7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 22:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
Size

1.3MB
MD5

25df8f6b370771098269fdf88f8d85eb
SHA1

8e61fff795cde5adeaa94be872d5860317a2bb28
SHA256

7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af
SHA512

c3b4ce29651fa6e3febb23347428787ba8465c6bbada918e1fa57857723f987aa16d018f91134899b82759ac78ab26a4fe7a38b84ad4d74cc3072c662d1c48c0
SSDEEP

24576:4z2DWZ1N3RUDHNmdPCAaq8Nozgi/rE0TOj:k8HNUPCAaq8Wdo0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 57 IoCs

pid	Process
464	Process not Found
1792	alg.exe
2348	aspnet_state.exe
2552	mscorsvw.exe
2436	mscorsvw.exe
2768	mscorsvw.exe
1876	mscorsvw.exe
2772	ehRecvr.exe
276	ehsched.exe
2408	elevation_service.exe
1232	mscorsvw.exe
2208	mscorsvw.exe
2960	mscorsvw.exe
3012	mscorsvw.exe
2600	mscorsvw.exe
3020	mscorsvw.exe
2668	mscorsvw.exe
1480	mscorsvw.exe
1608	mscorsvw.exe
2548	mscorsvw.exe
1972	mscorsvw.exe
1168	mscorsvw.exe
1648	mscorsvw.exe
2888	mscorsvw.exe
2944	mscorsvw.exe
2580	mscorsvw.exe
2608	mscorsvw.exe
620	mscorsvw.exe
2332	mscorsvw.exe
1652	dllhost.exe
2808	mscorsvw.exe
788	GROOVE.EXE
908	maintenanceservice.exe
1824	mscorsvw.exe
2168	OSE.EXE
2028	OSPPSVC.EXE
1960	mscorsvw.exe
848	mscorsvw.exe
2856	mscorsvw.exe
2656	mscorsvw.exe
2696	mscorsvw.exe
1508	mscorsvw.exe
2380	mscorsvw.exe
2940	mscorsvw.exe
1236	IEEtwCollector.exe
1616	msdtc.exe
2680	msiexec.exe
1680	perfhost.exe
1564	locator.exe
1668	snmptrap.exe
2596	vds.exe
2128	vssvc.exe
2760	wbengine.exe
1744	WmiApSrv.exe
1460	wmpnetwk.exe
1704	SearchIndexer.exe
1528	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2680	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2eb480a89a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{89C4F14B-4003-4E4F-9969-A2103971EDD4}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7377454D-20EE-402D-9691-D344250F33AA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7377454D-20EE-402D-9691-D344250F33AA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{B090796A-641A-4AA2-A771-1756F0F27904}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1072	ehRec.exe
2348	aspnet_state.exe
2348	aspnet_state.exe
2348	aspnet_state.exe
2348	aspnet_state.exe
2348	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2720	7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: 33	1508	EhTray.exe
Token: SeIncBasePriorityPrivilege	1508	EhTray.exe
Token: SeDebugPrivilege	1072	ehRec.exe
Token: 33	1508	EhTray.exe
Token: SeIncBasePriorityPrivilege	1508	EhTray.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeDebugPrivilege	1792	alg.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2348	aspnet_state.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	2680	msiexec.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeBackupPrivilege	2128	vssvc.exe
Token: SeRestorePrivilege	2128	vssvc.exe
Token: SeAuditPrivilege	2128	vssvc.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeBackupPrivilege	2760	wbengine.exe
Token: SeRestorePrivilege	2760	wbengine.exe
Token: SeSecurityPrivilege	2760	wbengine.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeDebugPrivilege	2348	aspnet_state.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1508	EhTray.exe
1508	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1508	EhTray.exe
1508	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1232	1876	mscorsvw.exe	39
PID 1876 wrote to memory of 1232	1876	mscorsvw.exe	39
PID 1876 wrote to memory of 1232	1876	mscorsvw.exe	39
PID 1876 wrote to memory of 2208	1876	mscorsvw.exe	40
