44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138

Analysis

max time kernel
152s
max time network
164s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
Size

1.4MB
MD5

1a3c051b7291b92c75b4788e1b779191
SHA1

3d58589357c7bc8e7a8e8aa6cb6fcd9b0b1f7586
SHA256

44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138
SHA512

5b0ef1fa4a943ae7a5e92f918f67be7cd31e206e01c0608d10b9280b65d724eddefc2a0d8584f5fbfe2b9e9a00203388e9aa3301dc18d2f2f9265f92e22f5bb8
SSDEEP

24576:SuaRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:SuaRVlbnXf9gPTTW7H1GXC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
472	Process not Found
2496	alg.exe
2592	aspnet_state.exe
2880	mscorsvw.exe
1472	mscorsvw.exe
1088	mscorsvw.exe
2428	mscorsvw.exe
2188	dllhost.exe
1664	ehRecvr.exe
2800	ehsched.exe
1912	elevation_service.exe
896	IEEtwCollector.exe
2976	mscorsvw.exe
2272	GROOVE.EXE
2660	mscorsvw.exe
380	mscorsvw.exe
364	mscorsvw.exe
620	mscorsvw.exe
2092	maintenanceservice.exe
280	msdtc.exe
2868	msiexec.exe
2656	OSE.EXE
2856	mscorsvw.exe
1828	OSPPSVC.EXE
2512	perfhost.exe
2712	locator.exe
2492	snmptrap.exe
2692	mscorsvw.exe
1780	vds.exe
980	vssvc.exe
1248	wbengine.exe
1348	mscorsvw.exe
2792	WmiApSrv.exe
2352	wmpnetwk.exe
2832	SearchIndexer.exe
1944	mscorsvw.exe
3000	mscorsvw.exe
2824	mscorsvw.exe
1948	mscorsvw.exe
1536	mscorsvw.exe
2264	mscorsvw.exe
744	mscorsvw.exe
664	mscorsvw.exe
2580	mscorsvw.exe
1732	mscorsvw.exe
1436	mscorsvw.exe
1560	mscorsvw.exe
3020	mscorsvw.exe
2460	mscorsvw.exe
1136	mscorsvw.exe
2848	mscorsvw.exe
1548	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2868	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
736	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\wbengine.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\System32\alg.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\locator.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\vssvc.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bc2b73a94501ed38.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\system32\msiexec.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\System32\msdtc.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A460FDBD-01C6-4800-8EDB-C87720E1D9B6}\chrome_installer.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1480F57A-1A7E-4A4A-BA58-2386C2BBEF0C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1480F57A-1A7E-4A4A-BA58-2386C2BBEF0C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9736D360-E6DE-4817-9AED-48D4916C6796}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1616	ehRec.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
Token: SeShutdownPrivilege	1088	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1088	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: 33	848	EhTray.exe
Token: SeIncBasePriorityPrivilege	848	EhTray.exe
Token: SeShutdownPrivilege	1088	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1088	mscorsvw.exe
Token: SeDebugPrivilege	1616	ehRec.exe
Token: 33	848	EhTray.exe
Token: SeIncBasePriorityPrivilege	848	EhTray.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: SeBackupPrivilege	980	vssvc.exe
Token: SeRestorePrivilege	980	vssvc.exe
Token: SeAuditPrivilege	980	vssvc.exe
Token: SeBackupPrivilege	1248	wbengine.exe
Token: SeRestorePrivilege	1248	wbengine.exe
Token: SeSecurityPrivilege	1248	wbengine.exe
Token: 33	2352	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2352	wmpnetwk.exe
Token: SeManageVolumePrivilege	2832	SearchIndexer.exe
Token: 33	2832	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2832	SearchIndexer.exe
Token: SeDebugPrivilege	2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
Token: SeDebugPrivilege	2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
Token: SeDebugPrivilege	2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
Token: SeDebugPrivilege	2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
Token: SeDebugPrivilege	2156	44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
Token: SeShutdownPrivilege	1088	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
