f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
Size

1.8MB
MD5

e4903c4fb68b63a5be0c094b88d587e1
SHA1

4aceadbbeee51cd52cae594aca98fc71406154c1
SHA256

f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e
SHA512

f1f3a5338fb62ab1abc218de5418f7f1a681d884fd208c1e112c37ecaf2a5a5b26660257af9ca3e209a9fdcdb3fe617dd137b5de9439fb1556ed0ca6395ff1e9
SSDEEP

49152:Ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WACPYayvYNhVes:UvbjVkjjCAzJPP9yvMVV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 55 IoCs

pid	Process
468	Process not Found
2144	alg.exe
2640	aspnet_state.exe
1524	mscorsvw.exe
2252	mscorsvw.exe
2496	mscorsvw.exe
896	mscorsvw.exe
1116	ehRecvr.exe
2344	ehsched.exe
1320	elevation_service.exe
2188	mscorsvw.exe
2776	GROOVE.EXE
2956	mscorsvw.exe
1248	mscorsvw.exe
1168	mscorsvw.exe
2428	mscorsvw.exe
1292	maintenanceservice.exe
1204	OSE.EXE
1624	mscorsvw.exe
1996	OSPPSVC.EXE
1640	mscorsvw.exe
1532	mscorsvw.exe
1136	mscorsvw.exe
612	mscorsvw.exe
2444	mscorsvw.exe
2572	mscorsvw.exe
1452	mscorsvw.exe
2060	mscorsvw.exe
2628	mscorsvw.exe
2440	mscorsvw.exe
1616	mscorsvw.exe
1880	mscorsvw.exe
2356	dllhost.exe
1484	mscorsvw.exe
2248	mscorsvw.exe
1912	mscorsvw.exe
2908	mscorsvw.exe
572	mscorsvw.exe
2832	mscorsvw.exe
2664	mscorsvw.exe
1336	mscorsvw.exe
1548	mscorsvw.exe
700	mscorsvw.exe
2820	mscorsvw.exe
2268	mscorsvw.exe
3024	mscorsvw.exe
888	mscorsvw.exe
2716	mscorsvw.exe
1396	mscorsvw.exe
1664	mscorsvw.exe
1736	mscorsvw.exe
3048	mscorsvw.exe
1600	mscorsvw.exe
2244	mscorsvw.exe
3024	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
3024	mscorsvw.exe
3024	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
1664	mscorsvw.exe
1664	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1ed5938f3db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_cs.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_lv.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_es-419.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_tr.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_ro.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_fa.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_te.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\psuser_64.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_sl.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6078.tmp\goopdateres_ar.dll	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8823.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5E77A4BE-3FB1-49E1-AC56-045C592ECFB2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA2A5.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5F5F.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5E77A4BE-3FB1-49E1-AC56-045C592ECFB2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP93D7.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2440	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1836	f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: 33	2268	EhTray.exe
Token: SeIncBasePriorityPrivilege	2268	EhTray.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeDebugPrivilege	2440	ehRec.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: 33	2268	EhTray.exe
Token: SeIncBasePriorityPrivilege	2268	EhTray.exe
Token: SeDebugPrivilege	2144	alg.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeDebugPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	2496	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe
Token: SeShutdownPrivilege	896	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2268	EhTray.exe
2268	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2268	EhTray.exe
2268	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2188	896	mscorsvw.exe	38
PID 896 wrote to memory of 2188	896	mscorsvw.exe	38
