d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd

Analysis

max time kernel
125s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
Size

1.8MB
MD5

9947b064c99c285292ff97c0570a3d26
SHA1

6ffc7a79ac256b26be7935d73c6f1b253ad931b2
SHA256

d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd
SHA512

136142638eb210b49646a66f70f2281ca82972ebceed92e66209939be38e57cdb26b77e2577aeaa67f09ce6a6c1e9c7e12466bfcd5227d23de83bab2fbb2468a
SSDEEP

49152:aKJ0WR7AFPyyiSruXKpk3WFDL9zxnSxgDUYmvFur31yAipQCtXxc0H:aKlBAFPydSS6W6X9ln5U7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 54 IoCs

pid	Process
468	Process not Found
2720	alg.exe
684	aspnet_state.exe
2992	mscorsvw.exe
2028	mscorsvw.exe
556	mscorsvw.exe
2124	mscorsvw.exe
3048	ehRecvr.exe
2144	ehsched.exe
2284	dllhost.exe
2748	mscorsvw.exe
2664	mscorsvw.exe
2924	mscorsvw.exe
2692	mscorsvw.exe
2076	mscorsvw.exe
2424	mscorsvw.exe
2176	mscorsvw.exe
3032	elevation_service.exe
2416	GROOVE.EXE
3024	maintenanceservice.exe
1604	OSE.EXE
596	OSPPSVC.EXE
2484	mscorsvw.exe
1780	mscorsvw.exe
1392	mscorsvw.exe
1600	mscorsvw.exe
2188	mscorsvw.exe
2120	mscorsvw.exe
440	mscorsvw.exe
2832	mscorsvw.exe
1644	mscorsvw.exe
1620	mscorsvw.exe
2264	mscorsvw.exe
1276	mscorsvw.exe
904	mscorsvw.exe
2904	mscorsvw.exe
1776	mscorsvw.exe
1252	mscorsvw.exe
2864	mscorsvw.exe
3000	mscorsvw.exe
2880	mscorsvw.exe
2460	mscorsvw.exe
2152	mscorsvw.exe
2964	mscorsvw.exe
768	mscorsvw.exe
2008	mscorsvw.exe
1104	mscorsvw.exe
3048	mscorsvw.exe
2536	mscorsvw.exe
2564	mscorsvw.exe
1640	IEEtwCollector.exe
2556	msdtc.exe
2840	msiexec.exe
1684	perfhost.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
768	mscorsvw.exe
768	mscorsvw.exe
1104	mscorsvw.exe
1104	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
468	Process not Found
468	Process not Found
468	Process not Found
2840	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\97759cd793c0dc56.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_ms.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_sw.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\GoogleUpdateBroker.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_bg.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_de.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_et.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_te.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_ar.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\GoogleUpdateSetup.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_sl.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\GoogleUpdate.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_bn.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_th.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_pt-PT.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_zh-CN.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT5561.tmp	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5560.tmp\goopdateres_ca.dll	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe

Drops file in Windows directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP20.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB18.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1A54.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2404	ehRec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2256	d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: 33	2292	EhTray.exe
Token: SeIncBasePriorityPrivilege	2292	EhTray.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeDebugPrivilege	2404	ehRec.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: 33	2292	EhTray.exe
Token: SeIncBasePriorityPrivilege	2292	EhTray.exe
Token: SeDebugPrivilege	2720	alg.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	684	aspnet_state.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe
Token: SeShutdownPrivilege	2124	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2292	EhTray.exe
2292	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2292	EhTray.exe
2292	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2748	2124	mscorsvw.exe	39
PID 2124 wrote to memory of 2748	2124	mscorsvw.exe	39
PID 2124 wrote to memory of 2748	2124	mscorsvw.exe	39
PID 2124 wrote to memory of 2664	2124	mscorsvw.exe	40
PID 2124 wrote to memory of 2664	2124	mscorsvw.exe	40
PID 2124 wrote to memory of 2664	2124	mscorsvw.exe	40
PID 556 wrote to memory of 2924	556	mscorsvw.exe	41
PID 556 wrote to memory of 2924	556	mscorsvw.exe	41
PID 556 wrote to memory of 2924	556	mscorsvw.exe	41
PID 556 wrote to memory of 2924	556	mscorsvw.exe	41
PID 556 wrote to memory of 2692	556	mscorsvw.exe	42
PID 556 wrote to memory of 2692	556	mscorsvw.exe	42
PID 556 wrote to memory of 2692	556	mscorsvw.exe	42
PID 556 wrote to memory of 2692	556	mscorsvw.exe	42
PID 556 wrote to memory of 2076	556	mscorsvw.exe	43
PID 556 wrote to memory of 2076	556	mscorsvw.exe	43
PID 556 wrote to memory of 2076	556	mscorsvw.exe	43
PID 556 wrote to memory of 2076	556	mscorsvw.exe	43
PID 556 wrote to memory of 2424	556	mscorsvw.exe	44
PID 556 wrote to memory of 2424	556	mscorsvw.exe	44
PID 556 wrote to memory of 2424	556	mscorsvw.exe	44
PID 556 wrote to memory of 2424	556	mscorsvw.exe	44
PID 556 wrote to memory of 2176	556	mscorsvw.exe	46
PID 556 wrote to memory of 2176	556	mscorsvw.exe	46
PID 556 wrote to memory of 2176	556	mscorsvw.exe	46
PID 556 wrote to memory of 2176	556	mscorsvw.exe	46
PID 556 wrote to memory of 2484	556	mscorsvw.exe	53
PID 556 wrote to memory of 2484	556	mscorsvw.exe	53
PID 556 wrote to memory of 2484	556	mscorsvw.exe	53
PID 556 wrote to memory of 2484	556	mscorsvw.exe	53
PID 556 wrote to memory of 1780	556	mscorsvw.exe	54
PID 556 wrote to memory of 1780	556	mscorsvw.exe	54
PID 556 wrote to memory of 1780	556	mscorsvw.exe	54
PID 556 wrote to memory of 1780	556	mscorsvw.exe	54
PID 556 wrote to memory of 1392	556	mscorsvw.exe	55
PID 556 wrote to memory of 1392	556	mscorsvw.exe	55
PID 556 wrote to memory of 1392	556	mscorsvw.exe	55
PID 556 wrote to memory of 1392	556	mscorsvw.exe	55
PID 556 wrote to memory of 1600	556	mscorsvw.exe	56
PID 556 wrote to memory of 1600	556	mscorsvw.exe	56
PID 556 wrote to memory of 1600	556	mscorsvw.exe	56
PID 556 wrote to memory of 1600	556	mscorsvw.exe	56
PID 556 wrote to memory of 2188	556	mscorsvw.exe	57
PID 556 wrote to memory of 2188	556	mscorsvw.exe	57
PID 556 wrote to memory of 2188	556	mscorsvw.exe	57
PID 556 wrote to memory of 2188	556	mscorsvw.exe	57
PID 556 wrote to memory of 2120	556	mscorsvw.exe	58
PID 556 wrote to memory of 2120	556	mscorsvw.exe	58
PID 556 wrote to memory of 2120	556	mscorsvw.exe	58
PID 556 wrote to memory of 2120	556	mscorsvw.exe	58
PID 556 wrote to memory of 440	556	mscorsvw.exe	59
PID 556 wrote to memory of 440	556	mscorsvw.exe	59
PID 556 wrote to memory of 440	556	mscorsvw.exe	59
PID 556 wrote to memory of 440	556	mscorsvw.exe	59
PID 556 wrote to memory of 2832	556	mscorsvw.exe	60
PID 556 wrote to memory of 2832	556	mscorsvw.exe	60
PID 556 wrote to memory of 2832	556	mscorsvw.exe	60
PID 556 wrote to memory of 2832	556	mscorsvw.exe	60
PID 556 wrote to memory of 1644	556	mscorsvw.exe	61
PID 556 wrote to memory of 1644	556	mscorsvw.exe	61
PID 556 wrote to memory of 1644	556	mscorsvw.exe	61
PID 556 wrote to memory of 1644	556	mscorsvw.exe	61
PID 556 wrote to memory of 1620	556	mscorsvw.exe	62
PID 556 wrote to memory of 1620	556	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe
"C:\Users\Admin\AppData\Local\Temp\d630bd5a44f652ea9d63990a438f0867a4a44c9f370c997899eabd794852c2fd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2992