848	EhTray.exe
848	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
848	EhTray.exe
848	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
3060	SearchProtocolHost.exe
3060	SearchProtocolHost.exe
3060	SearchProtocolHost.exe
3060	SearchProtocolHost.exe
3060	SearchProtocolHost.exe
2996	SearchProtocolHost.exe
3060	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2976	1088	mscorsvw.exe	41
PID 1088 wrote to memory of 2976	1088	mscorsvw.exe	41
PID 1088 wrote to memory of 2976	1088	mscorsvw.exe	41
PID 1088 wrote to memory of 2976	1088	mscorsvw.exe	41
PID 1088 wrote to memory of 2660	1088	mscorsvw.exe	45
PID 1088 wrote to memory of 2660	1088	mscorsvw.exe	45
PID 1088 wrote to memory of 2660	1088	mscorsvw.exe	45
PID 1088 wrote to memory of 2660	1088	mscorsvw.exe	45
PID 1088 wrote to memory of 380	1088	mscorsvw.exe	46
PID 1088 wrote to memory of 380	1088	mscorsvw.exe	46
PID 1088 wrote to memory of 380	1088	mscorsvw.exe	46
PID 1088 wrote to memory of 380	1088	mscorsvw.exe	46
PID 1088 wrote to memory of 364	1088	mscorsvw.exe	47
PID 1088 wrote to memory of 364	1088	mscorsvw.exe	47
PID 1088 wrote to memory of 364	1088	mscorsvw.exe	47
PID 1088 wrote to memory of 364	1088	mscorsvw.exe	47
PID 1088 wrote to memory of 620	1088	mscorsvw.exe	48
PID 1088 wrote to memory of 620	1088	mscorsvw.exe	48
PID 1088 wrote to memory of 620	1088	mscorsvw.exe	48
PID 1088 wrote to memory of 620	1088	mscorsvw.exe	48
PID 1088 wrote to memory of 2856	1088	mscorsvw.exe	53
PID 1088 wrote to memory of 2856	1088	mscorsvw.exe	53
PID 1088 wrote to memory of 2856	1088	mscorsvw.exe	53
PID 1088 wrote to memory of 2856	1088	mscorsvw.exe	53
PID 1088 wrote to memory of 2692	1088	mscorsvw.exe	58
PID 1088 wrote to memory of 2692	1088	mscorsvw.exe	58
PID 1088 wrote to memory of 2692	1088	mscorsvw.exe	58
PID 1088 wrote to memory of 2692	1088	mscorsvw.exe	58
PID 1088 wrote to memory of 1348	1088	mscorsvw.exe	62
PID 1088 wrote to memory of 1348	1088	mscorsvw.exe	62
PID 1088 wrote to memory of 1348	1088	mscorsvw.exe	62
PID 1088 wrote to memory of 1348	1088	mscorsvw.exe	62
PID 1088 wrote to memory of 1944	1088	mscorsvw.exe	66
PID 1088 wrote to memory of 1944	1088	mscorsvw.exe	66
PID 1088 wrote to memory of 1944	1088	mscorsvw.exe	66
PID 1088 wrote to memory of 1944	1088	mscorsvw.exe	66
PID 1088 wrote to memory of 3000	1088	mscorsvw.exe	67
PID 1088 wrote to memory of 3000	1088	mscorsvw.exe	67
PID 1088 wrote to memory of 3000	1088	mscorsvw.exe	67
PID 1088 wrote to memory of 3000	1088	mscorsvw.exe	67
PID 2832 wrote to memory of 2996	2832	SearchIndexer.exe	68
PID 2832 wrote to memory of 2996	2832	SearchIndexer.exe	68
PID 2832 wrote to memory of 2996	2832	SearchIndexer.exe	68
PID 2832 wrote to memory of 1700	2832	SearchIndexer.exe	69
PID 2832 wrote to memory of 1700	2832	SearchIndexer.exe	69
PID 2832 wrote to memory of 1700	2832	SearchIndexer.exe	69
PID 1088 wrote to memory of 2824	1088	mscorsvw.exe	70
PID 1088 wrote to memory of 2824	1088	mscorsvw.exe	70
PID 1088 wrote to memory of 2824	1088	mscorsvw.exe	70
PID 1088 wrote to memory of 2824	1088	mscorsvw.exe	70
PID 1088 wrote to memory of 1948	1088	mscorsvw.exe	71
PID 1088 wrote to memory of 1948	1088	mscorsvw.exe	71
PID 1088 wrote to memory of 1948	1088	mscorsvw.exe	71
PID 1088 wrote to memory of 1948	1088	mscorsvw.exe	71
PID 1088 wrote to memory of 1536	1088	mscorsvw.exe	72
PID 1088 wrote to memory of 1536	1088	mscorsvw.exe	72
PID 1088 wrote to memory of 1536	1088	mscorsvw.exe	72
PID 1088 wrote to memory of 1536	1088	mscorsvw.exe	72
PID 1088 wrote to memory of 2264	1088	mscorsvw.exe	73
PID 1088 wrote to memory of 2264	1088	mscorsvw.exe	73
PID 1088 wrote to memory of 2264	1088	mscorsvw.exe	73
PID 1088 wrote to memory of 2264	1088	mscorsvw.exe	73
PID 1088 wrote to memory of 744	1088	mscorsvw.exe	74
PID 1088 wrote to memory of 744	1088	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe
"C:\Users\Admin\AppData\Local\Temp\44eefb1547627570229e42ffa56f2a9f643a48c77d99c94987c33911d2b8e138.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2880