PID 896 wrote to memory of 2188	896	mscorsvw.exe	38
PID 896 wrote to memory of 2956	896	mscorsvw.exe	41
PID 896 wrote to memory of 2956	896	mscorsvw.exe	41
PID 896 wrote to memory of 2956	896	mscorsvw.exe	41
PID 2496 wrote to memory of 1248	2496	mscorsvw.exe	42
PID 2496 wrote to memory of 1248	2496	mscorsvw.exe	42
PID 2496 wrote to memory of 1248	2496	mscorsvw.exe	42
PID 2496 wrote to memory of 1248	2496	mscorsvw.exe	42
PID 2496 wrote to memory of 1168	2496	mscorsvw.exe	44
PID 2496 wrote to memory of 1168	2496	mscorsvw.exe	44
PID 2496 wrote to memory of 1168	2496	mscorsvw.exe	44
PID 2496 wrote to memory of 1168	2496	mscorsvw.exe	44
PID 2496 wrote to memory of 2428	2496	mscorsvw.exe	46
PID 2496 wrote to memory of 2428	2496	mscorsvw.exe	46
PID 2496 wrote to memory of 2428	2496	mscorsvw.exe	46
PID 2496 wrote to memory of 2428	2496	mscorsvw.exe	46
PID 2496 wrote to memory of 1624	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 1624	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 1624	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 1624	2496	mscorsvw.exe	49
PID 2496 wrote to memory of 1640	2496	mscorsvw.exe	51
PID 2496 wrote to memory of 1640	2496	mscorsvw.exe	51
PID 2496 wrote to memory of 1640	2496	mscorsvw.exe	51
PID 2496 wrote to memory of 1640	2496	mscorsvw.exe	51
PID 2496 wrote to memory of 1532	2496	mscorsvw.exe	52
PID 2496 wrote to memory of 1532	2496	mscorsvw.exe	52
PID 2496 wrote to memory of 1532	2496	mscorsvw.exe	52
PID 2496 wrote to memory of 1532	2496	mscorsvw.exe	52
PID 2496 wrote to memory of 1136	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 1136	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 1136	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 1136	2496	mscorsvw.exe	53
PID 2496 wrote to memory of 612	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 612	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 612	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 612	2496	mscorsvw.exe	54
PID 2496 wrote to memory of 2444	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 2444	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 2444	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 2444	2496	mscorsvw.exe	55
PID 2496 wrote to memory of 2572	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 2572	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 2572	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 2572	2496	mscorsvw.exe	56
PID 2496 wrote to memory of 1452	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 1452	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 1452	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 1452	2496	mscorsvw.exe	57
PID 2496 wrote to memory of 2060	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 2060	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 2060	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 2060	2496	mscorsvw.exe	58
PID 2496 wrote to memory of 2628	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 2628	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 2628	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 2628	2496	mscorsvw.exe	59
PID 2496 wrote to memory of 2440	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 2440	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 2440	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 2440	2496	mscorsvw.exe	60
PID 2496 wrote to memory of 1616	2496	mscorsvw.exe	61
PID 2496 wrote to memory of 1616	2496	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe
"C:\Users\Admin\AppData\Local\Temp\f5f59ca077602bc5db3c61f3a1fa2464865a8f006eb2a6192a519c136c4bfd5e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1524

