552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c

Analysis

max time kernel
92s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
Size

1.8MB
MD5

b49ac48d08067809d2d56c2d3306212a
SHA1

4e27c62c4758e52c757ec8a5fb865f1097dadeb2
SHA256

552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c
SHA512

17593d339760a0fd189287850bbee962a779f5e65a9ff69d28f20066d8377c2196e0e80c4c654458c645544577a0ad836ce59a413617290cd7896b218f40bf95
SSDEEP

49152:Vx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAGm2G+dfefF:VvbjVkjjCAzJzm2G+xOF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
468	Process not Found
2912	alg.exe
1444	aspnet_state.exe
1644	mscorsvw.exe
1932	mscorsvw.exe
2368	mscorsvw.exe
2844	mscorsvw.exe
1512	ehRecvr.exe
2132	ehsched.exe
2028	elevation_service.exe
2908	IEEtwCollector.exe
2312	GROOVE.EXE
2904	dllhost.exe
2732	maintenanceservice.exe
2752	OSE.EXE
2964	OSPPSVC.EXE
2216	mscorsvw.exe
1020	mscorsvw.exe
1732	mscorsvw.exe
624	mscorsvw.exe
1592	mscorsvw.exe
2716	mscorsvw.exe
2876	mscorsvw.exe
2860	mscorsvw.exe
1272	mscorsvw.exe
1248	mscorsvw.exe
2952	mscorsvw.exe
2956	mscorsvw.exe
1196	mscorsvw.exe
2280	mscorsvw.exe
1548	mscorsvw.exe
1040	mscorsvw.exe
2216	mscorsvw.exe
1856	mscorsvw.exe
1116	mscorsvw.exe
3032	mscorsvw.exe
2952	mscorsvw.exe
2956	mscorsvw.exe
2428	mscorsvw.exe
856	mscorsvw.exe
3056	mscorsvw.exe
1044	msdtc.exe
2884	msiexec.exe
1596	perfhost.exe
2328	locator.exe
2140	snmptrap.exe
1136	vds.exe
1804	vssvc.exe
1932	wbengine.exe
1676	WmiApSrv.exe
1608	wmpnetwk.exe
2508	SearchIndexer.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2884	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b0a28249ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_ca.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_fa.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_is.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_zh-CN.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\GoogleUpdateOnDemand.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_bg.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_ta.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_de.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_ru.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\GoogleUpdateCore.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_sr.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8739.tmp\goopdateres_te.dll	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC43C0A1-F2EE-4E5B-9159-5BCC09427F3C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC43C0A1-F2EE-4E5B-9159-5BCC09427F3C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2136	ehRec.exe
1444	aspnet_state.exe
1444	aspnet_state.exe
1444	aspnet_state.exe
1444	aspnet_state.exe
1444	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2772	552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: 33	476	EhTray.exe
Token: SeIncBasePriorityPrivilege	476	EhTray.exe
Token: SeDebugPrivilege	2136	ehRec.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: 33	476	EhTray.exe
Token: SeIncBasePriorityPrivilege	476	EhTray.exe
Token: SeDebugPrivilege	2912	alg.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1444	aspnet_state.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	2884	msiexec.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: SeBackupPrivilege	1932	wbengine.exe
Token: SeRestorePrivilege	1932	wbengine.exe
Token: SeSecurityPrivilege	1932	wbengine.exe
Token: SeDebugPrivilege	1444	aspnet_state.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
476	EhTray.exe
476	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
476	EhTray.exe
476	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2216	2368	mscorsvw.exe	63
PID 2368 wrote to memory of 2216	2368	mscorsvw.exe	63
PID 2368 wrote to memory of 2216	2368	mscorsvw.exe	63
PID 2368 wrote to memory of 2216	2368	mscorsvw.exe	63
PID 2368 wrote to memory of 1020	2368	mscorsvw.exe	46
PID 2368 wrote to memory of 1020	2368	mscorsvw.exe	46
PID 2368 wrote to memory of 1020	2368	mscorsvw.exe	46
PID 2368 wrote to memory of 1020	2368	mscorsvw.exe	46
PID 2368 wrote to memory of 1732	2368	mscorsvw.exe	47
PID 2368 wrote to memory of 1732	2368	mscorsvw.exe	47
PID 2368 wrote to memory of 1732	2368	mscorsvw.exe	47
PID 2368 wrote to memory of 1732	2368	mscorsvw.exe	47
PID 2368 wrote to memory of 624	2368	mscorsvw.exe	48
PID 2368 wrote to memory of 624	2368	mscorsvw.exe	48
PID 2368 wrote to memory of 624	2368	mscorsvw.exe	48
PID 2368 wrote to memory of 624	2368	mscorsvw.exe	48
PID 2368 wrote to memory of 1592	2368	mscorsvw.exe	49
PID 2368 wrote to memory of 1592	2368	mscorsvw.exe	49
PID 2368 wrote to memory of 1592	2368	mscorsvw.exe	49
PID 2368 wrote to memory of 1592	2368	mscorsvw.exe	49
PID 2368 wrote to memory of 2716	2368	mscorsvw.exe	50
PID 2368 wrote to memory of 2716	2368	mscorsvw.exe	50
PID 2368 wrote to memory of 2716	2368	mscorsvw.exe	50
PID 2368 wrote to memory of 2716	2368	mscorsvw.exe	50
PID 2368 wrote to memory of 2876	2368	mscorsvw.exe	53
PID 2368 wrote to memory of 2876	2368	mscorsvw.exe	53
PID 2368 wrote to memory of 2876	2368	mscorsvw.exe	53
PID 2368 wrote to memory of 2876	2368	mscorsvw.exe	53
PID 2368 wrote to memory of 2860	2368	mscorsvw.exe	54
PID 2368 wrote to memory of 2860	2368	mscorsvw.exe	54
PID 2368 wrote to memory of 2860	2368	mscorsvw.exe	54
PID 2368 wrote to memory of 2860	2368	mscorsvw.exe	54
PID 2368 wrote to memory of 1272	2368	mscorsvw.exe	55
PID 2368 wrote to memory of 1272	2368	mscorsvw.exe	55
PID 2368 wrote to memory of 1272	2368	mscorsvw.exe	55
PID 2368 wrote to memory of 1272	2368	mscorsvw.exe	55
PID 2368 wrote to memory of 1248	2368	mscorsvw.exe	56
PID 2368 wrote to memory of 1248	2368	mscorsvw.exe	56
PID 2368 wrote to memory of 1248	2368	mscorsvw.exe	56
PID 2368 wrote to memory of 1248	2368	mscorsvw.exe	56
PID 2368 wrote to memory of 2952	2368	mscorsvw.exe	67
PID 2368 wrote to memory of 2952	2368	mscorsvw.exe	67
PID 2368 wrote to memory of 2952	2368	mscorsvw.exe	67
PID 2368 wrote to memory of 2952	2368	mscorsvw.exe	67
PID 2368 wrote to memory of 2956	2368	mscorsvw.exe	68
PID 2368 wrote to memory of 2956	2368	mscorsvw.exe	68
PID 2368 wrote to memory of 2956	2368	mscorsvw.exe	68
PID 2368 wrote to memory of 2956	2368	mscorsvw.exe	68
PID 2368 wrote to memory of 1196	2368	mscorsvw.exe	59
PID 2368 wrote to memory of 1196	2368	mscorsvw.exe	59
PID 2368 wrote to memory of 1196	2368	mscorsvw.exe	59
PID 2368 wrote to memory of 1196	2368	mscorsvw.exe	59
PID 2368 wrote to memory of 2280	2368	mscorsvw.exe	60
PID 2368 wrote to memory of 2280	2368	mscorsvw.exe	60
PID 2368 wrote to memory of 2280	2368	mscorsvw.exe	60
PID 2368 wrote to memory of 2280	2368	mscorsvw.exe	60
PID 2368 wrote to memory of 1548	2368	mscorsvw.exe	61
PID 2368 wrote to memory of 1548	2368	mscorsvw.exe	61
PID 2368 wrote to memory of 1548	2368	mscorsvw.exe	61
PID 2368 wrote to memory of 1548	2368	mscorsvw.exe	61
PID 2368 wrote to memory of 1040	2368	mscorsvw.exe	62
PID 2368 wrote to memory of 1040	2368	mscorsvw.exe	62
PID 2368 wrote to memory of 1040	2368	mscorsvw.exe	62
PID 2368 wrote to memory of 1040	2368	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe
"C:\Users\Admin\AppData\Local\Temp\552733bb51b1ebaa35967f7dbd89f9e8ca9c2a6098da543b359c9f6a6ea2d76c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1644