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 26c -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 23c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 23c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 26c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 24c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 2a8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2ac -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 270 -NGENProcess 2b4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 268 -NGENProcess 278 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 268 -NGENProcess 2c8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2188

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1664

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:896

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2656

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1828

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1700
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6c5e5b98bc4a7b4420ecd57a79eca97e

SHA1
984685939025fe5ba49ce9b7aadda92a48839681

SHA256
3e065cdbf75ab5e64195822361e0b902c00bc079f234f00096e48864b40b9a26

SHA512
9fa561a816e8d1db522922205a3d3a665dc42fa613d7d7eaeb89530ba69e6c806572c87fb10813bd07524e5f9a5f3bab3b84e86f10c56f1b61d0effed6902da6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
7.7MB

MD5
9fc27ec7fc24d3b6812a2a75bc5bc122

SHA1
3602a290e2a4e9262595a852e84c97c46f8525e2

SHA256
17cf05edf5cbb8a0135be7c8b433d91cb409a0409533598a6e8857b6a42b714a

SHA512
d9c5d776ef51148dcbbd59602533302e8b2c2fef8491d778b9631f349017a3b3e3c65e6b7be52a045a160ec559a8922275fdc9fb3f72bae21b12853101b431f2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
9f6b9cb071452949452930ecaa34ec00

SHA1
2ba180500954b97014087028e92437339f970c87

SHA256
95ca9a8ea551f3bc7c092ece31ae62dc228ce5a96509e1b18f56f27228f63ad9

SHA512
2c48c52b0e65fb400f54745d9bfcdb565ace6d9e51399862bfd3074298aeba9b056ba8d5c6fdce7a84322db88a7cb0b5a1707944230925c1edf65563fafc6d56

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
471d0d370654edf43ce6c6b6cd4af2ee

SHA1
cf14eaa615493208a084f9c2acca8809f6609543

SHA256
6b6add28f7bb98aee743ea5aef1136f659d575ae61ac810f54d74479773e4bb5

SHA512
2dfb25ceb35f0516370a2cd97b718f2dec1a610053ebf92cb71ae9c6d9ae30bf019ceea4bda40434690a0df87da4f42de29ed03752e3cd2bdab6679bc1a0eb07

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c7a25f9a97cb8b12c80fff14aaa6c601