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 238 -NGENProcess 23c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 264 -NGENProcess 240 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 26c -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 26c -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 1a8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 238 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 180 -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 264 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 284 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2cc -NGENProcess 2fc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2f8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 304 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 30c -NGENProcess 304 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 304 -NGENProcess 300 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 2dc -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 314 -NGENProcess 284 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 158 -InterruptEvent 1ac -NGENProcess 1a8 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 1f8 -NGENProcess 1ec -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1f8 -NGENProcess 1ac -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 14c -NGENProcess 204 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 208 -NGENProcess 1ac -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 1ac -NGENProcess 1f0 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 214 -NGENProcess 204 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 204 -NGENProcess 20c -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 1d4 -NGENProcess 224 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 218 -NGENProcess 158 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1ac -NGENProcess 1d4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 220 -NGENProcess 230 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 234 -NGENProcess 1d4 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 158 -InterruptEvent 23c -NGENProcess 234 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1116

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1292

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1204

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1996

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
df3d5c0106ca5916c3f25259db27b6e0

SHA1
fcd10dda9331011dfccee8940efd8aa779bbb1a7

SHA256
399b151ad88d61c7e8265a85226e3d6aeb1f716f259d233d70984491ec146597

SHA512
30517f0a14c3e84f90717dd3bb8392e7de11948ef7fc93907225fc2d433893466df896fe093930711caf1b8d3dee0a628882e66343d96e626b23e0ac87365949

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
d7ac92219f5e824d2001a426f8485a8f

SHA1
8a35b17cd2446136a9b9d7761b5a2fd1b80323db

SHA256
1256acbce21c8cbedc63a29f02538fc0094d3ef86e8f4ad3a39ea7e49b1445e0

SHA512
82128a48230f0a9cce9b65339efd13da1e802ccd5a3981d425a8a0cda22bbbfc3f3b8b935245ba9169fe954d4a8741277b140e8151f070b27a2110dff74fb675

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
a7aebc371793128c1e806031b9db13aa

SHA1
88c5819709df62a5c5c1b0704d5e2c36b9148114

SHA256
a2efe42eed74b05195cb19139c7adf8b136c649069039a97000fc880a589a36d

SHA512
7eb14d604cf317a1d851168ade1ee0daa4fa19a0a64884e9e7d5dd92dbe83bf043c7a5bc60d89efacce8bbbd4f022848a2b2896f8fb0703292a74e6dfda83d80

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
8dd71603f1d37aa81f7baac186ca9e58

SHA1
5f76aecfdaf847b189e6022b04331ee4c8b995a8

SHA256
88a7d13bbc196605cfef743054d5659f86114593ea33809900271230317d1d4f

SHA512
57d52439ba6a1e1a341a9ea4e0d1d4f460945231bbd850f81eac9a0112fe81b06c7406c7d5e21151de786076b3288b5e7b67f34337e9715027e5dd67f4171f4b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
44618357cefa71554ea85df68c588c89

SHA1
411afee948fc5b5939ddcf68b11ecedef7f49a21

SHA256
13fdb76689c2ec199c5d1409a62fdcc52c17c380ca10a9ded838b9dff8d80d6b

SHA512
e5bb0d0c1f451efc499c55c72163497fa9cc1a1890b5cbbcfffb356269b097ee91047164ef12bd3d89bbbf48ee0937ab7d0ceec35cec4c3299a1457191ac6cd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
320KB

MD5
676598bccd98579464e08ea17ff8e037

SHA1
1195c1c848455fbff898006a1eba138aad1139dd

SHA256
13fe05d9f91a5b5f95b182292bc877dd99ad9955ebb1cffae58e935c9c8579db

SHA512
0830b20dcb6a1001787cab686b2948ff9f759a0c1dd3fea411d3ec9f68541db23e9444b280ab708468ecc8abc25f801dde6bb6794b1447129ec17fd86d7aefbf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
2b6f650166a31628ca574a2485edcb4f

SHA1
3e71689986077ea52de21114f2185047aedb3107

SHA256
b1cf9935e1fa5571fa0428ac2c3f4ae7a2e649172541edd1d92e49dda0316e8e

SHA512
533513948b59e77516ac3a0b468e7cb80c221b5019a945f58aa91542cd6db5fbbc525c1a8521579ef5b6822c40502c6f8000c81cd75c4711afd7e4879e552524

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2830ec621bc1d92f4152306815e24591

SHA1
74cea47c077ef8ddced1041081389c51a17cc8a0

SHA256
48d25cf576df0e7f32269d4e257e2e8e661a8f81bc173d8f3c00686e6bce7c25

SHA512
16b61dd3e30b7ba314e02c1651ab0281ac20ae46fc217e5522779fb838664808cfcb4066dc8b857b8ad5332fbb5b2f597897ed86e8e07e6349407f8ecd7c08b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b3179829995e851cf711ddcac84dafea