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 23c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1d4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 23c -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 28c -NGENProcess 264 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 288 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 23c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 280 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 2a0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 294 -NGENProcess 1d4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 294 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 204 -NGENProcess 1e4 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 254 -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 22c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 204 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 268 -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 238 -NGENProcess 204 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 230 -NGENProcess 1e4 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 230 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 260 -NGENProcess 270 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 1e4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2804

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3048

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2292

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2416

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1604

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:596

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:476

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:864

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2096

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1268429524-3929314613-1992311491-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1268429524-3929314613-1992311491-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
68e63b4abc817eacc81ac050c609af4f

SHA1
91dcd8d23bdd14c52dc7c319fd544490e2364258

SHA256
fa3f5c686febd27550338fe38bcc39796a6e4d4b1f285e9c1f93fc0615b45fc6

SHA512
f34ad0246a0175fe2aa50982ca8dda9db6ca14bbf6daf42ff95444adbb612c22df0ff97022790cedb77323d46eadcbd5551af4ede79a294faff250d17dcdbfda

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
908045a7489a03f8e2bc7168a0b0a195

SHA1
badbfcc508ce3b0f8514d07eddbc903890a46309

SHA256
7c6a70cdce26dc53d8a9a4a1744b17b50f875d0e10d8adcc0f5e3f6e6f035837

SHA512
dcc5d48012d5421d97b6d722c5c62cca6c27f4822b93cc02b3e371861d2bc1e428835237a0c5b39cba37e22a65cda05a750aaaa62a5c608ef42ace933653de8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c21f922671081f2dd82a713d625b7ba8

SHA1
a8c4c8e2dd34118b11e850e30d486011945fc9c8

SHA256
ef816d6ad23a37fd19758b87e6a445bd52b98184311bd356413fe36004ec3a9f

SHA512
329329716c601b5e1a9c923719de53b6e78ac1b2fb6e0b8dc52369192e54bb38efa9d4510abda8030936c4799a69b7ead8b65b23fe584d690b8b4e37c187d249

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
92d6a14bfdfd38b81c235a6d14c7765d

SHA1
f395e96e8a70aea62ff507b628fea17366fdc0e0

SHA256
7034d3071bb1056a6316fa33ec515b2d61b882401d5af96921de1e86120b02ea

SHA512
f3258d8413be583c5ea2b9f0e40fc24d45bf7f3c27519ba4e57115be6796d87c95815e720a7e041a1babade33a0f8b8c9b0464afdba9bfe9c420743d765145d4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3c44e9fd38e10d5751f1a5c2d1d58404

SHA1
4901bb710299b3814e7cf30efdd25560a6944d86

SHA256
a58abf1befddbad6b2ac0e4d7336be7669c2fcdcef27af4e739f00dff3410830

SHA512
d137146515c9988adeed6791ef04359e3396230d044e8f08aff3ea7887c2bad35f64b0a28d0526db2db89ba127d7c5632fe6f2f330ab25a87f0c7f46356dfa61

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
930040effd395b3dc7208cc627b4727c

SHA1
3b16e3f489c2cfdeaffcb6a0a9bb509189619fb0

SHA256
6754a4e18dca65d1669c46e0b0e045ed0aa1a2bcf7314f2bf20f1f6b9880b007

SHA512
54c4ac8f9ab994cc0f59cc30197c1a81e21a7c6fa006ba160fed1d9f9bb9194856a6023140fa3aea38c2c237a35f2aa4a0dc473cb1418c9fab09410e50642f23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
d5b1fd55b5ebfaa54b02e1f94a3e016d