SHA1
ea4f238f6437a97463a26abdc16ee407557f1f10

SHA256
d527fac1d47af7ebd0b5b78a076b0599255fb9d9f38a7cec57fc097a189c4493

SHA512
7be39f49deb15ea6ec343c931a4e9b016f7fd9d05dfb3350d3ce19f5fd4c48434a1b8601da5f74a7f557de38a9127d05ce36fb8d6f6cecfba4155110f6210cf1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ec2fdf87c0607f49d3dd1e66e69b0c23

SHA1
74c720388ec568f18ffd2da1807b89f14f7fbd1c

SHA256
9bbe22555769741b4705f8582b41ae8bca22ec0ae23a4524cedfeef3839a839b

SHA512
664c7173556544e4106017da2feb41d7653ced02bbb7fe3f31d0c61cfc84667bb3a0e93c100db8048e4c0bdfd038d0f314f353177fa50f0f9e7250e47f5be337

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
896KB

MD5
92055a56188c53ef5bc586c30b8145e0

SHA1
9ff74575050117c8c53316be655209fd7afd6614

SHA256
6a279a6c7257128da83023d4966c4fad7c865742db5b793e1c30bb4bcc94ca4a

SHA512
908ac8ebb35a8999fbcab2139c4d1c383d65b34e0bb1d1b041cee95637dd7635da9e7e9b21024874bd2f7a971ebfe4d36fab7160bee30a7ae4e6639bc0766d97

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6a12491b1840b9e5c02833b9137e8c76

SHA1
7b3f7f0236a8dbe14e11e8e891a18a6eb173d557

SHA256
da4ef0a89431610a9fbe72ac87472e12bffafe0c020be427d05004dbeb3fb158

SHA512
7817a21ba63632343ec0c26d1ddf48199876f0e362a782c471308157d454787ff2938e6c78e80aaa65aef94437943fb26e32c753fb37293ef08be7098e218c1c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e6a1d8cadd5083998d00e1e24807490b

SHA1
aa84d73e923f3e2e8fe55246f6181a37cdd89ff0

SHA256
42ceea1c1571599f8d34285c798c036aa20ff4a9b116600be253c4352f9cee62

SHA512
89fa977f5f68c928346cd33768557097ec8373eaa984d83634018fd49c646081ba8fe1ab7238abbd1ad6d449b6a634030e36bfa7a92e3c78518fdf2fd80723e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
0f162f5f52ac1673ef33f7d8ca0488cc

SHA1
cbbf45bcda2f02f165fe62cc50e499b5640c3741

SHA256
61d765ec5d754831361a319112ee2c504de6b66566cf7d08b589012eb7cbab31

SHA512
cfa2de69aecaf0bf51aa498278bb2bcd633d59bb5ad584d5f249296b8c4f4e96ed599cbdb017737cfa8f62d4241c3d440e1fcebcb3cc64ed7856734a35d9fc04

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
36aa9de14f3cb5783beb4cfa31b0c62e

SHA1
b61b7b9efadc245c6fe220e1186965e2a3bc8900

SHA256
09a463f96234b67aacfd75fef498659c806d65b28c12c5d4e75cf41edb3c85af

SHA512
6633b3aef20e024bbf61eb90514db388b21ecc54adc07aacb728e3d6880d025c1e0f05690d48bdba7edff4e9e82e3cbb5153ab42f89bf2e56eff52e962ab32c8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
3930659f735be6ce731f670682364e7a

SHA1
aeedf48f01ed96773ec0691833946f550759ae17

SHA256
e5c79d01f7bb90a75ef2c4470e75437f691e5b51e752eab1ccde5c605c5a1b7e

SHA512
1aa675a2ca7beba3669a49075aa6e8788bcff8cc1ca3069aee889c44c4910652bc173f306b8eaec8b525d0049fd065c899ff1daa6744930674f1367aa6a8348c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
a3b9fe8c937a2590936a2a538704ccb0

SHA1
58197149366bd7d500c121f1077e6f0c56948074

SHA256
ab0a351398808f5f1f73aef9fa7d00ebb83cfa6ec36bd7eaf798818302f14457

SHA512
4e52a9d6e7abddf3d8b53d9a51e4d0654a935c63441df2318507ce5802886b67d57aeb75dcede77387a6dda79edc5454942a5ca37e7d1417075382acf51d07d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
19f07b7a2631a36ce6d0dd0851751875