SHA1
400b06cb8dc8bd5ec8393a29a002ddb5c75723c7

SHA256
004e07e5fa041d08a56bce6079dba2d6ae29d2cf9b5a6bceed7d72b471568ddb

SHA512
d6cf6db616d78fc3b223e468ed1158c7a046485d1315b76a54ab523363637fec2f39b1ab6ec4e0d33645f6b7dbe4cad7ac5aa53b6299f7ee2cd80f48919d74e9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
adb3cc9d74a9cd21777db14336fc6e14

SHA1
72a2764ad4f60ed2973e25ac6ce1993fb5c5e2d3

SHA256
0e7af62f6e4f0e8c100202bb50926cf71dcc2ef710ccfa245a4bfd40710d487a

SHA512
4a09e242df2b9bf45234a76e90f29636ac46cd1f2363904c4a51c0e0448b1364f8174a14dca978b03882bfeb45e993bf01bc501a2c9fcebb237dad5506f8e745

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
98b96a52cc9185881fd3b580e56ecbde

SHA1
07e6dad63a21826bf260a2d4bf96e6d955909d7e

SHA256
54f82af5950b05f453baaf3bb3db9924a8bef19d1eef65706c4f94d9c233485e

SHA512
06f476c985ffc9f56a17bcebfd690ecbfb6a260febea357b3b4c34f361925f84bd9354074a87e10ee8bac8dbbfd520d311ab19fbffbea08b1e35dbc873595549

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
60538dce446134420339703de2f07741

SHA1
de2443d92d860e447c10ab6521f46f1e289949e9

SHA256
70c403f8bc34b3ccc9415054b3a6238f09396b92af5eb19d7b0a794414c6693b

SHA512
9e916160f91c5b9c1d23a0ae3b4c1b6cc5ec170c9603868940730cbc625b9bb62ff6c02d80ebd1b755568026be92c9a5584a186ab8f6104203deea0d4b4de5bb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
120b00bd206b785dd02cf26328253567

SHA1
b17a00006aa4c7a8cfaf9231d79a555a8830b226

SHA256
6623169cb608897f019aab3ba508e198c6178420a96b14b1e68d489cf60a1ee4

SHA512
7208a64b661195e0547a292a31eebb2bc5bcb91c405b584c27fe117c8af782ff35a15df7c95c0531f4c623e62b54e635ac8eef3c5e1cdbe52e641537efb21738

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
308217dd973e47753c649c86db222116

SHA1
015bdc026c096d9c13a288dae44592f25a21fd26

SHA256
bf87280370f2be9040ada043b122879f414126d74a31a91560ce994f03a20705

SHA512
8e6f3c89757b37a08f185b89b86eadb16ff7a731889f1205c8fa87875df0d8510b8d14c4020b38f28aadc1d8f0a686caa85a77d9ab40f9ce82ce50c137a241f1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
dffb59a047cdde248149d40ce40f3446

SHA1
738b5fe3a183a4e64501d3324b2fdaa864c9084d

SHA256
d9a05836f976ee5765755f444662c6d9eaea8df301b94766469366eee508364a

SHA512
ebc12558e1349ba55b575a0a455264c4ad153b4c83833bf5bbc1a511dccfa05d6806f46fef4dee144f3ef877cf3d337d8157d3c5b5001fcd4faf34d87917d507

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4da02b12cd6a7933a0ea2be45d42edb4

SHA1
a0efdaaf5423ed4a73c41260a46fcd144d33e5cd

SHA256
7308c59737e532cc714fd606fd5ad508d6677e5f2c849692e316aaa69692d3a4

SHA512
cff81f5cbba2ec5b76e9db9b5c141282c51ccc04df65238afe89c15a6cf85a86dafddb5d174d397611ca7b69f588090611c2ac683333f8f4e2792a10e8adb630

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
1c6d5071af552737cfafe149f42cf857

