07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
Size

1.8MB
MD5

ae6b7e429e8d58bfd8595410c18f64d5
SHA1

c2d8d0d723935d4d7c4a2abf3fcd5a5d09ca63c3
SHA256

07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c
SHA512

f7f13afbfe1b0e5ea25d1a0998ae9f196f5ea92dda4224b291ef91699abfc7f34f1e15a5c08ab72afaf2669ad397bf3fa21a260a34fdd89ea7807b27ca51b73a
SSDEEP

49152:Bx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAICks7R9L58UqFJjskU:BvbjVkjjCAzJhC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 50 IoCs

pid	Process
464	Process not Found
2608	alg.exe
576	aspnet_state.exe
1512	mscorsvw.exe
1732	mscorsvw.exe
1940	mscorsvw.exe
1524	mscorsvw.exe
3048	ehRecvr.exe
2796	ehsched.exe
2912	elevation_service.exe
2252	dllhost.exe
2684	GROOVE.EXE
2844	maintenanceservice.exe
1888	OSE.EXE
1884	OSPPSVC.EXE
1700	mscorsvw.exe
2780	mscorsvw.exe
1584	mscorsvw.exe
2716	mscorsvw.exe
312	mscorsvw.exe
1084	mscorsvw.exe
976	mscorsvw.exe
1672	mscorsvw.exe
952	mscorsvw.exe
2412	mscorsvw.exe
548	mscorsvw.exe
1152	mscorsvw.exe
2908	mscorsvw.exe
1580	mscorsvw.exe
2628	mscorsvw.exe
2440	mscorsvw.exe
2792	mscorsvw.exe
1668	mscorsvw.exe
884	mscorsvw.exe
1432	mscorsvw.exe
2260	mscorsvw.exe
3008	mscorsvw.exe
2100	mscorsvw.exe
2780	mscorsvw.exe
1172	mscorsvw.exe
344	mscorsvw.exe
2616	mscorsvw.exe
924	mscorsvw.exe
1732	mscorsvw.exe
1664	mscorsvw.exe
2736	mscorsvw.exe
2952	mscorsvw.exe
1916	mscorsvw.exe
1060	mscorsvw.exe
2576	mscorsvw.exe

Loads dropped DLL 11 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1664	mscorsvw.exe
1664	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
1060	mscorsvw.exe
1060	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\14681c2b4501ed38.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\psmachine.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\goopdateres_uk.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\goopdateres_es-419.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\goopdateres_fi.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\goopdate.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\GoogleCrashHandler64.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\goopdateres_hu.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\goopdateres_is.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D8B.tmp\goopdateres_pt-BR.dll	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe

Drops file in Windows directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CB46DF4B-7962-4F27-864A-F4E0E14E8147}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9933.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9DB6.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3BE.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CB46DF4B-7962-4F27-864A-F4E0E14E8147}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1364	ehRec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2184	07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: 33	3044	EhTray.exe
Token: SeIncBasePriorityPrivilege	3044	EhTray.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeDebugPrivilege	1364	ehRec.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: 33	3044	EhTray.exe
Token: SeIncBasePriorityPrivilege	3044	EhTray.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeDebugPrivilege	2608	alg.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeDebugPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1940	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3044	EhTray.exe
3044	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3044	EhTray.exe
3044	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1700	1940	mscorsvw.exe	44
PID 1940 wrote to memory of 1700	1940	mscorsvw.exe	44
PID 1940 wrote to memory of 1700	1940	mscorsvw.exe	44
PID 1940 wrote to memory of 1700	1940	mscorsvw.exe	44
PID 1940 wrote to memory of 2780	1940	mscorsvw.exe	45
PID 1940 wrote to memory of 2780	1940	mscorsvw.exe	45
PID 1940 wrote to memory of 2780	1940	mscorsvw.exe	45
PID 1940 wrote to memory of 2780	1940	mscorsvw.exe	45
PID 1940 wrote to memory of 1584	1940	mscorsvw.exe	46
PID 1940 wrote to memory of 1584	1940	mscorsvw.exe	46
PID 1940 wrote to memory of 1584	1940	mscorsvw.exe	46
PID 1940 wrote to memory of 1584	1940	mscorsvw.exe	46
PID 1940 wrote to memory of 2716	1940	mscorsvw.exe	47
PID 1940 wrote to memory of 2716	1940	mscorsvw.exe	47
PID 1940 wrote to memory of 2716	1940	mscorsvw.exe	47
PID 1940 wrote to memory of 2716	1940	mscorsvw.exe	47
PID 1940 wrote to memory of 312	1940	mscorsvw.exe	48
PID 1940 wrote to memory of 312	1940	mscorsvw.exe	48
PID 1940 wrote to memory of 312	1940	mscorsvw.exe	48
PID 1940 wrote to memory of 312	1940	mscorsvw.exe	48
PID 1940 wrote to memory of 1084	1940	mscorsvw.exe	49
PID 1940 wrote to memory of 1084	1940	mscorsvw.exe	49
PID 1940 wrote to memory of 1084	1940	mscorsvw.exe	49
PID 1940 wrote to memory of 1084	1940	mscorsvw.exe	49
PID 1940 wrote to memory of 976	1940	mscorsvw.exe	52
PID 1940 wrote to memory of 976	1940	mscorsvw.exe	52
PID 1940 wrote to memory of 976	1940	mscorsvw.exe	52
PID 1940 wrote to memory of 976	1940	mscorsvw.exe	52
PID 1940 wrote to memory of 1672	1940	mscorsvw.exe	53
PID 1940 wrote to memory of 1672	1940	mscorsvw.exe	53
PID 1940 wrote to memory of 1672	1940	mscorsvw.exe	53
PID 1940 wrote to memory of 1672	1940	mscorsvw.exe	53
PID 1940 wrote to memory of 952	1940	mscorsvw.exe	54
PID 1940 wrote to memory of 952	1940	mscorsvw.exe	54
PID 1940 wrote to memory of 952	1940	mscorsvw.exe	54
PID 1940 wrote to memory of 952	1940	mscorsvw.exe	54
PID 1940 wrote to memory of 2412	1940	mscorsvw.exe	55
PID 1940 wrote to memory of 2412	1940	mscorsvw.exe	55
PID 1940 wrote to memory of 2412	1940	mscorsvw.exe	55
PID 1940 wrote to memory of 2412	1940	mscorsvw.exe	55
PID 1940 wrote to memory of 548	1940	mscorsvw.exe	56
PID 1940 wrote to memory of 548	1940	mscorsvw.exe	56
PID 1940 wrote to memory of 548	1940	mscorsvw.exe	56
PID 1940 wrote to memory of 548	1940	mscorsvw.exe	56
PID 1940 wrote to memory of 1152	1940	mscorsvw.exe	57
PID 1940 wrote to memory of 1152	1940	mscorsvw.exe	57
PID 1940 wrote to memory of 1152	1940	mscorsvw.exe	57
PID 1940 wrote to memory of 1152	1940	mscorsvw.exe	57
PID 1940 wrote to memory of 2908	1940	mscorsvw.exe	58
PID 1940 wrote to memory of 2908	1940	mscorsvw.exe	58
PID 1940 wrote to memory of 2908	1940	mscorsvw.exe	58
PID 1940 wrote to memory of 2908	1940	mscorsvw.exe	58
PID 1940 wrote to memory of 1580	1940	mscorsvw.exe	59
PID 1940 wrote to memory of 1580	1940	mscorsvw.exe	59
PID 1940 wrote to memory of 1580	1940	mscorsvw.exe	59
PID 1940 wrote to memory of 1580	1940	mscorsvw.exe	59
PID 1940 wrote to memory of 2628	1940	mscorsvw.exe	60
PID 1940 wrote to memory of 2628	1940	mscorsvw.exe	60
PID 1940 wrote to memory of 2628	1940	mscorsvw.exe	60
PID 1940 wrote to memory of 2628	1940	mscorsvw.exe	60
PID 1940 wrote to memory of 2440	1940	mscorsvw.exe	61
PID 1940 wrote to memory of 2440	1940	mscorsvw.exe	61
PID 1940 wrote to memory of 2440	1940	mscorsvw.exe	61
PID 1940 wrote to memory of 2440	1940	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe
"C:\Users\Admin\AppData\Local\Temp\07b640997151e0a83dafd6ed0034e53ce7a4ff1f7e5fb70c52b4359e996d5a4c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1512

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 24c -NGENProcess 248 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1ec -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 240 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1ec -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 27c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 284 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 240 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1ec -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 248 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 290 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 294 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 28c -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a4 -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 1ec -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 274 -NGENProcess 29c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 2b0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 290 -NGENProcess 2d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 290 -NGENProcess 2d0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1cc -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 290 -NGENProcess 2e8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2e8 -NGENProcess 1cc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 290 -NGENProcess 2f4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1172