SHA1
2e9c01d876e3ec7dbac1b543b774ea2afe249dfe

SHA256
4b66b5619867e55067a39574dfb2f4f40a5e054fdf3fe34a0efab7ea4327620e

SHA512
ee279cc9bc06e753fd01ec16860d2fb37e7909607672ab59c0ec1c301bd161f412303ed7eb379ad177b3c89c4630a8d19c840cf1a19eb2d9d8ca06557ffcbd88

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
da559419df8a3ec41dfee5ecd7b1af16

SHA1
db807e825e43a44fbe100e18be4581d004515a65

SHA256
5da7815ed247842251a1b84cf2527b74ea5803c6163cb9c1be9e246670ca2884

SHA512
65390d4c4fb2bef1d45d01f3f6003a7b9059e0a8f0a4fcd79510c60d29aeb17692e154a5c80ad128bef0c40b5304595ff03e2604ef1903ad7dec23f3ef22a050

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
ef79b59dbecb946f398537925d5d525d

SHA1
c68314c73c584a35ad0b43477405f4fa5af59c42

SHA256
973de07140f1f74b5f89619bb1d26a504936c41d70e0e5c19790ec3475751d4b

SHA512
793c2eb2b40dbdfa27e0519d930a38e6d52b8c741e293a2be8872f777af82e28c90076c011a2fc9aede5a78d0acfa70524d5b958b574dfc2d12cf044a77ad417

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b0adbc0550886a1b90b5c8dd82a12374

SHA1
d36843d1ee968880cc3b543992d454c116131b3c

SHA256
a804e4a868e9c8435ca8b1421bb36af9eaaf69ff87850f52d3d5fdc3e96ef50d

SHA512
5080baa01db51d7f0f294512184a1d0da1ea611842db6b53f44452c94f4471d9d156ed1d8127468c49895265019eefbbb2499ab86f204ad287ee0e71050f5ee6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
0f5925e0ee8daf3eb924903f62bd58d9

SHA1
7879135fe34093b61b9fab298505af94eb6591f7

SHA256
d63dd739573b4c9625cb4fd2aad9f5cacc79ee3f533d59fd998c4fa8d18251d5

SHA512
a67d382c625a5dfb2a822f20c9c275f4befc0120a47d703db45b93e5d4e9599c76c85a97398662b0ff3f4019cb42856a37f55a83aa36feced0008970e8539135

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f4fde996a43067164afd1f8bf0be9b21

SHA1
af18da8304a22efc37c689c4b9ebef992902dde1

SHA256
d00120f1fc65bd6c60bca9f91a821ad38edc714b0ca1c4790413835661d090ac

SHA512
1afeebf2482374b0931838da4a579afdb8cb4eac49b355832b33a5a197939f62d6398a8dc54cb5969836bab95093ada2ddf6d93fd02596f5637a565dd150ddbb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d9d29f4815d0b0fc7dc8af6ecef498e9

SHA1
e5ba21475ff4a3455213b24f17093ffcdeeb6e7a

SHA256
cb008d40485b7fea1e8773d77f6e2f38d51657f7ecee5b1f7daca81de4bd13e0

SHA512
b50ffea33990cc2260a7d7b7e5aae04ad9059025f82fb2ec9bf89946bdba0947bf3816f0df8e09c07e2056ad2104079c55be8706a9348847f91694db4b66231b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.8MB

MD5
4032705183dcbc50920ded1da496e22c

SHA1
1891e5241e0a30f6639bfcf7da6dd277d665105e

SHA256
f25d67f7758db437f5f732c77c683e42536f1f6e01ffd648b693d65717b94426

SHA512
e5a406c102a36e0272d38dcec1a4040025c58157ce5ee84545483f737fb89def0720222f875cd20fdc462b2a2c0ae5bc2b69b150056c468f656590aeb515d56a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
468e814b0b6d9f7f112c9c98f4d01747