SHA1
3b55a0e67a900b9253d61be57d336ddd26ad7253

SHA256
a50d8d7a8aed623884d28a7e697b7adae2ae8342e15b99df46f6f0fc86a0f4ba

SHA512
546ba36896274f1515dec81c34f66a78e9a32d1b40900b0520d312dd83f5c9b0dfedb7b53ab142c9403f183427f3fd472757f7cfaf0ef9bdbd26248aa243ecd3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
353KB

MD5
8750721d88b0d28910bf6034fa0e2d50

SHA1
42e2426c029feecb1ec81c28fcb16a459178f8b9

SHA256
019f1313725548338674a8a9011791d469f41f8431d9b19dfd6813ee21470210

SHA512
84680b66938276b3bfe8d4347052f5163783f8f01bdd18e7455a9316796e8752b0c62d6587b147c4fcffb7743eac563b61b819839c0aa8949be022af4b34cc07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
437KB

MD5
4db0bd9700e614de93bd2865c8756cec

SHA1
eb8779ba5994c2676d4218d1c760e30652943e0d

SHA256
c39ab3de3053a12695c0adfe4ad8a73377babdeb82c162c4aed3de0bc033c597

SHA512
d5793ad7d4ffb63cf85b991cd3b522e1564bcad5f220f7589e87e145a37d0ae7229fbaa2d1be1d296575ba78e2f72a80ab35ec9ca2ec1dacad554d894eb2ede6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
162c389316450796ce5afe93ad7e0776

SHA1
27a1d3cab4dc5a4da83377887d8f7746f0d7d589

SHA256
253ba725625656e6f229680d41f4b12a7741c3819c0889d44619634ddd177fac

SHA512
1348d63a32481e9b38fa6da0b894fd73ecc74f4e052919ca917d82821a139da7a7e13744864a82c9986305dc54b165c1afd8eee8c425329a30d1306f1667c0da

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
298KB

MD5
606aaded3d708468a0a3de0b5bf4d203

SHA1
8bee90188bb73245f5f7791b24f51bad7a56afc5

SHA256
e450ac1a55fa0c0307bd19079f84dd790f906072ce49fd5cfb3397b52a1a9e86

SHA512
e02ac2d2d71fb3502ab8e602d18ee9396e9ecc7744fc6bf1809976ac38fa958d0dcdf72ebb6650df017b205130ee0db0fa7a1ee3b1c27af8782bebf5c3d5ae23

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
260KB

MD5
9fdefc88cd03eb048cf2baf005f68cc1

SHA1
8b81319db948b50925bcfb1cc8379407a94a857a

SHA256
81a31e9f7aede2c3f8647ad32e63a7f3e9b90b8c3df97ccf8cc40cd170708d01

SHA512
67b5e44e6e7a43fdfc4c0fc913c3331010c667a65285370882b9ffb162eaece13561b3cffda5eb515a622d5c5aec907c670e9cbd6ad5154c8060e24f3ee9c720

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
bfeb7c9bffab09079daf8b0d741c7e65

SHA1
5467af346eaf979f3c7e90eed98bc46d833e132a

SHA256
8e96c9121830a811596fa5506128487017b4052aaa555285062087ec08e21ed7

SHA512
21230d7f1649c6bf374d7233136556b252a20cfcfb354a2f100320affbf0f945355dec015f9c1bf06dd3080f6eb64a1fe90ccf9359efebccbd83190292472706

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
6d7e0d1a67275dce7dc7c957ecf559bd

SHA1
8a84999795bdc35c98b27bd040ad2f3cc035038c

SHA256
b0276bc714febd8a128a4db565fb2591a6f3d4f1eb77b81198818db925ff888d

SHA512
32e05df12e16c5fdad55d5dad2ebb958c9d0a10e824775baa9f5fa2c0957eda1b79fea95c42f51d535652d34338a00c9edbb0838df0d0d1c916d1b76984cf209