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 264 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 248 -NGENProcess 274 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 278 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 274 -NGENProcess 280 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 284 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d4 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 2a4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 2a0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 294 -NGENProcess 2ac -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1512

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2908

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2312

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2904

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2732

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2752

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2508
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:2968
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2600
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
169KB

MD5
21f6358132c0dc1623cd48581cf1c22e

SHA1
474c8c56260824adb6aedbfeffbac8d9dd6905ae

SHA256
9ca8a3b0cecc24b68275308cdc6dcd785f86bb3c61655d802b0bc92a0eae0aa6

SHA512
a73c97e4b52e4f6d1c6083d1efea3576583c23e01726deead8f504623e146717296e6fe3a0dd409c15b9be62fc3bb677df7a781f875f7f76b5931dc0cc6b5600

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
233KB

MD5
17c483ef5142eb2803b6098b948ae9ed

SHA1
4ae85f6729da91a15e6684a10db5379596405e2e

SHA256
70c54887fdfe9ab8cbc864f658726269a2ad957f4228b3f6d6d7ab5be327b446

SHA512
c5c6aab3024863a6d46c7ba555db7a186ec3aabc0423baf4df30539b5217f0095b38ee4260524a46a44296c8b4b8dada076736459d01da73cde0014116892356

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
268KB

MD5
5f6c22ed00d9e30f7a1171b0a716b08f

SHA1
e7d21ba6d6dd2aadbc0f5aabee07a11cd5db3aec

SHA256
a6f0b04874aad051ef6b098ff6c5006f1b14849fdf6a7b716bd7df8c2efa538d

SHA512
cfd25040955c6d4ba834f37899df3896441f4c69d61b6c834204f61eae0ac5bf3ffe07e77645175c824c52315d4addb14693e8b152b53959f208c04a77719d44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
67KB

