8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879

Analysis

max time kernel
93s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
Size

1.8MB
MD5

c3e70aea2fe15e27f4bb34fe37fe073f
SHA1

e11f0e4bd3c36e7c4615bbafd431872edbdfe1cc
SHA256

8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879
SHA512

8dc39189c7516562ab033cab716486d60d9b3f886511b4957c8fb2f92e15c03f97434936eace3c478fcf4cec1f559bc483bc1aab7845c82e611219572a1d86fa
SSDEEP

49152:lKJ0WR7AFPyyiSruXKpk3WFDL9zxnSCblI7a8K2mFhbrr:lKlBAFPydSS6W6X9lnblI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
480	Process not Found
2976	alg.exe
2636	aspnet_state.exe
2896	mscorsvw.exe
1812	mscorsvw.exe
1720	mscorsvw.exe
2004	mscorsvw.exe
588	ehRecvr.exe
3068	ehsched.exe
784	elevation_service.exe
700	IEEtwCollector.exe
2440	mscorsvw.exe
2888	mscorsvw.exe
2952	mscorsvw.exe
2236	mscorsvw.exe
1432	mscorsvw.exe
2984	mscorsvw.exe
2932	mscorsvw.exe
2128	dllhost.exe
2052	GROOVE.EXE
2512	mscorsvw.exe
2668	maintenanceservice.exe
1600	mscorsvw.exe
1608	OSE.EXE
1812	mscorsvw.exe
840	OSPPSVC.EXE
272	mscorsvw.exe
2116	mscorsvw.exe
804	mscorsvw.exe
1788	mscorsvw.exe
2588	mscorsvw.exe
2532	mscorsvw.exe