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3048

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2252

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2844

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
c27faa334495205adcad4ebaee3d9edd

SHA1
63b054fdbd8eadebcf0e532ff0242d8eae40b3f1

SHA256
360dad15f2dc19ac9b3b609f7dcad75d65a9605f8b64941ebd70fd2009e00e7d

SHA512
87c9681ba92dd0395a178a6951eb1930b6f98bbcb02c981dba4c28764b4f92eb77637c4023f2f6680cd607d85fe232909dbc61425fa5db1ed292a3052c76c789

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
42786eb4375f8d6c243b3908500672b1

SHA1
819f7fa686a5dd25a82ce9acc13c84a6728baab4

SHA256
c6407c9aefea920c2d975c11ef2019f9cce6637a48076e336504863180292166

SHA512
fd6eb1b0d01fce57612b48f2cd57e572d9a5317bd1a9e01bcd667e07bcef5b521a3b1ea40ba34b40316f80f430a8249057eb6a9a3f64d341222308616c66d7de

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
811a28471fca50c3a67b564f22af6729

SHA1
58e27765972ba98d110fed97802819d8d9f0f4c8

SHA256
45f344b24e26e1e6f735c2f0ab475d0560e77c1fccca6fe2ddebc2df1d2922a2

SHA512
f391f1af394ee87b45dc73333772308421765206a0b5115453561719df0075688b95b3e279d0981fb4d0b7e00fdfcca9f0eb49fbbbcb1a52a09c5165418e9542

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
2c52e83f1c24a591350dad5ad3b94135

SHA1
f420554736fc3a05465a43ebe9fba799312b2d35

SHA256
504521d08a09366c55bb16e5c15b1ff962a25901de01fac1618bf0f04c75bb47

SHA512
f1d0a50ca4ad4751bee6705b61692d06f49a4216d006530510be74b24c5ea700e024029b0d43c206ec9133f25637e87e8da2baa11910c23a7c59dfb4d90d8a2b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
84dae9f314d9638da215135b99cbd278

SHA1
54040f5749b162f09df7d3a5a515dc3b3827a0f0

SHA256
f8cf3d367ecf3ed6e8c772b502ba8dcac355d489b6f8124195c87b03c0707957

SHA512
c8aff798bf68136c0e62e8462c0ed4b427750f339dd85714329498ba280079d2dbd5cc5eea708de13491f20470bff51369124be1bf01211d97bff2afe5a3ac35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
8.9MB

MD5
c822b135c199d69e676ac5da5f7d0ceb

SHA1
ff34f8a04024d25a808e91390d387d02ef638a0d

SHA256
9e3ff335c93647c5ca0c1c77ce444ddf714472c644bf1a9d9f404cde1c718a75

SHA512
c24570ccf5591044c5631da9d29a7dd0eaa9e1b9022ce9725825c81ae75a7e14177079d9029d7270a516d99b91e5146c91dd4e56eaaac1d89666993e0b419614

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
6acee5c575e61ed6a24559f4ff67d7c9

SHA1
77fdecf342d4980c13f8ee89512ccf4669539be3

SHA256
7badd86a7b94abc413d841c1306e3695e291b89f9f4621dd54dafa5b84b0f106

SHA512
59d411675b3fd2eb02824403c4331367bac343b7cd8fd78d60d2ccbe000b0dc8377cc8e04c535726156f663f9ca5f8149291366a206df73d4958c24dc2f57de0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
991e35a82825b8277ae1489cea34ee33

SHA1
21a0df9b780b6eede1a973f80fc51a944e21cf2d

SHA256
cc7b5bb74aee33fb25da9ff839339d7950bbe7d6bc634b30b51c21d4ea462be1

SHA512
189ee174792469689bab2dc5944437c9a1374180ffe44da5567b5c8025548174b957017f49d6949bbeb9350035e1e24e9176f7c81a0316b5e8f7d62195d281cc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
58a864aaee84bf668535873c9fd2b7f3

SHA1
bbf2b9529c48a81ba36ba4a9fda6a25e0da57bde

SHA256
a37e15670ffaafda321b98327039bcb2fe3cd03d751a3065593dd458a86c84b2

SHA512
6bc3a265b4462e5964f5b3ee4c05db4267d4ec6df19553862303d03fd8dc8f44115d6383a3141d920cf05dc9e0c793c1d97e1f0abd3b9f14773c170c7801d6fb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b7b53d166e523c9b4c10629baa0ca1bd