PID 1876 wrote to memory of 2208	1876	mscorsvw.exe	40
PID 1876 wrote to memory of 2208	1876	mscorsvw.exe	40
PID 2768 wrote to memory of 2960	2768	mscorsvw.exe	41
PID 2768 wrote to memory of 2960	2768	mscorsvw.exe	41
PID 2768 wrote to memory of 2960	2768	mscorsvw.exe	41
PID 2768 wrote to memory of 2960	2768	mscorsvw.exe	41
PID 2768 wrote to memory of 3012	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 3012	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 3012	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 3012	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 2600	2768	mscorsvw.exe	43
PID 2768 wrote to memory of 2600	2768	mscorsvw.exe	43
PID 2768 wrote to memory of 2600	2768	mscorsvw.exe	43
PID 2768 wrote to memory of 2600	2768	mscorsvw.exe	43
PID 2768 wrote to memory of 3020	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 3020	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 3020	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 3020	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 2668	2768	mscorsvw.exe	45
PID 2768 wrote to memory of 2668	2768	mscorsvw.exe	45
PID 2768 wrote to memory of 2668	2768	mscorsvw.exe	45
PID 2768 wrote to memory of 2668	2768	mscorsvw.exe	45
PID 2768 wrote to memory of 1480	2768	mscorsvw.exe	46
PID 2768 wrote to memory of 1480	2768	mscorsvw.exe	46
PID 2768 wrote to memory of 1480	2768	mscorsvw.exe	46
PID 2768 wrote to memory of 1480	2768	mscorsvw.exe	46
PID 2768 wrote to memory of 1608	2768	mscorsvw.exe	47
PID 2768 wrote to memory of 1608	2768	mscorsvw.exe	47
PID 2768 wrote to memory of 1608	2768	mscorsvw.exe	47
PID 2768 wrote to memory of 1608	2768	mscorsvw.exe	47
PID 2768 wrote to memory of 2548	2768	mscorsvw.exe	48
PID 2768 wrote to memory of 2548	2768	mscorsvw.exe	48
PID 2768 wrote to memory of 2548	2768	mscorsvw.exe	48
PID 2768 wrote to memory of 2548	2768	mscorsvw.exe	48
PID 2768 wrote to memory of 1972	2768	mscorsvw.exe	49
PID 2768 wrote to memory of 1972	2768	mscorsvw.exe	49
PID 2768 wrote to memory of 1972	2768	mscorsvw.exe	49
PID 2768 wrote to memory of 1972	2768	mscorsvw.exe	49
PID 2768 wrote to memory of 1168	2768	mscorsvw.exe	50
PID 2768 wrote to memory of 1168	2768	mscorsvw.exe	50
PID 2768 wrote to memory of 1168	2768	mscorsvw.exe	50
PID 2768 wrote to memory of 1168	2768	mscorsvw.exe	50
PID 2768 wrote to memory of 1648	2768	mscorsvw.exe	51
PID 2768 wrote to memory of 1648	2768	mscorsvw.exe	51
PID 2768 wrote to memory of 1648	2768	mscorsvw.exe	51
PID 2768 wrote to memory of 1648	2768	mscorsvw.exe	51
PID 2768 wrote to memory of 2888	2768	mscorsvw.exe	52
PID 2768 wrote to memory of 2888	2768	mscorsvw.exe	52
PID 2768 wrote to memory of 2888	2768	mscorsvw.exe	52
PID 2768 wrote to memory of 2888	2768	mscorsvw.exe	52
PID 2768 wrote to memory of 2944	2768	mscorsvw.exe	53
PID 2768 wrote to memory of 2944	2768	mscorsvw.exe	53
PID 2768 wrote to memory of 2944	2768	mscorsvw.exe	53
PID 2768 wrote to memory of 2944	2768	mscorsvw.exe	53
PID 2768 wrote to memory of 2580	2768	mscorsvw.exe	54
PID 2768 wrote to memory of 2580	2768	mscorsvw.exe	54
PID 2768 wrote to memory of 2580	2768	mscorsvw.exe	54
PID 2768 wrote to memory of 2580	2768	mscorsvw.exe	54
PID 2768 wrote to memory of 2608	2768	mscorsvw.exe	55
PID 2768 wrote to memory of 2608	2768	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe
"C:\Users\Admin\AppData\Local\Temp\7185506f49c41797d120f409714f3c433d7102ec222ec9369cf9485fdbbcf7af.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2552

