a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
Size

1.2MB
MD5

50af73f56bcfb61ccf5e00487414b7f4
SHA1

5f38d45649003b3147eb485857929b8e9ede3bfa
SHA256

a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34
SHA512

bcf194357b4e7e6ead4fc6ac3b2f02b52374af5c8aab53f1196a3dad2e138706c89bd73972bc2ecb4698a8eef9a8599e4be06c49ba3838db7eb83804248c2808
SSDEEP

24576:DTN9gj3Htgtozpyj4mIexbUSAL2mZ7mzAWbeIYVgOBvWi:DYHyELexbUSCfmzz9YVgY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 42 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exedllhost.exemscorsvw.exemscorsvw.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemscorsvw.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exemscorsvw.exewmpnetwk.exeSearchIndexer.exemscorsvw.exe

pid	process
468
2844	alg.exe
2344	aspnet_state.exe
2608	mscorsvw.exe
464	mscorsvw.exe
2788	mscorsvw.exe
2476	mscorsvw.exe
608	ehRecvr.exe
928	ehsched.exe
3008	elevation_service.exe
824	IEEtwCollector.exe
832	dllhost.exe
880	mscorsvw.exe
2288	mscorsvw.exe
1604	GROOVE.EXE
2388	maintenanceservice.exe
2784	OSE.EXE
1236	OSPPSVC.EXE
880	mscorsvw.exe
844	mscorsvw.exe
2396	mscorsvw.exe
1592	mscorsvw.exe
2088	mscorsvw.exe
1240	mscorsvw.exe
2772	mscorsvw.exe
1276	mscorsvw.exe
580	mscorsvw.exe
1900	mscorsvw.exe
2156	msdtc.exe
1316	mscorsvw.exe
928	msiexec.exe
2336	perfhost.exe
3056	locator.exe
1464	snmptrap.exe
2340	vds.exe
2740	vssvc.exe
1156	wbengine.exe
1132	WmiApSrv.exe
1708	mscorsvw.exe
1700	wmpnetwk.exe
2720	SearchIndexer.exe
944	mscorsvw.exe

Loads dropped DLL 15 IoCs

Processes:

msiexec.exe

pid process

468
468
468
468
468
468
468
468
928 msiexec.exe
468
468
468
468
468
744
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

alg.exea24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exeaspnet_state.exemsdtc.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a48d2893db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 37 IoCs

Processes:

mscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exea24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exeaspnet_state.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B899D7D3-50AA-4BF1-B83F-8FA003A86750}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B899D7D3-50AA-4BF1-B83F-8FA003A86750}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

ehRecvr.exeehRec.exeOSPPSVC.EXEwmpnetwk.exeGROOVE.EXESearchIndexer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1EFCD814-DC6F-423C-B376-A08BE7F748B2}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1EFCD814-DC6F-423C-B376-A08BE7F748B2}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2436 ehRec.exe
2344 aspnet_state.exe
2344 aspnet_state.exe
2344 aspnet_state.exe
2344 aspnet_state.exe
2344 aspnet_state.exe

pid	process
2436	ehRec.exe
2344	aspnet_state.exe
2344	aspnet_state.exe
2344	aspnet_state.exe
2344	aspnet_state.exe
2344	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2124	a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
Token: SeShutdownPrivilege	2788	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2788	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: 33	2372	EhTray.exe
Token: SeIncBasePriorityPrivilege	2372	EhTray.exe
Token: SeShutdownPrivilege	2788	mscorsvw.exe
Token: SeShutdownPrivilege	2788	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeDebugPrivilege	2436	ehRec.exe
Token: 33	2372	EhTray.exe
Token: SeIncBasePriorityPrivilege	2372	EhTray.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeDebugPrivilege	2844	alg.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2344	aspnet_state.exe
Token: SeRestorePrivilege	928	msiexec.exe
Token: SeTakeOwnershipPrivilege	928	msiexec.exe
Token: SeSecurityPrivilege	928	msiexec.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeBackupPrivilege	1156	wbengine.exe
Token: SeRestorePrivilege	1156	wbengine.exe
Token: SeSecurityPrivilege	1156	wbengine.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeDebugPrivilege	2344	aspnet_state.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeManageVolumePrivilege	2720	SearchIndexer.exe
Token: 33	2720	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2720	SearchIndexer.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: 33	1700	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1700	wmpnetwk.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2372 EhTray.exe
2372 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2372 EhTray.exe
2372 EhTray.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

