66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 05:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
Size

1.8MB
MD5

7c7baa7241554b7aa2dd8c53241d8de2
SHA1

c262d137af558bc96002309470efffa74dfe3194
SHA256

66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46
SHA512

d733f8fbaca6d9dd7915fcacc8d42d4bc1de47a1bd26355528392ebe46bacecb77a0cf29d19a61e73e193e92debffa5f5d4dde90483a688be916ae514b7c64be
SSDEEP

49152:UM9QPdxwfE7WlFwKAfzuTiDFUFk0LNiXicJFFRGNzj3:U1PdVQFwKZCFgJ7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 50 IoCs

pid	Process
468	Process not Found
2508	alg.exe
2520	aspnet_state.exe
2844	mscorsvw.exe
2016	mscorsvw.exe
2268	mscorsvw.exe
1900	mscorsvw.exe
1308	dllhost.exe
2804	ehRecvr.exe
1632	ehsched.exe
2964	elevation_service.exe
2892	mscorsvw.exe
2496	IEEtwCollector.exe
2408	GROOVE.EXE
628	maintenanceservice.exe
3020	msdtc.exe
1928	msiexec.exe
1976	OSE.EXE
1316	OSPPSVC.EXE
2060	perfhost.exe
1076	locator.exe
2248	snmptrap.exe
1792	vds.exe
1272	vssvc.exe
2176	wbengine.exe
1892	WmiApSrv.exe
1728	wmpnetwk.exe
2384	SearchIndexer.exe
1540	mscorsvw.exe
1544	mscorsvw.exe
1356	mscorsvw.exe
1592	mscorsvw.exe
528	mscorsvw.exe
1596	mscorsvw.exe
2044	mscorsvw.exe
888	mscorsvw.exe
1164	mscorsvw.exe
1540	mscorsvw.exe
2464	mscorsvw.exe
792	mscorsvw.exe
1920	mscorsvw.exe
1704	mscorsvw.exe
3044	mscorsvw.exe
2692	mscorsvw.exe
2184	mscorsvw.exe
564	mscorsvw.exe
916	mscorsvw.exe
2296	mscorsvw.exe
2284	mscorsvw.exe
2120	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1928	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Windows\system32\dllhost.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ec1f64987df8f25a.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_ar.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_sr.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_zh-CN.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_pt-BR.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_sk.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\psmachine.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_ms.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_ru.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_de.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_tr.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D63.tmp\goopdateres_it.dll	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{79382B64-C73B-4FFC-9609-9CC4FBC59294}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{79382B64-C73B-4FFC-9609-9CC4FBC59294}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{F3DDB3EE-6E4B-43C3-8423-254B2AFD2F47}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2404	ehRec.exe
2520	aspnet_state.exe
2520	aspnet_state.exe
2520	aspnet_state.exe
2520	aspnet_state.exe
2520	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3048	66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2520	aspnet_state.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeShutdownPrivilege	2268	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeSecurityPrivilege	1928	msiexec.exe
Token: SeBackupPrivilege	1272	vssvc.exe
Token: SeRestorePrivilege	1272	vssvc.exe
Token: SeAuditPrivilege	1272	vssvc.exe
Token: SeBackupPrivilege	2176	wbengine.exe
Token: SeRestorePrivilege	2176	wbengine.exe
Token: SeSecurityPrivilege	2176	wbengine.exe
Token: SeDebugPrivilege	2404	ehRec.exe
Token: 33	1728	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1728	wmpnetwk.exe
Token: SeManageVolumePrivilege	2384	SearchIndexer.exe
Token: 33	2384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2384	SearchIndexer.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeDebugPrivilege	2520	aspnet_state.exe
Token: SeDebugPrivilege	2268	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe
1528	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe
2232	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2892	2268	mscorsvw.exe	39
PID 2268 wrote to memory of 2892	2268	mscorsvw.exe	39
PID 2268 wrote to memory of 2892	2268	mscorsvw.exe	39
PID 2268 wrote to memory of 2892	2268	mscorsvw.exe	39
PID 2384 wrote to memory of 1528	2384	SearchIndexer.exe	59
PID 2384 wrote to memory of 1528	2384	SearchIndexer.exe	59