Loads dropped DLL 6 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8b9164a42a37835d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_ca.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_ru.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_sk.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_zh-TW.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\GoogleUpdate.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_el.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_sv.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_da.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\psmachine.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_zh-CN.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\psmachine_64.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_de.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\psuser_64.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_fi.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_lt.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\goopdateres_pt-PT.dll	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\GoogleCrashHandler.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1832.tmp\GoogleUpdateCore.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{267B9864-F1C8-4489-8CE5-F548AD3EF501}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{267B9864-F1C8-4489-8CE5-F548AD3EF501}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
576	ehRec.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2288	8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
Token: SeShutdownPrivilege	1720	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: 33	1228	EhTray.exe
Token: SeIncBasePriorityPrivilege	1228	EhTray.exe
Token: SeDebugPrivilege	576	ehRec.exe
Token: SeShutdownPrivilege	1720	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	1720	mscorsvw.exe
Token: SeShutdownPrivilege	1720	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: 33	1228	EhTray.exe
Token: SeIncBasePriorityPrivilege	1228	EhTray.exe
Token: SeDebugPrivilege	2976	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1228	EhTray.exe
1228	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1228	EhTray.exe
1228	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2440	1720	mscorsvw.exe	40
PID 1720 wrote to memory of 2440	1720	mscorsvw.exe	40
PID 1720 wrote to memory of 2440	1720	mscorsvw.exe	40
PID 1720 wrote to memory of 2440	1720	mscorsvw.exe	40
PID 1720 wrote to memory of 2888	1720	mscorsvw.exe	41
PID 1720 wrote to memory of 2888	1720	mscorsvw.exe	41
PID 1720 wrote to memory of 2888	1720	mscorsvw.exe	41
PID 1720 wrote to memory of 2888	1720	mscorsvw.exe	41
PID 1720 wrote to memory of 2952	1720	mscorsvw.exe	42
PID 1720 wrote to memory of 2952	1720	mscorsvw.exe	42
PID 1720 wrote to memory of 2952	1720	mscorsvw.exe	42
PID 1720 wrote to memory of 2952	1720	mscorsvw.exe	42
PID 1720 wrote to memory of 2236	1720	mscorsvw.exe	43
PID 1720 wrote to memory of 2236	1720	mscorsvw.exe	43
PID 1720 wrote to memory of 2236	1720	mscorsvw.exe	43
PID 1720 wrote to memory of 2236	1720	mscorsvw.exe	43
PID 1720 wrote to memory of 1432	1720	mscorsvw.exe	44
PID 1720 wrote to memory of 1432	1720	mscorsvw.exe	44
PID 1720 wrote to memory of 1432	1720	mscorsvw.exe	44
PID 1720 wrote to memory of 1432	1720	mscorsvw.exe	44
PID 1720 wrote to memory of 2984	1720	mscorsvw.exe	45
PID 1720 wrote to memory of 2984	1720	mscorsvw.exe	45
PID 1720 wrote to memory of 2984	1720	mscorsvw.exe	45
PID 1720 wrote to memory of 2984	1720	mscorsvw.exe	45
PID 1720 wrote to memory of 2932	1720	mscorsvw.exe	46
PID 1720 wrote to memory of 2932	1720	mscorsvw.exe	46
PID 1720 wrote to memory of 2932	1720	mscorsvw.exe	46
PID 1720 wrote to memory of 2932	1720	mscorsvw.exe	46
PID 1720 wrote to memory of 2512	1720	mscorsvw.exe	49
PID 1720 wrote to memory of 2512	1720	mscorsvw.exe	49
PID 1720 wrote to memory of 2512	1720	mscorsvw.exe	49
PID 1720 wrote to memory of 2512	1720	mscorsvw.exe	49
PID 1720 wrote to memory of 1600	1720	mscorsvw.exe	51
PID 1720 wrote to memory of 1600	1720	mscorsvw.exe	51
PID 1720 wrote to memory of 1600	1720	mscorsvw.exe	51
PID 1720 wrote to memory of 1600	1720	mscorsvw.exe	51
PID 1720 wrote to memory of 1812	1720	mscorsvw.exe	53
PID 1720 wrote to memory of 1812	1720	mscorsvw.exe	53
PID 1720 wrote to memory of 1812	1720	mscorsvw.exe	53
PID 1720 wrote to memory of 1812	1720	mscorsvw.exe	53
PID 1720 wrote to memory of 272	1720	mscorsvw.exe	55
PID 1720 wrote to memory of 272	1720	mscorsvw.exe	55
PID 1720 wrote to memory of 272	1720	mscorsvw.exe	55
PID 1720 wrote to memory of 272	1720	mscorsvw.exe	55
PID 1720 wrote to memory of 2116	1720	mscorsvw.exe	56
PID 1720 wrote to memory of 2116	1720	mscorsvw.exe	56
PID 1720 wrote to memory of 2116	1720	mscorsvw.exe	56
PID 1720 wrote to memory of 2116	1720	mscorsvw.exe	56
PID 1720 wrote to memory of 804	1720	mscorsvw.exe	57
PID 1720 wrote to memory of 804	1720	mscorsvw.exe	57
PID 1720 wrote to memory of 804	1720	mscorsvw.exe	57
PID 1720 wrote to memory of 804	1720	mscorsvw.exe	57
PID 1720 wrote to memory of 1788	1720	mscorsvw.exe	60
PID 1720 wrote to memory of 1788	1720	mscorsvw.exe	60
PID 1720 wrote to memory of 1788	1720	mscorsvw.exe	60
PID 1720 wrote to memory of 1788	1720	mscorsvw.exe	60
PID 1720 wrote to memory of 2588	1720	mscorsvw.exe	61
PID 1720 wrote to memory of 2588	1720	mscorsvw.exe	61
PID 1720 wrote to memory of 2588	1720	mscorsvw.exe	61
PID 1720 wrote to memory of 2588	1720	mscorsvw.exe	61
PID 1720 wrote to memory of 2532	1720	mscorsvw.exe	62
PID 1720 wrote to memory of 2532	1720	mscorsvw.exe	62
PID 1720 wrote to memory of 2532	1720	mscorsvw.exe	62
PID 1720 wrote to memory of 2532	1720	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe
"C:\Users\Admin\AppData\Local\Temp\8f9ec680348887ea5e8ca92fa81784763ee9e8b03d17c00d2a2740eed7e53879.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2896