MD5
1c1645e54af1d132a2bd8d2a42541095

SHA1
d62fd899888ba7f1fc2774b3997ef5f516e32348

SHA256
76941be69efbc044972b504e1efce667189eb98588089a0684f644d158739768

SHA512
3c81731c7bb369e6b37ec16be3f4125dd6d5fe6a8d950149f3ea1e1459bffc244b9a610c57eb3ae61b18ef5e4bca504e53631d045f4cf1a4e6f32a88c8fcb839

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
12KB

MD5
b8b50aa3cf22c0bd07f8cad8ff82b146

SHA1
c816b0396def0e5f83a7eb26a2d9931bc99fa1d3

SHA256
a145675d3ffb5a11ff5f2e9c3ae375453abf40cae6a1974d932ad779774cdd33

SHA512
afcdce31e71640bb315d3e9cfcff9f5cca5f85b1bc97a577acb8c466f5e5fe7d7070adccb80a95c43b8b64c6c5e1706be0ba3ba4fe864ae1beace4dead1a18bc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
106KB

MD5
21387f48353c55ca7ad5c36d68a5eca8

SHA1
51f1ec97fa17eccda55bafa9b80d9618236a78a4

SHA256
dfe7b20b42c205bcc1ffeaa6ed5a0f65814b94c5d2994c8cda9612c113c43754

SHA512
840a913954e0287b9cf13d2c1f8c9b324e0bf1a2d15e7493d7ff5665a9365e92660bdadac5c79d13a8e335a684db64f26ad3562a862ffcb2b72f478723c12024

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
83KB

MD5
70271f09cc7e883abdf978f0f67be518

SHA1
f2f1be9186402ae34238a05a67be9e9220fdff81

SHA256
f1dcab372ff56aa2054c9a8d5be4d5a2f70b7a865ae62cd649541d5f5ca12f77

SHA512
4a1922e86eb3d5feb7d884d704fc3098371ab30355b288ab3ce3b0aec850ddd93374d47846fb8c99f08b05bd892fbb37335c3d18ea6e29d82d23d49777174f52

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
408KB

MD5
806a62fb4b3c5af1cd0b12b6ccb3f16d

SHA1
e4dcf90a07ef5ea37661f24e07dfe57605d3d170

SHA256
418bb378f640f5eb22bf13f3c3aa3b6bd6e4152c4f3f3de930ea8aed72db5403

SHA512
6e0393f1e1f33b377e85719b4f11723fbb3d478a67a72f92490d48d3c5511976da1c34fc23683eb12a23c09ea7886d0437def269bc123cb213fe6db92be4d33f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
54KB

MD5
99b02c8c54b530e6444ef0713189f33e

SHA1
be2236232efc0235a94bba8fbbc28517bb2e36e5

SHA256
5a233ac335080ce920acb2f221a5e1f87030899697f6c2a73594fa351e8985d6

SHA512
762cd8b1451768c5d32e8b232ffb0f47e76f91adfc5c2d3d8b6d65c6589661a5f7f8c015c019a6e7d0806f8ce1c967e178d967d764f439c73bcc0e1f85ebed57

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
184KB

MD5
ded68a5d8d6ba9d60cd644aea43400b8

SHA1
43b6c34a22bdddf2dafe324da73ae287335019a8

SHA256
11be4de9ad033bd83a3f120064097d87230abfbc82af7a239e76f00ef1a07c84

SHA512
95b03dbd2b9656df87f0dc5fe15d51d1057ecebab74ff40d0206fa3fa1e1a8a67d81a8527365aca94260b0a8135fb7519273fdae1f8865e9ae212b180d2b0072

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
131KB

MD5
7fcc2e2ea7bff3877ca9c91ad388d6e3

SHA1
a5b4e15ea3b9cc6bdf2572e9da838e54dfb9873f

SHA256
1cf09b371907adbb5834373a083c9f8c6024ddcfb8a32a40fe553e939fa1af3e

SHA512
f04ca5896e02419ca2e29e70803931cb5f61fc84015021938acadaa15f889f70258fd46b00e1096bb1740bd48d68924b47fb531acaf8df23343d8a0d3e1bac27

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
62KB

MD5
e0da87dec7b64b4c3d4073fb8db274df

SHA1
a8424125bfd84683aef529e797bd643c72b5c4e5

SHA256
1dd65b88dd7d1c222a2c0931eb4dc92ed9157654dc2cedc79b6c3896082da7f5

SHA512
af1d8ed94b2c1560a146cf6691d9156d43d1d0711ba5baa79c04710113da681b18527efaf5cad90fd16a4a82589d3e8cccb376d17b54b6574b35eb4173bca96d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
632KB

MD5
8700c86bbbff9421b080511a217dcc2e

SHA1
712fadeb8b36354ad7164d08034424fea0931d39

SHA256
eec43c83f45fede14ecc1962bb3c8454ba37af696a20a78ebff7f92a4647d644

SHA512
1ffbe3de50df45b6a4db936f4a49d8116f322e1e56f078fad94d08d1fab0ecc65a68864fe9711d9e7cabd272830957e40fe0a000cb5eac3a8099172745192ab2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
412KB