SearchProtocolHost.exe

pid process

1528 SearchProtocolHost.exe
1528 SearchProtocolHost.exe
1528 SearchProtocolHost.exe
1528 SearchProtocolHost.exe
1528 SearchProtocolHost.exe

pid	process
2372	EhTray.exe
2372	EhTray.exe

pid	process
2372	EhTray.exe
2372	EhTray.exe

pid	process
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 2476 wrote to memory of 880	2476	mscorsvw.exe	mscorsvw.exe
PID 2476 wrote to memory of 880	2476	mscorsvw.exe	mscorsvw.exe
PID 2476 wrote to memory of 880	2476	mscorsvw.exe	mscorsvw.exe
PID 2476 wrote to memory of 2288	2476	mscorsvw.exe	mscorsvw.exe
PID 2476 wrote to memory of 2288	2476	mscorsvw.exe	mscorsvw.exe
PID 2476 wrote to memory of 2288	2476	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 880	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 880	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 880	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 880	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 844	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 844	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 844	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 844	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2396	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2396	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2396	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2396	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1592	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1592	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1592	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1592	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2088	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2088	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2088	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2088	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1240	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1240	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1240	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1240	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2772	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2772	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2772	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 2772	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1276	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1276	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1276	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1276	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 580	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 580	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 580	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 580	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1900	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1900	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1900	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1900	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1316	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1316	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1316	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1316	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1708	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1708	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1708	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 1708	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 944	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 944	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 944	2788	mscorsvw.exe	mscorsvw.exe
PID 2788 wrote to memory of 944	2788	mscorsvw.exe	mscorsvw.exe
PID 2720 wrote to memory of 1528	2720	SearchIndexer.exe	SearchProtocolHost.exe
PID 2720 wrote to memory of 1528	2720	SearchIndexer.exe	SearchProtocolHost.exe
PID 2720 wrote to memory of 1528	2720	SearchIndexer.exe	SearchProtocolHost.exe
PID 2720 wrote to memory of 2900	2720	SearchIndexer.exe	SearchFilterHost.exe
PID 2720 wrote to memory of 2900	2720	SearchIndexer.exe	SearchFilterHost.exe
PID 2720 wrote to memory of 2900	2720	SearchIndexer.exe	SearchFilterHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
"C:\Users\Admin\AppData\Local\Temp\a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2608

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1e8 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 184 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 184 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 27c -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 278 -NGENProcess 288 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
PID:880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:608

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:928

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:824

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:832

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2388

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
PID:2900

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
6dc47e4b4ed6b9d9ac84da55083ad7ac

SHA1
dcfe4059e0baecf103d6239267e990d6165e90e0

SHA256
6ef0a5a67e358db151e6149a98b6b825fbde3d7f6cb03dec97ece4666c84b86b

SHA512
9e1e5852f9e5e05181cfd2db50434b3024b812e6980cafe6ca2bf435edc634e379a3e86a3eb314e26d92d56f90e7cf0b6a841703dc9d67701a04c63ff3eaacdb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
4.4MB

MD5
da77574d83d31c68af71edd75d5e00a9

SHA1
83af7d2d34d9eb87f2c52fa8c9e1fecb42e96b5f

SHA256
e1dfe9160700e2eaa3c171b41bb5fbf5448d2918cf1e0f102df780bbe5ce5514

SHA512
e94c9737509b30749f375bee835d6f72a89056ebd8e2d3a992dde9f97f37307aea0cbfb6ac5d8e291ee624a384ac441d6e838bb40df0d934c0bdcac8eb0956fa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
ac17f042179282308f0757a0f15abb68

SHA1
8d37b353640bbe5b1c233c3c7dc0500fb01c52f6

SHA256
a14e8103db0d41f1e40cb6fc9cb2c349d0e8b36fe5ad37ac0fecc0ada8076bd1

SHA512
4682aa1b0b616408ff2d0050ac2813b5ec189fe47dcd42c866ce6506e412ad92af84fee2d4a0bd698c801b4f7d92028d5ef37087b6f213ea2bd7ea62ba57969c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
2.6MB