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 250 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 250 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1ac -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 280 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 120 -NGENProcess 270 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b0 -NGENProcess 184 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:588

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:784

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:700

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2128

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2668

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1608

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:1736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:1316

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1432

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2468
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
8304c84c5a6fb9f57777482bced60433

SHA1
b99b60db4d8a04829d10cfa1dfe7ef3773f343c4

SHA256
2149d37313f2ea2d10e6836eaa0bfcc256b16127b3828c19e86904fc02c459f6

SHA512
0644d6783e39316575b61f859e77503e97ba106475b5d4046fb9c9a73d7f04d1e9571c36074492e274b58293c02f2a7b5d641d2729748f03ebe1aa8a5f72b119

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
76e5a9a7ca69e9f328b514e93904ef57

SHA1
11c7e0c53b55b4fe4e10f7d5d520a94c2a7bc68c

SHA256
1b723758220d44dfd6b7f99a9b2b32d9329149981b5c2fb61b7ee0e580bf4538

SHA512
f224baab0acda1018ad729fcabc96fb21c556675138744134da5aa40ee6bfbaabec1312574a91956f17bf561174c63501a80eff89d8d2a7abd265a2aac468e4e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
2346647a5fddd67a5ea097e5e3a30d72

SHA1
9947151bd6a46aaf81ca98c24cce05bc30a927ff

SHA256
9275500182ac9f76d438a9b345b24950299a47cd50d3389c5f750fd93d3f104f

SHA512
effe35bf9f2085225ff48a068a09c2cb7e9a49d294016a7088fe401a62709f8504b8a5e3854ba867511df3935060af55d10b407f7742810bdc069be902818d24

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
98ca8709ea38870685f6865d55809d3a

SHA1
e4fa1981eede31e93cac7e63411902ac28e75cbe

SHA256
001b841df52470ce1b8d1730ab0d136a829595a4d602df3e8d5f41e6afc78c95

SHA512
2a460037a76cb7e72bd65cf60dfffef42a8f48738e49158fc07a5be2dd01bc722c2dccd8197d1d133f5b2b317a6018573b3b00c2cb637d7867d10f49b6e31bca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d08395ecb734b0300268a7bb1bbf2c1a

SHA1
e8b2916bbf9405d373555a642fd3fce4573600e2

SHA256
f81e7014f58e195ed9b07058b7c7dec110116dd3ac83c83bdf575ff761bef615

SHA512
9628bbe6da992321537d19f346bd6c2fe786abcb2aeeb3cff02e203301ef3a7f36ecd91581d3cde776042bd4e1c4744d2aa2999b3245b79f0cb46364073bce15

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6981ecfd697e640771247b6fccf8e87c

SHA1
a90c65819e4d380f04baff231754c906c5d72c1d

SHA256
1a98ae8e728e5be2c30b9ea3d90107360dee9a2f5b7f8f1d9b5dc402ca2b11ac

SHA512
e7e4360395fe59c52f35ab38cd775644eef37724a62dd4eb7088ade6037409b67f090f6f14046560c011d311597aa9aae226905b8b12337ed8bd7435a91dbfab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
05d1b15341014e4cc5d5ab0d5a1974ce

SHA1
33b044bcf038102d5945a0c305168d0829ca0798

SHA256
aaf842328cc51fd7539754cb53eb856ccf25b115cf54715245127d1615746b40

SHA512
50e8578185b596d074c60d86624e4cc77dd75c5b4211e43f5be24f80145fb399ddb57d6d2760af9d2137b934947cf719f21edb7d23d15c3bef6d0445bcec6a20

