c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1

Analysis

max time kernel
4s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
Size

1.8MB
MD5

831b49636c1849562486351c0821e912
SHA1

7116013653d7acbf91f56c57f6c3eddc9df0f47f
SHA256

c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1
SHA512

f27f0b56e0bf58b4ffd25469c599f6d88f8f62fb3070dd3eec3bb4e3bf6da9a9a60d62f2f20d0e4ae3087db91b5486e7a078bcec04faaf996d4f8b19b4ea153f
SSDEEP

49152:rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAtBtP6+3vj:rvbjVkjjCAzJiBwQj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
480	Process not Found
2932	alg.exe
2548	aspnet_state.exe
3052	mscorsvw.exe
2020	mscorsvw.exe
1888	mscorsvw.exe
1196	mscorsvw.exe
856	ehRecvr.exe
2684	ehsched.exe

Loads dropped DLL 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\System32\alg.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\b1f703a656fe8faa.bin	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_lt.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_sk.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_sv.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_tr.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleUpdateOnDemand.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleUpdateCore.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ar.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_hi.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleCrashHandler.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\psmachine_64.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleCrashHandler64.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_zh-TW.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_uk.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_mr.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_pt-PT.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\psuser.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_hu.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_sl.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_te.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_bg.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ml.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_en-GB.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_id.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ta.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_th.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleUpdate.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ca.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_kn.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_lv.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_gu.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_iw.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_no.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_pl.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ru.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_sr.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\psmachine.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_el.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleUpdateSetup.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_et.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_is.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleUpdateComRegisterShell64.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_es-419.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_vi.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleUpdateSetup.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT4A3.tmp	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ja.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_it.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ms.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_sw.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ur.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_zh-CN.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_am.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_fil.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_es.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_fa.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ro.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdate.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\GoogleUpdateBroker.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_nl.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_en.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_fr.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_hr.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_ko.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A2.tmp\goopdateres_da.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2188	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	1196	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
"C:\Users\Admin\AppData\Local\Temp\c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3052

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2f0 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 32c -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 33c -NGENProcess 320 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 11c -NGENProcess 21c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2fc -NGENProcess 278 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 25c -NGENProcess 320 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 334 -NGENProcess 33c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 320 -NGENProcess 290 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  PID:2336

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:856

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:1600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2776

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:840

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:2920

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:1620

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2300

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:1812

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2904

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:892

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:620

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1724
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:3040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
8d73c096bc3d99d2516349d9e619a7a7

SHA1
62b4af35fcc39f1a43898331bb0d1135f0a53e3f

SHA256
294cdf34c0e240db202523e1f53333ccfb81914254119b2dd960637d41549b36

SHA512
7e209e561ac250d8cea0376009c2af1ea35a7bd8e254da8a952dd4969bd2c056498645714771ccab61f2c171b6abcbf5fb7a28e72b6aa5c416290fbcaabe75ed

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
22262c0f548dbcb151a98c583a8263cc

SHA1
2756d31e7a79ec01a0fbb89b33e47854c14752e8

SHA256
dd3f6afe974457b48e5b5ea6bebee40c79b2e0369ceeef836eb4fd8c91437e80

SHA512
b44bb3cfcbe3ae54e858e43ffa7c71aa3bf343c240b40aa4fa9ca80d9c70e196539cb8aec894060f063d8df93149e7afb9669a98ccb9c417223e5e6648c13753

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
9e8b09ec59584b1606845d953b5850d4

SHA1
d7eb096fb71d3887742d3e36dbf15490949413f3

SHA256
0b876516053f520af11e4a1c739e080c744d51763804228d9e96b6bd8b05bfa6

SHA512
8d54c3aaa6f50182b8556063303cb36a4a148dc9c934b70df1c240bb6cb8dc91447d3cfcc2e2e982bd987869c56025730529a3d0080e8ba26a398340b07153b1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
46443074c9a7243f6beb45b2795522d7