MD5
369a09eb5c314e39abeca66a077db372

SHA1
d0244f1cb77f8f7f7f3008814ae1f68993fac760

SHA256
57e7bd412f46cba112733e9a3e0d1d5934ef2a900fb4ea67612913468c5b357a

SHA512
cbbfef7d9a8166ea5c4d2f49f32f798e80dfbb5a0cad38cdcdd56fbafd359f58841f6291322244fc9d000bb337f4863eb168c3c62165644c1233bee08f9ee842

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
c16c22f61c7ca1a8deeb944ab2fcc2ca

SHA1
b01ab409e9cd68b3a14f37cedb8ed7344bd3a79d

SHA256
3a4cfa559b4132aae11eaab5a2af643d2d7754c924b8ae89a4c74211a3aeea7c

SHA512
8b11d36e1be54a9c4cfab52f08c9095fbf35ccd6417c7322fb3992c27ca3b5110a922d3c24112956a2605e0296a599a938a4a2e023027c1eea1cbeb7c0330c55

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
7e1d58c763c2b8335a0e6f9fc3bf93f8

SHA1
b1543e3223e50c2f9d24bf73184f357de3d2f4a9

SHA256
13c17af1d1dbadc62aacda9aea517f502f7e0256537133a599f3592ab7b4960f

SHA512
75143cb05c0bf879283874874671c6e1509ca409aea023aeeca40560dcc92ead4da7d64788c4e4053cf68e780ad36778e190dba490b2cacca1f71938d9d92cbf

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
803b15f35ea605f6ccebcefcbbfb8acb

SHA1
6837ba43c08f8c557ad97b6dd04065c363535639

SHA256
f41a2c132e2d89bef88de66587d78a0615a6b41b27210a28dc7a465434ffe9ba

SHA512
ade6e0161a8dee724670767273ff50bd79270f9dca804559a37c05c4dbf7af315a60cb7ae4309ef39efba167ec5ce7e5806c05cc10c9418a8833bcfaa7cb97e5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
512KB

MD5
77850ceb2a300952e23fe99f98b70962

SHA1
8c21398f884f1806a0d8d33de2e9cd0b7daa7a42

SHA256
4f20b6903100b9d6442a4ce08ea98d4c1e6aa6a997150413fb1f7b745ecabafe

SHA512
177020c06f9b544790e944125979fa6a773951c30a17309d601b562ee80858a68a7354bc5d8dbadc4d930f84eb3ebbae8a056936a8f200a650be17ebb874ca69

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
26ff8a0ecfad34d913b70cc0bb349258

SHA1
a31852456425243b8ce7b44eee6d725360da9ab3

SHA256
d07dba969f5759dfe35efa7eacc394e2fed6af94c91c8aca181d7dd0f5506e6e

SHA512
81f4ccde58a5001131ba2c5536a4e7506687f5daf65ae567a700d30b53236d6491ab28a4148c079c9564543ea5c63fd1e548eff92a896c87d68f5debae5e4cea

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
72c922f2f17fb420d3dd777d1cc899c2

SHA1
47a8663ff01b97ca4d49a98798395671b7c83e2a

SHA256
d9039fe5dd7e8c1c97ebc4d0f7d6fec3a558dd8ef0adf1467db185e11b39c122

SHA512
913bea0902666292692bccd692f655f6415ca0d83f16feb7beab1decf5d966a9c81be759bf8478796f862ee18162af36169241ad68c3d5da10c9c4242f368fed

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
4a90f979005182f42a43092d66f9119e

SHA1
6f9da1362cbf1b75456615c0b34c64531e7c92e4

SHA256
45c7de564c14191a78f1c7f75cba411a51d9678bd137100c34ab0e9684df71a5

SHA512
4d883c31e62b4b025afbda6edac91f1fd69b6ceb87481ae07690af25ec433fd29abc1303c71691a6996143476036d2b089af74a836b95358d4deca8c8bfdddca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
192KB

MD5
b307dfc6d5af8d8be66937ace8b5aba4

SHA1
51ac7276a9f9c342924bd7c1d03df21a36b62e8e

SHA256
3fae61f755a5a0b79742c29a46cfba99926c61cb51e410fd869a7c1f4e4cb29a

SHA512
502affa34af80f5bdb38f82fd25626196f30661635e3e0c2ec1476869e30ccf42fe77db9f750f429b8847660ff1932a514c89d049f319900de3cb6e1d3320d37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
576KB

