea6ce103e48e34645896b46815aa085556605b4402dcdefc83d1720d3b5fa9817f0edc7ee59fac9bfdce45

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
1e890d3a4fb3c7d55ff41c04c0a7c575

SHA1
e552a5b9d26e423a6419bd5440b441976cb5d704

SHA256
4fce96693e2ac157123efaace310d9d691d40cc8cfaaba6fb0ef8c66d7b4b299

SHA512
475977556d568345977ba2b35314e943e4b283fa36ab5c6c201b1afa097f8bf37478e69cb30e3efb649c1fdd1d73ba6df06e5102a898a6e5da41ab8fc104587a

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
d8d60b31713daf6000b68168a1bf831b

SHA1
daa0e6abb5364bd7dc570152723433ecb8c3e47f

SHA256
13e147ff56c227da9973c46feacebcbd1ac9288ac85b66de03dc919a18334e27

SHA512
56ffb49c513eda06f24606ebe9faeb4bdeede37266a84b532abe8bead09d9e1fadba34c176e705c8c0e344f9b61f73cf2abccf5945a310d9e9eacdf85b5cc134

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7318201e89c031fb93f0838e779a524b

SHA1
bf231f4ca802e755db3e15a79c7471ac3f6c5b2b

SHA256
84f8f7ab1e6a98abea3ec106e722720fa43c1494cf914029e7ebee0a648630dd

SHA512
7e61b51f6ae8a31ec77a0a6269f63bebbccdb97a0b7d5d5af7aed230a0511049cafd22e9d4d677be0047cfe5f83e9906f6a676d97c2c0573415c036c4ec587ae

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
3b9437e1cb19f97afc23f1b196885e17

SHA1
5ba350529d653da434b81d82b23db1a76c752980

SHA256
92a381ef9aa58e1282dc03a86012d166114f043115223b7ceaaec1276fd8fef0

SHA512
4de7fe0b47dbfa6255114bfb073284bca6560f555a3251d83b796f63b7b65ddd9543eafa857c175a149e3310e7508ff481c2c3ed613c02f6428b0751686ce471

Download Submit
memory/560-231-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/560-180-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/560-182-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/560-173-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/928-214-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/928-216-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/988-314-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/988-213-0x000007FEF4790000-0x000007FEF512D000-memory.dmp

Filesize
9.6MB

Download
memory/988-210-0x000007FEF4790000-0x000007FEF512D000-memory.dmp

Filesize
9.6MB

Download
memory/988-211-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/988-322-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/988-278-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/988-273-0x000007FEF4790000-0x000007FEF512D000-memory.dmp

Filesize
9.6MB

Download
memory/988-251-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/988-280-0x000007FEF4790000-0x000007FEF512D000-memory.dmp

Filesize
9.6MB

Download
memory/1196-418-0x0000000072E50000-0x000000007353E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-409-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1352-421-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1532-174-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1532-94-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1656-144-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1656-215-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1656-150-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1656-142-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1800-159-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1800-186-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1800-187-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1800-185-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1800-167-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1800-224-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1800-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1800-260-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1808-222-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1808-227-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/1808-298-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1948-137-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1948-113-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2120-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2120-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2120-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2120-403-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2120-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2120-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-266-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2156-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2156-196-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2196-158-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2196-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2196-14-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2196-38-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2212-240-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2212-246-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2212-234-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2212-247-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2240-304-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2240-309-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2240-312-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2240-427-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2240-320-0x0000000074268000-0x000000007427D000-memory.dmp

Filesize
84KB

Download
memory/2352-197-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2352-126-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2352-125-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2352-131-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2392-318-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2484-271-0x0000000000610000-0x0000000000801000-memory.dmp

Filesize
1.9MB

Download
memory/2484-281-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2484-269-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-321-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-411-0x0000000000610000-0x0000000000801000-memory.dmp

Filesize
1.9MB

Download
memory/2564-262-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2564-254-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2564-316-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2752-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2752-97-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2752-123-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2752-103-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2760-417-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2760-299-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2760-291-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download