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 234 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 248 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 234 -NGENProcess 264 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1d8 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 24c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 264 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 248 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 264 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1d8 -NGENProcess 23c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 23c -NGENProcess 1d8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e4 -NGENProcess 208 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1b0 -NGENProcess 1e4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 258 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2772

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:276

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1652

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:908

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2168

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2028

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1704
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
0265c73f25ec7a07227e49d8589e8f0e

SHA1
74ccd47653ad95a998d31f9a3d11b54b29143e89

SHA256
8c9bf5fd57d3606e9cf12b8647bc48e2299f5f7a2eacfea812f4957dcac9c2a2

SHA512
82d488ec3460b63f501b313a5381ebe9c3bcdd6364b4aa75e688e6a5b762bae089a6249113b6976baa6bd35e05945eb9eb0be076d04eea0a86f07cc28c36e835

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
5.7MB

MD5
a8d5244e3017a7e2a45f601d4836cf86

SHA1
8dae22822d3e5761d6356464124377ee84a31eb8

SHA256
2b92d361757d1c296e70f47f867ae227f8d874c445a264a60367805ff07e7925

SHA512
f75a3ee9a7ebd08ad6b67121924e933dbe4bed5bcaf96f8ae61c53c53b2d2b5918cb4fbe4528bfd9175abae03b7b1b10c384d46245294eaa1e7cacebce97f8d9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e8dff42c4f7c2d23076ab93a1d7abd58

SHA1
4905163887f22af15302f9c00bffdb60a01da646

SHA256
056bfcf952a7125d290bd0dac65803bee4093ef0638e25fe12ea1bbf73049b3d

SHA512
19d61a0ac19b47eda0a4dc452d2d7405fb39f772a2db890396cc0b8db5b23a41850794c6dd253678dc073a8075e1e3da6869ac66e58bc82a14ab5d1c527d9565

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
5d2e1426222c0aa6af693eaa98bdd976

SHA1
41848c6dc8634bc3f8353d91a36813f976d54ede

SHA256
64a3c385e2ee11112fa15608e70fdf7a61cde74a32f4d4fd481a08bd0d3a9f69

SHA512
44317c6560a852fa16f2b3d65f4ec405a1edc2d1157b4a7ee4b3764c29f5d9cfeb001766dce6134df5c535706398487edf69d971d1cbb0cdc0139d0982eba74f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
406KB

MD5
1bba6c1ee27c8f40de83c23a990166fd

SHA1
92321b5ddd431b992a0a922d3680a8f4870f9cc4

SHA256
63cb7e894362d1075fb517e4f6ddbd8999f8c681dc3d61aec9214b99ab287687

SHA512
8eb09c811f5220e71142b77bb4b9c8f804e3db4157397d512b1ecf0e0cc8b36072ad2d02b384958cac1d36bd1ac3d5bd28c46b07c15c40599e26e6ee165ffa1e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
21ddbf9575749c395a19db5429e8e72e

SHA1
ef2c4aea4861f4c4977a0e209a9ee134ab564248

SHA256
a42f1c8144ab1fec4b912f2d08cfd600e6bb642c04f204ad361fdacf5e157c8d

SHA512
083da944d8c928e23c52178e80368659d728b4e50d3289696374a84d8869f1dc18b2ddc3f2e701b33ec7074e6f554e204fbb1aea0fef233168bed8b866142c94

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
147KB

MD5
c7c821c6b7d2c163e719049b34d87759

SHA1
a5057c07fba4d55cd0eacb5ff834d3947ffe377f

SHA256
2c9988d6bd1ded5b063b04d86fc78d829706dd92dd03fc984cf0af885f3508b9

SHA512
f6b671f43a1b2886eabeb12c7e685d93143a47802525f0ffa7741f0bad1aaf8f3bdbe4e464c087989ec386b92e20c948f2022cdc02b8cbe88ef27509c3dfa50f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
341KB