SHA1
098eb0ecc01878d4d247eb5fce058702b07c1381

SHA256
004e64eeeb1093d7b990e5e0d2e52f643efae319addb6eddb46a8e1e61ddc8e1

SHA512
39275a7d72fd4700464b7a997e702a379aebd6ecadf352b1f871a3e6253f36af7d86504946e27aa7a0dacde7de223864db1f885d194d3f5f8253dd8cbf0dc6d1

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
32KB

MD5
62639f9c2e1320b7108f825ff86a40b4

SHA1
74399f42baba54d6afc3e595b0d482073a803298

SHA256
fe65b9bcdde1a81d204c5540c6568aed249a7e94459081ebcc957703e6b0594c

SHA512
0e60c8a48f5af9de9b12c74c94ddaf8d238bbe8e768fe437d6038329f0c42d1077fe074c340fa64ba5fbe7bed082c67224f09b7ae9aec56afa29171933e8afaa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.6MB

MD5
f14c930f80d2f282b227aa83693d7a6c

SHA1
e2ca3f28770867196ea7576f4414d43769d03267

SHA256
e58b09707145ba890808150fb1dbe28df2083fc0eeb377d39c74d17e0dae360d

SHA512
f6f8a7e56b777868294b05d56cd0c5ddef588909360b91fd8baf4299305b4ed4ff5de9ec64706be12c2863a68d54cade59a68dd98cb6cd863300ae817ff9e9fe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
707KB

MD5
2dc87ed2ddd12aa8960b209931be7fde

SHA1
3ba6c1a791bc0d738101b20c4977cf4925161496

SHA256
af393f01e8c8cc4540a3e45a01ca47e4cee719c8631cc9fc910efa2b008f109f

SHA512
e7f41869f2973a4196e261f14b941919c48a26d56d68ebff6962c6428ef328d4021709adef511d2f7808d1ab5143cb4076463379f6ff7ffcab8928722d583c63

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
445KB

MD5
038a7e9dcff7f0c4424bd977b1a926e5

SHA1
e4483037330a5b8920814e073f1689a0332dd61b

SHA256
38fcd9c57de6dae0f357ac81afde36c029b398e301147b2b42451e3930ba94bc

SHA512
a4b3b6a18805ebad3488bb008e6d1f2551c41f8cfbc169408f99459380dacacea6c042a3b193e6032e7e58a3759a92931a12df1448c96be0871aa53f5c70a359

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
686KB

MD5
770c67679495d398c6ad49cac3d317c0

SHA1
1a80f08188f40efc4c95101dba0b24f892c611a8

SHA256
5f23b510403937e67c0581d7b25f6d624b02e83a7dcd46a0a32c445b1c361512

SHA512
9f9d406007ea6754d5b288858b8ad0c5cbf18e55ab2bf7ed2d3cfdea5e0925a166d5aa51862a63aab76835f771c70a80b494d1bc5df490380f657899e949c92e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7ed4147d6948cc883f2f26e2dea8dc4b

SHA1
ffc1543ea69d17fe5f5896296e1c88b5ca0f5bc1

SHA256
710b9b10bf8af524f46858062e3420fb470e8d1052115b63c0de05fa66b902f7

SHA512
db88283e0e304b03d08da006884b2fbb46dc7a4d40926f8c8e77c9536173767a7ce572861c82bb7b589e539d2219b033772e6dfb3886043e1e78086b4a5af6fa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
192KB

MD5
746b76eaa2f43bad12cd74bacd26cd33

SHA1
a85fa76f9635500edf471e86a3b0ae95d3cc99c0

SHA256
22f4458c2d03fed9d2b58b69833d62d6416846cd11ab179e12a9f6920e21a074

SHA512
e4b79a87c5fb0fb442691f0cdb1e2d25969e8812e1b433bc49ebb1b2d31c21505e4f38fe5b1624927933c67f578a7ad5832f172fb8daf921c1b4d67d4b23cee1

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
797286f6bd275073e20ba1d6dfc4ff1d

