c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Size

816KB
MD5

0950c8f577424fd78fae4996959a82ef
SHA1

5a5ac016071f4bc1f483600231949403322a8edd
SHA256

c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee
SHA512

c3cf3453605f825d5ea952240ef6f45d4ef22e09d100308c1ad0be57fc5dc5722e4a64e1b8a9be4816d49654cdadcae372cdcb4fe3f61bdafd24d4b84ea2cd4e
SSDEEP

24576:cnO5p0vVuXp5SF+5JwXgb1081v3iYYKLJxNk:tD0vVG+F+bmgb1+cxC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exemscorsvw.exeelevation_service.exeIEEtwCollector.exemscorsvw.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
472
2812	alg.exe
2800	aspnet_state.exe
2600	mscorsvw.exe
2644	mscorsvw.exe
2240	mscorsvw.exe
564	mscorsvw.exe
972	ehRecvr.exe
2640	ehsched.exe
2180	mscorsvw.exe
1288	elevation_service.exe
1548	IEEtwCollector.exe
1344	mscorsvw.exe
884	GROOVE.EXE
1476	maintenanceservice.exe
1528	msdtc.exe
1596	msiexec.exe
1484	OSE.EXE
2568	OSPPSVC.EXE
1996	perfhost.exe
3068	locator.exe
2572	snmptrap.exe
1368	vds.exe
1968	vssvc.exe
1588	wbengine.exe
1808	WmiApSrv.exe
2652	wmpnetwk.exe
2284	SearchIndexer.exe
2156	mscorsvw.exe
1952	mscorsvw.exe
764	mscorsvw.exe
1712	mscorsvw.exe
2872	mscorsvw.exe
896	mscorsvw.exe
1700	mscorsvw.exe
1920	mscorsvw.exe
668	mscorsvw.exe
1720	mscorsvw.exe
1852	mscorsvw.exe
1040	mscorsvw.exe
944	dllhost.exe
2072	mscorsvw.exe
1472	mscorsvw.exe
2388	mscorsvw.exe
2044	mscorsvw.exe
1736	mscorsvw.exe
668	mscorsvw.exe
1276	mscorsvw.exe
1008	mscorsvw.exe
1756	mscorsvw.exe
2864	mscorsvw.exe
400	mscorsvw.exe
2164	mscorsvw.exe
1052	mscorsvw.exe
532	mscorsvw.exe
2904	mscorsvw.exe
2520	mscorsvw.exe
1260	mscorsvw.exe
1508	mscorsvw.exe
1728	mscorsvw.exe
788	mscorsvw.exe
1200	mscorsvw.exe
2164	mscorsvw.exe
348	mscorsvw.exe

Loads dropped DLL 31 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
472
472
472
472
472
472
472
1596	msiexec.exe
472
472
472
472
472
736
472
2520	mscorsvw.exe
2520	mscorsvw.exe
1508	mscorsvw.exe
1508	mscorsvw.exe
788	mscorsvw.exe
788	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
1980	mscorsvw.exe
1980	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
2276	mscorsvw.exe
2276	mscorsvw.exe
1120	mscorsvw.exe
1120	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exemscorsvw.exeGROOVE.EXEmsdtc.exemscorsvw.exeSearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f3a6db013db14c9a.bin	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\System32\vds.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

Processes:

mscorsvw.exec32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exec32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exe

description	ioc	process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{164A39E5-3304-4C1E-B694-6846D87EDE4B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{164A39E5-3304-4C1E-B694-6846D87EDE4B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP706F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6345.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9DD5.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7BE4.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeehRec.exeSearchIndexer.exewmpnetwk.exeehRecvr.exeOSPPSVC.EXEGROOVE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000306c84eba44fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{CB3AE2B7-3982-4EB6-9EBC-C596F9BA4612}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003050caeea44fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{CB3AE2B7-3982-4EB6-9EBC-C596F9BA4612}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe

Modifies registry class 24 IoCs

Processes:

c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup\Shell\open	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient\Shell\	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup\Shell	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup\Shell\	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup\Shell\open\	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup\Shell\open\command\ = "\"C:\\Program Files (x86)\\ASUS\\Grid\\AsusGCGridServiceSetup.exe\" %1"	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient\Shell\open	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient\Shell\open\	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient\Shell\open\command	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient\Shell\open\command\ = "\"C:\\Program Files (x86)\\ASUS\\Grid\\ASUSGCDriverInitialClient.exe\" %1"	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient\Shell\	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient\Shell\open	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient\Shell\open\	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup\URL Protocol	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient\Shell	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient\Shell\open\command	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\B9ECED6F.ArmouryCrate_qmba6cd70vzyy\\LocalState\\GridUpdateFile\\ASUSGCDriverUpdateClient.exe\" %1"	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AsusGCGridServiceSetup\Shell\open\command	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverInitialClient\URL Protocol	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient\URL Protocol	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASUSGCDriverUpdateClient\Shell	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exeehRec.exe

pid	process
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2324	ehRec.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: 33	1796	EhTray.exe
Token: SeIncBasePriorityPrivilege	1796	EhTray.exe
Token: SeDebugPrivilege	2324	ehRec.exe
Token: SeRestorePrivilege	1596	msiexec.exe
Token: SeTakeOwnershipPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	1596	msiexec.exe
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: SeBackupPrivilege	1588	wbengine.exe
Token: SeRestorePrivilege	1588	wbengine.exe
Token: SeSecurityPrivilege	1588	wbengine.exe
Token: SeManageVolumePrivilege	2284	SearchIndexer.exe
Token: 33	2284	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2284	SearchIndexer.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: 33	2652	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2652	wmpnetwk.exe
Token: 33	1796	EhTray.exe
Token: SeIncBasePriorityPrivilege	1796	EhTray.exe
Token: SeDebugPrivilege	2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Token: SeDebugPrivilege	2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Token: SeDebugPrivilege	2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Token: SeDebugPrivilege	2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Token: SeDebugPrivilege	2508	c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeDebugPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1796 EhTray.exe
1796 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1796 EhTray.exe
1796 EhTray.exe

pid	process
1796	EhTray.exe
1796	EhTray.exe

pid	process
1796	EhTray.exe
1796	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exemscorsvw.exe

description	pid	process	target process
PID 564 wrote to memory of 2180	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2180	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2180	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1344	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1344	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1344	564	mscorsvw.exe	mscorsvw.exe
PID 2284 wrote to memory of 3024	2284	SearchIndexer.exe	SearchProtocolHost.exe
PID 2284 wrote to memory of 3024	2284	SearchIndexer.exe	SearchProtocolHost.exe
PID 2284 wrote to memory of 3024	2284	SearchIndexer.exe	SearchProtocolHost.exe
PID 2240 wrote to memory of 2156	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2156	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2156	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2156	2240	mscorsvw.exe	mscorsvw.exe
PID 2284 wrote to memory of 1604	2284	SearchIndexer.exe	SearchFilterHost.exe
PID 2284 wrote to memory of 1604	2284	SearchIndexer.exe	SearchFilterHost.exe
PID 2284 wrote to memory of 1604	2284	SearchIndexer.exe	SearchFilterHost.exe
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 764	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 764	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 764	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 764	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1712	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1712	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1712	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1712	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2872	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2872	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2872	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2872	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 896	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 896	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 896	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 896	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1700	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1700	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1700	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1700	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1920	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1920	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1920	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1920	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 668	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 668	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 668	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 668	2240	mscorsvw.exe	mscorsvw.exe
PID 2284 wrote to memory of 1140	2284	SearchIndexer.exe	SearchProtocolHost.exe
PID 2284 wrote to memory of 1140	2284	SearchIndexer.exe	SearchProtocolHost.exe
PID 2284 wrote to memory of 1140	2284	SearchIndexer.exe	SearchProtocolHost.exe
PID 2240 wrote to memory of 1720	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1720	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1720	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1720	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1852	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1852	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1852	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1852	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1040	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1040	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1040	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 1040	2240	mscorsvw.exe	mscorsvw.exe
PID 2240 wrote to memory of 2072	2240	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe
"C:\Users\Admin\AppData\Local\Temp\c32a10cccc846fca45ae6711cf8845c11d0785ad7306b55cb837f335b23869ee.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2600