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
71519cfe4cb5c14c51316e3601ed2dd8

SHA1
d04c99d56e05a3f101522891e47780dd96c672ef

SHA256
e76a51e3504f1441038eaf59e36843d14519207d16f5b883a755c543ae06820d

SHA512
0a80267205ab01f778cb2d532892932146c7c47cb3cbfa5f0533fe65ff53e0218b0388ed2765935cb7bb727ff5632caa60cf5a97a165773cf6263c34ca4da024

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
195df5078aed4d472efa40f13d8ab3cf

SHA1
18e4efa675bb27a2e900be018f621c949b5dddfe

SHA256
dd8c54fc5594e01150f9fbfbe9cc323ba3dfc5b8571c2df3fc2c87ae8d3902ce

SHA512
ff0305a19f39356abde0c74fe40356377f754cee04dd2911f6f5c514bf76f5e5c9ae5b3a68ddd84fe2c969c750213c661bd4d0fc413355ab117b6efa07b8c5d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
0bf8632f0be2ff85048976a4ecaede84

SHA1
a43a846aa5075e5e14c8cc75b735a14e53798f5d

SHA256
c609b7538067117b7ad0b8c4f6cb619baa768be80f993a72922b4e1af6c594e6

SHA512
bae4425fb0dd6861627e85b359b17c1b998f97630b5649b3651221ec647a07eec5676a3bd9131b946e4c4cc1d312217b2f835dbf4bb35d6e5238d526e177e541

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9711a2a1c4e8d87b6ccf3e949ba440ae

SHA1
6c748700956caefbf974f014f731a6ae6ba02ecf

SHA256
44952e6a33695fd1f463053660a26afaaada5186c60ac6eeaf1acfb090ddfca9

SHA512
7bbf1a77c227436892d61ebfe32cebae0acf4870816a5f983f684ab5335614548e139efe334f06ba9b5e917c332ec33374d53dfab42c0f711841ab6526c0691c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
3284fc2ef1d31fdc58c1e219ac5ca0e2

SHA1
a06609ecc0d4068f9fce3ea1d924ab38a3a1a846

SHA256
4807263c18eed56e6791ccd7c945fc1c4861a4f39bd97f40a0451c519a5b37f4

SHA512
5a3acf20356f2792193727c0ffa144bc6f310d3306be45a65d5ea81ae708308c771db13e96dc54fd5a84b100e5dcd60f4bb43521dcf03272fe25671beb5cc4b7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
6cb16178c6bfb78980264726ce22e60b

SHA1
f8bece6992dc459844f0ffea20b3c8848452c957

SHA256
20bc79f19c63e67aa306c9d58a616ca025f40b8f55649240b61a148e37699085

SHA512
20cb657e48ba82f813d9c04e684d518fd4e694ce8fe29275f54b9a1990de5747ef94b4e4ac35538405fd10264daeb5d1bffdd982326bc7de021635c5922b0528

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f4daa3c21fd0c55412ebd3e15d1814cd

SHA1
64784332a50f73cc587d0a91b02a379cc2c58544

SHA256
153d8382ef9eade208a6560e33d663a6250fa1e92fa88f9857ae3eaae9ea9a0a

SHA512
2c670c286d79615cab8636c780abd6af70bcfd6c6ed8725a183668f2944514ecee3be7af696519d19f979c26df170cc384a78e18850051e83f7c38706304f803

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
5d712b8acad2e2d9b00d3c32180ac7b8

SHA1
d2d548f82438acd17e7fd90725840339c92a3777

SHA256
31b6ef9c08d4782cc009511cd71b7d3eb7285d0b7b13af2d6edba80a90cb7304

SHA512
5d17e0861699b86e7c27ff4da08b328309b5b242d24b42d64a1e8b756310c277f97e3c039799dcd808e893e55fcffc6abd929608c25a7e0d68cc096dfdee440d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
b86bb8d2fd8fc21b13c5458c7cfe6bb9

SHA1
8aa1c4b689234219bde63bb7d4703ad3b1d9eaf1

SHA256
063a52bedbdb5585f763c87f75ebd340bde44cad324dce9c3d47d9c3ac68514d

SHA512
24d8622a961c68b5e39c43deebc68e7278ce755a15418df8abea6f63df8c6323d14791e91fc532ea5e55d919082fa65b40c7e77ed00555680638661c9c2db3f5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
11b004d680580deff6a2c0c6961f68a6

SHA1
6c4f1ae7675962bddb5ddf7ce80ecf5ea424533b

SHA256
fddbf9e06427623bb79ecb23bec8b177b1bbf0873e47cdd021eaf50d07b2efa5

SHA512
67bd3d6f26426fa41af47fbbe1a667ec9e586b3b997dc92f892111536539e1d32b13168609fd295b2e2fdc56ff8ff02309e7277b0c4767b60938ef148aa398c5

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
bb57377c30ba4512534314799e0d8b42

SHA1
0c9178f7ceb55213dc9d5f8d8b9b10e4659d8fde

SHA256
e6720c24d2cc13c8fa9c5aaea3300fce97dd3279a97a85903524c103bc163977

SHA512
b66d244f7efe3c92b2f4bcbe841d539d1d0765174f1398fa0e853eb4de53d41c6e2ddfc0d519bd80fa6f1904ec2a439a698d7010ebd3bdae45df0cbaa36b8a0e

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
6fd94cfb20567ddaaf71572303e4e4ad

SHA1
156c45a9742dff86b376f3fd19bfea6fe2e13947

SHA256
720500f9083320d1ff98d8b7458bd9f51c6e66e74fd24c1fab43f1d53a55cf57

SHA512
ae67f924a0b0695ba75093db011711c40ef78143cec708617ed803d09c3bd64f71779fabd450b17effd6d2796b72f4c70c5f4a971d011c2f885450f5810748e6

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
da5d8c4ef5bcaf38fadb5251480a30af

SHA1
cad24047e207496cba72cde3359f1c1b01af24bb

SHA256
881055a1e7135de9b63558632383ec8fa463b57471f9404df65468f95729e1ae

SHA512
b7c00833abead8c9347af372b6b5b5c4a2702f13d642ab706b6f4c80b71e0f524b752afee6897d6903626bd621a3ced81df6b0100b8e6bddbab854353bada3fd

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
e018376a270024e787c344370c0e015a

SHA1
ef0981e65347c19a1859b07673151fc43418b89d

SHA256
5e4a1dc195393c9341340923f8003c819afb0a37516017f3209f79a5ffabb1af

SHA512
d1708a3a9164202a0337c68ab035696a13d91c0ea39ce2e10611e8f80056f0ac4d034d84e32e2ce0f2fbf95514dfe0ef60e2cc00ef960cab33e000e6b8b7c9c6

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a8d7ec6ebc1e7fc712789d3bb26cc552

SHA1
adc6b1e03c10a54420e874f7bc7e19c525363e3d

SHA256
1fa0cbc525aca8de52cf69f865cde6187d9bbd47ce393f1245f19393ac643ac9

SHA512
96a2057dd7c0c54e4c3d88ccd66be93d78034ab88f360d0c0d992e76119d7ec14501d59e374e1ee22264f95a95e6678cdcd03b8f810ff30666cb2460cddeedc6

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
d4448e2367d869b6155d1db2fe78b4c5

SHA1
25ecffeb62277146b838b5e378a54c0271f8004e

SHA256
53dd1df6e4440e5834fcfa7e3f785869fac6b13108b9a0c32b2027dfeb055b9d

SHA512
1b8d478dccbec8c15c114a7a3ef448b1c9e4063a8f4bbc66811fa3a2b57f1e76b4e569cbfd1d656de9794c8f94ce668dc72f481d6f63cb78195d0c7cf8cf7f3a