MD5
1c008ceef301f9cc50392ce91b617c2d

SHA1
90113b044bcbf1093f32104d262a0e6707e1e919

SHA256
dec21e2ee4a4203ab4ec63fa167c9ba80bb6dcee51b3f827eb05ead7753fd7da

SHA512
b817419d8e01e9e62f84ead3dc134b547aa2f149926aef778b5d1e05cf84e502ac427177c9a0577a2bdedf088e86d4d172a687295be410375261af903d5063d9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
453KB

MD5
747404634d454f263a5f9c0dea5e88a1

SHA1
b629f1439401b1327cd20fd86aba0b75bd371b87

SHA256
786d4080af16bc68813239eaa4a3de5b50aebb0f0c0a87ba1f604987284560cb

SHA512
44dfaff118a973c4f8a9635af7056d460bb4f36a0fa9579b33c18120cb27bceaedfeb80e4578477b335385393c1497706ba1e529599e2e5710c4a6cc40be6de3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
e5f27dde116c0e3132ef664994be108c

SHA1
ab1f85fceee3b8dc06e161d203858b88e7d0a893

SHA256
92e23362632931bcc2fad6a8a38e474268ffa8edd2600019c7c652d2eccb2c5d

SHA512
8b1aa0162f1f5d6439695f00be53e084e8de7e82946989138d770f66f26b040a5877ff21f90b5d99d38f83fd40aa02e9d6d416acc9538079e1b4d2a4cb3575b1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
128KB

MD5
48577beb49da3221be55023215fe241e

SHA1
1bf8be3521fac2cc3642c57277441840cde43cd1

SHA256
9b2a77002a09fa394f1e4dac1374a7956332e815764b6aa2e900b6d02b125f5e

SHA512
a2f6128a939dba1527723225a43895a0c123af1aae4c991d5374a0a66e612e9de94c1a9a79d4401d0d8b4101d5169cfbfd6f706aaa6835116082846bce13ca8f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
80d853932fc94981101eefbb342461a1

SHA1
2db6d458852df0a3016df0e01f15b7cdba15fad7

SHA256
ccbd76f714c80b4c27555f1dde35f3fa354837e7ed50c8f843f37d6265357249

SHA512
242d1e02642f67467d21180d2a82d5c513fb732a3c47ed874cb3bd88c45686604fcfa5ecb82e1db08c2a1f60dae0dc339f2101e0cdad5ebf7652bed12666e55e

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
23ee2244f9370d48a82aaf4653cb81a8

SHA1
4edcac60d88ad4ebf92feffdc83b155bdfaf606c

SHA256
09b7269936826d16d4e00e3e0706b24c3d7ea64027631b30dd7f7cc523e8ef0c

SHA512
26f37224215af86f64268ea95145d280550da689dbe19b829adfdfb075537a5d596ebd056b5880b4ad723f31eca039a278bddc1c9ee7f679e01a4b227854f108

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
577KB

MD5
955287f244f328d189bb2b8096c2c7d9

SHA1
b08940ce60a67f7bcae717ec9da20b0dc7042361

SHA256
3e4d2b13a7d9b31d887788d8eaa0e7aab461a135ccd3da143c04af5e68dbbae0

SHA512
1038de171aaaaa518901ed3406a4ff4f76b9e9c0219c5fd7f5782988e79ad93b96ff10555022a0f0ac4dd231896d9678b306778f7310930b0847c06b177c24f7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
d1de2b2fd6b3f17ff9abda26c88ea2c3

SHA1
5145017ed0cb21b0c5d758dc6507e0f5018c2ef3

SHA256
7ddb953da6a1345fd4cae538dc6b00c3a4c3dfb7a50a98936f5e31e3d806ebb9

SHA512
bad2c279d1bacf58acf455986fb6272fd3e8c7c06ab8f500865610bb14855211ecaf88032e28932549750b6d51831d60312a762cb0295f76cd34760b89f50efd

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
640KB

MD5
b1032a04b4e76ca84a84be29ffcd49ac

SHA1
40de51f7cef048c2c714db55cbac4201c18d1229

SHA256
c326f783eec6a953bbc887e4f2dfb386c731f30c1ec443527e7689d5c8e37f7a

SHA512
2a620094e59108b5e3377928f6fbbb12143de7365621657f28187d76b238e5d6c31a0dadee74a1048bfc4b17e00e5982e8e8ffd5c6e9f90c22978f0c428a16ca