SHA1
618027c2ff74f9dd168acde2efae8b248d4074e5

SHA256
464ccab337b63e23f1885546707d07bd91a78e9c719f2f113786accfcf21ee00

SHA512
e35136cf0b9f9f38d777757ae8db7326d54b1f7c3bca855f99319fddf93220d9c51d6ecf044acc56803fd13f64f274513467376e2773f77456e99a0f9da8284e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
6a6363fda57c4fcbda5676ab8fe4bfdb

SHA1
c2c6910ca6873ced2a87cd834377e02a2605df07

SHA256
d3701290a844cdcc16566469de732e1878ec77a0b99854c5075602dd0d9eddba

SHA512
52489671f407ea278cc0ce1cc16a57c654697ec168c0da4eb138d2bb01c3bf89ed4287aaf1c0f6233850c84d802527f23d4fedf602256b7f6e1c45127c2a2c4a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.1MB

MD5
dec84c4031d7e81950df669cb322c17b

SHA1
5bf95670eb5eaff07e787a80462906249e9c1d96

SHA256
9c013a2912023fc96361b553ce3e9df6fbb224f2f8bbb6ca28a018968afe6e93

SHA512
0744404c4a5b502cafe6cb7d673afad75ea63a6b65c61df654ac73487ee7a8e984ec6f44ad29ca6ceac3b3fdbe785b24b32e396752a2941309c14e68d3d61f81

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
737de0eaa5436fc1aff70c65ea6d5b04

SHA1
22df3cbefa21a00cec714161de8a27da8298ca85

SHA256
ada0e09ce44bc873ac14de829f738d14e8536fbbf33e64552d311a458dedf4d2

SHA512
28cd3a2df4cffaf9c8a9cb067d23031150b013b99feae64c139eba7629b82296708941c67823b0fdacb2320f5e0daf54cfed50f9fb0a9fa8278f821744f43be2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
b3b68440c953ad4a9d2f96753e703f89

SHA1
0686cbf6d6cc1787074523a3853d8d7978b35ba1

SHA256
45554a77588a23142dc75a9d35053a49546aeff4d987a88b5fa1d408cf9f7cbe

SHA512
3091a76b51a6fccf5be0e442ef895de6278978f6f4d91f20f76950b69397eaee5d21699f30cddf18506b04f30c7ae95795bc00c160a63076d0484b976c2a9909

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
5f34f9b712eac58d4c260f070c5c302e

SHA1
9938dfa33d534c3e477e0283fba923f922987311

SHA256
aff514d7e36e748c039ffb92839889e980a449837358b7fcdabfe3ca2f3e826e

SHA512
ccfe59d614322ce4b53093fda890c1d5defdb6dfd326656bc8af11b7e3d24602576630b884102c233bf30463db53a21a0d6e0a6c82729fd83703feb437ab096b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
192KB

MD5
b6114354e5a8aba85dfd92be6df7f97d

SHA1
1969f564712f60e458e399c7caa860943b73fcb7

SHA256
ff04c47ebab19e057706849b7d7fa67c1474560783e677d810d167f88749a032

SHA512
b89eade430aaa0517235bc6e121861036af38c4b3c3542f29a34b2a59959c6e8fe02017c480c24de7fe3a4738107f2ea989e7da75c12b358248ec108bafbe2a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
a7470496ca1b05dbed5f967647da773e

SHA1
1b1d0f919f3c5ce75fea4dc057c2b7fceb863086

SHA256
af5e8a75545dba92a8c3e12647bd166ac284bf0edaa4f790984bdc9c63398997

SHA512
119588919d6d6e83414059ef7e809952641338b03cc3ffdf8d7e1887f1fbb08971633664fe5f5e4257dac3eb8c756b5933f84de85a5bf0108b0a2b914cbcdf9d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
790KB

MD5
14f7c190756e9835a71f877d5d9df30f

SHA1
c82d5218660dde2af17ab713b9a1b9c2fb618ba2

SHA256
18db8cea91f93cc29a498d2bc5feb20d0758e56dc0f37bd4a5a867acb4bbbd28

SHA512
2ccd786d32866e04d8d0eee4596179a1a515884743b130b7fb6b37de3a8e7a08bd85885ccc5c08290a49c80c376abb7921821d17f235ff0d5e6b0499abf1808f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
d36b5731ea98c00cced4a901c9fc5ef9