MD5
cb3c654f190dd322dfd453477a337aaf

SHA1
b5374a97d3034e6a13999cd1fd3b1989895bd156

SHA256
a3ab3742e87e884b6c2392523f062d328bc79fede12761245d2d7ac670da2511

SHA512
2e062951ac071edae8217932c6a957aff49fd927b559b4d64b6b5e2957cb8a44943633bc8475a7a61d67ecbf16cbcecbde1cdfb3cbabd6fe7cba88d70cbc5a48

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ec427758df079b299ef7d43c3bd3c60d

SHA1
d684a5fd8e8c396af33e624a32a77cff281dc08d

SHA256
97a618fe5483444f9e7a74c4a04a4e5ed86ff8b33bd146aee52571d70fb2a47e

SHA512
a6a0db48abb346ab46d409837b27737c0cffdbef951fc23aa2e3fbe363a96790598665b81e731743a447d1df80d1f65254bfaec5e2572f7832d365c25610b935

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
397KB

MD5
06c3fcc883280f98d34b9419d2a481e4

SHA1
8c41e1db6759532f551b3043ea4674cf3a14d745

SHA256
0090c8c4f5cbd7152a956f245cac3d0efb322cb72e10f956528f0487d1b75b29

SHA512
d3c31cbb4013cf0e944bcdd17ed624830d8d86cef3e2a5f40c57dc23af638e6c26d4e698d0fbada9ca3e6ac8fb71cb8d6eb38d29b75f19f22833324bfc92c0e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
705KB

MD5
e6b83463cf6f65b35ee84e37d0a09c33

SHA1
c89f7db4ea78d5e6c392fb7c7c05613a194df418

SHA256
1f42f0a940d3451187c28c8c4461e38af5721652edc6238760a45c7dd40ee21a

SHA512
ea41677d702bd8b6e0e0609faf064553a85b7d572e35c3d3fd07857b70836f29cf5532cee878284f16d7809e8af41fc8de79e5dd37611b6355ed708d154f7a85

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
229KB

MD5
b3fdf82691f12f06ed41fae8a14995cf

SHA1
e545c2b25b83ada8b3cf394a7667446c330e8473

SHA256
5fc9332b68a72f2ef87a4c64dd16b2917b2ebb3d5b729030c61ad06101bb8e9f

SHA512
aba2cf0b0cbb6bda4df5422e584486b53c971d623f9eebe2b45b470a54ac0b970f830e08b6be33386aad2242934f82ae8c6941e53539e5ec4eb2102a650fed99

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
209KB

MD5
64f03ec9624fac8707f585f17d6c24c3

SHA1
2e3bccf0b38b2bf22cd08216587fdfdc99eb77ba

SHA256
383b3366b7a8b1b13180bef0ca04d8dd17c41d8efe108f10a1168c89308e6c20

SHA512
914be3f7876224a03a07386a74bfe8be7156603ff4c4b8816863ac2600c9a0821de9650a826bc2b279490e12e5a772825b25bd9440482bd511037c4544bf899e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
211KB

MD5
1591e88973331e0014091d898d491530

SHA1
863d7f5bae9d0206c083e72275c9668241c3a61f

SHA256
09d40e109c5cd6d309268bc0350070a784fa471009b8e7cf22fe11e7cd6e5af6

SHA512
9c6a0a945288deb6a7e10c5dc58e86f0c9e954c31a7e0da21ddf3cdc96e69767b4bb0e7b42ffc0bd65d19290028a5b0ea5a6b7c31fd02d04ba8ab822865a808f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
575KB

MD5
6d3b67f73f629b659d06612151755804

SHA1
3f07d92544f54b88332070cc121f176af51c5f78

SHA256
71782069971116165007d3e79e3251051f8240b9a3fa92b0553bdd873a20f0e5

SHA512
4dfe5b3a365f7a8a4168828c60c268237bc98612e4e7cc9d59627bef33a16e94a34d0554fd0b33829b87592599e642820517f2e23a3c3ae5fb8fc2f18a2606fd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
487KB

MD5
6a438d90590d64f785263a0c9d2e26c3

SHA1
cd9858733ec63791c436368e05dcd076afcfed24

SHA256
83fdb5c988ee7e582bb7646621942dcf29f445f9b0dbfd8cbba0f0abb91fce60

SHA512
1e89e24f1e8389b4dc5c218a7899ab1733b6687b4a39a67aef4923f03de7b4411817a96beda1c0ea41a969b748f2c417da160799524ab931b3511c2ae447b374

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
15KB

MD5
682de1a293ce2d8625312bf3162400e5

SHA1
57db17e70a17f7370288c864878c10de4c454d99

SHA256
99a7f82aca378e9046a28b8b4d712249fc67349d59479e889673b2c92417f2f1

SHA512
7185b86ab102c051bd3a29d0d683ac8fc7ffda665f691637c557c6db2b5be54b4cb13b7b29642a898701dbafe569d2bd7b50a2550a5f9c490fd18a39250574ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
99KB