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 280 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 308 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 308 -NGENProcess 280 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 1c0 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 26c -NGENProcess 31c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 238 -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 304 -NGENProcess 29c -Pipe 1c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 31c -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 300 -NGENProcess 238 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 268 -NGENProcess 21c -Pipe 218 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 234 -NGENProcess 304 -Pipe 204 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 314 -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3a0 -NGENProcess 3c8 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3a0 -NGENProcess 3c4 -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a0 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a0 -NGENProcess 3a4 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3dc -NGENProcess 388 -Pipe 314 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3dc -NGENProcess 3a4 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e4 -NGENProcess 388 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 218 -NGENProcess 21c -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 254 -NGENProcess 1b0 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 22c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 218 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 218 -NGENProcess 24c -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 24c -NGENProcess 1e4 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1260

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e4 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 230 -NGENProcess 274 -Pipe 218 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 274 -NGENProcess 24c -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 204 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e4 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 26c -NGENProcess 28c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 204 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1dc -NGENProcess 204 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:1332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 2a4 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 28c -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:1912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 204 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 2b0 -Pipe 1b0 -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:972

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1548

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1484

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:1604

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
9ee8869a7aec70ad7e9d92e5c15db4b9

SHA1
c8e2a16adab0db0860e3695e7a9e30cb640622c8

SHA256
c8d8a84a782861607ca9ee8d60ebab8a48a44529f8b7e6a520e36a4d1c5b2226

SHA512
2841c4457bd9c8af2820f00e22cbd97f5e3d48f14cedddefa618e3a46bf3594f49406a370187c54e58806c856dc069d07f7140c34cd191ea3062e4b9cf1578ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
1458a19fce9a4dc07b075ab97c71ff72

SHA1
0a652a81f53fd975b7a1fba5e25d0ba473788fa8

SHA256
91a4b4ce9177468f54d9f3df018497c2c1af4bdef8ab2ae782175b38771f5004

SHA512
9beffee2740d3f3ff6bf1be7ecb6a36fd375ebba9c4e3a6eb68754ef491d873a39b71254d369617e7a66d23df678ece1edd13d2fd6a1fcc95c31e773de60abff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
d63f69c465a250a71fb6ecbd1746eac7

SHA1
27784da6b5de20166b9a32381577420bd96f3041

SHA256
d96942ac9b626382b2838a5691cc16be25686ddce41f96dcd1d8db5b9e2dc5e3

SHA512
427fc192532eb3fdb8ccb3c309a0c19096372a38d944cb72b62d941efc175946a2e27539e32794510ca05feb29a68c2645bc83b8b68903772465123c8cb05d74

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
c611f87e0afcba72027bc6c598adc1b0

SHA1
cfd56cc04436ce3a81e42e88142dcde5bde535f0

SHA256
25b172d5a315699caf883b419f281aaa2a3e80ffa66f23fb8b164c23810d281f

SHA512
6497ed290ee7ecbee2a8c9067cf0d1e224e7c9beffec203b231fcdab1da1025d5e099bd245c03d8f17476214779aac17df09ba3e30bde2d2e71824daca582145

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
30f9af571dc87256ce1ebc330d6eec7b

SHA1
ad387fa285e1e35c60483d52b8a099d19ca89a3f

SHA256
a6b5980a1ade907704ee84e4b3fa75e62b6dd256ebb879d3b7b9e72c8ba6de16

SHA512
d452e7f5b433fbe8e7a39d62e6e2ff2174fd178ee056a8022cbfb75f6046724c431aa3611e23b1c4a995f601a808eb2677998eea50986cbf33c2a1fc0997eb78

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
afba879e8c7b5f5fdc43102df6fe9699

SHA1
8cdd03743983bf679f7aa067c5a2d52c3f1d28f1

SHA256
03b703421fd7e51de74f71b77d78f950973d6a08564e8005028208461c9c3a52

SHA512
3029b3044431c768a6a870b598f7b3e995d126d5399d454065bebc03239ae99fdca6b26248721a24a47d04af334ee3fe2719878dfba56d554c80b286791d0fbe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
f520b3e337663ede5db9dba5ae864baf

SHA1
8a0933e4a0f9605436375b6d28ac2c5ca23aa64e

SHA256
9f4f81e135d89086efbc5255c5d99495d2d2c8952686bdac323fa35d990f6bc3

SHA512
b714319807f7ef5c1f39afc9d9e62790b76c8e6b9b8649cf6322566245b8a25cb232cbfe1af0df6e4bbb2fd7153af78e63957cd472752c7ceffccd6d8417da0d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
7a7f434c086bddb132a7849d91caebf7

