Analysis
-
max time kernel
87s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
25-01-2024 16:03
Static task
static1
Behavioral task
behavioral1
Sample
2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
Resource
win7-20231215-en
General
-
Target
2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
-
Size
1.2MB
-
MD5
9c570d450016d56e5a1bdda735539075
-
SHA1
f369d3186cb38ad6472da7b14e814100356020d1
-
SHA256
2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a
-
SHA512
b567f8b216c5bdfd312b833756c29657e49d5a890bb726d4cd37120a8757c9ecbbadc203d60070470e27810b41b7bad2ac8033c1cf960aa66a275c8cc10930e0
-
SSDEEP
24576:JTN9gj3Htgtozpyj4mIexbUSAL2mZ7mzAWbeIYVgOBvWi:JYHyELexbUSCfmzz9YVgY
Malware Config
Signatures
-
Executes dropped EXE 51 IoCs
Processes:
pid | process
476 |
2628 | alg.exe
2844 | aspnet_state.exe
2764 | mscorsvw.exe
2256 | mscorsvw.exe
2900 | mscorsvw.exe
352 | mscorsvw.exe
2792 | ehRecvr.exe
2560 | ehsched.exe
584 | elevation_service.exe
1180 | IEEtwCollector.exe
796 | GROOVE.EXE
1060 | maintenanceservice.exe
1916 | msdtc.exe
2664 | msiexec.exe
2672 | dllhost.exe
2764 | mscorsvw.exe
1600 | OSPPSVC.EXE
2052 | mscorsvw.exe
3064 | mscorsvw.exe
1784 | mscorsvw.exe
2388 | mscorsvw.exe
1972 | mscorsvw.exe
2380 | mscorsvw.exe
1396 | mscorsvw.exe
2072 | mscorsvw.exe
2304 | mscorsvw.exe
1584 | mscorsvw.exe
2188 | mscorsvw.exe
2992 | mscorsvw.exe
2520 | mscorsvw.exe
1716 | mscorsvw.exe
2804 | mscorsvw.exe
2104 | mscorsvw.exe
2776 | mscorsvw.exe
2856 | mscorsvw.exe
888 | mscorsvw.exe
1628 | mscorsvw.exe
1996 | mscorsvw.exe
2392 | mscorsvw.exe
2352 | mscorsvw.exe
1260 | mscorsvw.exe
2152 | perfhost.exe
1584 | locator.exe
2708 | snmptrap.exe
844 | vds.exe
1284 | vssvc.exe
2448 | wbengine.exe
748 | WmiApSrv.exe
1828 | wmpnetwk.exe
668 | SearchIndexer.exe
-
Loads dropped DLL 15 IoCs
Processes:
pid | process
476 |
476 |
476 |
476 |
476 |
476 |
476 |
2664 | msiexec.exe
476 |
476 |
476 |
476 |
476 |
476 |
760 |
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 21 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\fxssvc.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5049454ce738cb9d.bin | alg.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\msdtc.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | aspnet_state.exe
-
Drops file in Windows directory 37 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5079FD4B-1D2C-478A-9FBC-59794A4624A4}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5079FD4B-1D2C-478A-9FBC-59794A4624A4}.crmlog | dllhost.exe
-
Modifies data under HKEY_USERS 30 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 | OSPPSVC.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
1652 | ehRec.exe
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 2080 | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
Token: SeShutdownPrivilege | 2900 | mscorsvw.exe
Token: SeShutdownPrivilege | 352 | mscorsvw.exe
Token: 33 | 768 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 768 | EhTray.exe
Token: SeDebugPrivilege | 1652 | ehRec.exe
Token: SeShutdownPrivilege | 2900 | mscorsvw.exe
Token: 33 | 768 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 768 | EhTray.exe
Token: SeShutdownPrivilege | 352 | mscorsvw.exe
Token: SeRestorePrivilege | 2664 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2664 | msiexec.exe
Token: SeSecurityPrivilege | 2664 | msiexec.exe
Token: SeShutdownPrivilege | 2900 | mscorsvw.exe
Token: SeShutdownPrivilege | 2900 | mscorsvw.exe
Token: SeShutdownPrivilege | 352 | mscorsvw.exe
Token: SeShutdownPrivilege | 352 | mscorsvw.exe
Token: SeDebugPrivilege | 2628 | alg.exe
Token: SeShutdownPrivilege | 2900 | mscorsvw.exe
Token: SeShutdownPrivilege | 352 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 2844 | aspnet_state.exe
Token: SeBackupPrivilege | 1284 | vssvc.exe
Token: SeRestorePrivilege | 1284 | vssvc.exe
Token: SeAuditPrivilege | 1284 | vssvc.exe
Token: SeBackupPrivilege | 2448 | wbengine.exe
Token: SeRestorePrivilege | 2448 | wbengine.exe
Token: SeSecurityPrivilege | 2448 | wbengine.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
768 | EhTray.exe
768 | EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
768 | EhTray.exe
768 | EhTray.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2900 wrote to memory of 2764 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2764 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2764 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2764 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2052 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2052 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2052 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2052 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 3064 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 3064 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 3064 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 3064 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1784 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1784 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1784 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1784 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2388 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2388 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2388 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2388 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1972 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1972 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1972 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1972 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2380 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2380 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2380 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2380 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1396 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1396 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1396 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1396 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2072 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2072 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2072 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2072 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2304 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2304 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2304 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2304 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1584 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1584 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1584 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1584 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2188 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2188 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2188 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2188 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2992 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2992 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2992 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2992 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2520 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2520 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2520 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2520 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1716 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1716 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1716 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 1716 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2804 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2804 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2804 | 2900 | mscorsvw.exe | mscorsvw.exe
PID 2900 wrote to memory of 2804 | 2900 | mscorsvw.exe | mscorsvw.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
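Added triage example (mine, not part of the sandbox report and not the vendor's tooling). Two of the tables above read together say more than either alone: every "Executes dropped EXE" entry is a Windows service or Program Files binary at its original path, and those same paths appear under "Drops file in ..." as "opened for modification", first by the sample, then by alg.exe and aspnet_state.exe once they had run. That pattern is consistent with binaries being patched in place rather than new files being dropped, and the SeTakeOwnershipPrivilege the sample enables (PID 2080 under AdjustPrivilegeToken) is the privilege an administrator needs to overwrite TrustedInstaller-owned files in System32. The script below takes a hand-copied subset of the report's rows (constructed here, abbreviated; function names such as overwritten_then_executed are mine) and cross-references them: which "dropped" executables were pre-existing binaries modified before they ran, how many hops each modification sits from the sample, and which writes are not executables at all (the only candidates for a genuinely new artifact, here the .bin under the system profile).

```python
"""Cross-reference a sandbox report's file-write rows with its executed-process
rows to separate in-place modification of existing binaries from real drops."""
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe"

# Constructed subset of the report's "Drops file in ..." rows: (description, path, process)
FILE_EVENTS = [
    ("File opened for modification", r"C:\Windows\system32\fxssvc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\System32\alg.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\System32\msdtc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\msiexec.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\ehome\ehsched.exe", SAMPLE),
    ("File opened for modification",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\dllhost.exe", "alg.exe"),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\firefox.exe", "alg.exe"),
    ("File opened for modification",
     r"C:\Windows\system32\config\systemprofile\AppData\Roaming\5049454ce738cb9d.bin", "alg.exe"),
    ("File opened for modification", r"C:\Windows\System32\vds.exe", "aspnet_state.exe"),
    ("File opened for modification", r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
    ("File created",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat", "mscorsvw.exe"),
]

# Constructed subset of the report's "Executes dropped EXE" rows: (pid, image name)
EXECUTED = [(2628, "alg.exe"), (2844, "aspnet_state.exe"), (1916, "msdtc.exe"),
            (2664, "msiexec.exe"), (2672, "dllhost.exe"), (2560, "ehsched.exe"),
            (844, "vds.exe")]


def image_name(path):
    """Case-folded file name of a Windows path (the report mixes System32/system32)."""
    return PureWindowsPath(path).name.lower()


def overwritten_then_executed(file_events, executed):
    """Map image name -> processes that opened it for modification, for every
    executable that also appears in the executed list. A hit means the
    'dropped' EXE is a pre-existing binary modified in place before it ran."""
    ran = {name.lower() for _, name in executed}
    hits = defaultdict(list)
    for desc, path, proc in file_events:
        name = image_name(path)
        if desc == "File opened for modification" and name.endswith(".exe") and name in ran:
            hits[name].append(proc)
    return dict(hits)


def modification_generations(file_events, sample):
    """Breadth-first walk over 'which process modified which executable'.
    Generation 0 is the sample; an executable modified by a generation-n
    process is generation n+1. Returns {image name: generation}."""
    targets_of = defaultdict(set)
    for desc, path, proc in file_events:
        name = image_name(path)
        if desc == "File opened for modification" and name.endswith(".exe"):
            targets_of[proc.lower()].add(name)
    generation = {sample.lower(): 0}
    frontier = [sample.lower()]
    while frontier:
        next_frontier = []
        for proc in frontier:
            for target in targets_of.get(proc, ()):
                if target not in generation:
                    generation[target] = generation[proc] + 1
                    next_frontier.append(target)
        frontier = next_frontier
    return generation


def non_executable_writes(file_events):
    """Paths touched that are not executables: where a genuinely new artifact
    (as opposed to a patched binary) would have to live."""
    return sorted(p for _, p, _ in file_events if not image_name(p).endswith(".exe"))


if __name__ == "__main__":
    for name, modifiers in sorted(overwritten_then_executed(FILE_EVENTS, EXECUTED).items()):
        print(f"{name:<20} modified by {', '.join(modifiers)} before it ran")
    gens = modification_generations(FILE_EVENTS, SAMPLE)
    for name, gen in sorted(gens.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"generation {gen}: {name}")
    print("non-executable writes:", *non_executable_writes(FILE_EVENTS), sep="\n  ")
```

A sandbox "opened for modification" row records a handle opened with write access, not proof that bytes changed; on a host suspected of the same behaviour, confirm by checking the Authenticode signature of each listed binary (Get-AuthenticodeSignature in PowerShell) or its hash against a clean install before treating it as infected. Second-generation targets (dllhost.exe, firefox.exe, vds.exe here) are the ones a first pass that only looks at the sample's own writes would miss.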
Processes
-
C:\Users\Admin\AppData\Local\Temp\2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2792
-
C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:2560
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:352
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b4 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2352
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1260
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2764
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2052
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:3064
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1784
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2388
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1972
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2380
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1396
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2072
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1ec -NGENProcess 1d0 -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2304
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1584
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 1d0 -Pipe 264 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2188
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2992
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 1d0 -Pipe 284 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2520
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 1d0 -Pipe 1ec -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1716
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 298 -Pipe 1d4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2804
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 1d0 -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2104
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2776
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2856
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 280 -NGENProcess 288 -Pipe 1d0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:888
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1628
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a4 -NGENProcess 2b0 -Pipe 280 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1996
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2392
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2256
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PID:2764
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:768
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:584
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1180
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:796
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1060
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1916
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2672
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1600
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2152
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1584
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2708
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:844
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:748
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
PID:1828
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
PID:668 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:1920
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 5922⤵PID:2932
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /D /T1⤵PID:2144
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Filesize 195KB
  MD5 ead79064e73fddb3e349b81b0591f5f8
  SHA1 bec33282c50572d675c2eea990acc7289b54be81
  SHA256 a25cbb88c3512e53e8721a5c6f24da96339f0f3667835fa1a70e6822af3ab96e
  SHA512 b8955bbb52b9cb0db2a55efa773487ff8de6ef1fc86f2b14aaa2b2df539bf80ce85c8214d9baf3cbf2aa925a3867ad861af546cc61a761652a6f756746a1dfa2
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  Filesize 72KB
  MD5 7228ffc7a196e8f8a4bb0b49265bc9f1
  SHA1 87196a3142a79620bd491bb4537db4eaf1ec5556
  SHA256 f58fd73470370fcc9fbb646259faf8821f30d748766851bd5e00a8ac7d7316ab
  SHA512 54103999cc8be7c0c06cd0149813280953c94c8f736a0d318d1e6a6bd40428832cd0bd38f901de62143b071d223eca75bd48556d42ccaaf0e0649a2bd8840e5b
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Filesize 13KB
  MD5 e3bb63dd08ff75446ff136eb667485b4
  SHA1 5b3dbf050312714c2f1c8808feb5e0e5a03cebe0
  SHA256 6ecb64a7523a052af91279b74bc8cb5df53fcfd05bfbba58ebcb9269ba6794c3
  SHA512 9ac7da4094c394ee972dc61fb20165704ab7a90dbe7c2af1190d09b88c9e0e25602b8e31bb125aab718d3767857c0d2eee34b04b0d73157f0dc6c4e2f02cd86d
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Filesize 167KB
  MD5 bccee9b56eedc8aad9fea3483c65ad08
  SHA1 5dbd1b9e061428cb71dce74fc3604cadc9537068
  SHA256 055ff7e2e5280ce22b4a9de3ba16600792e56ffded4f85acd47354681f4c8cda
  SHA512 bbec2d583019a8a6136dab9cf9022888721ca3defbb1009382a6a41e9c1cf49f0666d4ba56967c7009ebba7b26d04dcb243a6fb513bf09a0233e114ccd38fe7e
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  Filesize 90KB
  MD5 c35eb6e975497093ec74ffc17c201c14
  SHA1 dbb7674392311c0e363c62f323da754daf4136b2
  SHA256 2c92c980a5be4d82d215844abbf3a652e545d34092746d65c3e4a752e0ccbc9f
  SHA512 3e410d17855bde7ffbe71d23224621c9993498fe537221da300804874bac59698f8346b7fba6fcf3811947a62fd40e608c2880a3f8880fccb8df49e5ec8154e1
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Filesize 13KB
  MD5 5ff6ebdb0894b88c1d73f6fe896f34e6
  SHA1 13a10cf37d930a891b89d3e19f4a888a8d7e9962
  SHA256 f92f96d035b99f2a20ff45b3803f2fa1fa7078a0f674fb390524739faaba2335
  SHA512 a3336038435f2d703db9c55241e025b2b5dd9376ee42ff87e3466ea31dac1ccba82947d5413e1313d34023daf2abe60dadcd8f1559fdc383e2b9b93bccbaa67b
- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
  Filesize 1024KB
  MD5 d01341e6f06714422dca5d0157a6ca4b
  SHA1 315fa39c946cf62227a950fb60a0b08125270b66
  SHA256 514cbcd2e5fb361a201d81f5484843a3012f813b955e354a7f446ceff74fd16f
  SHA512 ebf771c62952ace269714f547a0c0365dd5cc020d534870ad12d7295187d810dd192cfbdacf4de1f00960567448a46a0286e66a69da6fad1db65ee902cdbf185
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
  Filesize 24B
  MD5 b9bd716de6739e51c620f2086f9c31e4
  SHA1 9733d94607a3cba277e567af584510edd9febf62
  SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
  SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  Filesize 322KB
  MD5 fcf44a28824e793dd2f33d0f1d205b3e
  SHA1 6bce9c0ed39b66bf3d0ec069b273e459880fd0c3
  SHA256 d68fe21b8e12abd16217a8a5b941573c5e4376805c37196df2e404a3a7160351
  SHA512 bc1e086a6f97dd76a1894ef10bd829522e62a0c393afc4fed2e4717a87d054e281c525ac5b790c7da345cbc8cc6f46d6aff28bf37f2fe77d65ef9b61300b213a
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  Filesize 284KB
  MD5 42d31a47e4a23d970da4c37cd29a6a92
  SHA1 9c0ae521c480d5c8a76e4b00eb09d84ee71ef4a9
  SHA256 3599f28a92926b6e5e653efb8e36bbec2cfce85b84e745deea8317ceaac16714
  SHA512 470ba5e71d17970c1b546e3df17867ce5cc2de130c9952e7d61cc05315168bcb97d81fbdb2bf56fa63012367d9968046d63ef8ee95d67cd2dd4e2314bb2b3ba8
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
  Filesize 370KB
  MD5 e9a652ee32d1fe0ce1baa3de0ebe2c50
  SHA1 9266ef0585da810d1bce461c7e30414271c75db1
  SHA256 731ff509521562f08cdc0e678f5bd30235e84db69de9fbdc2b728dd6636a5147
  SHA512 fb315e33b3a54497f57e5e148a198fd4626db5ba581b32e74531917744fc5a53f2ea7b38cb413130d99987c63f0cb9145fd41b7b53eec0ca6d3130b48931ba99
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  Filesize 120KB
  MD5 98711ca65ac397cc10c50c3a15fffa90
  SHA1 4c511201a83325e4bd765d015b42661142416335
  SHA256 ef4bab8bf4ae45b943adb0c4d9c2ea7fd274270463ff8dd76840e8b93fe0d407
  SHA512 f6c69bb83a889c9a2744544fcbd1cf3baf4dfc2414d411bb67de574137ccbfb30dc4af3cd7b66eb1c0fa91f26df18ce71c2c781ed7b39ab3d8d483cd6ef31ed6
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Filesize 84KB
  MD5 0cdadb31c08250029fccfe7d208c820e
  SHA1 867ed5bf80790e39b1895e10386b3fec3ea9bb81
  SHA256 b88a9ce1fec39410d6458a86a984aeb8676a8430d6b1cc4fde556537070aa36e
  SHA512 9f7e4cea3387f662a0c113da6a42cefbadda98d061479329bed8e527ff3ffe011e781c391c5378264dba17c9f6b328638ee854e10090dba0e3e346c9f4432ca0
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Filesize 600KB
  MD5 71f2b140095015b32d8953f80307cda1
  SHA1 d2b3f457bf925c1f7bc48a5a239515dd1c34538e
  SHA256 d8e345943673e2c1737a8566aa2617d172e5afd088dea73b8c4b7f24ca23285b
  SHA512 69b97d76da5a85d0fe1380a7f000c6d62d499ab23e3e1817277a70642c5c0e2d7f46b70bef920cde5b073b35317c33710c1e900a14083a1f7c0b20e0a3ca7778
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Filesize 212KB
  MD5 2f4582e3c40f6518cf0e7dce699f81c9
  SHA1 4de09ec02b650b218c9aad31fc81b188f2ddf62e
  SHA256 bb0d1d8ba42944938e3499144d1849d0c27c46b4706e8f7fedf73b0978aa93ba
  SHA512 3d1f027fda26c303f0a15489625bbbf4d8a6df96d2d1d4e3ece852360df66ae76598d9ced1715c9abc33dd74d4ada7a4ca3f2bda454782b3820dde07a236f0ca
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Filesize 311KB
  MD5 104a6f4488abe10db8fda0eb4622e9e5
  SHA1 0f7cfe9f73499c7864a940020a9ecced86762fdb
  SHA256 72955d6861bb991d6113726a15884794f27fd70b0ca23d78f60d9991fc401099
  SHA512 1fe3038e4892c4d2149e7453a7443106f6143e16708ffe029d573f061b2a14bf30e0e64413516b9440ac4c3b17144f5a15774e2951d282a0c424b698cb6cebf7
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Filesize 280KB
  MD5 8baedf51e9f9a98b6b349b16d754c041
  SHA1 93d45443b38ee0c84dd771a3b117018467a934b6
  SHA256 bd337ce62a285fbf8fac47d9939be67d6a819edf2b302bbb64f1a09710c1449e
  SHA512 794c277d57698780ac29b8dd69afcb900acc05a0203775fb2fb527e54fa28f3a6666784540f2e458609ad775bdc4cd6228e367d9f27cdf824bc86e5cffbfc292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Filesize 122KB
  MD5 3c1bc4564f77d4b24f616e84ac4dd758
  SHA1 a6aa5e205f2850d058e3f591b3a12464a8cb7e62
  SHA256 0295da34082a89fbfafe5d8155d744e92602d64b568ba6d30048125ea39076e7
  SHA512 22d5b53311aa5d3906906a1cdd41418225c28b3ef8396b27eeb60441e755abf8b744dfe1d7a2a169ccd2722fb137c51946f9774a85418d15da2e0680d2b33597
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
  Filesize 157KB
  MD5 f0cc06632b77db443f1d10e0e48a5e1f
  SHA1 81cbb8f58b3557a948bc39f51478cca7a416b7b0
  SHA256 7a472c89436aa62f0147a01fe29246fc0aac916553e247e346ec199fc1bdb5a1
  SHA512 dc9e64fe0ddc0ac80dece485effa49615d6ccf72977dbf2497eea5e0f35ecb9a8567fd5b6fb4094a45b7a297c10ecdfabbbe4e5052334e11590498e6b4f06ab1
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 88KB
  MD5 f608ece88444659349ad981a029c31aa
  SHA1 130f66b9aca3e33b1f901dc46ce1b8004491b294
  SHA256 4a2eeff1ad5f49b3dd798e3771fa3bad97544cfa4ef6ff2eb7055cec31d04533
  SHA512 5f64e0941a9aca6da30712193e3f31e387ef7f9f6ebb111b77bb6450e0304ee6b2878ca58dd9b5a9073613bf53cf254d9e9edec804df27faad72be9188a0c730
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 63KB
  MD5 51ac631d296d8064e7dc63a61fd888d3
  SHA1 059830b2cb6b585ccee2e432bc3b1b79686a4a40
  SHA256 7a74e22a070284ec6fffa8b54403b5962ac093016ac726a56004d0f4ed833762
  SHA512 bdcb946ea074914d912bd76b5f708e37bfc2cdc557c7674a447ed4e2bcd86a0e17d357a17896f1a1760520f795fa8a8ad82cc5d172b3b5f527817aa48d8c83e0
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 35KB
  MD5 edebcc0ef7cdd81b530e0e9cc61e0959
  SHA1 07eb170da49a7b2aac182b209917fe39ad815237
  SHA256 0b813ead9f569cedacde092e06dc78001b2c364076316829a525b03f5d64ee1c
  SHA512 8abaef76bdd97b3b3d80108940c2b2c030bd5e04a025db196cdcbd6a804acf9a1f54fbf405b38007a6568cecdee6dd0f8352dfdc7012c67c0aa440a6d8c5df0d
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 143KB
  MD5 38eac42c180c7f5ae3a06941127f4c37
  SHA1 a0b23baefead21007ba7f7e92a9a9556df4bc0e7
  SHA256 c6381daf895a5e8c17e7500d8e41b6c5f2d55753ac0b44428cbd63227381789c
  SHA512 818fc6d97dc30242810d028cc3bbbce9e69c543db81d9e1ec0e7d3546d76ac8222c054ce78e5a3eb55dadce2912c4cd120ab8d6b16930ef53a685d463e846ec6
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 136KB
  MD5 edd7266ef565cae5be58db1f3c89cd37
  SHA1 258c7df27c2d548c1455f09587eb36e978826f74
  SHA256 9f2bfd7bb751455eb93b1a150b6c4744049535da3122d45d0182b18942f21c6a
  SHA512 36090ff241831fbf3c26605736c992b2a5700cd37425851640cd95f7e619f32d9b96d0426e02bc83795314a2d833f002ef5582b6b85f79acb0b32868ad60bd1f
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 349KB
  MD5 d263dbec16b32251b0166a4184a0cdc6
  SHA1 421bf75564c812fc1023a7ef105be8147654864a
  SHA256 43600b18c0edb5e61263e5dbeb7983ee135473055b549f8cbd5508da6a2e66bc
  SHA512 b3e293e1f6b271c540bb87454884b2b95705d9daad562e5c65d0305ba295781ba7696330fcf87773ea68683b354a66f8655b845ec4557540888430dbe8d7badb
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 268KB
  MD5 fc2665a64fa4a542c5afa98e12bec5b0
  SHA1 3ec762e5ca28e7167f03c04e78b1a891dd743e1c
  SHA256 4ea94d6bae76c1573e416e8ef0313bf120f0f2553ba4690f08e04eff2a925211
  SHA512 2a7ccf8ca8356ad37a2be0f2ae3302b5056687c530ac26173e841b97f1aebdc55480be5e837e25935e3d43bbff3793636e47ff62407a3f74a79a1dfe915618e2
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 153KB
  MD5 82dbaa3860b15fe3d9faf83ba48172af
  SHA1 fa72fe96f7503e954076ab46572230c3ee60d5e8
  SHA256 62590e7e6a872ea97a2b25a2d2d9a6e3f79e1bdfd232d2c678c641c86dce8846
  SHA512 a10cc624c0c70541ed8733b836873a1201a67970b74195247c1b732749e7129d11236949f71417a71cac8d1f12f85d6634bd13a099a50bb0eb142642e3ceea4a
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 102KB
  MD5 8331ed58886274ffe9e52179cdc2a8d9
  SHA1 6a6534057b5d44ab23f3d73481eac986fcfd8528
  SHA256 e8517ee0ed1da6a97f67c4064f99619cc046161c704167e71346796e42df39d5
  SHA512 ca6af15fb4feb967a38fe5e29489b10b80f53eaf2a0659195c3ed86f592e3d4641053d73a155a43285bd3eed7501f409b1cfbc929b1dcb48614c1ca927dc308c
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 617KB
  MD5 c1d3dc9862e19c4bd170d3bcc48b3824
  SHA1 bc570452f96340a508b5e167aee8c482a752ee26
  SHA256 c378779973eeb1de903bc1d960669a054e767ce528c49c7866ab5f2329642329
  SHA512 567a97ecdf6f45ea8af29c701366441ba51ecc059f451ce9702d316af374cb588631fd10acfa27b172abe193d080f9d86df9cbff96eec1e5207ecc5bd0780c6b
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 327KB
  MD5 3973160d3c96d05d79a37cdf0368c19c
  SHA1 175df7a14b44f7b4da22c629f361c4564988b32b
  SHA256 b5aca0c7893dfb77e0771a18e188291489b40080af209ff0f8ac14326cffc1ba
  SHA512 5cacf0a82062f8452f0e22e486b6397dd1f15c488c9cc77c1a5cc5580e4cf778ed39c7c7d36ee960db46cb8df4a020f8c68271e91eb893a4c27c36eb0a92e0e7
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 77KB
  MD5 9c0cdedceda7a5040061cdc34ccdd467
  SHA1 5bd1b5c799c70d9d9589e95bbe1e925964a66241
  SHA256 ba8d9a38cd4c84e87bc74a549fb95148535c91a4b5021b4abc93bdfdf8bc37a0
  SHA512 7a21ae135291e9c62e1800c088ac753b7c35da772317a43e86186c2b8b36e83dd1cd71be130477bbfd72dff40906002b8e5ddc969b034c755abfb3e6aa336d37
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 472KB
  MD5 3a66328de22ce7cc34587786a5e3f3b0
  SHA1 965e33bbd9db92df26fc8c0b644c84f4377c9562
  SHA256 0acdb6ba36c69f5d32d61b3b361cbe54a509bb3957334a6872373fb6acfa02fe
  SHA512 55687a9675cce28d3ce98567a012606c9aea58cc82ba5247023a2dcf84f971946d65640ea02ea365cfd9e011413e2878e34691f16165fbd9714eded116f5d858
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 576KB
  MD5 eb2b5e10f286c51f79d6c7eafef05a1a
  SHA1 6234a1910980d9f4f49887e37ef919cf569ba617
  SHA256 3d879e02bc0daa8f1e59c684cb28ac35ad1de7d8b4ca6c2645e6283a80aaca90
  SHA512 5e52a8c0f2509f8b220997bd22d4bd79fbf87a4a5ada7ff395d412de73fc2a1cf33bf69fd350c2015684fe94b77a976f1697c2ff77113b82315c7f8b9ee5fc58
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 45KB
  MD5 55c335055461d63da47bf1a980ecdc5c
  SHA1 284f1c34ef76601b9910c9dc4531ff7aa46c5367
  SHA256 7634abcdeeddb91a84ee5b97aa02e8b8373687584762411777653814c87ee394
  SHA512 a8e5cc954ec3d588520908fa61e653c1e00de374de8a8e609eb560e5fda2c5cac2cb7224f03249fed77a429946f2394e8681178fec15ffbfd770700bd117f808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 285KB
  MD5 a3d807c83e09221366e30eba24fcd2dd
  SHA1 e8fdd6ef945b0bfb2caf120ebfff30b05e6acab0
  SHA256 a60ab40d3010003fb6179e83ea69780982525d91d3a7e1c189c8abe67f37d608
  SHA512 7751852f8487255bddd4014a6f09626f57d5be58232ac9e0d8f689e5e0c87163d8e67f93100135d0e775e660040814a605bd60bcc4bb5c63f71fb814e6f32475
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 210KB
  MD5 d2d730ff7a6b62d439e9abb7edbdd365
  SHA1 a0569ab40a6f3301466b5a316bf86d694755488e
  SHA256 a0d93eaf091ec60f6b80a6865231f2489408e0bfbd5f3f145816cf33c5e0131a
  SHA512 a76c645673d3c4271d2bdca22a7c1c8a6f7fc5badee54654ed3af0d80614a58064623d40ca6a6460741d1caa5f1d3fa19b7e478fd40a11f56a93be472bc4a7bd
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 256KB
  MD5 420a867f6d317487fbf51023e7d9eaca
  SHA1 30a92f8beb9322601ed0acfb96ad78321043faee
  SHA256 a5f43229ce426616f531e1e48863a1af8b2838966a3e6ad731fb026fd38eee04
  SHA512 52fc46b4558ee39dc0c6dd99931e996e161dd8db1609078790e87fc0abfc2445833dc3b82bdf5c7d9f8057f3e6ab880696a8316030ddba07e5894f47d24ffb98
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 109KB
  MD5 92e5ee396c1b63d96e1c45b0a045ce38
  SHA1 96a9241ba12080c1ecc6483e5b68551516c3ae00
  SHA256 72da6755de4fe735af3dae77d8c2c6eb89a1c0022d88618e7b1390ae5fd5c559
  SHA512 185a4f5933b049346df878bf73cbd95ca49839a24fab8b6ada1bdec93b5c08f9942be1d74e2f4f9ca31b78a529b9ced31ae50eb743f76f025f029ad30c0798c6
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 96KB
  MD5 79c6719919ad242a33114dd194ca6509
  SHA1 89e819614faa3da608d043197a1e7724abd69b09
  SHA256 748251e6ce23790268b2c80c17f1d0bde75fb9958e3efeaf35c651af09e16898
  SHA512 57087d6b653b41299a9baaab6c2c52c1789e06561474fe2ddb76de3fb3d9ebcb4c9bb7af654078a4f6e8b21755f8245e2ba56fe7ffea1e5230c0a121cef628c5
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 656KB
  MD5 5987f0254466c0636fd2bb8bddee91a2
  SHA1 037256f333e1347c2a95d515a0e61fbf67140831
  SHA256 657afc23e10490616cd64c9e951eaa9ec68b32c4c2ced1a340c4eae2a2d49504
  SHA512 3fe50836517b1f1452a3660d068c5d50725a50f2748ff3ecf59757f49af6206bbc2979cfbbae1c73b015953bf93410d1adc08f900f4ef13b6e5b451d07e5e730
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 176KB
  MD5 bb4621286e6f9c421da5d076a4faba41
  SHA1 66951e0f8708a6e9aa0e0d98b9aa07ac8167511a
  SHA256 e37506e5c834a135caa98c3c5dbc4bcef3b0f91435e8811975b6b52671f10be9
  SHA512 b3b9fc36fd93116dbf2182ec995ab11e79dd990fb0a9f3c5ea24ff030ec46ac03fa6c9cd70b0e07619833e110392a74e26af5f2489aff077f5c52486c252436a
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Filesize 128KB
  MD5 3b917f8cdbab9ac3e4ac1aa65343acff
  SHA1 40b0a0e97417f8fb36abf2eab2cdbfb153a22bf6
  SHA256 904e8544beb68062b5dc01ebc71b85b7c724daa79cc96459da2e39b28dd93820
  SHA512 844e3a901e1f30430dc1f645ce91cf9f9fdfcd22bf18a9117e46154f21d3ff448e0fdcbdf62a9ac168948808d9a6ae8d9f46b9f4ab2d3ff34528c5554d9e1180
- C:\Windows\SysWOW64\perfhost.exe
  Filesize 587KB
  MD5 b43b228b36371862bf9f23e52bfc288c
  SHA1 31839f8d25e2ad938fc258b71b31854cd2885a84
  SHA256 7f45d98dae7e2d5f239b1c17363dbb51555b544f467cf8e5ef2c1e9ed44f0311
  SHA512 ba22bc15177f98a2f491f7b13f25dd251bdc2fd484709b95cc4d1c449602e38bbc502920cc1339dc2698ced299ca235f04de11f1e67df0c096efb7edc6223ef8
- C:\Windows\System32\alg.exe
  Filesize 161KB
  MD5 e414224448a46accdd3e68a8f4ee64d9
  SHA1 b3fc2d9814b9c992b6c02255ba5e207197ff4e9c
  SHA256 74408cd412f0589758be2bbd4efbff3608aae9700e6f3cda8db1d53a33503858
  SHA512 ff391a438b868f2732e0b78aa4c8d83cea09b2212ec6c50a2d9e8a9ac51906f36eefa99ec25e0a476c25e913ffa756ba1c8d003725ba4d23296ff7870bce776c
- C:\Windows\System32\dllhost.exe
  Filesize 263KB
  MD5 477d8e169db45a24edd83b2b6ad77824
  SHA1 30e89e5b8c13f5634dd49dcb5d0bb09cac8abc23
  SHA256 70c892318becc45dc94a017d8c87a881647adbb20be44abe58d0cfeff2e6a8e3
  SHA512 5d297dd9eef51d2947efd5e625e03fffc1a70bc375e977fdc9760bbb4cf0ef376b9151a1b3fb2110536742faa177ea6fa7d954aebc583d189eec4d0e6a04090b
- C:\Windows\System32\ieetwcollector.exe
  Filesize 180KB
  MD5 87408c7c5d5a327ca2f016448c94f8e5
  SHA1 a642e9505ad37fe5e8af1c3e00834f28a3489256
  SHA256 3caf387b1c304b47302335a472d4d14d46ee356aeda74089dbbdc9588f901c75
  SHA512 4d712b0ac6bc8fac5899c1884d2578aad327d7fc256c955fa84aaaf62e6e2850330c933ea0656bfccd24c28cc61186a6e41a186c2a3207e9cbf46ea9c5c34583
- C:\Windows\System32\msdtc.exe
  Filesize 158KB
  MD5 a459a9f4ae49d15c547679d56e777f2d
  SHA1 f191128ca1ae5ece4f55cc4d231f504ffc538392
  SHA256 a805f5014951aa4c3b4fb104c8a873c7da492ef1092e1a9bb0035bb89ec834df
  SHA512 dd71c0bb788efb5d7ec40b0b012be5a7c2d1acc30cd86829613266d320ab6999d4f7d07e9c894e2377ef52b9d11ca7cd45229af8bf4f0f60e2be2f5d40848cba
- C:\Windows\System32\msiexec.exe
  Filesize 58KB
  MD5 4e0e6269ec414863112e631e8d794273
  SHA1 e6b8d77d437208efaf767398a86a247a701bfe5e
  SHA256 73d17381b8c2898c76b040906019e54844b65a48b62f3b74fa85d0112ffe5d1a
  SHA512 9acd1d2f8a3325a45238e1def853115988107ba83fae480b327c6bde6ddd8a632e3ffa0992164a5ac8ee35bad1fd7dcf2ffa0bf4fa3ccd591073f72f6bc17b96
- C:\Windows\ehome\ehRecvr.exe
  Filesize 1.2MB
  MD5 beebdb966627a658e7299489a3442916
  SHA1 0b4de9573a3da3af3b4a2bd488ce7686bbb2f9db
  SHA256 3930f5fb5639e7a57961436da56c98a81671f78c8654982c4a0cab9250683e4e
  SHA512 5d5f17f623fbd01d2ceb50176d6c32cec5b98f4cae11bf2d10ea3fe9685f6206f7c246da198904a67369908713b8b7b76bbeebc3fc1074112952b56729c2d7f9
- C:\Windows\ehome\ehrecvr.exe
  Filesize 79KB
  MD5 15164aa40df91b45807a4b17638e8611
  SHA1 002a1895c3cc23c12aac77187453e9438e253114
  SHA256 07140fc8775dc6f4fb73b5351550337888a80cd6475a899e49c7c593649b87cb
  SHA512 d85b0311bee90985d8e6bff6da239a18bbf193596e0c10838a677f7a275f07f0a49864dac31b82fec173eefd6c79ba3c11bc410d78de7528a3381358b839956f
- C:\Windows\ehome\ehsched.exe
  Filesize 138KB
  MD5 58c1e34b577e14d26b268258a6232cc6
  SHA1 30958499186f4820e586bea2502d28ddacf1b699
  SHA256 3678f689825f2d6e895a6325c84a4e47220083a5f972664c67762cee50d4dbc4
  SHA512 54b7c2982d8c2ec0871f879d16bae50445947ae59c0278c2c0acf4062e5ce1a8294c99986bedf11e8e9db79e2e53797159fde4ce8f1ca6a3d2d961b55fc00f2f
- C:\Windows\ehome\ehsched.exe
  Filesize 691KB
  MD5 b207305b2d103e87d27c0b343e5203ba
  SHA1 2e0841aa2fe1c0a73e1d45525d8fe89cfb098983
  SHA256 468a3ca3928f40941899298f64b4b3b30f61366326c84d0fb16412d39662dd5d
  SHA512 206d9eb49f85e57ade9db90c4855f432776969906bbfa1568d0aa0cbe621cfd8829e519efb8ae450ff8ac9a9503a262081334dc4b6aec7bbea01c8aef8764ed2
- C:\Windows\system32\IEEtwCollector.exe
  Filesize 674KB
  MD5 46d9f066879b20b9677663a1d9dfb6fa
  SHA1 600ed5accf5c66f81bd769a32f8b4e76a192f2b6
  SHA256 820b3cbe70c07467ca97524731532850a08f5ed9068891c586b616b9693a0061
  SHA512 81aab219e6fad336da370201710bd15308e877918429db8c26f8b9e0da012606d6fa4cc5529f9d8936734d1bb2c187607c4cfc174181cd05ea40e34ecca19088
- C:\Windows\system32\fxssvc.exe
  Filesize 259KB
  MD5 979beb8cd909cd9dd4edb8d11a54b92e
  SHA1 c784d43ce6a5bf502d28c0a73086deb2a763c2f0
  SHA256 d90763954a7136e39aa750e500e5803fb1f158ae9af6f338d7b56a490fed5318
  SHA512 ca40657c246ff62ca8d1e61332354fb46b6823467f904b0410206d987cf85a9b0bb2993f61fbfbd87ac26e67346a2a44e1ab007a9cc8026b0798ff35bcc07a84
- C:\Windows\system32\msiexec.exe
  Filesize 52KB
  MD5 81e53282450871198d871a0d3fb4e1fa
  SHA1 67909690a08b45b6569d25fc1ca327aef41a2465
  SHA256 4a21a849d1416209d79b801b4fb6cee579b569b76a186059dd413d82e8d6a121
  SHA512 bc5c93f0f198c876d661a183e091bca1bcf628b176eb78730e072abb4ef44cde5f2a54f18f2c5ac7aeefbe5f8e3ce6ef53c8f3f165c5415c846118f0dcff760d
- \Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  Filesize 256KB
  MD5 5f13a3c9cc396f7b66358373e970182c
  SHA1 3cbc66ddf1565242de4f0981a62403c229bbb383
  SHA256 ac8bb1bbb34f702a47a7b04c2136c571c07098c7a335250b18746c14237bb670
  SHA512 be16df09ed9c286f4c70d300808cea7ad60777c1233cdc8c9bc77e1335368fa9e006ed202d2c5a75941bd238a52b8c245644e44ab13d2969ee953ee9b92933c0
- \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  Filesize 194KB
  MD5 de6842b2c08a42cb903486646112b7a2
  SHA1 c48f09d49ab02afce110685ba0680627e51aeb10
  SHA256 016babea81623fae45b284d848a0f7532773f1b0b3900b78b2af67f7aa6a9669
  SHA512 227429201ab874c89a8fb749b20648b8d74843869a2b117b5267532477764131d9ea28e9e06ca46d52627bd6bd366526cb0af689495c70b027668ab057ee1155
- \Windows\System32\Locator.exe
  Filesize 577KB
  MD5 cea4c4c069d28db4cfc28cc1888f9a38
  SHA1 1498591dacdd0091f482f14ef77278a92e5af2ac
  SHA256 bd53e10e6165b0beab8e0102b5e3174f82214363d78d0ff294c93680995bcf74
  SHA512 5352e44e4c1754cb9c3420d9c7eae5811b7843d71ef386fc49b72b688ead081874129147b895a64614e1133ee3a7d1149da4fd8738499aa7ce646b106abbba51
- \Windows\System32\alg.exe
  Filesize 152KB
  MD5 ff3b8802a36fc12af6b9e176e17f90f8
  SHA1 999da414ecf7c2ab21bb0e058c201c0a03073038
  SHA256 67c353ab384c03fe691f752f3883a177af68ba2e8a8a223cad1eeaeb5f21808e
  SHA512 ff05d441bcf923aceb17cc7c9a52c49863cc3e916bc28a51defe9d5a3c89f977ab53882d7e08b64941a929dbb4144352e68ef73d542cad96c173c6df899455e9
- \Windows\System32\dllhost.exe
  Filesize 172KB
  MD5 f0b44e392574176c1d3770cb6350be91
  SHA1 a59f4a5db47c4c3c0d94ef96bbc5db7f9eca39a9
  SHA256 47b24735627a2e1397224c8bda4c42bb5fc62748e0648e91e1402a3c4dc10a63
  SHA512 985ab895abd8e8c53b4dae57233f3a647fc987809f8234847142d8e16a36cb185c5678668bfa4227f7427a703f2aaa565a3c875b7af4f7413f42b5ac033523bf
- \Windows\System32\ieetwcollector.exe
  Filesize 383KB
  MD5 250e8367fbab07b1b1666935c04f31ef
  SHA1 48b4f49fddf3a1f5e15362b1f87a566e71fe1f63
  SHA256 57856664ab27ce24e4237d3e4b49bc6bf433fab86a28b9cdfd73809656ebacd8
  SHA512 1dacd5d0a7884f78ff9a316cf83978a527c616c963cd5355673041aaca2ed1d0b61cb4bcb81b850f834a94f32e6e73e1753ab23feb3e8ffa15c66bfe14354bd2
- \Windows\System32\msdtc.exe
  Filesize 173KB
  MD5 9e7f74da13caed2c10d4cd121df672c5
  SHA1 bf5da6bc1f6e8513f66b3d05bad2eb71edbb3b6f
  SHA256 d1893333a90d1291e74e9c11d84313b83317adce99621bd35ce4ce9d7d884ca8
  SHA512 a9112641e26908fcc74e4c4081b4bdfc438db02ba9bdbecb17bf7af807f31d4e31a87ea857d25a5d000b29ceb1b100e1a864ecf33ac2a15a2384656974ac486f
- \Windows\System32\msiexec.exe
  Filesize 126KB
  MD5 35dc8c9b2a33c656e7a5b7c99138bc61
  SHA1 109a87541d6bbb4a5f5e72a2a324a2c9175c5f7f
  SHA256 c32c0170f6aabec54fe6d7e87f4b4654a80590d77812f089645cdd73655047b7
  SHA512 0949f72b2b21b1a1efb6f6791070e65217a72ae9e0e950f99cd97d7ae8287a833381ce3990322c8e8475cb3d1277cc74f71c8e29c32f3b8f3d12be209e6acacd
- \Windows\System32\msiexec.exe
  Filesize 118KB
  MD5 2b8bb6fc241cb807d5669651e11d035b
  SHA1 78c4249f5d6b01d8a42bea5ae8d035fe6e8d6008
  SHA256 8b832da097ef62bbce3b0ecd774bcd47b911221a83e1fd1656f25029c5c9dc39
  SHA512 a24cab97c1fc1374cf37c66b2a804fddd6909e7536311092af52dcfceefdd7b3a84631613dd968fe2c0e29281782824334a08477320830128909a5005f35a291
- \Windows\ehome\ehrecvr.exe
  Filesize 259KB
  MD5 f9bfb6cfbd5d9b27c99c8ab36b1a2cb9
  SHA1 c2832bb79c2aabfd7c74145a2de271dbdbe6aab5
  SHA256 614626a9108720e72371ea01d3ba3e86145ab90e61f1177713982f6508dd0afd
  SHA512 006a0f172067a18fb50563616634a5fedaf31263f3c5bcada70dd79156d935b61ef233cf3e4840ade017b788e1fe4ef306506be59c7b33e4519ea9726eee5583
- \Windows\ehome\ehsched.exe
  Filesize 172KB
  MD5 76b33ba0c2c467e04366ea49c447bdca
  SHA1 f2ec57b79cc58e3329b81c28b75f6822043633c7
  SHA256 49a84cb2d7445467a8aa06b9443a10c1e254e037d6d9b6503c91a46f272f0e52
  SHA512 d671bbac708c97edda13d894a75957886b09d3f211b9183f97583db4c448df7e33155b7788c20c61ff4b595217701a7b288c93f3996cfc24db99cf94b597c144
- memory/352-189-0x0000000140000000-0x00000001400AE000-memory.dmp
  Filesize 696KB
- memory/352-91-0x0000000140000000-0x00000001400AE000-memory.dmp
  Filesize 696KB
- memory/352-96-0x0000000000610000-0x0000000000670000-memory.dmp
  Filesize 384KB
- memory/584-148-0x0000000000890000-0x00000000008F0000-memory.dmp
  Filesize 384KB
- memory/584-140-0x0000000140000000-0x0000000140237000-memory.dmp
  Filesize 2.2MB
- memory/584-244-0x0000000140000000-0x0000000140237000-memory.dmp
  Filesize 2.2MB
- memory/796-184-0x0000000000260000-0x00000000002C7000-memory.dmp
  Filesize 412KB
- memory/796-182-0x000000002E000000-0x000000002FE1E000-memory.dmp
  Filesize 30.1MB
- memory/1060-191-0x00000000008E0000-0x0000000000940000-memory.dmp
  Filesize 384KB
- memory/1060-209-0x00000000008E0000-0x0000000000940000-memory.dmp
  Filesize 384KB
- memory/1060-187-0x0000000140000000-0x00000001400CA000-memory.dmp
  Filesize 808KB
- memory/1060-210-0x0000000140000000-0x00000001400CA000-memory.dmp
  Filesize 808KB
- memory/1180-179-0x0000000000840000-0x00000000008A0000-memory.dmp
  Filesize 384KB
- memory/1180-190-0x0000000140000000-0x00000001400AE000-memory.dmp
  Filesize 696KB
- memory/1600-270-0x0000000100000000-0x0000000100542000-memory.dmp
  Filesize 5.3MB
- memory/1600-280-0x0000000100000000-0x0000000100542000-memory.dmp
  Filesize 5.3MB
- memory/1600-279-0x0000000000860000-0x00000000008C0000-memory.dmp
  Filesize 384KB
- memory/1600-442-0x0000000074148000-0x000000007415D000-memory.dmp
  Filesize 84KB
- memory/1652-276-0x0000000000DF0000-0x0000000000E70000-memory.dmp
  Filesize 512KB
- memory/1652-273-0x0000000000DF0000-0x0000000000E70000-memory.dmp
  Filesize 512KB
- memory/1652-173-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp
  Filesize 9.6MB
- memory/1652-175-0x0000000000DF0000-0x0000000000E70000-memory.dmp
  Filesize 512KB
- memory/1652-290-0x0000000000DF0000-0x0000000000E70000-memory.dmp
  Filesize 512KB
- memory/1652-177-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp
  Filesize 9.6MB
- memory/1652-185-0x0000000000DF0000-0x0000000000E70000-memory.dmp
  Filesize 512KB
- memory/1652-260-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp
  Filesize 9.6MB
- memory/1916-205-0x0000000000920000-0x0000000000980000-memory.dmp
  Filesize 384KB
- memory/1916-283-0x0000000140000000-0x00000001400B6000-memory.dmp
  Filesize 728KB
- memory/1916-196-0x0000000140000000-0x00000001400B6000-memory.dmp
  Filesize 728KB
- memory/2052-448-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize 672KB
- memory/2052-452-0x0000000000A40000-0x0000000000AA7000-memory.dmp
  Filesize 412KB
- memory/2052-461-0x0000000072F40000-0x000000007362E000-memory.dmp
  Filesize 6.9MB
- memory/2080-6-0x0000000000530000-0x0000000000597000-memory.dmp
  Filesize 412KB
- memory/2080-232-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize 1.2MB
- memory/2080-0-0x0000000000530000-0x0000000000597000-memory.dmp
  Filesize 412KB
- memory/2080-1-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize 1.2MB
- memory/2080-70-0x0000000000400000-0x000000000052E000-memory.dmp
  Filesize 1.2MB
- memory/2256-54-0x0000000000610000-0x0000000000670000-memory.dmp
  Filesize 384KB
- memory/2256-53-0x0000000010000000-0x00000000100A7000-memory.dmp
  Filesize 668KB
- memory/2256-135-0x0000000010000000-0x00000000100A7000-memory.dmp
  Filesize 668KB
- memory/2256-60-0x0000000000610000-0x0000000000670000-memory.dmp
  Filesize 384KB
- memory/2560-220-0x0000000140000000-0x00000001400B2000-memory.dmp
  Filesize 712KB
- memory/2560-122-0x0000000140000000-0x00000001400B2000-memory.dmp
  Filesize 712KB
- memory/2560-129-0x0000000000BD0000-0x0000000000C30000-memory.dmp
  Filesize 384KB
- memory/2628-15-0x0000000100000000-0x00000001000A4000-memory.dmp
  Filesize 656KB
- memory/2628-89-0x0000000100000000-0x00000001000A4000-memory.dmp
  Filesize 656KB
- memory/2628-19-0x0000000000390000-0x00000000003F0000-memory.dmp
  Filesize 384KB
- memory/2628-12-0x0000000000390000-0x00000000003F0000-memory.dmp
  Filesize 384KB
- memory/2664-441-0x0000000100000000-0x00000001000B2000-memory.dmp
  Filesize 712KB
- memory/2664-445-0x0000000000320000-0x00000000003D2000-memory.dmp
  Filesize 712KB
- memory/2664-218-0x0000000100000000-0x00000001000B2000-memory.dmp
  Filesize 712KB
- memory/2664-222-0x0000000000320000-0x00000000003D2000-memory.dmp
  Filesize 712KB
- memory/2664-227-0x0000000000A60000-0x0000000000AC0000-memory.dmp
  Filesize 384KB
- memory/2672-248-0x00000000004E0000-0x0000000000540000-memory.dmp
  Filesize 384KB
- memory/2672-237-0x0000000100000000-0x0000000100095000-memory.dmp
  Filesize 596KB
- memory/2672-460-0x0000000100000000-0x0000000100095000-memory.dmp
  Filesize 596KB
- memory/2764-277-0x0000000000360000-0x00000000003C7000-memory.dmp
  Filesize 412KB
- memory/2764-267-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize 672KB
- memory/2764-458-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize 672KB
- memory/2764-37-0x00000000004F0000-0x0000000000557000-memory.dmp
  Filesize 412KB
- memory/2764-459-0x0000000072F40000-0x000000007362E000-memory.dmp
  Filesize
6.9MB
-
memory/2764-43-0x00000000004F0000-0x0000000000557000-memory.dmpFilesize
412KB
-
memory/2764-36-0x0000000010000000-0x000000001009F000-memory.dmpFilesize
636KB
-
memory/2764-440-0x0000000072F40000-0x000000007362E000-memory.dmpFilesize
6.9MB
-
memory/2764-87-0x0000000010000000-0x000000001009F000-memory.dmpFilesize
636KB
-
memory/2792-107-0x0000000000A60000-0x0000000000AC0000-memory.dmpFilesize
384KB
-
memory/2792-203-0x0000000140000000-0x000000014013C000-memory.dmpFilesize
1.2MB
-
memory/2792-136-0x0000000001A30000-0x0000000001A31000-memory.dmpFilesize
4KB
-
memory/2792-110-0x0000000140000000-0x000000014013C000-memory.dmpFilesize
1.2MB
-
memory/2792-115-0x0000000000A60000-0x0000000000AC0000-memory.dmpFilesize
384KB
-
memory/2844-26-0x0000000000920000-0x0000000000980000-memory.dmpFilesize
384KB
-
memory/2844-32-0x0000000000920000-0x0000000000980000-memory.dmpFilesize
384KB
-
memory/2844-25-0x0000000140000000-0x000000014009D000-memory.dmpFilesize
628KB
-
memory/2844-108-0x0000000140000000-0x000000014009D000-memory.dmpFilesize
628KB
-
memory/2900-146-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/2900-77-0x0000000000380000-0x00000000003E7000-memory.dmpFilesize
412KB
-
memory/2900-72-0x0000000000380000-0x00000000003E7000-memory.dmpFilesize
412KB
-
memory/2900-71-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB