3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
Size

1.8MB
MD5

1d154a438d5d07b14d845c59c370d69e
SHA1

8f3054b985effcf58c1118b475993afd23f226c1
SHA256

3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7
SHA512

9cf6444620d483ce858e1f156ae93b1cf6a9980d3ec587ca5f8978e05d70b6e74f6dbb2caff208e264082d990595dc0d89a4d2eec5749ec83a0b8abe2b3adf5f
SSDEEP

49152:Ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAUkQ/qoLEw:AvbjVkjjCAzJDqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 57 IoCs

pid	Process
468	Process not Found
2056	alg.exe
2856	aspnet_state.exe
2728	mscorsvw.exe
2780	mscorsvw.exe
2840	mscorsvw.exe
1540	mscorsvw.exe
1732	ehRecvr.exe
2280	ehsched.exe
2232	mscorsvw.exe
2652	dllhost.exe
2432	elevation_service.exe
2972	mscorsvw.exe
2752	GROOVE.EXE
1556	maintenanceservice.exe
2728	OSE.EXE
2612	OSPPSVC.EXE
2768	mscorsvw.exe
2396	mscorsvw.exe
1184	mscorsvw.exe
1764	mscorsvw.exe
2312	mscorsvw.exe
2948	mscorsvw.exe
792	mscorsvw.exe
2160	mscorsvw.exe
1392	mscorsvw.exe
832	mscorsvw.exe
396	mscorsvw.exe
1716	mscorsvw.exe
1996	mscorsvw.exe
2044	mscorsvw.exe
1052	mscorsvw.exe
1656	mscorsvw.exe
2688	mscorsvw.exe
1700	mscorsvw.exe
2696	mscorsvw.exe
2508	mscorsvw.exe
920	mscorsvw.exe
1660	mscorsvw.exe
2664	mscorsvw.exe
2920	IEEtwCollector.exe
1612	msdtc.exe
1220	msiexec.exe
1184	perfhost.exe
972	locator.exe
2128	snmptrap.exe
1584	vds.exe
528	vssvc.exe
1704	wbengine.exe
1972	WmiApSrv.exe
1804	wmpnetwk.exe
2108	SearchIndexer.exe
1356	mscorsvw.exe
288	mscorsvw.exe
868	mscorsvw.exe
1996	mscorsvw.exe
1616	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1220	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a8d6f3b4501ed38.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_de.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_sr.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_sv.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_fr.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\GoogleUpdateBroker.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_ar.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_ml.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\psmachine.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_fi.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_sk.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_vi.dll	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1B57861F-1476-4E02-AB0B-E252471FB356}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1B57861F-1476-4E02-AB0B-E252471FB356}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{48F3D069-F3F8-49A0-87DB-2103F865FE58}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{48F3D069-F3F8-49A0-87DB-2103F865FE58}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2792	ehRec.exe
2856	aspnet_state.exe
2856	aspnet_state.exe
2856	aspnet_state.exe
2856	aspnet_state.exe
2856	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2148	3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
Token: SeShutdownPrivilege	2840	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2840	mscorsvw.exe
Token: 33	1644	EhTray.exe
Token: SeIncBasePriorityPrivilege	1644	EhTray.exe
Token: SeShutdownPrivilege	2840	mscorsvw.exe
Token: SeShutdownPrivilege	2840	mscorsvw.exe
Token: SeDebugPrivilege	2792	ehRec.exe
Token: 33	1644	EhTray.exe
Token: SeIncBasePriorityPrivilege	1644	EhTray.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeDebugPrivilege	2056	alg.exe
Token: SeShutdownPrivilege	2840	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2856	aspnet_state.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeSecurityPrivilege	1220	msiexec.exe
Token: SeBackupPrivilege	528	vssvc.exe
Token: SeRestorePrivilege	528	vssvc.exe
Token: SeAuditPrivilege	528	vssvc.exe
Token: SeBackupPrivilege	1704	wbengine.exe
Token: SeRestorePrivilege	1704	wbengine.exe
Token: SeSecurityPrivilege	1704	wbengine.exe
Token: SeDebugPrivilege	2856	aspnet_state.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: 33	1804	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1804	wmpnetwk.exe
Token: SeManageVolumePrivilege	2108	SearchIndexer.exe
Token: 33	2108	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2108	SearchIndexer.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	2840	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1644	EhTray.exe
1644	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1644	EhTray.exe
1644	EhTray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2276	SearchProtocolHost.exe
2276	SearchProtocolHost.exe
2276	SearchProtocolHost.exe
2276	SearchProtocolHost.exe
2276	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2232	1540	mscorsvw.exe	36
PID 1540 wrote to memory of 2232	1540	mscorsvw.exe	36
PID 1540 wrote to memory of 2232	1540	mscorsvw.exe	36
PID 1540 wrote to memory of 2972	1540	mscorsvw.exe	41
PID 1540 wrote to memory of 2972	1540	mscorsvw.exe	41
PID 1540 wrote to memory of 2972	1540	mscorsvw.exe	41
PID 2840 wrote to memory of 2768	2840	mscorsvw.exe	46
PID 2840 wrote to memory of 2768	2840	mscorsvw.exe	46
PID 2840 wrote to memory of 2768	2840	mscorsvw.exe	46
PID 2840 wrote to memory of 2768	2840	mscorsvw.exe	46
PID 2840 wrote to memory of 2396	2840	mscorsvw.exe	47
PID 2840 wrote to memory of 2396	2840	mscorsvw.exe	47
PID 2840 wrote to memory of 2396	2840	mscorsvw.exe	47
PID 2840 wrote to memory of 2396	2840	mscorsvw.exe	47
PID 2840 wrote to memory of 1184	2840	mscorsvw.exe	48
PID 2840 wrote to memory of 1184	2840	mscorsvw.exe	48
PID 2840 wrote to memory of 1184	2840	mscorsvw.exe	48
PID 2840 wrote to memory of 1184	2840	mscorsvw.exe	48
PID 2840 wrote to memory of 1764	2840	mscorsvw.exe	51
PID 2840 wrote to memory of 1764	2840	mscorsvw.exe	51
PID 2840 wrote to memory of 1764	2840	mscorsvw.exe	51
PID 2840 wrote to memory of 1764	2840	mscorsvw.exe	51
PID 2840 wrote to memory of 2312	2840	mscorsvw.exe	52
PID 2840 wrote to memory of 2312	2840	mscorsvw.exe	52
PID 2840 wrote to memory of 2312	2840	mscorsvw.exe	52
PID 2840 wrote to memory of 2312	2840	mscorsvw.exe	52
PID 2840 wrote to memory of 2948	2840	mscorsvw.exe	53
PID 2840 wrote to memory of 2948	2840	mscorsvw.exe	53
PID 2840 wrote to memory of 2948	2840	mscorsvw.exe	53
PID 2840 wrote to memory of 2948	2840	mscorsvw.exe	53
PID 2840 wrote to memory of 792	2840	mscorsvw.exe	54
PID 2840 wrote to memory of 792	2840	mscorsvw.exe	54
PID 2840 wrote to memory of 792	2840	mscorsvw.exe	54
PID 2840 wrote to memory of 792	2840	mscorsvw.exe	54
PID 2840 wrote to memory of 2160	2840	mscorsvw.exe	55
PID 2840 wrote to memory of 2160	2840	mscorsvw.exe	55
PID 2840 wrote to memory of 2160	2840	mscorsvw.exe	55
PID 2840 wrote to memory of 2160	2840	mscorsvw.exe	55
PID 2840 wrote to memory of 1392	2840	mscorsvw.exe	56
PID 2840 wrote to memory of 1392	2840	mscorsvw.exe	56
PID 2840 wrote to memory of 1392	2840	mscorsvw.exe	56
PID 2840 wrote to memory of 1392	2840	mscorsvw.exe	56
PID 2840 wrote to memory of 832	2840	mscorsvw.exe	57
PID 2840 wrote to memory of 832	2840	mscorsvw.exe	57
PID 2840 wrote to memory of 832	2840	mscorsvw.exe	57
PID 2840 wrote to memory of 832	2840	mscorsvw.exe	57
PID 2840 wrote to memory of 396	2840	mscorsvw.exe	58
PID 2840 wrote to memory of 396	2840	mscorsvw.exe	58
PID 2840 wrote to memory of 396	2840	mscorsvw.exe	58
PID 2840 wrote to memory of 396	2840	mscorsvw.exe	58
PID 2840 wrote to memory of 1716	2840	mscorsvw.exe	59
PID 2840 wrote to memory of 1716	2840	mscorsvw.exe	59
PID 2840 wrote to memory of 1716	2840	mscorsvw.exe	59
PID 2840 wrote to memory of 1716	2840	mscorsvw.exe	59
PID 2840 wrote to memory of 1996	2840	mscorsvw.exe	60
PID 2840 wrote to memory of 1996	2840	mscorsvw.exe	60
PID 2840 wrote to memory of 1996	2840	mscorsvw.exe	60
PID 2840 wrote to memory of 1996	2840	mscorsvw.exe	60
PID 2840 wrote to memory of 2044	2840	mscorsvw.exe	61
PID 2840 wrote to memory of 2044	2840	mscorsvw.exe	61
PID 2840 wrote to memory of 2044	2840	mscorsvw.exe	61
PID 2840 wrote to memory of 2044	2840	mscorsvw.exe	61
PID 2840 wrote to memory of 1052	2840	mscorsvw.exe	62
PID 2840 wrote to memory of 1052	2840	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe
"C:\Users\Admin\AppData\Local\Temp\3868480ab81844d743abe67b835775316f665992a147e24a48272c785361efd7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2728

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1dc -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1f8 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 270 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 260 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 1e0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f8 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f8 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f8 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 288 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 288 -NGENProcess 260 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 1e0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1e0 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e0 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1e0 -NGENProcess 23c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2a8 -NGENProcess 288 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 218 -NGENProcess 1d4 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 250 -NGENProcess 1ac -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1e0 -NGENProcess 258 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 228 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 260 -NGENProcess 258 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1732

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2652

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1556

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2728

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2612

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2108
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2276
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
e649d868b98b3efe7c1c87ec517673ab

SHA1
ddd03fc96c386f2a6658e7834f10d150f195c837

SHA256
11a3166884a298ca5e2fab7a5886e5f1f946ce8970c0c9633c77b6a7507cafd7

SHA512
f2afff02bd9d67d70af5b0ed5a5a080901d2b57fc96d0d7386d5df7add1852d19c3abc594c1f388833727c5f119c76cb89cc57ba9e181650e1fa2ec1e3d9d325

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
3.1MB

MD5
b6b738a082c8bfdf9cf6f384d12af4c6

SHA1
6a8785d873e3606239ebb04af30ed13b86076aaa

SHA256
43a92cc497056c9262a3f42610fa78ea4f5299e96c81df6e2472da01a9b1e970

SHA512
1b4af3b9377ffb5c207998728d5b587a21d01ad36e66734c2f6c81692a14e5907f09b318f1bc4d30eb7224beade2c3c77d51851fc9daae6b8b4c08aa5bc312fe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
960KB

MD5
41f7d90fb7fccc42fb64c1179ff6730e

SHA1
6a589b0ea515ea55659aa4092a0d6c8e2550ab94

SHA256
7792b7f3ddcefb2fbb7c352ecbd5da6f782671437b009a5c1664cebc21106199

SHA512
aa27068a11ac79b8146d4acc3ed6f3ff097cece4c3fb6b8ccc25cd213eb5562ae3ae16d8ab26f0ae5ffd5ca9f8981a4e9f7558caecdc4bac6a7b2432ec8ac3ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f1c09d9a3c509d4138d355450d6b839d

SHA1
8c739bad7880d3f7b0c6b927df637f28ecb5cf96

SHA256
5a40fe70809a3f447f5dec0ccf7ed0d4ac8a4a4d4083955c387aff08a1a89757

SHA512
09f9c833adc93d1f2f9c677aeae0833951c30b0d9392390716f0b5355772bc5ef3625154b09f8368f67731f0f766173e1c256e34af2c0b3e7c8e4483bf59e68e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.3MB

MD5
0abc614055606edfa97404c0200137bc

SHA1
4fffb1c9ce789af4308a032636aa102d5c43ccd8

SHA256
2d69aacafef6f681a4b8c02b4db3b1a7d0969b2c469bfcb90f00c3036817372c

SHA512
e61251284f005a34255e9c9f9874906b1e49809d945d43c065fe4ae910a9db0eca738c412553139b40ac28adf906302c5eea0ec0ba4a4de4bd7b02f7f72c0c2d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
90d9b586143e9ec74adedf0df94e770b

SHA1
1769e3750d4eb9653921c644a21260b7def56b31

SHA256
149dbcb291f421d753a55b0440d75b94f6525886e2b3851573256a53aa69f76c

SHA512
12a166a5acb1e5935b823cab853ecaf4836457e3235f1e7c45c54d2579e6393d8a8ace71ffa9d7fd451b3f297114339cb3bd3a22dd4ecb92bb6e6f925503693b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
40077e58c61fad92519e140e0dc34022

SHA1
2cce66177530344f88e37eb84f0043be701bf444

SHA256
6e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0

SHA512
20e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
512KB

MD5
026396a4d40d932852100f0e1c2d76b0

SHA1
5237c0cd4b879b1ee2311b3f082ea8f2470a445b

SHA256
17db132651647b061063861136dc2e44522de4a2d8d46b59994ff367e1143dce

SHA512
cf264023f0b37f2e169d46b2ef9bd45a059ac08a228261d8ae32f03c6ed3aeb6316f76d7dea325cc1fda2c7dbab7706bcbcec5f529a036204c0af1e8e90f9360

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e2f46a44e13d3f989d96f577ac43151

SHA1
49ea680aefa0e6cd9abc24542e1673872bf00e68

SHA256
eb92d65aad36cd19840167a904aedb7332291668d8f3b304c02788abdf8f1e00

SHA512
b2086491397a57fec8ece9b17675fda047138949600e46c1f69e428fb5c58176e8439750bb6404a62f516403b2d2f3c7cd5d6e836df82d296ca9949bd44bc15a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
9353a2c67880e2d1dab3ac2308e8df5c

SHA1
6727ce2ad943c8145b090be0afbcdb91a761798c

SHA256
6261d6c02f099ad29eef2fe87182088d4940054e2f0357839e023079de9f1bff

SHA512
05b7f6101323931cf548a35fe9a4949471309650d96c1ecb26aafeea6e6235b4c9da4b2a1dcdd89e6440ff9aeeb4318498e55cea0b293a868125115239f19115

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
448KB

MD5
199e480dfa79a5e4306cd12b11a64fca

SHA1
3db5d4bc62b94a2a5bf661145a10894040496f00

SHA256
193780e6cad9261a88ba2c3ef10e088b0c8c48fc7be7a256c149db0a96c77928

SHA512
85df37ab4e434b7090fcc1e62ba0c03c6fdd60faf0c20ddb0e4b11311966b3033480e52e670e3f8b21f56b24556ab4e729b8de88fd12297b5fb9278a3729fc02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
180bb370cb015d2beb42afb7d7706c23

SHA1
54cdc71c2196b5a781e292a26bb38d9d58a216c3

SHA256
6a8600012f7af75d09b6460346c8f8144601aae084c52f22c4d82f1742f1de99

SHA512
ce057d64ef25f1e3fa4a6c04164d25332da83c0dad5da62ca63fdeab6c775785bfd1d5f4b7170bb7478f1b79f55e98e31ff409b96d0ea343fc22ff7ce4332973