PID 2384 wrote to memory of 1528	2384	SearchIndexer.exe	59
PID 2384 wrote to memory of 1072	2384	SearchIndexer.exe	60
PID 2384 wrote to memory of 1072	2384	SearchIndexer.exe	60
PID 2384 wrote to memory of 1072	2384	SearchIndexer.exe	60
PID 2384 wrote to memory of 2232	2384	SearchIndexer.exe	61
PID 2384 wrote to memory of 2232	2384	SearchIndexer.exe	61
PID 2384 wrote to memory of 2232	2384	SearchIndexer.exe	61
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	62
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	62
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	62
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	62
PID 2268 wrote to memory of 1544	2268	mscorsvw.exe	63
PID 2268 wrote to memory of 1544	2268	mscorsvw.exe	63
PID 2268 wrote to memory of 1544	2268	mscorsvw.exe	63
PID 2268 wrote to memory of 1544	2268	mscorsvw.exe	63
PID 2268 wrote to memory of 1356	2268	mscorsvw.exe	64
PID 2268 wrote to memory of 1356	2268	mscorsvw.exe	64
PID 2268 wrote to memory of 1356	2268	mscorsvw.exe	64
PID 2268 wrote to memory of 1356	2268	mscorsvw.exe	64
PID 2268 wrote to memory of 1592	2268	mscorsvw.exe	65
PID 2268 wrote to memory of 1592	2268	mscorsvw.exe	65
PID 2268 wrote to memory of 1592	2268	mscorsvw.exe	65
PID 2268 wrote to memory of 1592	2268	mscorsvw.exe	65
PID 2268 wrote to memory of 528	2268	mscorsvw.exe	66
PID 2268 wrote to memory of 528	2268	mscorsvw.exe	66
PID 2268 wrote to memory of 528	2268	mscorsvw.exe	66
PID 2268 wrote to memory of 528	2268	mscorsvw.exe	66
PID 2268 wrote to memory of 1596	2268	mscorsvw.exe	67
PID 2268 wrote to memory of 1596	2268	mscorsvw.exe	67
PID 2268 wrote to memory of 1596	2268	mscorsvw.exe	67
PID 2268 wrote to memory of 1596	2268	mscorsvw.exe	67
PID 2268 wrote to memory of 2044	2268	mscorsvw.exe	68
PID 2268 wrote to memory of 2044	2268	mscorsvw.exe	68
PID 2268 wrote to memory of 2044	2268	mscorsvw.exe	68
PID 2268 wrote to memory of 2044	2268	mscorsvw.exe	68
PID 2268 wrote to memory of 888	2268	mscorsvw.exe	69
PID 2268 wrote to memory of 888	2268	mscorsvw.exe	69
PID 2268 wrote to memory of 888	2268	mscorsvw.exe	69
PID 2268 wrote to memory of 888	2268	mscorsvw.exe	69
PID 2268 wrote to memory of 1164	2268	mscorsvw.exe	70
PID 2268 wrote to memory of 1164	2268	mscorsvw.exe	70
PID 2268 wrote to memory of 1164	2268	mscorsvw.exe	70
PID 2268 wrote to memory of 1164	2268	mscorsvw.exe	70
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	71
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	71
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	71
PID 2268 wrote to memory of 1540	2268	mscorsvw.exe	71
PID 2268 wrote to memory of 2464	2268	mscorsvw.exe	72
PID 2268 wrote to memory of 2464	2268	mscorsvw.exe	72
PID 2268 wrote to memory of 2464	2268	mscorsvw.exe	72
PID 2268 wrote to memory of 2464	2268	mscorsvw.exe	72
PID 2268 wrote to memory of 792	2268	mscorsvw.exe	73
PID 2268 wrote to memory of 792	2268	mscorsvw.exe	73
PID 2268 wrote to memory of 792	2268	mscorsvw.exe	73
PID 2268 wrote to memory of 792	2268	mscorsvw.exe	73
PID 2268 wrote to memory of 1920	2268	mscorsvw.exe	74
PID 2268 wrote to memory of 1920	2268	mscorsvw.exe	74
PID 2268 wrote to memory of 1920	2268	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe
"C:\Users\Admin\AppData\Local\Temp\66363cc7938e771eb249e67df751a49deaf2980b0a02b5a88467023364a0ce46.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 258 -NGENProcess 1ac -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 184 -NGENProcess 244 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 1d8 -NGENProcess 1ac -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 274 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 1ac -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 244 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2dc -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d0 -NGENProcess 2f8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 2e0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 304 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 318 -NGENProcess 2f8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 318 -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1308