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c1df1bf7fac7c6c8f392418f8f607989

SHA1
d6db0d504904595aeb5626824929f38ca7158531

SHA256
92e123d3cd31ed3eb41e38619762945757afe606aa043ff01976630408b5beb4

SHA512
4b83296075d49117b6f055417cecfb18402a2075ef0a7b425fb6c11555d9c170c694446967ccce4cd25b4f7bbd3d1fc574e26db9db4c66328a7aee208526a867

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
5ed96a8bd0fe53a7f2a3d4a6e939225e

SHA1
369ab46f6561612267c416f1fb07d6939c4719e4

SHA256
018955ad038d0f7aa2b3de80c62fd85a435d1e597bfd4e6da7a6bbfabf67a24e

SHA512
959349610f947e76def1e57d1c5bd544e2e053d723cd38c1ef39bde125e8415422483606a7e20ac1d070652be9f5c1265522a51443e592a3887316a576d26b82

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
49934a96b401df5dff7866228bcb587b

SHA1
54b474f20d8897614441611f39960adeac319d82

SHA256
0baa9fb59987dfe350bc2daa5971b887f7e3be48ff6da1405518e9cf93a7b74a

SHA512
77f8fc1262bc9d9fbbba243e9b02df4f9e8f597b0a86975db9ed928c746ff622708d18c86dcaef3d195e96834ae21549f63e9e05e3b8c0110ac7abc1e504cc28

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
465462ef091352570e97c4d5cc18f24a

SHA1
1ff346245ba45d472fc2285a21d0b1f0b1d6e822

SHA256
005b16b07a2505b9d3f2d71c094b9570b2406485ba3b65da64f16a172d2da1dd

SHA512
e406c409895a0e9071fa926a411105e203f9579fd8aa23782fdc45677dc08c4ce2695ac90aa890a2d335773e67c7ca1961c7bef3c8154db4416c5a46293ab35b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d6fd17169c43788a75259de131b1fc4a

SHA1
1f5461d8e799edf4cd146db3b0360ba146062434

SHA256
07c6e41b071b279b93051fb72361a4f95f70227ce9c0e2466d57f3fb205f3d88

SHA512
03bbaf1426afe4c4408ea2c519163efb84794a1add5215577e06916d369efa07dd70e6884240c76591214c41e0828d01a25cb6a5ec9902fa4c8b07e5edc8d179

Download Submit
memory/576-356-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/576-409-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp

Filesize
9.6MB

Download
memory/576-225-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/576-224-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp

Filesize
9.6MB

Download
memory/576-381-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/576-320-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/576-355-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp

Filesize
9.6MB

Download
memory/576-362-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/576-228-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/588-179-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/588-188-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/588-187-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/588-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/588-318-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/588-203-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/700-223-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/784-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/784-218-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/784-341-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1432-394-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1432-383-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1432-388-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1720-142-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1720-147-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1720-227-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1720-141-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1812-129-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1812-159-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1812-130-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1812-122-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1812-123-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2004-309-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/2004-170-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2004-161-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2004-164-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/2004-169-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2236-378-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-367-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2236-392-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-393-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2236-372-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2288-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2288-140-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2288-302-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2288-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2288-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2440-319-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-344-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2440-345-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-307-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2440-314-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/2636-101-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2636-180-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2636-95-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2636-94-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2888-342-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-338-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2888-331-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2888-361-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-360-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2896-136-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/2896-111-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/2896-106-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/2896-105-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/2952-357-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2952-376-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2952-348-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2952-377-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-363-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-42-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2976-162-0x0000000100000000-0x0000000100183000-memory.dmp

Filesize
1.5MB

Download
memory/2976-31-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2976-18-0x0000000100000000-0x0000000100183000-memory.dmp

Filesize
1.5MB

Download
memory/2984-405-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2984-407-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-400-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3068-205-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/3068-202-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3068-337-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download