SHA1
7f575521d3866c257659645161277981150c994e

SHA256
c0d5d1176b4673a8690e3f42054aaf583d76fd9320920a15d4e2458c5dddaa8c

SHA512
eb3c953bcd3818d6fd054a8c382289c4e0cfbe144a98e523782bfe8907dd4fe6936fcf10608191a7668c11069c5ba70461c9489eed0825ef656445b549ac234b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
a9fdfa45822c151f38eb980c5e38598a

SHA1
77dd14c6a690ed97ee764398033b327c5fe95d42

SHA256
63a95585d970c0ab5b60d16343ee571e178e85ce78827a5bce04910861e568e5

SHA512
653b792e174ff093554a747d72ab89806a24e83398cf952a7401a1fea87d4ceabcf4082f7785b4c828fddd53f5d1f5c01a7ae9051e7ca81bfb03aa022af4f3ff

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
153c7c5f75ad964b8393e2333ad604f2

SHA1
bc84ff9f60dda5148a7965075cad4be2eb3fc403

SHA256
9b92025a322ed1a2e55bbde7d275b627321eddb7359c528bab672e3a8268540e

SHA512
94d5be728d470eb4515679086d3bba6a87f21c7e0c07090bafb3631d93d8ad7ecdcf1948ddc982f34195735ac3097c19ef1756a4507ff4d1b94413e1a96bfe01

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ffbbe3931ddf5d22b302bc171cfab0f3

SHA1
c33b08bd11c57ae50dfa8e767d9dbbcde6787631

SHA256
1a824b4c200990b29ace35f713185e7bd46d5b9a2af457c190d0d83271b93edd

SHA512
dd515169ae90c9a6ad557c965ec3fa70e302cd19dace10a5ab05b43a55753907111476d03121d513f267bd6bde47e0a510fb47dc1128bf2cd81593441621b70f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
960KB

MD5
1099290630e0b05a4378b4ccfa4c5ea1

SHA1
520f4bd222ba625af7c27b4172dd2827966ef48e

SHA256
f03e3adb51223bafbc3bb1b8e34c6dddf1db09c18c902455eb67e85d820c007c

SHA512
e5745ace9c345ac1f17800a8f7d1dbec7b5338cd441ae00d2c88998e8ff5318db4790639c5035f4c2367dd4929a8b0fdd51b9d2a0d0296c7a4bd388e282e623e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1024KB

MD5
be910414216654780ee18ff6d8ffdf83

SHA1
68c260f62d742d09738d14a8acad2500fa77cef1

SHA256
70a60efa81ad64b170fcdc932b25123744c11fce95c2e18f7e44962ee3736f49

SHA512
cae4d28df4f415609064372745fe3b5190ab87e8a41c46a2b16a9087e640d24f29c932647010561e25fe969cb9b19289a8ec7b4c5c4becc47be6493623078e1f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
3604f10912a2f48aff9285d9033ba7df

SHA1
64f759f82a164cc30a5aee46aa6d4456b14efaca

SHA256
92f315a48a1aa1883123f546b2be22db5eb7f2f46c05fb7586a9bda49554b950

SHA512
9ad04bf87d530e6e62a1e2436fe0c3331afe710e63ff720d822ac77c09a00649e3920eef881e3a8364e34e760ed9f6299e5389c055f583dd3b005d725d86559a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
bdc04215898732770b30731c1f31b12a

SHA1
e060619ce3f808eb27491d06a278f96cf85ffd55

SHA256
7bf9622a0e9c45b914f835886a0b05f1bdd332fd70b96ea6da86b29fd82344fb

SHA512
d9636be7669e7db8a7d43e82b123e44a615531bac83857b92d56ecbd33fb9fea9855da7f511d8a89a7e6483fbd9f23e2813148adb381716fa458c8a688f91d09

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
768KB

MD5
e495d530c5ca90425445968d3efa702c

SHA1
12e543fb4040fbbb6408c8477d53e860095b0afa

SHA256
1273f022e32142f845d84f75b0e0591a505f9d50984c6772ce3fcc19297ad81e

SHA512
746242aabe4a0ab93e38c0ab22ba1a4595816e800c235a211ab858966cfd62c82611f6edb2dd8537a0c674389df3424f25ca692cc305a7346437ea6a6d184624

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
4aac2028d5c6bd6356bb0e692123c439

SHA1
de4f4e0ce73ebdaabb16d53d10eb72ebae8f493e

SHA256
d5d629f7c577bfbb3f3e18279e282a4c0820b25ea20de0edafbe8d89ab0f72e9

SHA512
0d62bddc32b27a2a0a686bce0f7239a9cd161f9ef0393fe55bd84d6a1189180570af7233bc306b4385db3c785214ac2aa776f0c56b1394905ddd548da8f53813

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ff94c63c4aa15626ab7299cc68d8ef98

SHA1
4d14137134799e6526b5e7e671d07c5db1662a30

SHA256
a42cd15520d9d63417775aa20424764ec80401083284f0f2f58b4fc4607311cb

SHA512
2fc8aa820fcbcc073c0fd08ac82f43060078a5987f52450c6e3fb1550b53f0d7d377b78fa6419fb985b77080f1b674fc33693f2d3057767cb9d5823633e575f8

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
f9fb5fe966817b3156715296e7b5942d

SHA1
ef8bec3adbbecc5693d09bd8ba7afac3b04cd412

SHA256
6e7b8aa1cc64506c111dd77d31c71049c95759502a82cb1ae972e01b78554839

SHA512
3dd44b57476b04e381e2e13f05d22cbf50c7dd491b2614c26388f1cdfd630432bfaba2582bf19efc17ed4724968b4e5025ac7252a4a6d1dd018386e86d029cee

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
56e21b45891cdc42df762db1cc669008

SHA1
a8a982591d860c343e37315f32cd2101d9fc5a44

SHA256
c481c6f8721c0f898f4852d98ce14a02f84ffc31971700ade563ad2ed79ecce8

SHA512
7b1216b9bdc7ee850379a4e33c1fc2538b0c0f8d741beab33fa245be909a34683e5750c4064c399c2bce7dcdbd31f09df415faeec8f81127956e70c65f45bd53

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
247b1bb56d3110de57d40c8da8a0c3d6

SHA1
7199db8bee4682d12b4895caf73de852c779728d

SHA256
86e7b4fedb62bb338a60f3e0197b879695fa0fdabcb762babebdfa306adada03

SHA512
2c1e43f2fee05a984a951d8c512be30e4a4185af3973e78546723ebbc575973fd238f719a26529477dd7dd651442f5b23e0343d645819638af2376d821185596

Download Submit
memory/576-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/576-173-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1364-290-0x000007FEF4D80000-0x000007FEF571D000-memory.dmp

Filesize
9.6MB

Download
memory/1364-285-0x000007FEF4D80000-0x000007FEF571D000-memory.dmp

Filesize
9.6MB

Download
memory/1364-338-0x00000000009C0000-0x0000000000A40000-memory.dmp

Filesize
512KB

Download
memory/1364-341-0x000007FEF4D80000-0x000007FEF571D000-memory.dmp

Filesize
9.6MB

Download
memory/1364-286-0x00000000009C0000-0x0000000000A40000-memory.dmp

Filesize
512KB

Download
memory/1364-348-0x00000000009C0000-0x0000000000A40000-memory.dmp

Filesize
512KB

Download
memory/1364-352-0x000007FEF4D80000-0x000007FEF571D000-memory.dmp

Filesize
9.6MB

Download
memory/1364-425-0x00000000009C0000-0x0000000000A40000-memory.dmp

Filesize
512KB

Download
memory/1364-427-0x00000000009C0000-0x0000000000A40000-memory.dmp

Filesize
512KB

Download
memory/1512-122-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1512-104-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1512-98-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1512-97-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1524-149-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1524-143-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-142-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1524-289-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-462-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1584-468-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1700-378-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-367-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1700-415-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-414-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1700-373-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1732-114-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1732-168-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1884-351-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1884-354-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1884-437-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1884-358-0x0000000074738000-0x000000007474D000-memory.dmp

Filesize
84KB

Download
memory/1884-344-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1888-335-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1888-326-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1888-384-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1940-124-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1940-125-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1940-273-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1940-131-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2184-1-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2184-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2184-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2184-265-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2184-7-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2184-6-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2252-288-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2252-287-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2608-158-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2608-88-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2608-62-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2608-59-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2684-353-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2684-303-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2684-299-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2780-469-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-387-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-443-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-407-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2796-174-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2796-181-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2796-175-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2796-315-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2844-317-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2844-306-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2844-324-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2844-323-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2912-190-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2912-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2912-337-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2912-271-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/3048-160-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-184-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/3048-185-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/3048-186-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3048-334-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3048-159-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3048-301-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-166-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download