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2804

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:628

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1976

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1072
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
23df36bbbc91f61cc7fe8b78c43840cd

SHA1
85bd991b1db1aab43a172b8a9261df068518b2f2

SHA256
33c17322e087813370c400e196f9650087ba8eb4d1b1649bd4f4d82a449883a1

SHA512
3545a36a0f8d04f193a5ac04f5be247f7f856ffd54a7529b21954517acad15e39dbb3a2e15db90b5848b877f666f630fd36f357bd54bac2c287d2ff9a236d89c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
10.1MB

MD5
da109f11d4a87fffed2b616de3e9874d

SHA1
7a3a251804e5018255c59ec1289d0746ffb0b2f0

SHA256
777528ff848328f218c0beaf08201158bd813561ee8e4686f5ae4d090ee250f7

SHA512
24165f65d42ce5c35a08cb37f06ecc624445ded4b1168ee55fb4792c0ee311fd100b711eef6e1816619757e84f94c29b71b4ab96be33c18ba772bc938204e99c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
509d291affa1b7c9ec4cbfa66d79477f

SHA1
46b61085502d9ed74cf16315c1eecf59ebb6502d

SHA256
2fc8afce7f336f6de16d22ba90c501ae42731baf96a1d31c5f3b0e91853e1b13

SHA512
b4367a1f08838e74425c13132d8e7bf1b456cb05631419257f4a01d8f1358e7ee9f7e9fa35aaaea2f3d9602e648c8cccecce955d32b731b8596e0d3c9bb64a78

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.9MB

MD5
ac691c9b9d8d1fb7583caa3731ad1e2b

SHA1
d1c154ade6a0dadfc089c5aa26114ddf34c0316b

SHA256
b75e89d95c711b0ceb895d95ddfdfd8e67d0622156770f613ca11d820eeb165e

SHA512
f3b6ac104e979dee91fb3482c4c6b5cd473bafe720d410b8569f6e7987087f39f4fad0fceb57c5f0490cdd44a34b97c8d910d81111bfd28d11dffd0b9d0b0c0a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2c1bcabb080e96cd6d4cd04f6e1e0163

SHA1
46d4ce3f9164f1e893932cf932567ba0892e3698

SHA256
7ddddb17f8237583c04f05be965c8dd58d7817729d6eb1430977a10d1d6c5a23

SHA512
bfc82171737d95f55a3aa071833b2b7b487cc746daf2c0d5924985212ec0ab756afb09a804ba008e4cb5e949576e1947071940b4540339fb872379982e16d07f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2da5ab2bd311f16a40f91e9c3e64e6a7

SHA1
7ee579262960169e36e1bb3ced611979cab5a7d9

SHA256
0945c38e427566f9ccffabc8a23e8a79e9d276abb54e932771e8bf583176b442

SHA512
dbca39c1e643c391afedba77ddd081dab53591d62311f068793ac5f0d1f3de78f98305a1eb3e40e6e324798709af041ccc12883d3259807ba85265df1a274e07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a5784269dd47156efbca254c7d75bb34