SHA1
e409eec47748f1f88ed93075e7918c8c583ec31b

SHA256
abe460bcb1157546bdbcb8eb59369b76cf18fd26e0e0807c65cd17097e92d811

SHA512
779b98008c6b1108ea9082f25515b0977bf5284fbbbcd59c43966381be2cc00b2ca9ff87481f0129a127993a18b77f3a6c8d716887eff38a0bb52d6c94834b50

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
416abb7d9a199b247d0cf4dcdd9f8f1e

SHA1
caf978cacfc0b9d53bd1cc65a92063628e329665

SHA256
6a071f300d57b7790b2e236475911cb20788bf945dbe3dc48ae4a60e599644de

SHA512
e3a750cb806ce2dae61860b7615aa7fb57a36c2d9442ee6a955aed0fe61676a38e46af3b7ec1dbd5cb2836672516c10d8633ce02e700dcb7f6ec5160420ded01

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
f08de0e98dddaa1b11e158f63d227099

SHA1
89c220ab1e24f6520e6ac616b687a463a1e2508f

SHA256
c649a01a215bdf0304350f49f96e465401e4e769d88f1c44362c384fa2eedc53

SHA512
9b2d4094f5d53bfb81160e92bc77aa6f6045a2d55e50e7c353fa18d129dbc1e4a068b66bb9a1a1f84e6be2b5c884d5aacb31f1b82644308daed53c5fc90cafa9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
9de22bdfe7a25b27622d55ffd4994f22

SHA1
68a59b358dbba725850cf4b324377affd84c2f1c

SHA256
6b35ee4aa5aca4cbcbc6f251a77360538fa56c7220684a872eb60afe6bf9f4b8

SHA512
388fd45a747d90451aa9fb2cb2fffee67fb3c1be6e64bd3495faa27a294793f82a693485ef7de526551affe260e2b765f4821abd6e93fe46fff7d3d3edb9949a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
e5a4a3a5b09972380d96be833c07c137

SHA1
f45271462e8ba64469e1bc04807ace381cffe763

SHA256
76a50f1b74298b719d30cc7550958277a15d249802510f040be22da50f8e5a50

SHA512
98ec86db5f9d5974e1d870076713c2a37ffe2f43935c7c5e09744b7d48e279aef1f2908aece0b7aaa05a7fa2056ee7a47321edeb8e4c53f731ae50270dc7577d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f3a6db013db14c9a.bin
Filesize
12KB

MD5
13cca586165b34e15e0738e8328a92f7

SHA1
59c0d51c0fa3478900cd55a8a7392d5b015c03c3

SHA256
2522b5c6ae022315137659ab471eba2de27ad5c1352bba719866ae14a66f7ec5

SHA512
6af3e633da6f21cc22af14043f9567dcb03bdb01b3692c77cc015fd62e67f1b0ea1573408cb0f2bfcdecfd2fcf9a61540b9e9a9022860b49cf8bb8f920c4fb91

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
5058d71960dbf644c23796df62c5d63c

SHA1
8059005ffe86b943409ab0cc99e4edde827b665b

SHA256
e6d392eb968df90a92d81afdda5ca57a77cdc759e48d5c3282ad81455c495211

SHA512
45fa19194c584492615666878a8ff24c7e20575e1fac5c01c2fea26bf6cd74b46fc715f9275bc798935b251c326e030e4ba05e61e98c6e5ef27b27273d3e6452

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
5f87c66ec31363a65204b791cb365496

SHA1
52494d882252f7e1f27223a503bd162af24d4a34

SHA256
d36c0915c3e7d40b708350432f85f34029e90fd9ee75310677cdd62953e1a054

SHA512
316f53cd50d71b68f6ec5d9f26fdfdc7a6a82604f18ecaf6f2769e32a1a1df6e954dbda131c259429638809b3f2fd62a63351cd5c0e1610339e301589ddd9c84

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
2c5789cd32269da0f690d941f668bf26

SHA1
f30136503eee7afcecd210ffb9661183784a0bb0

SHA256
d0067e4644b0f6b43f19c19b83518e76688dee55473bc0baaacfaf3c85401e79

SHA512
8cc9a21b388e061022d83a15f6774e68a722c67019fc12e53988f526e674678ee42b24419670ed826a783e9e2d40a181a1d3d1483caa66694e16621ab11466d8