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
b899a5cc1bf197bd17c1ab360cf71d06

SHA1
cfecef6ee3d4fcd8254f274569f91b974f24116f

SHA256
dfb663751870466f0a1d3e945a47016357d4ee206a4258292ec801f4255a8e6f

SHA512
0fe70166706e33b3723bf9144c873d643dd3d24d2afd517309cb1b4ea5ee45616d2e486a05b40d17a32bdd451dba7b5cb5b165c94d01f90cd5a1b6395efdce4e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
337KB

MD5
3c1a62d765ea43fdd1ad956a05f3236b

SHA1
d824c5743808f5e137e29e95d90fe48a4de0b620

SHA256
472badb3fd99ef94ed0cec8c0f2a2f08412bf6d8b20f98490d07d8d25084ec9c

SHA512
04373ee6db7d4afaf196d3384c92929bdc510b2e3dff5c697a48fbf3f40cea9d6a6873b6517a51403681091b1c5f8cc35eddeafd1ab9792ddf91f5d5d9cf634a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
264KB

MD5
853e5ce213e864ade41782fdc1eb5554

SHA1
232831723ffe414c2cb6b8bc086469c5b9a340b1

SHA256
eb86bec099551a5665d597d80343cf915f459dee1e2925fde85242c11ca2e420

SHA512
5e1a733124a4f0f80f95a4856221cc7dae96825b21b8474b945030c7bad0705ffb3e5c2c9e5dd8c032df3bbc285b684a82157372ac0132fa92d0aa20e74db5fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
52KB

MD5
2d3ed657755f06681f08289208eb0dfc

SHA1
8f3df24a7c93b1d9ea7ee04db6de099f2a25a2cb

SHA256
acc8972567ee20c1b6ea4a9ff2f6c4434ee0b315f1dfe548a6670d130e7e5126

SHA512
540686b732c2a8c8f0ae964d1a4d114d38efc115cf0bc7fc2f9f9f9079190258f85f675474d310c9148e64b7ac345864bac62b6fd307a97256caed800ee8da19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
206KB

MD5
03c6ef328e2f62c6ad6c1348433b3179

SHA1
9d8d4355befc42c1509394f69bf504b791833c42

SHA256
431425d99b80e5fad189e5fea1010fe5ab84cb1db0d6f5c986251c443708ddf3

SHA512
b9be202144cfd721b7ae7eeba367972cd47a9ac2f5955451896dec4924c4f1b6f0f788ffb38701154dda741c6bf3f0d1668cb50efe084b13506279fa1989dafa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
041293c6e29551ccf50428f44bd1e49c

SHA1
8179f9e07f2f69d761e66208eb47e1d68a742caa

SHA256
def2a7d37b63f8273bda3ab587649c81343ee9c3d596f463828abf99270dcb54

SHA512
c5750f1e06cd819a2d6a2a1062f444198735da0cf7f13173b7063328472f83b8ed83bb14ea6b0c7f0e67d76955ce0273ad1b75962cdc05ef65773cbf08789a66

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
15KB

MD5
9c53f92c1ac8e578e91e795bd9027e56

SHA1
1eb50a714f6d2eec26e1d1954d16b2e20483cb9c

SHA256
a5a4a05094a240fbf1a96322fd26dcb80f6f288bd25c5f85261298ba1248619e

SHA512
a1254b1faa878a5dde830c8c00ab2d1e650b2ab43eb70e03715a7337008c96ed6dd3b6d5226aa3025bcaf143142363d87438fc0455c08e33cdfeead21c4cbaf6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
514KB