SHA1
630d3f622f7b751bfd121d4972998b92f17e0b8a

SHA256
ac4fe0091f637bd05222f94b903096f8ad5806948a09b87761e753c20aa8cbf4

SHA512
4a99844ab9fff4cb5df09f9f9e4cc2c03b7510b08fc61c8c47036be37869ca450cec4a1403826f8079b2c9b149e00795a0c3f5b14106067a2810de18c2900b11

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
dd4bf08ccddf7f6733cb0e3b153fc660

SHA1
ad70a948e85ac8786bacfe8ec3b60b31ebd0ec0e

SHA256
280b13563bdb2f6b56589a358bbb4c048bf01b5dfb516ed1e47a32bbfdb24b6e

SHA512
d602f5b1e4fa5897fc7f5401985eff753fbe6c540b5598937d7ed1b1c6702c044a536fa329e0484f14ae39c35e7738b73132a401fa3c8f386adfd2e9ce2a3da0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
996769257230ad710c8ccbf34302837b

SHA1
12655e5f22e7026caab5783d29793ea3f0d20a5a

SHA256
b31f536410f9ce26b90d5e79e781f4e6a19d30adb769f62fca53ad046c41b2f4

SHA512
c5fe1963564819191f20d026c747cbcf0b62afb5ce4ed8f6abb735d88bfee74ef6695bb3a3a73c5a3dc678c6b85e22a8d7607061484ce7e64a91d4f0f5787012

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
35d29e41c53c2c41212b23cf3d70be9e

SHA1
60026c6f90d667688c1e0ec19c05cd8e3a2957d0

SHA256
8db449eec5d6068e7273f475793c544bc326dcd9409fa5b2aecb23b58faac1aa

SHA512
12ebeb01aaf28cd264d6ac698fc03c6079469dc6c92affca34b52724d556c27752271603b61766558308e451f1fa48758eb7cf702e394d82454c791f24616d83

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
07e338fc1ebb77528be04404ce5e1a3f

SHA1
03374569b9c645414c6c218eba0ffabe20e1d692

SHA256
b024c66bb9b78bb0290fe5ac0d7125e192b16176e7a176fe0931a94bce2f9ca1

SHA512
7ab55274c0e1aad4a2731542472597de157155c5190cd7c56f46e4b32dd661075c67cdcd0068f159b214c2eafcb5a02fe4a53bcc524afa4b9d1da1c241bb5e8e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7bd6c86ff079ac855de6ff0039e4f034

SHA1
413e9bcf9bbc20cdcc95e66ae308be0d5085f148

SHA256
00d52f5086d1146abf719b7b7af4eeefbb05aa38a4e450e237f40e5660e5fa0a

SHA512
a545d228eab9541917cf7fbc72a058bc0da602ead553428812db717de3e956a9beeeaea2d7de076ca4fcfd68863b6c46b649f947af2ed312ef62ad35e90af046

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
896KB

MD5
db28cf37ccfc85b577ca89b2ee451562

SHA1
813061127a305a5db56f6bbb4c6a5b33bf4150fc

SHA256
25b388414fe730bf57da81aed2ae9b4265dd861d7a9002413d63dea724401ab2

SHA512
8d64312c0f4d74cb38b590bffa715705b608dd279ce762404018c8625b2f9aec140415abb8d7758c9fb284b29d6aa94ec6c95575bd3a5c9b8780866882a2dc8d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
768KB

MD5
dde4cbddb7926efb8ea826b6cfdd9557

SHA1
430e0b19ef049ad7d51a0d88f63af3aab14f333f

SHA256
8d4fe2794935e236c992a4a1b2e8a89464e55d4a832d380dd3e26f1b5c0d0f7a

SHA512
44723610eb54cbd5070a3c757d944109a89334a7d5b4708c5a7c363a03469ccaaee8e369f7031cd780049e8221384dbecfbcfd418f9efa2c1745e7f4cec79f30

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
867c8d8868b98b9ae6f892a85f7eaf38

SHA1
bf2bfa606c6b2d413ecd79dff89125d9fb5a0ce0

SHA256
507a97c5c9e78ee34ead9bd6a4515b8ed65713de5569d80f6ab6738825defc1b

SHA512
4244975a8d86301c2d22c9d7d62ecd2a1ec87a0587590e95d0a7e7bf78d6cc742ec28d969e6e41e144213ba77c0eb1fe24f8dd86d293ae82cfd47b07d238c940

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5007308786ba5b6ca3868ff44ae730dc

SHA1
1f5c68b0f812709ed15b33c0efd2cd32448fbe64

SHA256
6cdaae4f149f7460d69bb86da07599eeb3877afadcf4e4ced289742970dfe25f

SHA512
9378ab761ed58f92ef5feaa87aee5cd64ae74e016959b8ce142fa5d602dc3c8aad6609ca84f362e4739553176ffa08ae29203cf679f46cf88e635d2ba48d9960

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
3d68423b0edc698494167a06df974548

SHA1
386b0340c574cf03f23d9484b25e713db1428fa9

SHA256
a88ccc05b3d1736bac24c6e0edcc22cb465b9e55a75932cccb2cffd7338bae6d

SHA512
1b8c61d5fd3b54cf8bc22ec2dbd0d4c4b84754d33d549f6a6927e86a05ce168f6062ca6749dec5fd18a7550c4f44cae468473c181f57d418335948e7c8fe25fd

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
b92ed32f0dff9576b20c160d728f74a7

SHA1
905935dd61c58801c21faff291f4169e6a28dc34

SHA256
af07d742eb3eec672cba4e06b9f517c82f2ae47810afc24e2dfa973575f0eb5a

SHA512
1cbbb63e932bdf476efabcea3aed1ce7abe26c56f63529f9798c903d232ba5a4357f256a4955998381bef4b5197d46c40dff03314ad39b2f927a36b8150803d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
384KB

MD5
c9926502163222fe62c768d6614c1ef9

SHA1
3a480c0d1accc387f51da1ac680fed464925c07e

SHA256
3e9f5f7954682e72d314395fdbe06436de7442813324a6bc39e2507a2c95d133

SHA512
cb6e658bd4106b822e14c532ff3b86b60b54bd055fca03105facc3a4f5e4379bd5d0ca4b6cf0a4427ba79c4bd31752c0e52299e6ac23dea7193ec51c0b7ba55c

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
657972ef41fe5e5c2c089830ba7e4516

SHA1
ab965003a82b8df6f13bfb2c578c973ce9bb3a73

SHA256
5a20d6d6d75e7b90c5d49e97156a0d44f858fd9d66eeff05f3a96ebae27a9ab0

SHA512
0566aaafd951233e1f1e82e1594716b072b9327f5525aaf12fed90e901628c2f70d36eed8e01b2379b7664b4b4c61f62c34c5e4ea3a54342c37b420039f12fbc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1f98c57c9128cd0b91ca83c185a6fde4

SHA1
eeee1bd01a45ed5cfc6c135512418737a6354be3

SHA256
d82e61939e4f3711f3fca4a9a52680674623d24c286b30b1936d79d6a511950c

SHA512
c393d621cfb0356c2e41974512cf94c04a82f53108c51abeff9333646ea532a8b30cec1c7ab0a74556252e600abf8a514e0675d08e29e5b5910bb6bf4cb2a80a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.2MB

MD5
d0ed528d29612f32bf263d5c36686193

SHA1
43c3e657ced4ca6766a6a7011d0c3c1524e66d63

SHA256
5174508221b06c8da803fae6b748b6dc61924d5d3038c87d0295708c0028f579

SHA512
e1337e40ef7677d1a2c2457c619b10dfd58fc5a80191a2389ba8cd20b5da1c2121288b3e0b7450492280735e9921607194e9a0c7979bfd9bc33ef9c1cd4c7f7a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9c5be17c1167aa8a8a996556aa334ec0