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
0cffb2a0dd17c003c90373c5077558c6

SHA1
463f7cf2652205651ee9ad82b5f627134af5c25a

SHA256
c2a25dc4c7f1ea92a7c4cac1eb6dde815794a8b7c342fa7bd15976411d289683

SHA512
e6c38120240851116cf637e3a2f00fb7d5e37a1b569197773e26f74cf47a901392f24130ed731b6a4ab3b909cb8a7840b0e5fd535a7482a1bd80628e3b5371d9

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
e67a6a2a7e98d52924b0258e127dd07e

SHA1
461072f42353e72e693a70c0dc6ac9bc229a18dc

SHA256
24c6fde70edf98d93218c2dd64d2e1db5960a694df189fb261fae9f8820d9f4d

SHA512
7252e64e49ff88aab23e35b3faff154d1d74e35e9a2d3744d3d58a52f4f7a39a600633e9be7804ef3fde237e0130571b6629b3fa0a177f5568eb9332bfe562a3

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
b64efdccadf1b9a89347e1cc540ede7b

SHA1
3c1834846b9fc640b7ce3526c1bfddee877804ea

SHA256
aa2514552a68beae6471254b18dcbac440e9391a227005eb6907bfd6d087321a

SHA512
37d300349edbeea52c71f6cdf2c14e81c043ecb921dc54298d19930028002962fd912866c9b1dbc0695d12007e7b83283fcac93d3788551123876fe57bf38aa2

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
e457dcdd6aaaf9cea59a82ef9e5cca70

SHA1
e6dee940af3da24b37d4debded653512a7c771b3

SHA256
c52d0cc3a2c959991948e257b8232ec37cf6c21e2d4368dbf7a12a0a404e7bc3

SHA512
48a9cc0a8721a1fc6a45502237d51757bbdf79c6a4ae56c4284d01ae768cfeeb8713f8afdaa7368ca4c01e82d145e9b8ebf0187bd396b804d711ca8fcd9b9003

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
6a34df3fda1dfa429ac8e794fe32901c

SHA1
eca24480ba4c25cccb520edf2843c4060e2c9d46

SHA256
d692962c1efea463aec48e865128deaf7952debbd591bdb1dfe125618716578c

SHA512
c21555d605dd4870f2ddf0ce66650dc0b812e01342f95ca3591dc9e4f558a2b32ca497879f1be75523e43dea543d42144d966b62c3802443c0d90f6e6da998d7

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
3bf8f5f3502564b314c13c0da47d9da0

SHA1
45e86f07a71e2e7019a3ff9a6ac1e92438b4448b

SHA256
03d2b30f18e74dd71c452f6584ea03b32687333b20e387d74ecd8b15b2ae80b2

SHA512
bae97c04495ec72eec186bc6989ad36d64f61cf083f1ef918b6238e1abf311ac798e1a256503a597467246302e7f8e7713dfd4585af530866130f113f6cf65b1

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
574fdcd0d35577552f320ddb25439eb0

SHA1
d3889b13bd1f6993592ea6d2c41c36fb0dec8821

SHA256
9245a98fd9a74711226d766d6d39e48e2cdf32443050432ca142c19bc1f19162

SHA512
8548239502ac3c0aef0774f36deed049d2eb4673f5cb1d13e35fe4fa91f4f022efa6c0e7017736202d448dd9c9431be28837d301744e33cd114bafaa7d789b86

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
dda7a218d9fe14f2465e1ee519c95333

SHA1
a27e5f5e43cfc59cd89eab0211dd1186a16891d1

SHA256
365047eb4afecbb532a75349a7bc0d95768b0bc27c7f7cf808e3315e28b954bb

SHA512
092a8329ffae7ff67c0eddc10bf7703765b1a8a60d094ae0237d343c4244bc24e950f3d1c8c88e0f358a7a9046d9cfb66c263c1db75f4f31bbd0e262f580ba64