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
499KB

MD5
63da0e3bcd93aef3c6771e01e2a3698e

SHA1
a498330f11163d6f33e919d9fcac1891f003089e

SHA256
9305243f3829ab01b46db1f8ea0263d07130800b39d8941160544bdc19fb84da

SHA512
7e87d11cf2bde1c518c461c74acd2963e25b1ac4368e73e20b6e4d555daa8125c39acc3bfe12bed94c4da9d50463fb7d873b06644b65192b0e9f2fcf01603765

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
05a7704df8590045409681936bee408f

SHA1
91b99ca698eea374e3cd8ae4a240eb63e5fdd0a5

SHA256
70314a0dc3544d397c4b75727ec63fc6533b583946f750b90d95782f74ff7239

SHA512
f7daec20df0e38b59e853be699a224e9ee5b10e21b53504a4db95b17c8837d8bf4d87b0cef94093a2a0e805a67fbaa6cb87baabb93c42bf86fa0ebd85e40916c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
31394d49aa62b234266067e136258b22

SHA1
d9c90ac0c4c3b92c51ce392cd3667379a4545224

SHA256
365d37246b559990659e254b8a955e4d17b4c0aaa69f6a9576d534668a74b84e

SHA512
71c72831c6167b49e4424b09a469fbf533761a5a77f85e82422441c13c860cccf611b5ccb89793a2037f052c51003d180812aefaa17f5550e2b36cb45f588b76

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
768KB

MD5
7f9a0f81044fa566c3800537dbdf6ca5

SHA1
d7a2203e884c5c6a51d8b401a318e6f6d99d5030

SHA256
94df49cb6eeb97d2edea13db46ab3a83c60ae175a25f5921e2094f037bc36647

SHA512
ef6ddff8456db595aa050fe2791da6f33a3dad56c8e745275c0d3276b103b0e68febbd3e324de01a7e513a9c409db2b51330cf3a9ef5fb31e3fc83f0e9bd6b0e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e3040cd6fdf8dc286c289ea4e1c249bb

SHA1
e0a48349f865a717cdcf3bfd928dca3c854f8f12

SHA256
78ab5ef2d4413fe1e7ca9c8d5ee9fc694ff520dc568b7f4c69926ae591de24f8

SHA512
32351b7b7577ff2b50f45666adf7d2f1bfd23886a4f30ab965c102ebfbf4c632594aa03e7aaf1a1e6335d0107111d1f707f909e34fb36fd1b7c76bb61f73d62e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
2985139b68d845f8e593da50f17da868

SHA1
7e798fcefc11d2d49e84ba10de69c5820e9a313e

SHA256
924f25f1e942717a19b3389346cc5a495c7ca9b296b7b8932e0a334ee61b22f8

SHA512
cb57fbbcc815b838222bfbcf0220abeeeff89a8b4ed50d81e012264a68c921fc9d049eec30ec7b222f8faf0c35217c34a65087fad21896f5d403c72edee5c18b

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
ba2e13be23ffecb4d9191f7eaf06d988

SHA1
cadc5686421125e5f4210590311a8d8a783344c0

SHA256
9ab40400644650d064b57ddc962341bc51daa91d45c1969f2df1d0db9559b305

SHA512
03650f85fbd44f5cb3926ef75ee07926f08327ab771f7469835ec8f0bb60e9228f3530c216a792cb7852bcb6fa091f92e3620149d362b2a3a173ce26f553985d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
38df96793160402062a225eb911620e8

SHA1
e201d1925e8993087ce2a83d56ada7b7bed40751

SHA256
9835958b8ed713da0db80f52a854a8cb3ac3ad4c282b775278b82f6e6e562c7c

SHA512
36f86aefea01fd63945d0416c6276ebd39ef9ae7f7957b77c66542ab4ed565f5c3a4ca3d0c0969af34646e06e7670fe2eedd4ba4c9fb2215e7fba6d3892f0868

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
5e39653b78e71603bacd7c7226294479