SHA1
e406e1047eb954d262a1fdd10d4b2c638ec93fc7

SHA256
a633626513efa6ece3a0212f6ab9d02bc692f14724d03d763cd4500ab83b8b30

SHA512
5071bb7099182fe0cea07cfddf2c75a8ea1b5b8712ae3f7f907de5e21dbcb2a3cbe767fb2022039f145b006e8a5dd8377d844fb417d98d176f77f23ca081f1a7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
db6d1d078c6ee80bf183a30d49ce7e3d

SHA1
33538f1e3f50c8bde7c5259ce42f2e0209fc949d

SHA256
f058c088d5e8f8d97d57902cfabce2d9ea934e909078bc38d104e35ce5fac969

SHA512
b8b0abed509ed0f538ed787617319ee5daf918476db97396e958eef2c9f399cb754504d15f4edb40a02c527ad9210977f48e4492f56e2b5b83ef650590290c15

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
5d7fe4e8b194c736b95a90436e5617c6

SHA1
d3995e9297a38b4cdf30ff4f706f22e01433fe59

SHA256
2db09ff05bd24fbc8b186a80f1ee0aa1389390e939472bc085b0cbb704eb4777

SHA512
5b0c29819af1012a8ca5d33ccc563d345a89d3c0992cdc6367c2a9b7934442c4f3ac52ccc9e748c080ce38bb4a47bfbb6c91f3089f3caf3aa39d5094f986559c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
f139a50492a3be60567285f8673cb877

SHA1
aa308cde06fee9b27a1595f3f7f78f16d6abaef8

SHA256
99c87892b5a8e4d85e375863f4fe9db1386cf1d527c84a7948d24b9a5bceccbf

SHA512
300e734f71593fb0d90789fee2f7ac2f24dc1ffa75fc7928463da65cf995d61fe3d56e5bef42723fcbc17bfd61fd57e0c0b17708f0da6f064e48a1c073608fb0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
5ca8bf4bc11571eb5d6336acc071354e

SHA1
8ece243e3f09465601029994106de29e92383fc6

SHA256
005a97be5caaddcb5f9920be4e9ac19732614ec0266fc1bf488522563e92b44a

SHA512
5ebb3675578eefd250a2bc829d1be2b131dc167f09fcb7732eea879eb81c51dabfabdc581bf0a86254fda66a459b8989239a1c440a9ef812eeeca1c558d0bd04

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
9b7d33793ce8f55614e2937629e0c473

SHA1
df1dc5f2bf73f2244afd07493ac3fc5c3abef97b

SHA256
1063b847f9932e616fa75e9f200987c761243ad24978167548207a854ad1ca8b

SHA512
1ce584d8a2fe89234b34ad9f249222558f93ddca759d2b38aaa3a9374d8b8b891aedb89e4c339816178b5e742657456e7723b66ba118b8ab7accb5e575fae2ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
905c7358d14d91a826f89812c207321a

SHA1
8caf866f6d23222984cd63f82b644b34033945de

SHA256
b7f3bdb6f634b1dd19c00298f43b99a300f5900872b3a8f4422582013baea9d8

SHA512
ddac5ee11dc466ecb113974df42910bbd45c07a3d2402b12159f870a2414d4477f9bb1a71f3b657e4144bba3a14be2b7593d2edc3f8d07e692ad591d08277f3a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
90271fa3540914322fdf9377106ca223

SHA1
525d2188bd024b6f1f13c956cd309beca80e186e

SHA256
fc2c63950f9d1c3cf9e075ab98993b7fbc7fd01a34f7fabdbad67da20cd2a08f

SHA512
97331ef4610a32bad4ca9b2db02ab8bd440ab636fc10c1d3728f404330c7b760e6746a048b1001ec9238c5bf133730b1702ac22bfa154c54c5224e10fc52afa1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
98f1b066fff3c00129a1a3a0e1902d1a