MD5
ac04464adcd661f57e25d60f647687c7

SHA1
0fa27d042b59da2084b22ceb07a494951443a6c4

SHA256
4a6111a8830aa06a95b5f937eda55ac26a43a0b20c850654ffffa0f7da340feb

SHA512
cce5ab1896343576a85d4eb0afc38dd5717c72480d54ef72b6ce8b1d363095471e398ba67728c67875a2ed9987ecf9bf440b75e19c92c6edd1cc084751be6c63

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
0c1f64cb7267c2bbae81bccc10ea4eb3

SHA1
04cb4571a3ebf5e60d09334c663ffa82d1c71671

SHA256
9a0a8952a9760e9fce0e02746a7185599e96acc3be96bb2cbe5df6f55a453cff

SHA512
7d6ca89ac993dd2ae6fd0e7247ec734bb7aee07f6d0e8a249774b8f5737006276fc9de60c3d5b09c13a4d31c9fd3ab43cae4d07baa56592fad813df56f7528c2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
275KB

MD5
125c8d88b090ca6a90986e316abf56b3

SHA1
116afa780e012d650af730afeb951f3e4a31d32d

SHA256
76755f78073d000eb4aa44ccfad6fc06144d27a0a4c3bbeecf01049d5ffb40b0

SHA512
3afba7da42d33defd0f2367b921becc39a9560cf77a2c5d69514816ee003e26a8715c2304054c9ab30c31c5bf9a805bbccb0cb531142f3c869ef10348b6ad226

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
192668183778d0aa33386bfb2cd9aadc

SHA1
61b785edc565a7deb38e619f6ef22bce6780c908

SHA256
edc3d2b62bc341ec4890b43912e76bfd0fa86dac6a46864be0575067eed9d455

SHA512
bc96cb9a57c89c1ec889d711387f077da8dd16e37d30f669256844c88692c1e5b174fbedfb70dc4841870165399e170b79e44821f520e21dcc7e64d1bae817d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
620KB

MD5
bf21fc70fd3e619f05b5230d99e54fc1

SHA1
4a7dad62c2f6d1fdacaeef2aec947dda17ae2a73

SHA256
ddb1d0642e65e46a2133891cee7715af7afa69b67f5ab3b74b95746808a5e262

SHA512
0480721e722b4ba356e2b4041f16a7e9c7f5584aae361ad80e49ec27fe13f6626ff72d554c2600fc2fb4c1acc48bc45eb10a12e7679655caa6d5f07556b1d3a9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
2e6a2c68c81e66f7bbeedede9eba098a

SHA1
e315b127dfcabc3d2d90b511354d4cf9fe70d6e4

SHA256
5267f93f2f06ea7368e46b195985c1ff40149dcc0a7cb6f7da1ff2cb296f4fbf

SHA512
828b7fb66a4585090a369c438c657ea8155f14c37a03e3cdacc48dbefc37f1d46a970532ba9427e151ff4ebdcb5aaa0b1118bca59e698e1e2515881e8ac59cb6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
02e8ab5df78b75be4b15f5e9cf8825c8

SHA1
e5ebf0ed47dcbe721d3eae8486142cd8cb111787

SHA256
0655b9f769556c598fc58218439464d21093b805e8041983080284b31e0565f6

SHA512
aa3ffeb448fc3ec0058cf1f5c0b5fa5ac015f6836ca14defcf58beff3e8ac2eea6345a83c14894b0a110a2bac410fb73fe52b9a12d47c147dc9a5db32eef800a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.0MB

MD5
b22857f884d94e989da6264a4789a6a7

SHA1
1e6c7eb09a337b7338a25e9a6eacb37a2b727be0

SHA256
66dde31d79244b0036b6da72eb32ddc8c967f7a59af00ef67522bf530bf7fce0

SHA512
dc2d61fdd7d8cdfccce8a9bf090961206794d9f9bea89bcb823e940e19cc04e6a40906484853481e0ca8e2a7e36e31280e2575c9356fe0ff40383461e64a65e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
420KB

MD5
9c60f5ec4363c0cfa9f99b2964aa65c0

SHA1
bdd0d01da67fe53cc54a49a9cf3eaa5bc0699849

SHA256
a5b36a71eec786caf7c0a7daa8153a16e47f59da977f375d760971608fe53216

SHA512
0aaaf185948da97b4ef7129426040a9983ebfdd192f297bce707d057add826dd5d6cd3703911ab65d735681a090a5975625428343bd16ba053d52f05fa1dff6d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
112KB

MD5
009c76ebeabaf7b450151d5cb32bc97c

SHA1
15eda61dd64a1e75741f7c31ced616ffcdeff86f

SHA256
0fd26b3d455b219e174acb61b1785d2f45a1e93974daadd76b8598b0b50a79c2

SHA512
10fc20cfe7aa5e53fa4deea6a21b36d79c66564cda1f0d17e14230eb08456029c477b511890389a3cb4ea2a0af3ca289b78557d5f4b28774ebe50ad42297f5ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
489KB

MD5
e7063041cd6f664f896030ad09f8a3a3

SHA1
ce42757aea9d284a8c8169a0c88db26079df2da5

SHA256
fa14da0936b73b4996ef2b0ee1f5a581f205c351feafdd62f5dfee39371d1cd5

SHA512
d1ed76206330fbfd5bb4d4c2a815d0c67f5c239c690745665b2d6c7068d02bec4ec55f047a9189bb99c44fce090839a57cc04625a01854c48c5f91204210b7be