SHA1
484398a6dd3a3345d76e865b9d646b5ed7bf198e

SHA256
f29ed30dce4d6d353789c75463da0d731fd09680830163a58c9c9081c9a0d101

SHA512
2029359c96a08336d663facecc3b5e91f58cdcbb952ee7a1ebd61b19159f6be9686c015ce5888c61680f893d140676a865828be9ebd1c57493cbfabad92bfac4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
971KB

MD5
40dd72148bc71b7d69d5532180536c9f

SHA1
c939e7b7df11d9ece600537f11a4c79142c76cd4

SHA256
8839422d0f3633fe5e7e7961ee6b854ecfdffa92138c5946a3f68cd3759c496c

SHA512
7587af40fbb359d561e61f5b6c5ab3f57281c71f31336eeb11f1171399f8783358bbc589f0e90d57d12ab9a74fbaea1dd1bdad79241143c8611dbd55ecaae048

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
1df955a680bd5d1d23735f7a800540cc

SHA1
10ac1d41bf96648563cb70c1ccd9ceeed76736e9

SHA256
42f43e953c6888968d3fdaf8315a1f3e8efdbe5b413500feeed7a724e66e4c7f

SHA512
756d1401f1e37fe0c99a1376e8f1cabf5b60403212bacf1d4059a5dbc30c31873e7998736cada71693dcd607f8f0668d10ae1e13ec634b2e64e8cd2ae66b12ba

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
e7fbd196bfb322d0ac22befcb0dec7bb

SHA1
7404638cd026db76e8f20bc01f2b1700bae1e525

SHA256
9bc733ae92c736242a2e175f0a2fafab9a216ffca5a06c71e5f3a2ecf81f23f6

SHA512
683a02f21ee31ceab1195c69f9d1c520bc6d12f6aa7a2d4a7f894a5f3d6e7a84170bb906a2cf917cfff76caa70b9fb5b7c6d140d05bc76a6d602cda2a8255a7f

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
53209120dabd197a0f80f3b166fe9c02

SHA1
62d3ee65e4b8ab8ffa2a290db53cd6db840556dc

SHA256
f140369e0007bb43493608de52bdd5bc0451a6f5bc2bcb475681ab344671a158

SHA512
de31c72f4330338c3b46a8afa56c9883a249df1d5d5dc8bd7711fb3c1f42572d1c986d71b50c2732feaf5bcc0c735cb86cbba4766b398099e1236f810e4cebe3

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
af0cfe183014d3bc2cd10162c061d1de

SHA1
8686be75019e918596154983392972305453fabb

SHA256
ebe143336dd38ad6286ce6bc94df3a3fc08d52801154c86eb317e7015a77fb83

SHA512
a351e85a1088a42d3e5c7d9ce1594cd9dfc4ffb19faee0231d0aa2e8a73f720f2fe710d096133df1e0ee349a072eb689a4de9ffabc732b74cce90b8cb7933743

Download Submit
\Windows\System32\dllhost.exe

Filesize
553KB

MD5
e1c3f993b45f954f84add58359518e61

SHA1
dfc9272ba049f047dae400b74ac096ff925cb8c4

SHA256
5935c3cb9182510850fc4d268277b9e9a8036f1b27e940cf363545e441d351dd

SHA512
27fc3736b97566dc2c3ce8e39ae4ac9f1146b18267f27024829882598c353d0cb026949f2caa52a2b086c0482425b2f5c59762652d275c4b141deced1583e3a0

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
13d1281a5430a438fec83a947a745cc4

SHA1
2f3a51af09f5691c36394ad4045cb864aa09942d

SHA256
82f89de767fcb9554fc965308baeb730a73fc2109fc19c2b7e88ea7fea0da8d1

SHA512
48143ce3c82aab281db1f569e926ea23919329017755b4513409ebe2c3b6a382751b95239229c85f877ef6742a3e7e3e7f731c970f5ab75c96315fd87778c682

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
59e9bebbae75443b573934e2bd4de68e