SHA1
9347124bda1c7f7ba3a527aa97e8731a03e8c7d7

SHA256
be231cf98ba5de6f7bbdba55b6dcb58ffd37494a1073f0ab0facc881806f1548

SHA512
865fd2f9b68b2a2aebd943791d021bb06a662b8d9b605c25e6131bf70c3e3881e1924096a7601747e15362908b13268097b9027443243550bee6e1b6309aaf8d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
204906a69d30385a49721ce111004600

SHA1
4e970741018295423b1645c6e2fcfda9e611ad48

SHA256
338103680623a04df4274c738f6328eae7c838f04e66c51652a06702474a12cf

SHA512
6ed77bebc09dfe01dd95c448f1f024c87c78e67321cc945b9140e934a38e8feaf3b4383b4fd988fe4226b3fc9ea720508e1d228760350812b43529acb5c332ba

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
1412d6a7ad8801663e354e34617aaa3d

SHA1
b485c650e3b90035bd74475fdf07cdc773681552

SHA256
350211b829995cc658e4e7911976de7af00b1278e58000372e2626362cf6bc87

SHA512
e4bd7a493f7a241f66a4f1175ed02944b727aef08d252e0787e48f57285c82219b797a25624682b5d49e97a27394cede6b57a3c29c8f7f12529cfb5770a9a44d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
f7c0e4b8b71c49fcb8813961d20212c3

SHA1
8b6c374c83f11b3ca6eedb1fd1d5ee2bf30d57c4

SHA256
17959a4398db7cb63c847c370e2431b6c9229f78d35c546b3cd6f46c8ab1b9c8

SHA512
73062983b209070ba8a47002d32dcb777d79b49502fa911788a5166a322043c7e4e6ffba86b4e063bd32de24c2cf25e83dbee2c87b1882c70243caffc2a14852

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
e2e2d767a76bf9875f028e7b0eab90d4

SHA1
188633e57c8ddba8c139119c1533dec130505400

SHA256
86337b70d41b9d55aeeada525f1b1411c4715a55927f138dd6f1aac02b9809f4

SHA512
ff989f7e085c135c66c8ecea462f49a6b0eef03d2a799100b1b29672c5930a262a9e73a1589bee934590b0b5f3a43a37f826c894b6744e448c0a712dea59adf3

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
cb32c55d17b12a9a87d4c35631c5dc5b

SHA1
9b8f1c5797e55dab485b8c4f3b555787cea63fd1

SHA256
b543c5961d82ff7cb462b69ee752ea17f17a28576d1bf0c828dc4742aa71d55d

SHA512
2ea8d0fdbf4026d1b6951bcaf20f6de65b2cdf7aaaf08cdf7234b37ec6fbe0505c01916013e0a8e87ffd92efab697170429d7e1011b67c29fd41f65a853b07da

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.4MB

MD5
dd5b83af824a61879bff34b51521abb3

SHA1
847f5f9324ed38d486f18faf35fbe6bad1529d65

SHA256
27dc703a7fd265afe701d62a269ea3b75b68b26b6a92ed4c1bba530e0a1722bd

SHA512
764b8379f687b904e0307702683a8dd52ecaafcf98ab27f970514d4969a47638fd041538742070e83a8971ce98124c5ef658ad91d9901bc937cc935c28a165ea

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
ff6d6527b6ded68103e6664d0163379d

SHA1
321305ccad311ea304cd79b4e527e0e1ecc0fd92

SHA256
b261dd4e29c4eaf5930c6abd9243290e38db6cfb42b8d4d97b564c181cf3f4c5

SHA512
4faaec79b6945da05f4c97f8e7906d5e5e8699ff7962cf30d67c2be1c9c56aeb16362231a43030410b03f5b11f6c0a682e2de4b41c6d3de9cd4155e92cb60c89

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
3c98516e5322d50670212ab695f4a4fd