MD5
1e2e5fea2ca426c84ccc50791dd80cbe

SHA1
36c7e032ed8130852b8533e3c0c2bd0f5700bfd7

SHA256
fcacfb72568736c9f9c01da3b9ff43c49ff02ac0d3e0f949f7fba63a40d049b8

SHA512
563bc6e98fbc687158628bedbc6218e3ce54530900546b70fe656f7d06c67dd60dbbf3908d76e7e56780245c1dc5e2b96e06cc36d679c77b28c1f580fc8e586f

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
98edc01fb15036f6f7c617f2f8afb895

SHA1
f077d435b22af0bb96fdcea326774c681356bd20

SHA256
18665a6da049682a2760e1024083e418dc55abb6563ccd003b77df35e8a7d0fb

SHA512
e0478f6a1184be204a16a1869a49c796215f013cd28eadba2fd06491336b455c3be9283dc88c8d54a5602ab885140ab4aa2949bc9f2abbbc9d7024505459f166

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
cc6b0d82fb8307f03fd4f3e93cabc38b

SHA1
998712b29838b94b2c0e0f2cb3afc079b99739e2

SHA256
5f651ebffc5d63d73ceb456a6047b1b0703d6ccbda4e8e59518386ec4762eb48

SHA512
3babc07205e3f5f24b05f0429e0a71f6000596128420c1de9efdece0e4e407b1667f71b8968ce115f54f25cc9eaeed961b03dbae49d0c7717e5bb9ec73a6a61c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
128KB

MD5
a0616d2b6b7a2f2f1384e5796b92f8a5

SHA1
e7fca7245543f860fd0525262222580462c1a7c5

SHA256
3d3c77d62bedd5e9f67a154e171f03af20c952313ff43b30e4b6eb3613066700

SHA512
36303a871c3e3a8044f33684be0be6bf570dccab05cde048a63df675711f7af5c00d4fc94a289114f9375a53ce86556f08e94ff17c6c453ef1dbe51ed1536ebe

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
3c27eec590a448f19a7ec13d5f363923

SHA1
a80f63ad685703fb3d4e0a635d4250689cfc7ae8

SHA256
31fe852d77bf3bc98207b38607fdf64de42ec3f8f067cc2db0deebf02cb547bc

SHA512
350e564b72d07c713c6027660d6da5a9c86a2cc5d58cf14f7069c39ffcfad7cc12705f1104610da0663b2327216edd2dde8da43a4f28215c0da8e2e7b3378088

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB18.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
224KB

MD5
3187263412292363352ff3bb18ed5988

SHA1
d64c68cd42f4106b11a810a76b713375486a8db9

SHA256
ac5abe4a8e15ae79f4c45a93f26cf9579d05a93932ad7e40974ca107db5a11ae

SHA512
d9d4fdc9e1b65c16ea5757925eba88b98a8dc79cf188c0ebf6dbe3a75283df6d2e35e167b9e36e073cb6a41273acf4276cf1f51db731ec408e9236797a6c5ae3

Download Submit
memory/556-287-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/556-152-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/556-146-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/556-145-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/684-96-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/684-182-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/684-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/684-103-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2028-162-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2028-131-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2028-124-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2028-123-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2028-130-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2076-387-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-384-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/2124-165-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2124-173-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2124-295-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2124-167-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2144-335-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2144-196-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2144-280-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2176-409-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2256-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2256-7-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2256-6-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2256-144-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2256-0-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2256-273-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2284-285-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2404-289-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2404-317-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2404-400-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/2404-288-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/2404-386-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2404-290-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/2404-368-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/2404-362-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2404-359-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/2404-347-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2424-401-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-397-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2664-331-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-319-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-320-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2664-318-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2664-330-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2664-329-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2692-380-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2692-378-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-369-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2692-372-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-164-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2720-45-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2720-19-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2720-18-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2748-322-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2748-316-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-324-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-303-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2748-323-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2924-346-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-337-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2924-342-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2924-371-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-370-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2992-113-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/2992-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2992-108-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/2992-140-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3048-281-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3048-184-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-183-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3048-190-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3048-345-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3048-304-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download