SHA1
477e2b15b4d161ac17a550d7f65e36f2b02b7029

SHA256
b9a636985da752c74c2769e6161bceee68881dda58a4ec81942ad384a4483275

SHA512
2c453b4b1d3478c79887b1f81bc2888ea4846813b851c5e93fa8c3fb1b2a890dd5693d0224b0611bd47a0d39b5b3d5feb374eea4140fa8b5dd6c2e46d9e2a022

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
128KB

MD5
ea57c27abffbaf416f4905d523cffe85

SHA1
e69baf7fcb8150d0f94b302e3fead9bc8f5ea5c5

SHA256
29982785571db60e36bf8e334b9d81da26e3855f9b2203a81df3ee647f103fa8

SHA512
36d40429346a36f40c033928f48c3fe1e1866065cba5ef97614f89c5d0b4630906521178116f331e99d7edb66281948a41efb1af2820e8bbea9a390b7659fe1d

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3e8a0c0dc985016c74e44a7f06957b48

SHA1
6998448cc625aad7fa10ae423ae001521287afd7

SHA256
cf8bc0f12b1a347af917906a06ec162c70e2eb784cb3675fa478b5779bc4ad56

SHA512
d0af7e37f451e7d609b3335ee200c09ebd66e8e8c02d24f5c83e57bca29a2fd156bd50500eb40cac852a7e4d6a76f224f0bd752b25911a02ae53600aeaf6a9d3

Download Submit
\Windows\System32\Locator.exe

Filesize
192KB

MD5
5359b1167976a73f8eb277ff0eabcf03

SHA1
8950c01cd5d885ee0a7d89a0d23be521a21d0ecb

SHA256
cabb4aa2c4416fcfc7c313656e8579120f2d6de09fa1d7b645bb788e7d09ca66

SHA512
ecbf1375828aeefb3ae7ce87de1f3f94f24ce075fb736bed7069351f431ef08ae9b7d7027ce1322c3afb446c83f79a645af8b4e17b57014a7f635deca5654809

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fd10913225561ff5ee5a52a428170c3c

SHA1
12ecf6d1c947953a3626c86f5ffed2de62b64688

SHA256
af983372a645c4a1a3fafeffd3b3d8a9a30f484b389362f28d9ce64e4cae8b3d

SHA512
b6c015aa73811731338b85adfe31bcb3c0b13aa790b30ca221da8ae337eca2f5aeb8372fddf7ed240e47351a27707ea4139237e41d9b13004cb141c9e1d50a0d

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
3e20037a78a8208cb4878e10c9107436

SHA1
a16b28379689841199e0f98aa048ddd5f46aa90d

SHA256
8a1ac72f677ab30a7e07da2a8900291385c8f53bb69d13774ba403c7627047d4

SHA512
e0f187164ec8236f2414ac1634120d12d6f8bdf4df71abd6890a0695e9600883083d358bf8aa9295cbac9874b82fa4b351003ce0d864146d7c9d6e4a96f7cbd7

Download Submit
\Windows\System32\msdtc.exe

Filesize
448KB

MD5
630f6bcd5b16f7e0c64812e3ace662d0

SHA1
ad6b15060ef67e2d29a59366c809e1d0be62943f

SHA256
c0de9f66088a0f7da9da9afce94b4ee6770e59ea9f891aa680e1c191c668c605

SHA512
b1d95c70b1f12c7f866566508b98ea26ef45e591c4024202cbf331123a5b6ddb8726ff0b1d37123006239cf19bd7a6af7b4b8133d559c16c12294ff1423a2508