SHA1
ba51680093edad3775fdb7f21d9146571eb6ef9e

SHA256
50fe22a8e0dee7b48036316ee0ab1a20070439fcffc62f8125cf8e9e0affc464

SHA512
fc100d58bb3aa6f3d2a493add0fca28e28bba9c80cff7164348a63f9b6571aeb7b57aafe6dfa1b284ee1a65fc507e0a90f957c70fd04e2b0cab7aa7de48d0ce8

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
ef94b55a2bb2be7edb62e05dbd755d4b

SHA1
fdef6d71a4086fafc5e435862bbf66858464577a

SHA256
50e4b53d3531ccb84327c6f6232aa034a5b9e0852e7e1420cc577fd5c4da43f5

SHA512
ed3628e9d8bd68124792b81a73e2019033585f5ced501853b16f519d219651b899d8cc0a91318450c56e6e644ff4cfc5efeb07ca89df772959941f0eec70a4de

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
83433e822e848d5ab0508ce586012235

SHA1
8a9bd04bafddb43afee99c0b47c68efa3807472b

SHA256
1fbcd7878f6a5f84903f0e5e219dd617bd467519a1b76e59fee2bc2c7a519fb7

SHA512
5e490fc3116fe6736b35b4a194f6c96ed534506ffc7c1317a6a4c23d75365020e691bd0eabd2fd1424b5282a1f613c04611aedd5ea3cd8a4516efc47011d9d62

Download Submit
memory/364-255-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/364-239-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/380-251-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/380-252-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/380-234-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/380-228-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/380-223-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/896-243-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/896-166-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1088-147-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1088-75-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/1088-70-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/1088-69-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1472-81-0x0000000010000000-0x000000001023A000-memory.dmp

Filesize
2.2MB

Download
memory/1472-55-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1472-48-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1472-46-0x0000000010000000-0x000000001023A000-memory.dmp

Filesize
2.2MB

Download
memory/1616-193-0x0000000000BB0000-0x0000000000C30000-memory.dmp

Filesize
512KB

Download
memory/1616-163-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-164-0x0000000000BB0000-0x0000000000C30000-memory.dmp

Filesize
512KB

Download
memory/1616-165-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-216-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-201-0x0000000000BB0000-0x0000000000C30000-memory.dmp

Filesize
512KB

Download
memory/1616-199-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-198-0x0000000000BB0000-0x0000000000C30000-memory.dmp

Filesize
512KB

Download
memory/1616-195-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/1664-118-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1664-119-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1664-125-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1664-142-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1664-181-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1912-155-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1912-149-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1912-194-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2156-7-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2156-0-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/2156-77-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/2156-1-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2188-113-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2188-104-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2188-170-0x0000000100000000-0x0000000100228000-memory.dmp

Filesize
2.2MB

Download
memory/2188-108-0x0000000100000000-0x0000000100228000-memory.dmp

Filesize
2.2MB

Download
memory/2272-189-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2272-202-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2272-186-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2428-93-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2428-157-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2428-86-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2428-88-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2496-95-0x0000000100000000-0x0000000100237000-memory.dmp

Filesize
2.2MB

Download
memory/2496-13-0x0000000100000000-0x0000000100237000-memory.dmp

Filesize
2.2MB

Download
memory/2592-105-0x0000000140000000-0x0000000140230000-memory.dmp

Filesize
2.2MB

Download
memory/2592-18-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2592-17-0x0000000140000000-0x0000000140230000-memory.dmp

Filesize
2.2MB

Download
memory/2592-25-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2660-233-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2660-232-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-219-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-211-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2660-207-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2800-191-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2800-131-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2800-250-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2800-248-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2800-140-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2880-65-0x0000000010000000-0x0000000010232000-memory.dmp

Filesize
2.2MB

Download
memory/2880-37-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/2880-31-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/2880-30-0x0000000010000000-0x0000000010232000-memory.dmp

Filesize
2.2MB

Download
memory/2976-218-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-192-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-200-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2976-179-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2976-175-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2976-217-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download