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
9c6a950ef106ad79d409b84a57460cd1

SHA1
f9b0bcdb7e33b7b2088eb3d7425de454c2ee367a

SHA256
eef607287470cbf7e745792be95a13ff4ca0a8444677bf15d28e9e1816e63371

SHA512
34c85fc22ac27ab2dc7e3fd3b2c8ea2fdc3fe7fb1ebab1273d80c5d29d67c607d72ccb0f36dc0c971f0fbba61bf7702ccb02c8a5961209344213bcd191e003ec

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
57KB

MD5
b93f1b8615987a14a0bf36153968e8a1

SHA1
d07cc65df677c797decff84add6d44d8429a37da

SHA256
201fb0c2ef703fb76a4556d35c6d8f27fa7a62c73007d199af41fb833357f4d8

SHA512
6785e8c0f4f26063087e042e3476a16460c3eb0ca60dc6928731aa567713b55edbfb9de567dfc934f42be3376bde5542ebc4bd814387293c1b9e1ebcad4de275

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
867KB

MD5
63af50d780438aed1f7cf2c06b8f4f5e

SHA1
af34447e1352de148bafda57031d6b527c4edbfc

SHA256
65b6751dfff2a84cb489ebe252b1760ea4ae1455c47665574f1697b3e3302c0e

SHA512
99a8d700eb11c9a18708a151f8e192d1f010aca363d1050e26906a794e9ba29157ce5a1b3af8dd420a6e398fd2e9202e77ff709464a26c407509a9915cda47e4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
63KB

MD5
3dc3bdc26d03dbf993398963b84b2f6d

SHA1
7b1d7a73478c5125f0fb2f0c199be1d4b142dfef

SHA256
7055d25975cc13b27aefdd3765e2faf8133d4bf1e8f676915e9e90e77c837105

SHA512
80f710d8180bc5e4c6e892fdca7b1611f4a883d84c5393e597048411b16a9135b6c8765c6e9c2fe3d166b281e802f7beee176c7a12b6483f06b4b9d0d5e9f538

Download Submit
C:\Windows\System32\alg.exe

Filesize
650KB

MD5
cb661e19f2c9931a6d6ab3f3d74d42d8

SHA1
20c9a163cb7b3da3104720baf29dcd25fc3ff025

SHA256
9cd63c0bf791276e24ec780614d1cf0432a02ceb04874b3574b78eb7fe5b2f62

SHA512
40a4e3c3555d3e9d1777f75e218990016fdf9e32124bbdf8a7f52d821b4119f47b269e424562a9d0b3417e82fd2011630884baeddec60ab00b68750e1fe78045

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
363KB

MD5
dc92f93d5e049cf55ba40f6dc42aadd5

SHA1
1d48a83f3d4e61084f08affa24aa54498d08013a

SHA256
d4f34e7316e92a088a4f8e36cc27543d40cc1906383ce04f16e996a7b55d7bca

SHA512
9fbdbfe74eae42cc2e0f10b5a04e55eee92b908d90f38939e3cc941859c79e54e9c0615a722ce7ce90df9167e895ceb0d03aeba5af7c53bdb15ee8a95b6b78f8

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
533KB

MD5
2d38f5dadb45b2a998c54ef281b31943

SHA1
021a17f0b0c1c7d56318c813c3d5c2acb41d852e

SHA256
e1fd573b7f882702abd16e669c77b2d9704aef97a38e2ed2b0c2ad25d0560e9c

SHA512
e518e65a9fc6783f3c25b04c93ecc9887399195083512586d5411d9eb7de91a265e0fe40e487908c82ae3275a359365083e7dce2a874a5ee43ca2a5706f16f70

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
37KB

MD5
5dfdba46035e1d82edc027bd300870ed

SHA1
d74fdf94a34707b41e2654b865a8931b2534cfdd

SHA256
729c2d4119bb3c4d169a784a8878b1095e7cf654ba3a9af84c6d227f0f5e2917

SHA512
862bfdff8c4c0b648ed3afbcc9e266e62b3beba301f3b37a310a11090dfbf9eba2382aae5f4dd7c144a149b88a17bd69ba1178f9edc07e6e54a24c7d9fb88b06

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
28KB

MD5
84e2af0f72470020d4d31a4268bcb86c

SHA1
8203198fdf8cf6f743ede7b7d8cb07533218a6be

SHA256
19869fea65c46326c0e3bd63c52621920e30d88dbf3ddf8a6b180f00cf55200f

SHA512
28f6a45bfb503305bc699f5dc72e4c7996379a02e4d41f4be41ae002c6be20c8587cd0c13ea164b7125fdf971e5bb2142965b884a4c6b0c1e54fde5f0e8d0eef

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
5KB

MD5
bd9d55b549b56ad020b6484245300a98

SHA1
722a41c394b51cb028828967dbb3c585ac0cfc13

SHA256
c6d3a88c391a26b067f04726f1f126c36b2d5c91f6c6df51c7a6c11fe309adb8

SHA512
b5bf5303b6e42ea189ca09dc18028e108dd265423f8050ce28c241232f2bea70ea07d9e5653ad155961e5de669126ad039442f9413a035d68542adf298a027c9