SHA1
1f889d4ed1188976f33ea15dd44f652dfe1225c0

SHA256
b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459

SHA512
6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
71KB

MD5
3c56ad1bdcb8281d034c49e9b9929bc3

SHA1
7e7638e63394999a4f82ab0fae9ead633197b7f6

SHA256
8f4dca2e184bfc36efcbefc358044dc7fb9b2dbb87988d2324a64fb25041121d

SHA512
28ca3af1b50ac105809d427aaa8865d27a507b5d74bef8dde7906c9f33eb12495fb9323f2cb252d12ff0f8d53fd1552630ad8013d546f058ca416b64e5546c0c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
70KB

MD5
d2edabaff64c89715acc79bd38139ee5

SHA1
054d387a391a3fd4609c7f4dd91e366cb43adf66

SHA256
516b32bf29ba5f9dc887b4a116c5bd3b967631089d50ac849fcd13541ee218da

SHA512
d6cb48624be5a61065e77e8fd021261c3cc7232a017743c2982343d16ae06ea39bd54d028c0215a04e8ce8ff0e3f44e6d2c4032b078dddb0d79be79b55e6b8b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a8365db265197ef17d2ddb4db52e74ae

SHA1
895836cc30fb2709752c197d309c77c5f5577e9d

SHA256
fb447e98e33606714e9b68a1ec464c61b1cf96120eac2455c4c807d2451d3236

SHA512
26a4e966c740132d658985aa9b3ea5e2cc713cba59f4085e10d2d4319ffb2531b224f1cdadee185c5b4a57442a1f5d225e6b8f87350e75de29ce2b67f9db05ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
421KB

MD5
07b455ffb98ac6c58f7d691291115a0b

SHA1
bdb4fcc7a788959754a204e62bc4cb7e4578810a

SHA256
d3423c85a6abcf9947e1e7cf62249bca32bb4e7915f6b9f075c9a8625ae1931b

SHA512
eae60b6a76727d1d2e8d3984e699d23bb5256ad37de8cdd5e5e1fbd47cd7e702d3fbefd8d9ea65e010ef0b25fd42c38f49126964a286890a9fbf5e97838b760a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
82c9955a4bba8ea0542b8c809d4df630

SHA1
8ad7370232dc246d2a9a7bea163e300681f2a311

SHA256
3257a56ed1ea078afc235d6f7924f8a5f1402ef9b43df8410be0dfac792e5eae

SHA512
784d3ea5776f5bc6f7ddf73a39bf6c4349b236633afd5283de397ae510ff7b2a4c84becf8bf7ef03e550547835ab08d5ccb655d5958180f2b1038f9b0d8a995a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
130KB

MD5
81435dc9e25e1070a8beb7075d0172e8

SHA1
6a9121d4a5d558b9482b8a20b9caee2321512963

SHA256
803cde6195635e0259826c8dee90268213be58051e90c7b589a998cd3df6903e

SHA512
0ce40dd94dfab920b1f2b994bb2be23ab47db51860c8422ac93efec6c89af2033743fc3afb16831a03ab8c4b0ecbd14d8135c6b77f7487b234f0a8e2ff2a014e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
583KB

MD5
fbc5e82e02c460761ebeded054697a75

SHA1
c06a7dcb2fddfc7253566f15b2328a09a0fbf914

SHA256
57bdd097fbcb8dc2e9409c9ae04e3a4c651b8de9854e9a48f5b6a08ccc30d1de

SHA512
8f465949d7b985f0ea6b4e2b798fb803a371cacafa6d4ab13a0cae3c4995c2084315ddfbc9e144ff3a925ce26be813a8f83e5c2c99ae5970b4659bd0df9f68bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
233KB

MD5
889fb0235fc6f4725379586e5dfd64cb

SHA1
6c7fa0e87721653ce102b3c1de5f13ed8af1b001

SHA256
c06c04a43571efb54c4b37c1e29017dcd3ee21e103d34316ecfc7880d48ddf49

SHA512
3984851c187fd2889c492a0df1152860362c44e8bcfaf9cfc28150fe537285703efe3ffedef5beb6762fa77328fb54476f680bdacda0a7fde0d261b0dfa6129f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
310KB

MD5
0f5d49f9b37a2cf5756fbdfc943092df

SHA1
95c6cb0fc72d312231f3c05743fc59dbf0291fc2

SHA256
568ae51ead504a1775291eb1ee52a425cf9032cf1f85c0ec49ad68a459519ddb

SHA512
577a8c385847475f0ad7007edcc1d8d15ec790131006f0dbe02b04592e6507f3c3c5a2bfb90df05a4bb8a3282f98b020bfd496096c413d18174109a7ca0e8bb4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
53KB

MD5
412c080de20e76d303833762f6554363

SHA1
f8e58c76b9bb19d3ad222386e349a7dc9f92e260

SHA256
974b64f7eece92d15543e8be636a0bc54d11ad116a417bb2c2ac0388a0bea538

SHA512
6a484d2f87bfd279720153ba26198df060c2e2309cd9ec1d220d32264c72e3bb4a108b9f947e7017b2e178cb94540aadd993834676074c6128733a78dcf83654

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
36KB

MD5
8decbfec98d6cb71af0e84bf05a03c60

SHA1
073631dcbdacabf004a7e77aa17bdcd658768190

SHA256
7d657c56450ccb5cd3c5f4e61c426cf029310785db4e5def5cd5220ba6dac159

SHA512
2e70f51f68f8e1b9ed0b78921492869fccf86ea81845a9335a0665c1f74d640d7348419182154d2b3b57d096759cebcadb9d67bcc4dabae161c0b4f1f6d3bd73

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
e922563dae648d20abe142e53bf673f9

SHA1
4c59d46bf0dbd84db85d81abf2ddfc182e8e1654

SHA256
7a6d0fad8567914f1b08c0d74b62e6d549f6df2f968f0b91c27d6f1e101b34c8

SHA512
0f7a1e7c4d5b34269a1ddc7f92c939aa375d111a4ffff9dd28044a3d560850b45f8dc372bd9022371a634a9427f539636112f54648640f1bb71a442353a0897d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
611KB

MD5
31adb7f7108b28a77d4e02acc1943039

SHA1
48c2e23a91279710439b9c61e2aef74c8d947997

SHA256
7bcf8effd711de9c7bb135511285e9b195c75164f61d60903fa8be70a8405b96

SHA512
b5f4d8003d3fc3dabb6e3a7b56d2569b57b24e622d45b8d619e5eb47c0a7b5198e579bf664b8a33976f24ca996cc6701a38425a8322e279a3bf36a5720a02d22

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
286KB

MD5
846522d2689304577ac2a7fc9d7c0c43

SHA1
48b2e98459910d32f7845951564bf7b2dff41754

SHA256
c6cf63276d76a8599285840e03c4d258f398427c332450bf2cd17b07c2fec318

SHA512
db314cbff174fb9a5ae4dde8add84250284f2fb0669dd453ae064b4633b55bafb27bbe9983f359dbb2de8cf784d971f4a089c5b73a4c444d5a95d1991f5ea053

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
6f3d5ae556bc5e8a7da1487bd7a62b30

SHA1
9b73feedfb6a39a9d51cab42f9b4a154f6489766

SHA256
07f311fefb7edf899d4c3ea6fd8d10680b410130b7488ed8bc56fdc9a947b3ab

SHA512
fdbabf1341555ab9c3daa3bfc764d7375be8bf0d1d8bbb29e581c681db7986015a7639db261262aca71ee777936b714af1a83022cbf7b1aa7f1dc7a93e3d40e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
a81c61b601a548c5e9130486bd0054f1

SHA1
7afddab063291be9e5adf7801f39a6b9010a6394

SHA256
9312ed801c2c854d9f8e1107c3f5f044bf301e757f679c462001d7b06a16700b

SHA512
ad765e37f909211a3277468cdec905ac95712c4535cdb9fcb6332598658ae28b0d04f60d613aea589d878d4d5fb9309324d59babbfed2d50616adfa78960b9d9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
329KB

MD5
bef6fa0f526805ecb6565cf87a025722

SHA1
32a02b5d7a9f3fa22fa81163d62d9d93c5105d54

SHA256
98d0af8a8e7483a770f92a92bbba86ff08dd55006fd31dc8a862c600096ba389

SHA512
d630cfc9af0b6a9fd3c59076c4c775ebc5884a83821f7f441617d26687bf8f28028026c4ad48d19fd167cc8f09a39e221a1013185e80f14cbff3eb73c2de58d4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
447KB

MD5
7b16f57785b6641742807e8de8657bb5

SHA1
81d901b59a64d4b389f35bb3b26793e7942ac4fc

SHA256
9658195f02ee659091d2de7c69e50689475bc9c0bb8c24166b0194ccd14aa005

SHA512
f224c770f95e20705e0081c954d53c7c37cc7df096c489e5716447c8196cdd8ea2493bf88cc9832bca4469de9f21ef3eea49e48791a46966b4b9ead7c17c22e1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
11b961dbbe105b9482e5300f2701ffa7

SHA1
3540b9db0b78609128cbadf8e8e0e5fbd55f8020

SHA256
58b953ff5d572a3bd3bba5b433beafc8b0b6abfb4316896dc0180d9faa46f1aa

SHA512
c7a15dfd3b61c4c0fd75bb66d9435c2a01aab578d036699a45c5cfe81fe2fc917eca33e44d9809579ecf9dbd34de79d4d9cdc4c0fc08b2d0fccf767a72867339

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
73a287ae16c2818ac50ce94e8ae108e2

SHA1
599ee2ebc38000111ecb999aefd848468b125610

SHA256
e4c4fef83dcff93dfe4677c244695235ef3635879e5f64f00085de787194cdf2

SHA512
3878b75634aaf1758073e6093842f33fd2498a455ab9432949d3bb48cb647270733957b50812cb28edca1969bf64d0e7286fc2657e9facd2d98570732f2a7fe0

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
307d395bdf9155c4128d7297bd49ec44

SHA1
a0e4b36ab944191378e59bb7813db6b39a017f94

SHA256
2b4435b9e03a64eb19ed34ad9c66fff04e73445b30edf241970499586542379a

SHA512
3a6e499dcc5eb2819c5913f4fc78d42bcc15a56cfc0692e91902101eda08fef0ed1ccfdc01b8b9fa864468b768d21c367bcacfedee28ecc4e71aebbc1d8dabfd

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
496KB

MD5
0467510c2051b1f60ae00fe6b5afddeb

SHA1
a1a28fb8dbac3b6291e57e70971697c0a3696a38

SHA256
89f704f9e60da57f55d868dc1fe689e5ef357d021adca838703f05bcd26b52e0

SHA512
98f66fb677f649b8da8915fd794707fb5147823dd7c079f332b18b45617b80d5f16f364ca7db33ecd2521e63bbe5d1ea215ff9a77e30ad7119655a738a73b16c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
605KB

MD5
a4eb386c2c401f00fef39c4971524c6d

SHA1
7c3b4455e924758a095316776015303d3e381404

SHA256
7351caf7c9d6e606e258a95340550fd5e46be6af4e94435a1b34357504328b7c

SHA512
c021950a29d9873a18a8e8e05b72504f61a16802e6331846a4deccad8537b01838c17ab2f654cd829ab74bd3d736707f98afa778e31454257d5414e0bc711642

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
434KB

MD5
5cfe5b96f2a8cd35f90e64c7ed0d797c

SHA1
4b8307e0bac192459fa5bd8b1f4cdc0416c4c1f3

SHA256
c6382863b8da65e4f8ba150be61cba2435663144d7885186b8f1f823e05c6e7f

SHA512
78c8022a616787a673640b331cfd4c2bb8196fb229092abe48606ce598250e1c8635bc1891eb702723831acb6f640ef3c227707c82b641fa084ac49e1cdbb80b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
145KB

MD5
5d95cef3dbbcac73bd6c22fc5d47fc90

SHA1
fe1994973bec8f18bdf352fbe91de3b1f04c3925

SHA256
0b02d4d037b287fb610a5ad9bd988b8cac8d7f9441f92758b495d15cd6aa9cb7

SHA512
2ff199dfd8a372cd1ecdb855db95f33c3b81f2eed5399c235881de393999c668589ae8892b6cb2abc877e8a21305698a3451f13481065a7c979e80a299f17ce7

Download Submit
C:\Windows\System32\vds.exe

Filesize
550KB

MD5
7a77c7cbf31cc77f6c2248be2b56e2fc

SHA1
e76922099175435796f6214911ac2f7f43242684

SHA256
7694f28f587bf86fc87571d694f62f81e81a4b07e89ff0d730ce34a4ccf7f539

SHA512
60d926bc2f4fc733fc3fa132bd2a9f8dbf6919b04f2328da9cc6d32fff4d9454b03c69e4c49c6e85c39acbe4d2a9296687bf1def10c6c1a13ecf89696ea19698

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
8606c13c56efae5657a58d20701329f4

SHA1
c6dea5cfd95db99327d3df2748c201e3305464cb

SHA256
50a58fe5d3e74c1345aa681c35b2354e061f152bd70024660dd38ad09ff951ee

SHA512
bb51dcdbf3a4bb63573128c1e23640eabb4826d6182d6d2505d375bf8fc0aa7535d7c2cd69b2e6a5ff269e92695b0ed5510e97894c0ac3672dfc375a67ed1a8b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
e0cdf612725a26c3f4f8fac21634a38e

SHA1
f944b5418d5f8619785ff2973ae8bb177955e445

SHA256
4240e725f4e928bc75cd4cb4c224f403c3ae5bda4a5d271e340ad436b60abbec

SHA512
0997f38505d05dc5f074101cd805f57f0af3cea045bf3b66c7235a14b5c2e8bac0921bcb9d6984ac022893490a556b6fa37303b93698363ed42515be39fe604e

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
420KB

MD5
8e40c73cca9f86c7375442f8ac1ed0b1

SHA1
d46a4adeca7630d57f167181d897cbc51f97e55c

SHA256
dfb55c5291b0767a747b0216959c55dff4ff29e8510934540ef8e1bc17ceb086

SHA512
f7e0c301cb2e85221554cb0b67affc1b5178b357de5720b04b7c6f755f3d8a2c9fc1abe77a6edf1e325de36164ac6995046a711f15c1e19015ab5419c3c6d730

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
206KB

MD5
a54e859f447290d29257b4a9502f7bde

SHA1
57d9a4a8ecb6231b0426e0a5c2b078236a45adb6

SHA256
44ecf87536c7d3052fd6dbc8d31975dc9a42ed4ef059bdd98c0abf90d74aa65d

SHA512
712ac40124b7a3f312538f5387b0058b35e33b055fc669a9eaa1c4d161585144f926179dc9d9f08ede72039e1b5ac5df3bae94758fd9cac3bfb1a924c8f99075

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
256KB

MD5
286dda571132e02303711f8450c928c4

SHA1
f8ef88b3b83dfa88b488f402812ca508e9da0404

SHA256
54b86a254c1ae9ad40f54247b918d540f96493b51763463b114b369b5608cb7e

SHA512
342da6dffb69f676e256d2ea373e7ddf1110e7bf6d18f60090b4d8549d3e5bd1a82360db5718915f29890dd9aea5dc976f017100cd7522c7dc8c43695b8734a0

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
642b63d6034bdeb8c76d34e2dd8b6826

SHA1
2f3c3283b5877ee4c6a790e2e307578bc0708501

SHA256
a7bce9904a1aebe6bce8505e855006b0283c24f81725f7e52d1f390f71128b03

SHA512
940d691cdcc9b81d3d62bea48dde3ed42d79553ccc2460d74085686db71267b76fa128a1d226eba5d6d38250d91543c8fabbc9b4a9cecf4c2ac1e119e358513e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
72KB

MD5
b5e3e18e60e686282e25cd4772cf66c9

SHA1
9a709848e60be22d8e72429ae31d9ac36a9661a4

SHA256
aba10363a86bd9b7c9064613f8268bbe8ffafb5ffd881b5c4371f9cbe872db0e

SHA512
6daf688ce1c22effb55936e7026b3f90448b714d75f319792083b157944775c85e66011eb7ca67649d91f8e79eb19e281db5edce4e3481d22bbc102e06a4f9a3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
426KB

MD5
5da55029352d60e5d6b685e69980aedb

SHA1
9e69c101e851b0a14abfc723ddf90cd098a142b8

SHA256
56f61d0c74a469c6828c6488511d01d5cada0d24748681b8a359632c45bde17c

SHA512
5dd5cb534d3f13ccf20d0339ee654ac3082722a4d7e986a77bd47084db171996a4b770705cbc4abcd112db83e37b10ebfe3ce8e22fb3bf53cb3e8eb477ec55fc

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
514384004b6143e1e9c0a9cf377b8853

SHA1
3bc0ceaec9eb58418a7c1ba04cf5a4df529e5540

SHA256
d1698a2d0a5ef55bcbea1b6b93737717a838388cd7cf966f0ea9f7a3b5fccad5

SHA512
1f8f308ad2343788d12e6eb855a20526099d1c1da4155ea871be1627fced7eb673fdf8fef23fdd53529d41f1eb04d1ce0563422a75faa58a0aa2f40034dc5fd9

Download Submit
\Windows\System32\dllhost.exe

Filesize
489KB

MD5
cba0a288efcfccc8ca0be14b68911366

SHA1
a9e99e2e6d5d10b22e32462c12a4606c3ba7c08e

SHA256
4c81c3d26199c8bac58b6bdb4c27755069010935ce3e60fe55efd2850d06c9ea

SHA512
c410d381eab35c95a91e8d438424023e70f9d4ec7eb7adabc92ba428307e9ef84846ca17f3351514c3013ff61795f56c8540e5be4a2bd59449faeb0629da0b76

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
8f484e501f403dd880773c0bdd8eb7e2

SHA1
247d076fcbcbc3f893b25fca5aea890356eccf33

SHA256
e29138ce18524ac8ab646ca6c8ecaecea123dc301e5b4ff76c975e75596cb1d9

SHA512
d6023f86564d9e4ea7689a70e972d7516e4e60b2c173bed6444745ea77101f5074a7a41494dc4abfd6205a2510c317a9fa8de3249919a1e67f1b2f80cb2ac411

Download Submit
\Windows\System32\msdtc.exe

Filesize
293KB

MD5
9a9d749b68ea49f96df643abaff8a90c

SHA1
2b2900f3f3b17132c6ae6f1ae7285c94cadbb858

SHA256
37694927495a02686331844eddcbc2aa494c3ca34787d54a356c9d9e7d23339e

SHA512
39b83b6285708818028a54120108c1287de157868c1681b91af556c0d680f7d588799459219c6c838cd5272c3fb604ca068711740edbb573b3e50e57fecb49ce

Download Submit
\Windows\System32\msiexec.exe

Filesize
228KB

MD5
e2ed9e5b77fe20865f567881809adf84

SHA1
ad77e99bd58ca0857f4645b910dd4c4cf34c9b47

SHA256
5549204eea36cabba898730df606dfee0c6361041db3ce89d27592d58f1ec3dc

SHA512
04ba10d102f7e45eaf16e91ade81dceb8da0f1cb5336d7ac4ac8b38230e1cf5f14afe5a3c75f5225de230501761fcdb2e1f385d312ba42739ffbd71178ebdbf5

Download Submit
\Windows\System32\msiexec.exe

Filesize
108KB

MD5
61478f047c060b59d97db0faf24386c5

SHA1
53075b1c91062ebb705fbed92b3822b52abcf8b1

SHA256
eea5f19f7c330ffe5aea857101937fff55982035713dfbe564de613c37d158af

SHA512
8a141178bee073584f32d8766be656e2f727bf45c079f6eee5f5e93fa2d343eeeb752abf70351a167687a3ed925f159f6c358c4a8f33bf1d4200b6247a767021

Download Submit
\Windows\System32\snmptrap.exe

Filesize
259KB

MD5
40093ec3872881c302bbbea2a8dc0766

SHA1
d2042ff186599f7009e3bb05e7c24f60616d6536

SHA256
04af3a86a3e07365859aa6b6df63149e3885a7b35c2b05c2563bdf489c19bf8f

SHA512
cb3e5a722547984dab4712858aedf4fca97a69f0756d22cf5c87e873790e07b352a0656db3a21bf360894fbf74074fe50a34fd4aa277327f5e1ed0a755f7aa55

Download Submit
\Windows\System32\wbengine.exe

Filesize
448KB

MD5
e00766d5211f9d78a7a32eca099a108e

SHA1
e6ace58db9c6051b272757db6720e40564f38445

SHA256
86c9e09ca179e3901391a17089ef0652bd485620cec45b083d5c357e5deabfc4

SHA512
fbce8cfa1cd820e8c4392de4959ae954cd81b6c7fff94c2e7de6801f7ee5dc90d07141b45a64971500f52160b996edb5f597c0cb4ac241a743657f29f57c8b25

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
90899230b582521770862b707aedb98c

SHA1
5aa0c271dd2c0d82fe6b71643726b5fbd42e5b2f

SHA256
819442a650250d896022c0e7e0242d679cec5a6d4bea69852d93ebb24aa6da09

SHA512
bded949d3db20624196cf92294248a9c8316db5c626e4e71de583b6bbb195bbdba9799a5a07b5206edbb4f792349795ba2620e6d24828fe7a4ce6d88f6777726

Download Submit
\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
c48dffab0b56ae67379f7d4d5bd5ab52

SHA1
27f32a4ca907f1d7311b97b727798dd4a15255ed

SHA256
587cddf9f3e7fcf33a48e319648efca5018a6c3128ef4f47d98ccbe4e4bd9938

SHA512
4c3ada07a0dec9161c8471d912d743fce83fad08822bf1933c047b0e52161dde5e2ab4b0399a5c26989579b2730ce6523a673b81d3fca5ca2c5e92da25402879

Download Submit
memory/568-207-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/568-200-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/568-197-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/568-191-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/568-327-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/820-338-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/840-236-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/840-174-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/840-237-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/840-175-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/840-177-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/840-201-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/840-239-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/840-330-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/840-334-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/856-219-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/856-147-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/856-145-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/856-156-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/856-130-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/856-137-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/856-131-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/856-198-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1060-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1196-125-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1620-187-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/1620-184-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1620-254-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1620-181-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/1812-497-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1812-220-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1888-173-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1888-105-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1888-111-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1888-106-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2020-95-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2020-122-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2028-206-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2188-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2188-6-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2188-0-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2188-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2188-332-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2300-214-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2300-337-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2300-216-0x00000000004E0000-0x0000000000592000-memory.dmp

Filesize
712KB

Download
memory/2336-522-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-523-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2336-504-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2336-524-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/2336-517-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-511-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/2508-251-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2508-244-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2508-241-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2508-516-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-498-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-514-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2508-515-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2528-533-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2528-255-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2548-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2548-157-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2684-146-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2684-153-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2684-213-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2684-144-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2716-242-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2776-225-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2776-161-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2776-164-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2776-168-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2824-496-0x0000000074028000-0x000000007403D000-memory.dmp

Filesize
84KB

Download
memory/2824-502-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2824-226-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2904-333-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2920-178-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2932-154-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2932-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2968-230-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2968-508-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/3052-114-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3052-87-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download