Download Submit
\Windows\System32\msiexec.exe
Filesize
95KB

MD5
a2ac5da042a18225e91c5cf5777fc587

SHA1
65f7f2f7282741f7aa38386f63b2f824474ac497

SHA256
68ef5be364f3e5f08293f24e5863e79534e10fc12900cbc94468a25a06ec3311

SHA512
93381291d2da820b02b7d8d2c53a5933e7e33c29535dce960a83bf18ec3889ed406ada472ab0af13428e8ea51875741ab64b858164cdec6b0aa0607ab622a79d

Download Submit
\Windows\System32\msiexec.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
67cc7b953c7e9d6224a0067e92edd7f3

SHA1
5101295ecf6fb79e17e0bdbf07964382a22c3349

SHA256
a32955cc3c8ec6dc28c3fedc56c9168df77cd24b46a9fe2ee3e23ff7249d6322

SHA512
5c32ddc30b5fdb192aa2b3f1c0e3368108730964f2c4076f1d97091029fd3ef68dd2ca0494f0549a475342562912e21df421e2eb2dc5c5a355900f604c977d64

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
32f23c601c31233d57d564c59a7c0804

SHA1
d8f9ada4cf83716811634a646ff481ff3eb0978b

SHA256
c29aeba3da019e463b7d09eb3b33763c4b3f04469d69936279e02e390c515909

SHA512
1bf8e5e0c24bf5fe646a1c520104d5b252efd9c6f626933686218f4a33c0cb4f6a2256357854fe6ef2f89e7e593d84d3528cb753dc8409ed899d619f6249fa89

Download Submit
\Windows\System32\wbengine.exe
Filesize
576KB

MD5
52074b586cabc78014d8e4185718a5f0

SHA1
c22daffcf923bc63cab6aa7ab094ac3eec89ebdc

SHA256
f565029804fb30ab355ba611b5d035f93f9e8b54c90769daa710e646997239f4

SHA512
bea414908f28b139bb9cf77f179c2f1929bac30247406bd7a89ed8652fc83a11d721e9ce4410e6c46345e72a1bc3697be48936f9caf2c94146904bdee4be0371

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
704KB

MD5
1f4c6888cb0945f27e41b2a0706c166e

SHA1
9a624d6d91e305c49d507df472b596fc54563c1d

SHA256
e288468025f7cd4759d0b454c7b38aed442b2e76900184661b6730ef50ecbfd8

SHA512
541d5ad6b7ea75e98ad5c70106da27e566c98548eb3e6867aa362717f10ad130d4f4dfc1544f6b7e6efb1743dcea0133a418f6b98ae5591dce4069c5971feafe

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
a6bbd3a190ea2347a76cc9481a772b83

SHA1
d9d84d1fb412a0db87e78a200773c4a65540f8ad

SHA256
bb53d7f2853b64f4b8562ed4b5bfd8b71c8b14b6dd99612c470e5c49819497cd

SHA512
6793a2236921776a558c8ac5de4da246d4c0608137bb8489c0aff67e8624427e004c65ed9df2cb6a0fb168a5d7d1f4901f40873dae10d9e32b7d437abd3a5e80

Download Submit
memory/464-89-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/464-61-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/464-62-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/464-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/464-55-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/608-115-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/608-114-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/608-139-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/608-248-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/608-122-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/608-199-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/824-168-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/824-273-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/824-157-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/824-278-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/832-196-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/832-197-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/880-198-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/880-223-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/880-225-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/880-222-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/928-127-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/928-243-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/928-235-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/928-135-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1236-266-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1236-280-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1236-277-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1604-226-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1604-231-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2124-7-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2124-2-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2124-0-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2124-76-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2124-165-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2288-229-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2288-233-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-239-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2344-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2344-28-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2344-113-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2344-34-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2388-264-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/2388-241-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2388-244-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/2388-267-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2436-276-0x000007FEF47E0000-0x000007FEF517D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-291-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/2436-237-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/2436-195-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/2436-192-0x000007FEF47E0000-0x000007FEF517D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-183-0x000007FEF47E0000-0x000007FEF517D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-279-0x000007FEF47E0000-0x000007FEF517D000-memory.dmp

Filesize
9.6MB

Download
memory/2476-97-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2476-103-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2476-95-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2476-170-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2476-102-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2608-38-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2608-75-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2608-44-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2608-39-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2784-251-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2784-258-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2788-150-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2788-84-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2788-77-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2788-78-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2844-94-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2844-21-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2844-14-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2844-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3008-143-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3008-152-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3008-263-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3008-257-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download