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
538KB

MD5
84b870c50b5c0189743d7e44989374b9

SHA1
09a8b881d6d2136c67ebf91031fd7340cdb2b27c

SHA256
a2d15057244cf7a5766614b66b0a1d700ab563eb918a89ed58edb8345e0be43d

SHA512
c7a26e25ee9633c41859ebf8b30f6b19bdf7771629e679d979e89fcaba9d1570db46068b61d79fc53f7c5d9e2e9655fb04e0efd3c1b3d0b21d451cddbde18f4c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
340KB

MD5
7b2f34551dcb333794c21e1debb0fdaf

SHA1
4febaf0f95af81eef7e72a85472a4bfd97dbefee

SHA256
042072e2312eba9c8dc5b1ea57b811d5f4167174b737337da5aaf5cfc2f61f28

SHA512
1085441883c3e49e362ba319f91a507b4814afb333716a88e8383c23fadcf98922b6ac5d540129783e1d5237ef0dd7231642275303a71b29bf5e4d28273a83e1

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
23KB

MD5
02688bd0847647cbf4428c331919efff

SHA1
6829a25f4fe779b9de4640e2a38a47aafc41d561

SHA256
3e34d751ba7611b3c15e6773e95e34b3cf92499caaba08298a6622530d91dc1c

SHA512
4b8b6b3a3246d54705c164f006abd069bfb2b5ae388966c4b05a1ff1ac1236d558e28a4fce0a9e659f61c7752e17e3a8f0f79fcf9a59ada4f66ed0dac1fdc2df

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
16KB

MD5
37fdd393c950eb41654fda3eaa8f8e64

SHA1
c39bb0b85e5fc9c4a830985b8378aa72ae4de5ce

SHA256
40f0d4e3315a876fe42db607a883bcf00c73e203757354ab5c1a1f00290aa773

SHA512
d93acf56c375e764866ba5d0ff49055d811b3f14b27a4e288b5e2cd98c6c0f92c200d216824e12159571810b6b622f7f61a60b816f593e26f338db87ecde9704

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
484KB

MD5
450e218b348a411a82942a21a02f6306

SHA1
b645b492695be45daf7c55dbc47997267eeca107

SHA256
dcb1b9da1a7ee5db91a1956fd41414c61131c0abd44204355036c42147ff3e94

SHA512
e148a80cf148f58a49affd5478617020c47593e9882fc9e136cca0151e604d2efef38042abdfa3756f61762b7ce86f6ba7a210b475b793da9a76251c8a7aacb9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
96KB

MD5
d2a880b76bf31894afa2d1a932a7907c

SHA1
ffc542f90b793db151687997b23054161732d1dc

SHA256
33dddd67eb0da318974cba08bbe1d12663553d3ad4eae87657060e238fb977aa

SHA512
fd2c0b399693d4aa36e10c1736981047c48ea0a8197b2252fb6f6fe01549d82c1c7414ff2d0f45f90b855995496edf906d8801b8a3c5310223e5267b37f0c3a8

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
276KB

MD5
bc85868439b42dfa9137b4e0f08e2ff2

SHA1
724ccc1211337e80211a259b60d21877d1a7c943

SHA256
f41c83c8121f209f33d88f71a9c5c2f4586cefb6190b23d3cd083392380537ed

SHA512
24ac8af9c8e9fb8c8df763077b6bb34208ae87554a1124d47378485b030465f9a51e5c6f733931fa81b54ba383163d5381408064be847fc9a4d1437980a13967

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
139KB

MD5
4f4fd9cdf8b3c59015c4f2365b032a63

SHA1
9c281235e818f55380cabe0ee8e5248b10f604a2

SHA256
bd69de85c52cce719c64576a4e33550fb00edec04e7b13e87c4b665cbbfcee5f

SHA512
8efe29d6c5604c651031eabefbad93c03b13f1d966454828f0ca9d806f0a90243babee0d56cdfb285d4519589998cbf27131cf6d2370ed35505d856aa42b54e3

Download Submit
\Windows\System32\Locator.exe

Filesize
58KB

MD5
ab7ef3df68dd19c3744f6dae1fd1bc4f

SHA1
ee2ab0181b92ed0e234faf02883455576cb03cdf

SHA256
0b2b13c93a0fc569d5396cc210adc2d757fb96fad14550b4195965dad7f147ed

SHA512
ef8e9dd29fa9d37766d79043e702662885818e46380c19bc29d43c8777fd46bcf39db1a4cb623243850cdeea47aecfc574e4acef86f528ee501cce75fb9f5589

Download Submit
\Windows\System32\alg.exe

Filesize
663KB

MD5
a6f50e68737817cd6b04d30d97686107

SHA1
d8b6f214deea805acb6d60c6e78ec512315dd28a

SHA256
cff015eb69a215f030341d1e4c0f8ea8220e7c0f51e2cd0f73de7d756e788da5

SHA512
c4472d8a29d67506fe3c94af894fea2e0a4d3ded1eb164a52382969b86dff17e8279e40020201687f696ab2215173349e10f33a1b2b749dc653730f2215e74ac