MD5
8eaa894c1cabba6038d61c39a27533c9

SHA1
0ec844533b2e19585d0070dbb30836162abaadb3

SHA256
e1a1b46bfe7897f819caa64b063e52328aa736881940bd1fca2a7a33ca26e7b8

SHA512
3ff4da823781595c7277a9bb60afcfa30630ca9376893f2351716486125486a4ba4beed3033ad47b6e7cb369c14d36ad4de6f3abd77fe67a5c0f43a6756b1f7b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
463KB

MD5
851df160969bdf8465557920fc1b46d6

SHA1
3b2d4c7f2807b9627305333be550613fd3593e1b

SHA256
6c61a5b1cb53cbaca86f1ea56a4e8266deb8b7d684ac8e9badf3a31d8e222b28

SHA512
855386f07dec5ba7b9357fbfedf2a1ee17a4ad866ef295bcd054e95d67c30b8cdc7b79ce3bb07948d1dd112c09b3d6e8efd4a041ba500a477eedbc316f39c50f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
953KB

MD5
33f6fcffb22a4c63394b118d0c61cd1a

SHA1
7338106663db5a217325f513da2e6645868f4f38

SHA256
82b27740e3ab12ec46a38652ec2077515961e73a628ee409b0313ba3d8142cf1

SHA512
9e8fa8bdbbd99de5b7136e738df2025c994212158af2d32ce5e8674f12a15d5bf99ff87ee33d03c3cba5a5a9b900dc734517d08ff34b3f80c6edbdcfd4f88227

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
193KB

MD5
a31de697a7417ef0f21f4555d8a6ba65

SHA1
afc78ac9eecd37acfbb1d92a391071a2d1f201f5

SHA256
978556177d001b94452d586a73049fe046d33d221baf7d58b7632d1001a61864

SHA512
7ec6a5d8108189f3bc17dd7f588a500aeda54c0f70fd8012497a7c8756dda3f820ec2a416e2e89d2cc6b116d96e394c471c732a981de8798fe9a18d725b704e4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
704KB

MD5
e88df7c4d7b893f23e43357f183db0a6

SHA1
465b9490822ea4fefd593b20cbf1a9b9055db214

SHA256
605e64aad8fddc0f6447dea39d3de7705b0b234a8fdbf0b90609978a1ddaaac0

SHA512
59e48f0ddd2c23e0bcb4c2097efc44615c88677d520c9b760fa680194d0869aa631b4b22fab434539ab9d2da0342a97c7ac4ab20de273d2a82f202a0b46b71c2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
20559f495ccdcb8fd5e9fc738efa6fa1

SHA1
5683c938531118fd6140d8fc31d1f07d3d58b783

SHA256
f51e3851f61556a05ac2e352230d69fc08c84a3c8a4e1af66fcc6351cda784ff

SHA512
4b7e75585a81391df6d0384908141307f10a2ff4f0997f92319b931d643f1b736ff56be0e9224d4c1f994d1c778bd8f01aaaebf57a55632069d474b5e5e616e0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
376KB

MD5
7f816fae3f4d9bb79a744a286f10efbe

SHA1
779f7b609cd201ebfa55daf43081e03d80d99e56

SHA256
a620cb33630a63f9d1a11649edfd87affc764cf34a5c3a8b3796cb282d0bf995

SHA512
02b8cc5dd9280b9090162750877361649650dc1e32f35c4aef151c3735216602dbab4422d7de7fe42d660190ac8e5406db71dc2d6fe9ea6b2f0e6ada186c35a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
543KB

MD5
e744197acc9e26497166ed763b146f91

SHA1
a762a3e0ca2e8b93f82f3cad75e08235ede26920

SHA256
611b5934e057ceeceb8f74698595ce4a3f928effc2e8798ccb4cc238afb26506

SHA512
7d24bf199ba833f3b82e67b91af6f4fd1ee62d72bbc8c244f001992e9d2251b957d2e36dfd9b821bf48a6a776e7311055d2edaec6f770adf54690cc0ef05efca

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
70KB

MD5
e472f6f874a76a652cf171176b3bdf71

SHA1
68762a7e93f52281e421266f3f46dbad03d72090

SHA256
941f4e79f0143da6c38592face33f6003cfd1235a4aaa541b98cb4e844b30d3e

SHA512
e18e95693d64c0d906f1c0774a2c92cf2f1771093fb9ac1f9e4d4d9b220c71e48d2b6c7266c6bbed71715fb4e259a1bb0bfb59aa1f26964c20e440d344702f04