Download Submit
C:\Windows\System32\alg.exe
Filesize
644KB

MD5
2b0ba651892e396bc7645c6fd17801c4

SHA1
c6629ba939550d7a7323b986722acc8e76c2eec7

SHA256
708ee22f46ba6c0d6d8a1ea3767a78b6fa26df12f9a61217ca657ae35de16fad

SHA512
42487679855283be4adfdc6d93f7898760ea8dbfca86926bf59e745089365f2085696a65d4c5e4fc356f690e795bb11a85f9eda1bb6f83e0fbf5847da3cc4c69

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
7161582379a863c668652ffea86f7658

SHA1
450a58c51c6093c32c12cf409ca7fd1cf14b1d40

SHA256
e58a77da9f47c51a4e1576f464ddb8cc5503938cbf2a14e615c43d674023dab8

SHA512
4c0bb68ee1dd2ae90f2948c0b175eb118f55112ebf868b56953041aa5fcf81c0c843f7ec2a9e54e831371c2d884650009158436b0f8a112445aad392c2980cdd

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
b16dbde38d2030d1241a61206ba8b412

SHA1
a281f708013a7cd0cbad0c0515ff7439eb305850

SHA256
630417f7054d2124b5301319b5ed24aed2be3c81cfb371be92a9078b28f31d15

SHA512
f09a1c5f5e564fc44bcff7454a4bcb9731289d159634c096d2f3808045627899fa1fb322fd1c9fac00b0ba54b6d2f04954db4e8022cfda856f19910309a9e772

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
eb68bcf3c43306507fe3618188227ef9

SHA1
98717940c9e2beed15e55d653756f087508dabf9

SHA256
87f63f739da3fefb12504212886a972eaaf9158a0fef5d841bb5493517183c15

SHA512
d52f90ac115fa725868c11dc37279ce629e6784718a7e82d1cf3a5ebc8065b046ed88cb558d64c6256407ee30c39b3f4966cd963e268369cb78a95ae3a0c88c9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
067e697f1252a24b32d87d6e9211c5e1

SHA1
2979f734d59d9dd6994df2ac8f165fc602a3dcbc

SHA256
27a760a2f3f8850aa18805823e8440e831645e10ac1698c678f6a6b279a4d52f

SHA512
dcafbcefce257156d84be4899d6d68650893f21669c98de360ab830b1eeb14ac4965ae29993defb18d78d3dd53323cd7f808a1a5e925c9dfc2adcb5ad471633b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
811a18d00b66743ccc170d5cf30d2064

SHA1
40275fab0958af5962aa393cebabf3a0e7795513

SHA256
2a1f5967463fccaa5b62a8fdd442f91c55476f973243cfd52a37715e271e4aff

SHA512
d0fc9178b760d7a546ec45b8d6816d6d06986065be5d0d5b951cc7fe5320866ccbf7594ff2ce08a6eaff47668f6bd2384fa3a25c54b9af8fad05f2f6caf77b3b

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
9fe9d05d83464a041bd2a0f1f1e4d444

SHA1
f5b8b72f1351a1f665ea58cb8000857475c330d9

SHA256
1041460f642f41ac23fc5a252bdc340bbf2739f65a23505f05138b8a6d735cdd

SHA512
8541045ef5394abdc3e8fc07f873982e2c692f4ecb9253c8ff989833e18713e3251fe4546db6ac9dc15743028a4ec34d56150266fcf06ff71dcf95c42d2808cf

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
9490dfa178a14ac288b22180e85f10e9

SHA1
bd5cf1883342fcfabe2dd8f563a8ae0ff308216a

SHA256
e8fd2ecd42c66768b24da476ee7639e6627026bcde18d6a6fce51b1640c064e3

SHA512
0b23f5d95f53c343d52868f78707f2bcc0fa1e9fbdb57aca0df6ee888274e390ac5232d2a95b5d178901db962145fb799323e34bc118cfa0941c8c3ad7402305

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
d44c388db5518474fff18fa989b62eeb

SHA1
26d53afbbe368d850b1d45f08bb9dc951d727a57

SHA256
80bc8198f6589a3be6080ca8d5872fef75c6744d71100c39a0656d62ef6a2bef

SHA512
b65e8edf70100616cea94ea0e6a0d374dbc603c141d68caa24c6c50ef253caa57cecf06287646810ead2c726dbdeae00a7d799e138095f5a9d22e45e9877fd40

