1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
Size

1.8MB
MD5

98634542919726b66b1e305224ce58bc
SHA1

0483a6ec826efffff036c1cbdc57cc9bafc49173
SHA256

1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc
SHA512

7cb17ddbe7469e8ef17680fd4c76e7e10957286eed0c6b78a2ecbfdf1701b59eab2f5e1699970534d7223d50c1f5abd52019ba3c6a57bdd7b44b486ac636fc28
SSDEEP

49152:oKJ0WR7AFPyyiSruXKpk3WFDL9zxnSZEjhMjSax84:oKlBAFPydSS6W6X9lnaQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 57 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeGROOVE.EXEmscorsvw.exemaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
472
2624	alg.exe
900	aspnet_state.exe
2908	mscorsvw.exe
2016	mscorsvw.exe
812	mscorsvw.exe
2084	mscorsvw.exe
2348	ehRecvr.exe
1612	ehsched.exe
1728	elevation_service.exe
2768	mscorsvw.exe
2772	mscorsvw.exe
2000	mscorsvw.exe
2496	mscorsvw.exe
1552	mscorsvw.exe
2164	mscorsvw.exe
2720	mscorsvw.exe
1496	mscorsvw.exe
3000	mscorsvw.exe
2804	dllhost.exe
680	GROOVE.EXE
2248	mscorsvw.exe
2936	maintenanceservice.exe
2564	OSE.EXE
2532	OSPPSVC.EXE
2824	mscorsvw.exe
1044	mscorsvw.exe
1680	mscorsvw.exe
1656	mscorsvw.exe
2560	mscorsvw.exe
2860	mscorsvw.exe
2828	mscorsvw.exe
2956	mscorsvw.exe
2600	mscorsvw.exe
1884	mscorsvw.exe
2256	mscorsvw.exe
2500	mscorsvw.exe
968	mscorsvw.exe
2276	mscorsvw.exe
1948	mscorsvw.exe
2848	IEEtwCollector.exe
2740	msdtc.exe
2688	msiexec.exe
1800	perfhost.exe
1936	locator.exe
2664	snmptrap.exe
1048	vds.exe
1720	vssvc.exe
2796	wbengine.exe
2168	WmiApSrv.exe
2032	wmpnetwk.exe
2780	SearchIndexer.exe
1588	mscorsvw.exe
892	mscorsvw.exe
1884	mscorsvw.exe
2016	mscorsvw.exe
1480	mscorsvw.exe

Loads dropped DLL 15 IoCs

Processes:

msiexec.exe

pid process

472
472
472
472
472
472
472
472
2688 msiexec.exe
472
472
472
472
472
756
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

msdtc.exeaspnet_state.exe1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exealg.exeSearchProtocolHost.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a2882403db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exe1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_ml.dll	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\GoogleUpdateSetup.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_lv.dll	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_sr.dll	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_en.dll	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_nl.dll	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\psmachine_64.dll	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_vi.dll	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe

Drops file in Windows directory 39 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exe1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exemscorsvw.exealg.exeaspnet_state.exedllhost.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{70DEB368-3F72-409E-9919-B1638F7C5D95}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{70DEB368-3F72-409E-9919-B1638F7C5D95}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeehRec.exeOSPPSVC.EXESearchIndexer.exeehRecvr.exewmpnetwk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

916 ehRec.exe
900 aspnet_state.exe
900 aspnet_state.exe
900 aspnet_state.exe
900 aspnet_state.exe
900 aspnet_state.exe

pid	process
916	ehRec.exe
900	aspnet_state.exe
900	aspnet_state.exe
900	aspnet_state.exe
900	aspnet_state.exe
900	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2884	1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: 33	976	EhTray.exe
Token: SeIncBasePriorityPrivilege	976	EhTray.exe
Token: SeDebugPrivilege	916	ehRec.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: 33	976	EhTray.exe
Token: SeIncBasePriorityPrivilege	976	EhTray.exe
Token: SeDebugPrivilege	2624	alg.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	900	aspnet_state.exe
Token: SeRestorePrivilege	2688	msiexec.exe
Token: SeTakeOwnershipPrivilege	2688	msiexec.exe
Token: SeSecurityPrivilege	2688	msiexec.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeBackupPrivilege	2796	wbengine.exe
Token: SeRestorePrivilege	2796	wbengine.exe
Token: SeSecurityPrivilege	2796	wbengine.exe
Token: SeDebugPrivilege	900	aspnet_state.exe
Token: 33	2032	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2032	wmpnetwk.exe
Token: SeManageVolumePrivilege	2780	SearchIndexer.exe
Token: 33	2780	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2780	SearchIndexer.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

976 EhTray.exe
976 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

976 EhTray.exe
976 EhTray.exe

pid	process
976	EhTray.exe
976	EhTray.exe

pid	process
976	EhTray.exe
976	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe
1984	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 812 wrote to memory of 2768	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2768	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2768	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2768	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2772	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2772	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2772	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2772	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1552	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1552	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1552	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1552	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2164	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2164	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2164	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2164	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2720	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2720	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2720	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2720	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1496	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 3000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 3000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 3000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 3000	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2248	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2248	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2248	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2248	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2824	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2824	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2824	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2824	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1044	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1044	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1044	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1044	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1680	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1680	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1680	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1680	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1656	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1656	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1656	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 1656	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2560	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2560	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2560	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2560	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2860	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2860	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2860	812	mscorsvw.exe	mscorsvw.exe
PID 812 wrote to memory of 2860	812	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
"C:\Users\Admin\AppData\Local\Temp\1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 250 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 274 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 264 -Pipe 1f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1dc -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 278 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 25c -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 250 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 1dc -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 258 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1f0 -NGENProcess 2a4 -Pipe 230 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1f0 -NGENProcess 220 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 1c8 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b4 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2348

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:976

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2804

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2564

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2532

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:1124

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
2b293f2effbc76e809d88f19bb2a01e7

SHA1
c3ef0621519f119eeff8d193324ec082ff91eb37

SHA256
f8f88d5986ed97e8405e3db2f676e275a979830d88d879e14d2f9d79b89357d8

SHA512
0f9e8fec99f3ccf0a25f77c481f2bdc47700fd112d19da659a17b3a42fa950a1711e179bb22e9930140255d847674d9d29946209b2f7f2714aa771d4a74341ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
11.7MB

MD5
eb458b4943d3388a94e591d3c033051d

SHA1
0930b6b80ecaf8ca7bfee765e3016a6f61da7bf8

SHA256
75bde09882834339635692f3699821baeeb6184e1c5f66e2544ca4c57468f679

SHA512
349b53f2b4fe6f823c0346d39214a051e4fdf12c0f8ea4769905d8198d8104b87b9c8d4374b40519174fb6083b843b118ea981db137c22b6749f1f43033da911

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9c9b06673dfd58f5063ead423f4b35e3

SHA1
40145cf217f89195e7acc4558efe6d0ffbd86b1d

SHA256
3b0041e9b68185278466dc477a87987755ac5d25b8f6522cdf0c95aaa07e22eb

SHA512
f3fa1a346602de5b3e4458679c563a9c62dddcd4526f4751cfb20ca4bee043acc4bd8005514703a6745471946f36458d5d66b082b73194d61c8e12e68b11aea1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d26f9ed2ab2a3bc9fd1725a84fcffbbd

SHA1
a5fee0bc95516df0c7aadffc02757061a3be5f7a

SHA256
99336508d67d919d33dce6f13237866ba3077763f800afaf713b40bd1cfb88d9

SHA512
e942bb8223e7167b451bfef4cd94d912074077ba66f4348d9b973d30b8f53c8c86c08e43a7bd1f1a5d0ce8076bfd827db67feb504a1a47029307f3b231c70827

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
256KB

MD5
e0ebe9f08699299e026e3144645fb192

SHA1
e1bd4d5716385e4b4ae83b8ca1c0fc32e17180b2

SHA256
35e8031d9116be404d3e815e8d859113291b5b6a99a5f4271f76748db1a50f2c

SHA512
ec5187f76ececa4bdd4fb8accc664ca13da76e25e7f6496249fe4ac58a0872ae85eff3c1059308993f7a98bd25227edafa8d650d9ceb1d3f861664f09e3e5086

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ac7f2c974f44fa4e03ececc899383c9c

SHA1
faa07ceac0b8a3e37d1ed587e8b18155977b90dd

SHA256
71504b01521148bba9696cb98038bf13185c3830c7571a17b111e5b8a4fd26d0

SHA512
735a9394f2dfea72413724c61ace615b2f69c3dc3776fc0f7a94bc6e547db3cbc4bcb63bf19d1d40d4250d7f3de25c219038240613ca157a1756691c88678036

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
32KB

MD5
b1a6a4d875af3e883fb4d2e4f1d0b937

SHA1
1a06c5a34a7f878d3042d9e9507578e4e9382fa0

SHA256
839f5bf22471103e221f522a86704c6c55daabb0303ea652300cdc16fce5bbcb

SHA512
2fd14174bd40ac54e5f97d316c5b1d25a6f76fe45350af2f8a8bc84dbc222affdf7f84491645676efc035749917611e56c7d611df52b767f888fd7f2e6156a8f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
855KB

MD5
d5716854a47e06f36101c2ac349ac049

SHA1
0c3f192c796667c850f94cb4e09c00eb70941e7e

SHA256
51d59b414772a77abeeee77498000f539235808b3687f9643a0bfc9812176422

SHA512
0bfe4b9b0008c4a3258238b003dd6edc5115e497bedc37f39349f5870663742ed78804e124b3be0fee733efa81d200fd3c2cbd363ccf5e1da7d125995287f7fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
336KB

MD5
90d593d84967387b683ff25975a6f23a

SHA1
36935ca9f508691198cace63febb7373fa8b9fe8

SHA256
c327411348ce92d53e9b7d37a11636033cba3d9d24397291ccaecff4e28021b2

SHA512
6fc1da077a530a19000619c5af01c091c844d6180ef198aa12e3ac2801d62bc29ec7fa7dbd9496234a452d7892463581e7056deed865f642bd3778c2bc95f871

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
835KB

MD5
14839e9e85e2572fd4641d3b3593f18c

SHA1
a6b1b5f3ea328e779a33a0322e9e89e112cc506a

SHA256
d1dc442cf9cd76d903a205f4414f00a302ee18752e0a54f31c89eb56e4361533

SHA512
cdd0235afdf95496360413280116ea245fe5cbfd34bef82741ba699c6f9a28b3abb2fad18215254863147173bf467205bb073925d92c7bee71936e54b3bf01e4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
333KB

MD5
b6c7652c787435e09d8a66ae73a6672c

SHA1
bd2eda478ceab489d4ae6be017812464a78f6ca2

SHA256
22cfedeb09137d109032b73db433e179d48f62be87c6144746f7a94efab924f7

SHA512
8188195f58d3f6778fe8570563db4d77fb8b54edf0769a45834c654738e81c118ee52d1d9935ebf524a50ac0f58cbc9acdb2d470a47c5febf341ef95ae86e969

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
fb913859b57188032f15418556e48fe7

SHA1
1ab75d292a878ee4ce12f80fee7fc2e7df23167b

SHA256
0098fc43b2d01753f8e5511bc5d298acd761af67cf01206bc7ca8089a2753ae8

SHA512
964afebb0afafc64504b91e0f895b6796bbfeac0609ecf2fd39953ad4776f4f0b97cd15ceae014b685afd37ad48e641b4aa22d422a0618a91fef2cf015afa54e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
304KB

MD5
0c92848e04af3595c7a57de915e06516

SHA1
c29c2f10420ebb36a2868304e530f1f928ab3607

SHA256
7dcf28be446050e3d30a7e54834985c7b2dd08e3e2997cca9b0e3f1978ebe3fc

SHA512
5f8cea92dff26fb8d728c24bb39435e24186739bd77c6fb22bb4fb510df8bb969963194c38ecc1832b8455fc0607ac6f9cac0e658d9be2c1a2ee4691646382e6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
92KB

MD5
c422e5f21ccac52348f22ef5a7f357d3

SHA1
7b5a0b230d3f97dda9bcc22d1c5be3e642d20654

SHA256
e624b58a1eb660c1879c4f553ac0ddfe85f23342b4e5de3e7d8db537fb54464f

SHA512
31a1cd71ef1a89d760631b80d500d5ab6be65b52a3ec792c010bd9857c192bb5e1059a894afe6e54a1d92090dd97b98ae458a0701196b68254e27e3dc9838de9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
094028648a6eede52e38c53d6686b6b4

SHA1
7e023b1a3a73b6d9c22dabea035b22bdf68ab5a5

SHA256
a3f5f015dcb6ea634ae5ef9549070ff34aa70c040769f2abb5128ce95a436324

SHA512
4074d9666431391c27bb45e196636113d8ca814248cc05eddb76019bbf1e5fb8c360538acb166ddd565d9b1c9a7d81bb6d474550eb59837d0d774496a5277f5d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
986KB

MD5
29e7bf6345083e16a07921ff29f13cac

SHA1
0c87feb3b86a4579c7c516e7b1952bbc3ada9b39

SHA256
82ecc3b9f512c659b46b1343e47fb9ccca393a5cf91ac3578c29c9853444997e

SHA512
ea7a624105651da45f719ffce0c4b664d00d0a8f5c8ee7157bb09d673c7edf4411d433525d3c7e59e6bd399cc5d20fe5d38aa2ed0272314ca8a1bfe29a9e860a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
354KB

MD5
8ec8a2f3f6b9e9c61704badce99a199a

SHA1
ee771c117fab247d0c8707e8764e65fed769d1ec

SHA256
0749a0882b2a28be19f7686bddce8b9564871b452e913efc24cffb185f2e13c3

SHA512
fb87476698bea08c7322ff28ce87821e9b1996524a64b78aca3cf54f78a58e796145212a17d326bd4274c5aab10c088f85fc069d3045551bf0ed304ffb4e8d96

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d3a641d428ade9055fbd58e821933c1a

SHA1
c78f598a089b83456e287fc69b639d8d6f4ff5ec

SHA256
7ba7151b558c30a1e2f5496273674b8dad229308004c7f59413b038c5bde7e51

SHA512
8d5fc384277ba7dde01cd5fcb6e779e6b817ba596b6b61a1dad729289efc1a08f4bc2ad86f0ef159fc5604713beefa859a15d9c7e68a8a4234c65f9d89d3e110

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
424KB

MD5
a41be8cccb2003392886a7c3625a1a21

SHA1
949e1edd3d4a8c087448b8444374cb77d19a8329

SHA256
a0f6b1cf964f0bb141fe9422edc453675bbcdb86815d76d60dac8dc26129f9b9

SHA512
634e775c4ba33cd9dd1163e80c446e69dcedd60aad7ed298016aec3620abb3d5aee3329815ad41e6e67729699960e052f683b1124f7379826f2c02317e24a95e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
512KB

MD5
a868f3fa726d6b200fa798738984963a

SHA1
2a135848f1c8da262c905d230ceaf68bc4255a6e

SHA256
c74bd239d2ccc46b5c4d2abd91216b5d88b85814eae4fc1e67219f85347eecd5

SHA512
c24fab90ee6f13832ca621e1be9593b81cf8a88029ed49026c67b50b48772e55d022fd7321b6e62a6305587948750705c3a3afc2c3d422a9304d94a53feb43a9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
990KB

MD5
710e3ef486f9b2b4150f0d748e23201f

SHA1
9a364990f17f3f97cfe5ff38567a5b127942097f

SHA256
16b0f3407418b3d1ddb1bd7e83b2f9d668c31e5cd090847c10e6f10e81b46022

SHA512
664383582f7a23bad33f976c3587def1eb8c21353dc4a4c715b146104f11b05cd67ea7ad1bd736424152918dc77aa741fb40d839809cbb3968988b088e15b250

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
651KB

MD5
b32832db1137c4ef8aff4a099b491a76

SHA1
1722b19b9ce1ab68d56f88b941882cf9ebc60a3b

SHA256
9969e03f041436cc0833c5047c8e29e0c9851c02dc96a19d114c8c50b58ca990

SHA512
4a7f9732721f40cceb52d2b6f4d1754061b90cf53a28a5cd2bfef0cfac56403bdef766121fc00e712e880e05710aca586f0687970cd704bb7f400a9b43681b24

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f90aaa1e0f9fd545a57769d01a79da93

SHA1
4cda9bea3d115f305a45c0ee8a52cb6805b51489

SHA256
26e4a47d57638299debf92af62565492c2f6ae76402f8327f4e9dc7000e042bb

SHA512
39cab84c640c2609934628ea1e4b0d3a2b0dd14aea9ccf27cef9d6f7486aa91c6bdc7341ecfcf3db13da27cfc9f251ee876dec3abd1edc016c66945f00894fd5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3dd01b09bcb247915ccc13b2c9919258

SHA1
20a4bbabe0a8d57cf7a3af6b09685fbeecbd1ea3

SHA256
22597cb5927fbc7665bc21a88fa91c85d6da7f5f075c93c93524cc1524b77588

SHA512
ea445e402fa42784085a12190f625cb999a35e11e06caa30f4810c6091f013ea1704cea0a5cd543d261c4b6ce00e1332d2d7ecf98b43b63e5882e7d3b7231ea3

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
155c64d02e00befcc6d9652d573733e9

SHA1
05e39755549e841c9d6cd778f0552b6aa5ee54d6

SHA256
08eeb3619ebc2e9bf4aee237262451dddc7449a272aeda91dfdce633a7372214

SHA512
d600f404bab937c9b52690e5de74dbcd46e9cb6f5efe1af73d27e7226ef4c148b55bf671d0195867b88dedbc830cc9148d08688cd4f57c398860645682fd57f8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
768KB

MD5
766f9697ae0c86acc6649260caf81f26

SHA1
2cd5767447ca9af442c6172ea3cccaf507f91544

SHA256
f2c4dfca9c1ac42c3e5b78ad1cbb9e0f1fc502c910555b31877e3efc11d68411

SHA512
abe3b87e0d9497c38d79e048c33a15d1f401317bc87294ee1c8f8071ede799cfe2eacdfb7d1419a73c59adcbf7dda40cb965b667159a83f3a9dfccf9996ab999

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fdfd169e9fc74dfeb509f7356084c726

SHA1
a482a6ddb32ea6281141eed19f0d169bda3b104d

SHA256
0cbb06b8d7218ece091f76844fd2a498c60baa3c1468c87cede7ca1ebc8bbc07

SHA512
8817940831a6e4da60474090a401ba8892ba3c7a14ac9af2b5c150ce41cebf429d8f92442fdec3d1cddf9b40591022ff04ea34fc830ea838075947458522205a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c45c236ad92d4d000eb216e84e2ef272

SHA1
8f5d0622fbc4126cfbe9551e2e40d9bb6ae8a065

SHA256
7d49b047447c3260383ebf6bd3cb750ba44777f8b977be3569129558404d932b

SHA512
6bf350f7b30223d7c34d7e09d76b16fe039274f278396a5274c87e90419eff53fa43cf520fcd64821c26f2a96a648be623449a2bc191f3836f6bc9a9b6c8aa91

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
60KB

MD5
b8853d93c44d4003133f573eb2e6e787

SHA1
574eb06f0b6880c948b10d78a58565d010a40dcb

SHA256
b548aa1e9983498e7ac169f37a0ac64e763703afa33bf66b40e9a84eb9b9e7f7

SHA512
49108d4e04d77a24c5825420ed005a50dca4ccbd01c7aa65be9d4a65529f048e50254cf524d7965a04904dc2248614093f3491e73f341c9f1f79331d1a616b44

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
476KB

MD5
73ff13d34967edeb8d1eac8e00d0936b

SHA1
fca423b8834b82c4a2509f11df74a22c1e6a1ee9

SHA256
136630128b48b6c639c672826c14fc033210117535ea7a6178e8a392afc1b0d2

SHA512
07f28cd9cd53a932618fec31bafc1c6924e150d7ba88d70be2f1dd4659057f0615b0eb8851a0fa22954e216e3309ae93803b1f55d78a74906ae61c2453bc0db5

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6c11b92e2791d47fa64286b8b1b2569f

SHA1
e4958e9725973d571c2638b662f8bbdfc0875f6e

SHA256
f07a50cb76f03e7d42f42d36944bff64496fbdc1b29202d2c303e29d3cf81166

SHA512
bf47d527f37c9bd79fb345c033a0518fad90388e7e2c83e13d5586ad3629228302757e268acd0d736d6070f1ffe0d25a8c1d3cd7ac4d180c34c1626bd07f5226