SHA1
7dfc12fd2cbaff788fee5fe39aa64ff509db6b57

SHA256
2161d53f6a440dcf4cc54d6844b80e6043c5b408bc578bb0a68c93f4c32c0226

SHA512
8d89737d560aa57df97a75e1937e387f5bd673613437751da57020394e41639bdc328958cf10a3080fd9714fb186a7ae3f9efa30920a9563b98702e8ae73b9b3

Download Submit
\Windows\System32\msiexec.exe

Filesize
1024KB

MD5
0bfdfdbfdfa279e936a18b8065471040

SHA1
48b2b842d1daf9e603511bfcd2151b6e650b2d50

SHA256
fc3f9214548b73e8bcc28f260d6447b00bf2702c1bfc739659b509326baa43f1

SHA512
1611b3e52779e921c8e7fee0c97b8a326046fecf0a2193918eef8aa691becec7d808df2040ed650d7f259a4d9fd8481be2fc11942de55ef879582b289cd958e7

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0e3d6a2800bab956117e6fa3c8deeb07

SHA1
f852695aa2fbfd9bbb6937f567158d21a39604d9

SHA256
e9eb97974a205ea36dc97f4bb9e362ee38213da4e3639b45fa6cae995ce1d69e

SHA512
2b8822b1f46229066fcb6abb1b569bd960a86f35b31efc852194bec6f2b6d602494b42c471c6180df3913ae110df054058594c1324bb3fe7587e137d49827334

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
913983b9e1c851b9d5358c3e00d2107e

SHA1
2111fc59dea9b10a0505f3618e898faab5571099

SHA256
3cfa8801cd3034199bd3817885c099b7e65983e18d37a89211f633fdbc1f170d

SHA512
16a26bc97a0da519e800b7977d0beb4d5751aa65f8b174c84a469ac144067643af748f1e492b087a38617b8cfc477d3a2d78ce20661dcb46ab9ad539a1e97a32

Download Submit
\Windows\ehome\ehsched.exe

Filesize
320KB

MD5
711a9fef14a94adb145bf5f0dfb139af

SHA1
bc8a0698b35866b23956bb536167b3932d4d94d0

SHA256
67405453fba00803a2c71d64d47c568dd8e081bf5fc2cc49f624dc85686ed984

SHA512
4d66443df17baac6adb892fd8056ecf26c6cc1279a843830c2954e6411ddb2cd4789b75939945514881138bf4825a0d61e57be8d5b96b03cd6296c9a0bf6e9b2

Download Submit
memory/1540-307-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1540-162-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1540-168-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1540-160-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1556-366-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/1556-386-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/1556-385-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1556-358-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1732-340-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-184-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-183-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1732-191-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1732-281-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1732-353-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2056-13-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2056-159-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2056-20-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2056-71-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2056-72-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2148-7-0x0000000001E20000-0x0000000001E86000-memory.dmp

Filesize
408KB

Download
memory/2148-278-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2148-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2148-6-0x0000000001E20000-0x0000000001E86000-memory.dmp

Filesize
408KB

Download
memory/2148-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2148-1-0x0000000001E20000-0x0000000001E86000-memory.dmp

Filesize
408KB

Download
memory/2232-296-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2232-365-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2232-380-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-331-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-357-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2280-197-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2280-351-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2280-284-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2432-392-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2432-337-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2432-335-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2612-399-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2612-401-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2612-403-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2652-300-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2652-372-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2652-309-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2728-381-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/2728-375-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-175-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2728-107-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2728-108-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/2728-114-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/2752-350-0x0000000000AB0000-0x0000000000B16000-memory.dmp

Filesize
408KB

Download
memory/2752-349-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2752-397-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2780-123-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2780-177-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2780-130-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2780-122-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2792-334-0x000007FEF2B20000-0x000007FEF34BD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-390-0x000007FEF2B20000-0x000007FEF34BD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-332-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/2792-342-0x000007FEF2B20000-0x000007FEF34BD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-489-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/2792-388-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/2840-149-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2840-148-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2840-295-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2840-143-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2840-142-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2856-96-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2856-95-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2856-103-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2856-182-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2972-338-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2972-488-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-336-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2972-394-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2972-354-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download