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
e1a9d62bd911fa2386ab2d723279388f

SHA1
0b6c2eaafe98c71c85f0f02e2ba0d25668d14147

SHA256
01d95d47c58a503c683072f23f889dafa59ba3ce0072713fff56b421ec6c0efb

SHA512
110560b681c9e84b4a2ca23bc79a7a4cfaf94388877c434f909aeaa6c451c92e79f44357ca0b742cb888c221e3659d86dbf8f11c26ddae26dfe899087854f077

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
8dd1eea688285c8a946654e581a7f104

SHA1
5df60b1ef6f9e69c4746b823f51c807f85dc3397

SHA256
095c1d6a64bd067c42490b913d5d14bd41ff011cf8e3fedb0eec6d5b3ff606a7

SHA512
59c75fe97279679f7180515b74e06f3ed46a06b4ca9ee0bcd4a56b0164e0c9988bc9e02ba084ebb10b281988e7955aba326e0906ad3ef2d292ee4860d0b02b9d

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
476e5605d01781ec8bed70f1e29f80bd

SHA1
312fc85074231cc46c46ffaec2acc7e3e2f86163

SHA256
dfa7c0eb21cde5405c37b37dd36080a78d1a3e075fe529b9e8dc6513ea4248f1

SHA512
6b77e555ec7d7137785c2c0a010d3f9f506924499e4f04af426bd827b769ea8b77012df1b4d2e880731862403c4e7a252a82321248a1e409406875a83d75d1a6

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
6e8363b679aee5b6ab16efe61e22f9a3

SHA1
28f59c85736ed21b381301d2ccd90b337b2a7a98

SHA256
d8aa2982d5de81ee7438b8e8b2edd14c4f39ffc0ae5d980726d4efeeca1144a1

SHA512
b23b97ee9d0879c4807fb84a68f6d74f6dda9b945a75b21d571f472ea0d108b348d5c0f67f18a8dfb57983816c0a5640ecfb865e93c8776d9234c374ed4b7a5d

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
94566d30cc9af24db626188a17eb6d84

SHA1
ead1762297bbeaf03b47c7b2f51c91a068545333

SHA256
e2a2dfc329cbd71c2392d215ba26244985401e80341f6b4eff0552389bbccbd4

SHA512
527f7d6e95d699638980c5a90f1ec6bdf2fc03d89fa6b2457ce216be829627f8c354b27c649e6a0532f22d4695fc46819a140c79769daabe541cacdf4e2f606e

Download Submit
memory/564-136-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/564-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/564-67-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/564-68-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/884-289-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/884-299-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/972-109-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/972-102-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/972-521-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/972-85-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/972-367-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/972-104-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/972-86-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/972-92-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1288-127-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1288-134-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1288-129-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1344-250-0x0000000000340000-0x00000000003A0000-memory.dmp

Filesize
384KB

Download
memory/1344-248-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1344-340-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-346-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1476-179-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1476-177-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1484-322-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/1484-321-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1528-320-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1548-507-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1548-246-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1588-355-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1596-308-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1596-316-0x0000000000510000-0x00000000005C2000-memory.dmp

Filesize
712KB

Download
memory/1808-358-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1968-353-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1996-331-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1996-334-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2156-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2156-523-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2156-524-0x00000000723F0000-0x0000000072ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-195-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-123-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2180-115-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2180-116-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2240-49-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2240-55-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2240-48-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-124-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2284-376-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2284-363-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2324-196-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/2324-504-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/2324-380-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/2324-371-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-244-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-0-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2508-76-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2508-6-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2508-7-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2508-1-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2568-328-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2568-418-0x0000000073CD8000-0x0000000073CED000-memory.dmp

Filesize
84KB

Download
memory/2572-336-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2600-62-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2600-27-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2600-21-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2600-20-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2640-100-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2640-108-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2640-99-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2640-511-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2644-38-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2644-60-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2652-359-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2652-361-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2652-365-0x000007FEEF190000-0x000007FEEF2B8000-memory.dmp

Filesize
1.2MB

Download
memory/2652-364-0x000007FEEF300000-0x000007FEEF39E000-memory.dmp

Filesize
632KB

Download
memory/2800-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2800-98-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2812-93-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2812-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3068-335-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download