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
671KB

MD5
91e4059ad2a83ccafc4352bca281cb45

SHA1
576fd2fd3ec7eb9a171a9fe9c4067c0aa2aff4b3

SHA256
bb0813183a9c8f6ffee62e7c945139080dd1a232e16f0b5e1d93adca96645cbd

SHA512
1868bf2910415bfa99c6e2efc9f3105927926171816c304d05d3447ed9ee86fac8634f206d54dbe72560892299567f941e3140430b1ef177decb5d1807cf597d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
159KB

MD5
a9decb62e445675666717415480ea792

SHA1
bdf981156d214dfd0af9aadab2c68e1be86a7b99

SHA256
904ceafb1e5098c696a0c2d0861c778621472e43d9aedc182451acc42244a965

SHA512
76235182c5769a599814a461813d147070884946712715713721f6ec796747fe825e865e3141e2364731e3285d32ab7b318882a474337cad1eecf9b3d9711ca7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8e1c868565d46bed61dc8d67fa34bda5

SHA1
1b6c88cf35609248ec775a6b2c8fe941ea64490e

SHA256
46ea067df9c1dcf1ae1b236191c926d67a99608ac8cd9ad1e96df0fc9c10d265

SHA512
25a8329ac34b68a099cf9a47b401ad69b649908b1c543fd78597f543ae9c816d7a2608ff2a9ae3abd86415ac9adf5cc1ebaf45f8d65dc9b591bfd008a37a830b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
945KB

MD5
d3ac3b12059dc7a15926f1eac0567720

SHA1
730716df981cf312173b76887dcca353ab1e1652

SHA256
bf586792c91c7d43c08b85c75f4296f7ff4819926a88faeb032cc47c2c2da20c

SHA512
17aac1a624554b1137d298ce7fa5a90408d142e79ade08a3ff23c5ed536ad3a87954f052fbcc4ad1f9ccab3c23f0d2fb0bb10d5985435258ba0f41127a0d99b4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
24d6a066d6f5070e338b35d1ea7cc725

SHA1
48b156080ab2163ac0093468c4c14532533699c0

SHA256
567f78ec96636cc0e368255ffe074e3504768409978190e01c67848fc023b8a7

SHA512
295a07a2deae05302c569f2610bcbb862c8c8d813db6487c3c145cf324b825c88fa2a6d0b45557ab6074314cfd9b505429cbc12f40f16dc706a81a2bd6987edd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
0df1bc45a4cecdba42a55e7cf7960ff9

SHA1
8b5700919d331e1c5b99590735c3b1f9481f0f56

SHA256
003e9c1d420ec2e824868864fdd5fd659d63b5055b573f18ebef7151d72c3dce

SHA512
dc3dfe23667a756dbdb60dedbc82ea667846a4f242dd834c14f6464e9c4a9b95d46a4b382ddde2295f8efc0e1fcb6704ddd41dbe3d83a46402a577647aa64011

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
543KB

MD5
7a6ea3171112a3689bf02fb27a1ba492

SHA1
f44f6ffa87a0f29913b09f7323e27ae0539ad8bd

SHA256
307639a3f62b9f594a0b3db5ff9658099a41dedd6711da93629ad051bc47dde6

SHA512
0f483486a2a089ce059bea96301d81308472ab5bfce35bf93b25a7966ee88cb71d73d730d1c735addd7b3b291f5aa621000f9ab9d8ac9d48c3a856b060d509de

Download Submit
C:\Windows\System32\alg.exe

Filesize
300KB

MD5
71ae7b8afc686d8d2fd4e869aaaf4b9f

SHA1
b4c67e3be2aa91d656c53adde5c6b108ded4496d

SHA256
53e5b9be79376ca69fbe432276b524137a0eed814e2bcca55a04d2f9a67a7255

SHA512
d71200a70bc5fdd092b08c194dea1af4d090b389d093a66592a1085a8a5e97f411d5c5dc4b83d66461d2650771f625500becb6e632452ccc91605cdf984fadbb

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
38ec30b6ce62dd6bcd89b34b91311736