Download Submit
\Windows\System32\dllhost.exe

Filesize
453KB

MD5
e7fe5efac223d7aa24804553aa5cfadc

SHA1
ab7c6795b9ae21cfd7e6e5cc926537e9a3e2debc

SHA256
a2dc4221855099267c209e837c9af1e4495e9a51895e8e23b330e08fa684339b

SHA512
7307c639ff8592f9ee0d624ed13136c6230fb5c59ccde0472e4ffd62d0d228d3cc673150de15c92ad61ee38597ca11bdc4b946642b73b67a6ca0e95ed695514f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1KB

MD5
18b687a667b9d054f16d2321a72d6c0f

SHA1
09fa0d9bf1489329db866f394ebc5e87e869210f

SHA256
fc23dde93ea3e200c2e17896d95e09161767eca258180ad3196dc13471c1bacd

SHA512
0b6c5c4ae35edf891a481f1535627d07ed392efa7c4da31afa1b95ded4627bf9f4067172d1f5b974cdba4b0f782499745305fb46793fde8f0dab5233cd5690e9

Download Submit
\Windows\System32\msdtc.exe

Filesize
31KB

MD5
e0009f3de0017759b1e2904aacaa58fe

SHA1
ff858e155720fb4b9d08b66af1a416c91b99ab23

SHA256
a007deed91e0b9dd0ce912fca903dd1f18b393b496d1c20f664abd9cf61e2118

SHA512
d96edb3d151324fec18113a96b97a706147e79930a3d19310720a154bdb5839e27421e8c59093e757687d23193164c2dfd5354b615ef577cf408ddbc0b9ef066

Download Submit
\Windows\System32\msiexec.exe

Filesize
60KB

MD5
69abcca5c59eb3ea5b0b30583bc69d16

SHA1
09c4fe196cd944ad9e1adf38df6a1f27017f52a6

SHA256
12dcc6f92b15bd9dd1216fcbddc17624c7e28ef3e21eddf8b3cfb44cee513a4a

SHA512
2fe8ff2ea6981008ea210af877a886562595fd065421e583cb8657d324419f9d35a5fe19925bd8816244aaceaa3aa08db2e2d70bf3ea5b455db2ccee957fbd81

Download Submit
\Windows\System32\msiexec.exe

Filesize
10KB

MD5
fe7770d788d35cb95897c2231274e33f

SHA1
e327411d77ae1dbf1c6d3c6b00f963cbc1990654

SHA256
91708ec1ee44f606129cd76893c5f2187559f0b62e7f2c1a837fa661c4f55da4

SHA512
92b3e4a8fd6ae464cbd3fe72ba3c4021ca9d43aecb25abd6b3dcce8a7be6e413de19a1988091da197951250ce242924c88b8048d2aa4fe6196826d2772cf1137

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
377KB

MD5
a77c45fb05ce3d7434f57b81772a63da

SHA1
6e7f4e8044b6efcb0076cbce731dcbae3d139768

SHA256
41d61948599e02d4a5b77ed66ac850f82af446d3ac3137d8c5527bd128189660

SHA512
0946d336a53a2cf8e159aeaaf10bdf0f16682cf9a074049c92c42d3d5033e8c0d5b8f14d06af17a4893f46e31cef28f08c2ee14705f04c19361924227ae124a0

Download Submit
\Windows\ehome\ehsched.exe

Filesize
433KB

MD5
f3ce71d073f52887cec3bd9a3d061772

SHA1
7d4d9358dc0713c48c0efa384b07373fe4c4952f

SHA256
b9596b32aece2f0a1b29755d1cc439e898e0a553d1effe65c4b1bb0f859a3f89

SHA512
e05a7acc026be84372527bfb0a8da6d6f88ca587284d78c4a575469f780a06730990d5c216ca4e276c57e1c7c0b5b401894237b0a3573ff567868b81ad7790ec

Download Submit
memory/1020-570-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1020-567-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/1444-181-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1444-95-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1444-103-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1444-96-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1512-325-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1512-184-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1512-196-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1512-189-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1512-182-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1512-340-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1644-113-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1644-108-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1644-107-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/1644-140-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/1932-123-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1932-124-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1932-161-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1932-130-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1932-131-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2028-357-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2028-218-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2028-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2132-342-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2132-198-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2132-205-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2136-232-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-548-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/2136-371-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/2136-233-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/2136-361-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/2136-382-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-366-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-569-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/2216-445-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2216-572-0x00000000730F0000-0x00000000737DE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-566-0x00000000730F0000-0x00000000737DE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-571-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2216-404-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2312-320-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2312-321-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2312-386-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2368-143-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2368-221-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2368-149-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2368-144-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2732-554-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2732-543-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2732-350-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2732-344-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2752-568-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2752-359-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2752-368-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2772-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2772-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2772-319-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2772-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2772-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2844-166-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2844-164-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2844-172-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2844-239-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2904-333-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2904-421-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/2904-328-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/2908-234-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2908-236-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2912-16-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2912-163-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2912-17-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2912-40-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2964-447-0x0000000074588000-0x000000007459D000-memory.dmp

Filesize
84KB

Download
memory/2964-374-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2964-383-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2964-387-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download