SHA1
7f9ff7f72440e917094b4cf6d59b195fb1560d6d

SHA256
5ae5b363b09e9e2f12940def0996d70d4d2c6219b8a3593c9be590b82e34ad24

SHA512
99ecf1f83eaf53b3debc7c4940ddb172cfb9f3c79d9b2b05a2f477df4908394e71d5ac8a916cce2aa75a6125700a13cd5ec3beaf994db14f905d03e4bd98889a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
ae83536183ba11f81ce05bfe0aee0be2

SHA1
7c29be7dd3376a186f683bc158fd2dab15786df4

SHA256
ac442e6627289917cd959be5f796cdfe5f3658e6b38207cb8afdd724a4f22d5c

SHA512
f4a9e80a301eaaf2b5711048299860765a8f1b1bb1f6f99946c54d9d775c93a12242799e48bd0862e5d4bc890e7ff1ab0cd1a5a62768cfbded92874c3232ab02

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0d8b603e098183a93214a29a967d7066

SHA1
f20aa597279431ea554b2c163e29001f8c1301c7

SHA256
80166b10ebdfe9728dbd9bc174d14f4c1cc693ed4d8f5a8819b38e0d1f81a4ab

SHA512
1cbdbf99fa750211bc1f07fb89312c043b3fafb1ce1478c30c561648dce2dffa6ccb2698dc5243d9b76eaf2ba255abce1cf9b80595414426255f7b67a135be5a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
5184124c65cc9ce024fbaee044d8262c

SHA1
ba112b57dfed3c3307d37198d96fb886ed5878a6

SHA256
f0ffda7694ed5d9d0b62f838ce77b82ae744520ce0556b140c5cc241e78cf8a4

SHA512
c66f325b2f10eda13230bd2bd2982e5cc0e60d03d45e762aea4ac69923a0c9b33198d7c9d842478e12fe15099f5247317ad7b0663119b822c52bbacf54970383

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3703030abd8e01c9c06fd1ae16f7ca72

SHA1
404b444aa2ec21e665dba3020d66053686d7b3ec

SHA256
6f80076ca5ef3ed6d45d8c477861910e92c0bc5676b8adea4a4e7a9775ebd17f

SHA512
0361f1a1c1c0eed4cd7251808ee3583d421334c7d31d4a21ed2bbed9bee835ae8b54affcf97a564e1da1227bfc59132641d4e879b83f07d317a3d2f58a037813

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
37147d6dea0be194c0da66b07441a1b4

SHA1
ddbe37e03a7b5ec47ca8fd5f580782d68be34102

SHA256
53c2ce58ed7dab61d630b96a9b37c50ac17e48250aefef885900a695af566930

SHA512
4e64843a978b2fa31d8cf9737aa8556930c1361bb9fa233df323f8a389d9f127b3352e20bf1700af374a9d5016785d14b781eecf4bc784bceb3aadf2f2e7882b

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
68f015002668cc65adee2616e0d7547c

SHA1
f968a05cbc7653a4eeba6d717be19e35b15b4a44

SHA256
298d29681df75bdef60ff8496ee0028879700f1a472b86ecf45f64245650b217

SHA512
0e2bbb0b71dd82f2f41ebbf74384adecf2f1363727ca3e710ca1f2cc1aa7c2eb276bad90f358d3befc0b6a8a7308a4fdac36436e33eb503341e9efb88642d8bc

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
08de0fdfbec04f33d9b321deaa7bd903

SHA1
a2882281f607ed18d82f76c868ccd29b58340563

SHA256
8cfcabd2595dcaac8696e22d5adf30a28c502d6a024ba3e182110eb97aa84234

SHA512
f8d870969c504977841ea3573eacd9f42524a1cbd3ce0cd06529537303bf5ddfe8ffec53b3b6b23ff5ebe89986006bc3539c0c9242b26f8d0d12e6b08e7b7325

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
db0256e6a4f65bdbd0bf500cdf8c7844