SHA1
c9fdf98e806429b0b068125f6f1d1d087c00d5f2

SHA256
184b3a8f3eb349f6e827cf668367dda8269d43b673005ea0252a46a135397b05

SHA512
ac094a112bc4ccd788aa119442a5b409a214a1e44b2d27d74189115b0b523316ab50b33d3ae12d9a4545a30f269b336be9370a9dabba1f60af488249e3431351

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
8ccba5f5a4c125257a865f7915ab434b

SHA1
3a8d00c436c4c20d204d9deceb01f258da060cb9

SHA256
fe7cff39077ad5c22442fba2d97c15cb00506fd8abdf526f3bfc2523741e4f7b

SHA512
9b6d4ebc47c1a57df086a2eba855678eeba9b6a62296652133f741fe9a57eb99dacaeb6b5c19e0adfcd2308a482e4d7fa48ad8e5e912296009b2ec4b0f1199b3

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
109KB

MD5
5fe99b4f5060f213e82db89a38ffcfdc

SHA1
a86447ff23777e33f38c9b80ea8d2245de4acd87

SHA256
a0d02adbe8176afa7f06d67892213e753727123bdaea6ac086541593d9479140

SHA512
af8c6d02553c2b37f73e4c974f03225ddfd67436626aaaa0e51ec546bd52fbd6468b334d2f0c924a802f49a6b87b806f45cc16756b9ee3350bb96cad70f7d414

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
516KB

MD5
f9414da106f9152fbc0ad52d5a41db21

SHA1
1653580c383b28bc2a03d22aae0f41092fa5b86f

SHA256
ce16ea3bf3ba2fb83c215911f19eabe4e4c9e2ff5559b943d2b43197b3a79677

SHA512
3db70afca4b9dd7d3ffc491216efed29d5cf06d19bed4f971ca208625bbd1a670aa5cd9eb6f72eabae71703ac9afe19796536b9b9b3e757a9773c64c8982b2b0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d14542e329dab62e6bad1fc4336e2f86

SHA1
d2141b8ddd882f7be79eae025d71a384b74d973d

SHA256
9eb90afdc0f8db03e16db09fa2c80e51ebbdfcb8b785676bdda05d87e8c2064c

SHA512
f5efe0a5f6d0e0541e6fbdbba41e1d5945c6fcf64198e0cf9a82a6d305808cdd636fe7f9920da4f00f864f81b4b2a5a0ae23afbe327f7ba62ec09ab9c0871d3c

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
07c4bc81095b660748f4338d5d0fefe9

SHA1
3535303503393e00dfc740d63b93f98854784d5a

SHA256
48dc0437bac814f57de3b8f5f33811dfeed87d511da33396db22ec56a9189938

SHA512
88a68c32e8c78ffc262dd0a41190bf459676ec276f1d86c2d4b509c48826af747efaf762aa1ac6604168795d5d163084e279b87bc12c57139a4f1b717f9c2304

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
136KB

MD5
eae53cb2307f829b6738834d138ed2fb

SHA1
a2d2c1121488ffb1d027481c670d5586d11b68c1

SHA256
542ca351548c16e39c3a1f5871a904b65ae27df09a808d2cf89d32af0dbc5817

SHA512
0c831cbca624e8d989d51ec7932eef30514ed867bc630d00c939eb5d0cb4d50a1e352337ed8fc7298f82361c226528379adb27c5042a63529f93fc48a60b0a35

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
ff78ef3bdd4dc31aa6781aa45690fc33

SHA1
6749ea4a6d80f7857e2bebd980c1523d7a297b45

SHA256
0e73dad92e397f91b50b2bfae53333e8396919d4e3da262811b2051cd46b0b9c

SHA512
331527e9e0aa6e962490f53c2a13aa7800d67be292d2a07779ef00d1f1379da1daebcf14ddb6712cb4d7f409d87ae2cab1ee8bf97d5fab08afe92f28d29bfe75