Download Submit
\Windows\System32\alg.exe

Filesize
1.1MB

MD5
54c39993c5b7fd7fa5605f7850973b51

SHA1
afa1aa81e452179010b9d188dc15cec24d0f1ba2

SHA256
e2ee9d3c0568ebb36bd65b9a9457ce1d55dfd49895fa68def9f9cc67dc9c8b7a

SHA512
b6f50aefa508e81af4e622ffe8436de8ab327aa0af7a45da7e8c0fc663ff343f4774ba2b280bdf825f0fa5936a800908208e8cf82029dd4c9c2acca0d81f9773

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
d8c9582e791ae89b4f060bc433a4e8cf

SHA1
fec8772ff40c7f28fdd41744a3e42e31eaedc135

SHA256
73f94803c41217f2a5ebe0556d249dbce9fa713f7e0ad55b85e837f3fa80f99b

SHA512
26d108a441046632c4347f67c8117a2d1dc19c6c36b8a393d0b398796fa29733cc896a03ff090eca0900e13ebb5d9ee4c334d1a1773059a82df827d0f06b75ce

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
525cb2b0af3aba5cb9f88fc41f452eca

SHA1
20746a88c3a11a958d7819b3664eedcd985eb563

SHA256
95c426f70ba483c884dbd5cde14653d1779d0b6d11dd71e06391857db9ded1b3

SHA512
2f41b1edc63258b156fd605fe44e85d32132f85b6d789c0867b4cc76449dfd60ad315f93d2185bddadee1b178ed331775aa53151878e99ca706c8e14c5f58b7f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
8e08955be4be312b42786b1589694b70

SHA1
452869d37366fc0c7839e97aa3d1bfbf870f21b1

SHA256
9e7cd6b8c1cd81c47c4eb6805925efd99c323f858ebab6532eae596a8a35b2f9

SHA512
10070f7af58f8ae00d17858e935da1034c084de4aced0d422a6fb3dec1a56751c4c664de357c6fd19139e1f28aa82b96766739eb4330d717ba777356b13bbee7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
419e33c5a69b2c07e7b08731cb896318

SHA1
bc93c377d16239cd9238049c07962a3afd8b96ac

SHA256
9cd0ce321d0b44d31209af9d511c7f31a19c9e8fc0c8eac6c49824d31e4bc9a3

SHA512
7c3b236839b985f01774f11afac93d25032165cf49fc61eef7287f1df6fdf335a322f083bc22654ec21710e9b9575c5c87ba5f904370a260473e24e46e13e887

Download Submit
memory/812-214-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/812-151-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/812-145-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/900-181-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/900-95-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/900-96-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/900-102-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/916-216-0x0000000000A90000-0x0000000000B10000-memory.dmp

Filesize
512KB

Download
memory/916-312-0x0000000000A90000-0x0000000000B10000-memory.dmp

Filesize
512KB

Download
memory/916-293-0x0000000000A90000-0x0000000000B10000-memory.dmp

Filesize
512KB

Download
memory/916-217-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

Filesize
9.6MB

Download
memory/916-320-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

Filesize
9.6MB

Download
memory/916-215-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-389-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/1552-372-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1552-390-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1552-366-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1552-376-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-206-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1612-200-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1612-321-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1728-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1728-330-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2000-361-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2000-339-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2000-341-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2000-346-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2000-359-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-161-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2016-131-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2016-123-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2016-124-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2084-164-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2084-294-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2084-166-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2084-172-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2084-171-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2164-388-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2164-391-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-381-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2348-310-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2348-182-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2348-183-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2348-189-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2348-306-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2348-196-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2348-190-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2496-349-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2496-360-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-355-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2496-375-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2496-374-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-163-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2624-59-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2624-49-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2624-50-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2624-58-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2768-328-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2768-311-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2768-307-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2768-301-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2768-329-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2772-318-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2772-326-0x0000000000BA0000-0x0000000000C07000-memory.dmp

Filesize
412KB

Download
memory/2772-331-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2772-344-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2772-345-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-144-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2884-1-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2884-291-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2884-6-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2884-7-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2884-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2908-107-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2908-106-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2908-113-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2908-142-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download