SHA1
24fa6813801bc2b3c1152f942adcce2a50a138c8

SHA256
1e76f2e525c6b3c5a626ab3508d7ac00058667c03f92742b6c41a29a9d2f9b86

SHA512
a1a97ad5c5b2a73e6ee07bd4fd9b703a7faf5f9be5f25129143dba5ae7c49b7d8e4546a0bd7919cf9489ea92162a385450b8ae20d27a63123e4441565fe2a250

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
4daf25ded78920dbdbe0b6e8ffacf5c0

SHA1
619586f0f4f6c779ace4bc316f320f123a94bd70

SHA256
986901ead1fdbc2c9112c9a9b9d543afd73846a9908c6ea1ab43b16c30d8872f

SHA512
2a880466d7b3f9df088e80b9a201c17bf2cc605f386515c8270fb5af8584eb28971e52708aa0636ce49b3cee68cee00b5e6898faefb99aef481cbff97c6fc924

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
ab8401d38eb812f2288207be694cffeb

SHA1
be09cede52be6d8f570080866a878206463424d7

SHA256
a02e56b6c5886d5065603ae8552bf6bb7ca355afc1e1a83155c0ed50ad34db94

SHA512
2aec80ef830789b62d7dd83ec66918246bb60e662d9764b24dbbd7dd7ce371bb84894974902130293083d9916c6ad61dad619e57a052202634393f99c445ba51

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
783f3a450920109852c5cc42e5a83b52

SHA1
089ffcb7e404a5016438a31fb8fe2eb4e64f2f54

SHA256
181d940e665665ba4901bfe2712aacef31982a7efef2d548017eb83d7db534f7

SHA512
6dc20b248a8604bebe844e4b18e5ef32b4734111cd71304c77711d94c24c6cb35b21330c6ef1e55569d6c3ef4dd96cff23353b387cbe69f86224e80ebddcc826

Download Submit
\Windows\ehome\ehsched.exe

Filesize
320KB

MD5
313b6ec5d5913980ef68cd247ef9dace

SHA1
14ecbf5add7c81af6b8f060d49e13beaac024801

SHA256
bf2504835696827227168f8b9fe5d82ce3f3be6033955b1b7bb78fc8f9594f7b

SHA512
1891dcea43b505c03847a52a0446d2b859f0f5df3458f75a4d59e82c7967ef648011a7b244b87922c9364930795cedb0d6afc899f840045477f968d3c3c544cc

Download Submit
memory/896-141-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1116-159-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1116-306-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1116-168-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1116-154-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1116-166-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1116-152-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1116-284-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1116-252-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1168-345-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1168-364-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1168-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1168-342-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/1248-344-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1248-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1248-329-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1248-326-0x0000000000A60000-0x0000000000AC6000-memory.dmp

Filesize
408KB

Download
memory/1248-318-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1292-385-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1292-379-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/1292-386-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/1292-371-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1320-254-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1320-261-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1320-262-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1320-308-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1320-256-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1524-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1524-135-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1524-104-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/1524-98-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/1836-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1836-246-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1836-7-0x0000000001E00000-0x0000000001E66000-memory.dmp

Filesize
408KB

Download
memory/1836-6-0x0000000001E00000-0x0000000001E66000-memory.dmp

Filesize
408KB

Download
memory/1836-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1836-1-0x0000000001E00000-0x0000000001E66000-memory.dmp

Filesize
408KB

Download
memory/2144-161-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2144-26-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2144-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2144-13-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2188-267-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2188-277-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2188-270-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2188-301-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2188-297-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-302-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2252-114-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2252-149-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2344-303-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2344-165-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2344-250-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2344-167-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2428-356-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2428-368-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2440-285-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-307-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2440-304-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2440-347-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-328-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-334-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2440-340-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-282-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2440-283-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/2496-121-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2496-122-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2496-268-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2496-128-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2640-74-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2640-247-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2776-365-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2776-281-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2956-320-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2956-322-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2956-300-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2956-305-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-299-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2956-317-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download