Download Submit
\Windows\System32\alg.exe

Filesize
1022KB

MD5
0d38a7a994f958072f95b34498ab97aa

SHA1
f15bb810a21f3de328f88b3eb10d2517b38d8c1f

SHA256
6f32845fadbf951c64b18f2fed61a042bee8918db378838998531222d7c5f0d5

SHA512
073fdc1a0efb1ee571636c759f5fdb6395e75e2b5e48fa9bff37ade2ded1c6253d610cba205e50fabd92ecd212ac36c9f8e2edd2af48a42f4b60bc12a7b2012c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
1120439b5469b1c2f66a7acec5deddf1

SHA1
9e159532f932dc16b58ed477c6ac1fdca90770d8

SHA256
2458dd13df3136450783f2815c6d018a1439f5adc16761595171b7cb4a45ab0f

SHA512
04dfe569b3e87bfa0ffa943a1316b79eeb5cfc3d3996249124adcd831ded33f70bdd5afe50eedd004c5801b09682b8361cb3404092b995dfaa48a385edd2e23a

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cdd8220b169bdc93c09965ab6a70250a

SHA1
117c199e432599048551e0acc18c1307916b6cee

SHA256
2c2c30b3b8f0537890beb4451c42c71ac672abf6fb54effa875e28198e1d1319

SHA512
094edea9dba61a2239b1155b34aaccd4ba6a6413f6976354163271a781682ef2183d13dbab589047b063bb07c4594f8f25dc674539c6a033991d48276bcc57a8

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
b6c1bc87be61f11bb877d1a9e18fef99

SHA1
482f165f17ddb663f92d798359965264b05b1138

SHA256
072e6c209320d0b2cfd80413af7ed9072452bf35724f67acbed014e087833058

SHA512
14aaf098aaccd714e1de2c871deb1e0d988e9f21981d500e7342e79a410f908299ed41563ee181054d49d530628ee32762516ef5418907a64223dfe6a52b93d4

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
82KB

MD5
80edd41676ae317bdfc82bd11916c5a0

SHA1
f532a73b4715c45cbd02dc1a89f836c68c8cb562

SHA256
6e6c487585a18406a7b00e7cecfd556595879afe3505b462d218f42c330838fb

SHA512
0dbd46358796a73a80ca01d581097831e303b9cac8ec7dca51103f5db58211fc60b4d7b576988f4d8543a70bfb6ab3858d532c943b43148a96ab62de7131df43

Download Submit
\Windows\ehome\ehsched.exe

Filesize
593KB

MD5
cbbb7a7f9f00e570fe6ab306f3e960b2

SHA1
cbb4be9064ceecffdd8fc917eb44c314571d97cc

SHA256
d8e7d5f4977c5a2d34062923846e5d974029beab325d9dc51e151a89d1921db6

SHA512
d8b53a2f11ae9591ee377766408abbfb8e41b85058c00b4647eeecffce9ec706c51362cf0580e8874c4703b096f8c0fdd65a1452d7063c42fa43625befe23aef

Download Submit
memory/276-128-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/276-134-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/276-175-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/276-178-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1072-151-0x0000000000A20000-0x0000000000AA0000-memory.dmp

Filesize
512KB

Download
memory/1072-159-0x0000000000A20000-0x0000000000AA0000-memory.dmp

Filesize
512KB

Download
memory/1072-152-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/1072-150-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/1072-181-0x0000000000A20000-0x0000000000AA0000-memory.dmp

Filesize
512KB

Download
memory/1072-183-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/1232-199-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1232-198-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1232-200-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1232-179-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1232-176-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1792-94-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/1792-21-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1792-16-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/1792-14-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1876-160-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1876-95-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1876-103-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1876-96-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2208-207-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-205-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2208-206-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2208-197-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-193-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2348-113-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2348-27-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2348-28-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2348-35-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2408-186-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2408-147-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2436-56-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2436-89-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2436-55-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2436-63-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2552-45-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2552-75-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-40-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2552-39-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2600-235-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2600-261-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/2600-260-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-259-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2600-247-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-242-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/2720-1-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2720-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2720-156-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2720-77-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2720-0-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2720-158-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2720-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2768-78-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2768-149-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2768-84-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2768-79-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2772-163-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2772-167-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2772-115-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2772-122-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2772-141-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2772-114-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2772-180-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2960-216-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2960-231-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2960-210-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2960-218-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-232-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-246-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-230-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-226-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3012-245-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3020-255-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download