Download Submit
\Windows\System32\msiexec.exe

Filesize
285KB

MD5
421928b239f086b14c04837ed568b561

SHA1
c9d7f841e7295bd3bb94f46723470719efd05dbf

SHA256
c2056375d9d01258fd64eaceafa245f87b31f72cf560cec889687fb424f41954

SHA512
23ca4999079e619916fab55a4b1e39748614720cbc694169537f7b2acf776bae33daff633723a88227397a1bed49c649750f1c23f3b629349f3475dd1378f00f

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
896KB

MD5
52e7311e820cf558857f0060f4969834

SHA1
8d92ef2ca062a5816e516260c26bfdb1223f6e79

SHA256
cfb938fbe31ffec71bac02fc6f29d6963e7db644b85022e96f15c781aed9237a

SHA512
ea24752e3de7bc252c0aaacc86db41f58ebe9eaf4b2f6f1c249841e2ba32279c1334b1ed4b9489d4b470b4d8d3153d5fdeeacfafe9e3ca85922c877889396bf5

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
85a16c79c333001c81dcc8aa275fde88

SHA1
e99156127e28d7f2f8518b20366cfacea19d144f

SHA256
4448ca26195bc611b3838c9b9753c87bf49fd03f2abdd37a731b94305a26f061

SHA512
8fb6948f992022ca2eb8aa1e99e666fbb0801a19fee4cb08207910b87557b5ee4e9cc067076fe7bc9b6cae97494e74f44b8a2d7ef6938d0dc9fe7e42ab9601eb

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
59c88347d33c8bc06e63da6893355518

SHA1
989779b0a6f35052741927c69a59a95ff5be5190

SHA256
fe3e70c95ed4393bf1b8fe7231e0bcaab14b9120552b1344ed712f444dc86a52

SHA512
681223ba4abe91cb6b165f84a94f25efe190ecfc5b6da2f8cbbe62f969820222c8432b7f5dea72111165f530a5f3cd965e5f746456c1f7f05ad412259fe25a7a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
768KB

MD5
13a7c52f075320e1a160ad095f168413

SHA1
52b6a52b87d2a57300ad7532cfc91c1b1406f307

SHA256
016ef39fa11026b8b138c1a82b3b5e3c7c319ff57940dd38175bd0b081095c29

SHA512
faa7989635b542e9001bb5d1238666a9f42adcd402f18b1a88a4ed8d527e5af7f062a199191055fae565052cd37a3b9c90598078f8f76cbbd98af23c8af76e46

Download Submit
memory/628-326-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/628-331-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1076-373-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1272-389-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1308-158-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1308-153-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1308-150-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1308-286-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1316-361-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1316-401-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1316-360-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1316-352-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1632-262-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1632-253-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1632-251-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1632-347-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1728-403-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1728-409-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1792-382-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1892-397-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/1900-277-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1900-134-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1900-133-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/1900-140-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/1928-330-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/1928-391-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1928-385-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/1928-344-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1976-348-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/1976-346-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1976-395-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2016-106-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2016-132-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2060-369-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2176-392-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2248-377-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2268-263-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2268-114-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2268-115-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2268-121-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2404-380-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-323-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/2404-325-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-320-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-384-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/2408-342-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2408-338-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2496-376-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2496-288-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2508-13-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2508-157-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2520-85-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2520-164-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2520-39-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2520-33-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2804-256-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2804-296-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2804-254-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2804-265-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2804-247-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2804-166-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2804-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2844-98-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2844-126-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2892-294-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/2892-285-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2892-367-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2964-269-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2964-271-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2964-279-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2964-359-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3020-332-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/3048-245-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3048-0-0x0000000001E90000-0x0000000001EF6000-memory.dmp

Filesize
408KB

Download
memory/3048-141-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3048-7-0x0000000001E90000-0x0000000001EF6000-memory.dmp

Filesize
408KB

Download
memory/3048-6-0x0000000001E90000-0x0000000001EF6000-memory.dmp

Filesize
408KB

Download
memory/3048-1-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download