58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
Size

622KB
MD5

b0379f229ba95c489aa1f59b887d0377
SHA1

3e243a4f743014a6ef378e075e6f77b92d3dc44b
SHA256

58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b
SHA512

dbf9a9a10e98a8d4107874f5e49e6b3fa36ea19e584368f9b68c2738531707ac925e974ffc50ef07110c0008b9973df5a0aae826079b38a6507e94585f0a1bed
SSDEEP

12288:jgv+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:jgvUOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 48 IoCs

pid	Process
464	Process not Found
2676	alg.exe
2576	aspnet_state.exe
2024	mscorsvw.exe
2488	mscorsvw.exe
1448	mscorsvw.exe
2308	mscorsvw.exe
2760	dllhost.exe
2820	ehRecvr.exe
2388	ehsched.exe
944	elevation_service.exe
1552	mscorsvw.exe
548	IEEtwCollector.exe
1684	GROOVE.EXE
3020	maintenanceservice.exe
2252	msdtc.exe
2744	msiexec.exe
2596	OSE.EXE
1368	OSPPSVC.EXE
572	perfhost.exe
1820	locator.exe
596	snmptrap.exe
1116	vds.exe
2212	vssvc.exe
1088	wbengine.exe
1960	WmiApSrv.exe
1556	wmpnetwk.exe
1584	SearchIndexer.exe
1660	mscorsvw.exe
2940	mscorsvw.exe
548	mscorsvw.exe
1840	mscorsvw.exe
432	mscorsvw.exe
2936	mscorsvw.exe
1616	mscorsvw.exe
2300	mscorsvw.exe
2264	mscorsvw.exe
2868	mscorsvw.exe
2680	mscorsvw.exe
588	mscorsvw.exe
1940	mscorsvw.exe
2740	mscorsvw.exe
2584	mscorsvw.exe
900	mscorsvw.exe
2680	mscorsvw.exe
1052	mscorsvw.exe
2664	mscorsvw.exe
1768	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2744	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\locator.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d7667d9f9b392089.bin	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\System32\vds.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\System32\alg.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AC0193AA-201F-4A60-9BA4-8A4089BB5837}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC3159C6-F4B8-4224-9055-91DEE35E4A43}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC3159C6-F4B8-4224-9055-91DEE35E4A43}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{CF3E780E-C02B-496F-B026-78F5AE76A3F5}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{CF3E780E-C02B-496F-B026-78F5AE76A3F5}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1320	ehRec.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: 33	1136	EhTray.exe
Token: SeIncBasePriorityPrivilege	1136	EhTray.exe
Token: SeRestorePrivilege	2744	msiexec.exe
Token: SeTakeOwnershipPrivilege	2744	msiexec.exe
Token: SeSecurityPrivilege	2744	msiexec.exe
Token: SeDebugPrivilege	1320	ehRec.exe
Token: SeBackupPrivilege	2212	vssvc.exe
Token: SeRestorePrivilege	2212	vssvc.exe
Token: SeAuditPrivilege	2212	vssvc.exe
Token: SeBackupPrivilege	1088	wbengine.exe
Token: SeRestorePrivilege	1088	wbengine.exe
Token: SeSecurityPrivilege	1088	wbengine.exe
Token: 33	1556	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1556	wmpnetwk.exe
Token: SeManageVolumePrivilege	1584	SearchIndexer.exe
Token: 33	1584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1584	SearchIndexer.exe
Token: 33	1136	EhTray.exe
Token: SeIncBasePriorityPrivilege	1136	EhTray.exe
Token: SeDebugPrivilege	1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
Token: SeDebugPrivilege	1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
Token: SeDebugPrivilege	1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
Token: SeDebugPrivilege	1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
Token: SeDebugPrivilege	1788	58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeDebugPrivilege	1448	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1136	EhTray.exe
1136	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1136	EhTray.exe
1136	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1328	SearchProtocolHost.exe
1328	SearchProtocolHost.exe
1328	SearchProtocolHost.exe
1328	SearchProtocolHost.exe
1328	SearchProtocolHost.exe
1328	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1552	2308	mscorsvw.exe	41
PID 2308 wrote to memory of 1552	2308	mscorsvw.exe	41
PID 2308 wrote to memory of 1552	2308	mscorsvw.exe	41
PID 1584 wrote to memory of 1148	1584	SearchIndexer.exe	59
PID 1584 wrote to memory of 1148	1584	SearchIndexer.exe	59
PID 1584 wrote to memory of 1148	1584	SearchIndexer.exe	59
PID 1584 wrote to memory of 1300	1584	SearchIndexer.exe	60
PID 1584 wrote to memory of 1300	1584	SearchIndexer.exe	60
PID 1584 wrote to memory of 1300	1584	SearchIndexer.exe	60
PID 2308 wrote to memory of 1660	2308	mscorsvw.exe	61
PID 2308 wrote to memory of 1660	2308	mscorsvw.exe	61
PID 2308 wrote to memory of 1660	2308	mscorsvw.exe	61
PID 1448 wrote to memory of 2940	1448	mscorsvw.exe	62
PID 1448 wrote to memory of 2940	1448	mscorsvw.exe	62
PID 1448 wrote to memory of 2940	1448	mscorsvw.exe	62
PID 1448 wrote to memory of 2940	1448	mscorsvw.exe	62
PID 1584 wrote to memory of 1328	1584	SearchIndexer.exe	63
PID 1584 wrote to memory of 1328	1584	SearchIndexer.exe	63
PID 1584 wrote to memory of 1328	1584	SearchIndexer.exe	63
PID 1448 wrote to memory of 548	1448	mscorsvw.exe	64
PID 1448 wrote to memory of 548	1448	mscorsvw.exe	64
PID 1448 wrote to memory of 548	1448	mscorsvw.exe	64
PID 1448 wrote to memory of 548	1448	mscorsvw.exe	64
PID 1448 wrote to memory of 1840	1448	mscorsvw.exe	65
PID 1448 wrote to memory of 1840	1448	mscorsvw.exe	65
PID 1448 wrote to memory of 1840	1448	mscorsvw.exe	65
PID 1448 wrote to memory of 1840	1448	mscorsvw.exe	65
PID 1448 wrote to memory of 432	1448	mscorsvw.exe	66
PID 1448 wrote to memory of 432	1448	mscorsvw.exe	66
PID 1448 wrote to memory of 432	1448	mscorsvw.exe	66
PID 1448 wrote to memory of 432	1448	mscorsvw.exe	66
PID 1448 wrote to memory of 2936	1448	mscorsvw.exe	67
PID 1448 wrote to memory of 2936	1448	mscorsvw.exe	67
PID 1448 wrote to memory of 2936	1448	mscorsvw.exe	67
PID 1448 wrote to memory of 2936	1448	mscorsvw.exe	67
PID 1448 wrote to memory of 1616	1448	mscorsvw.exe	68
PID 1448 wrote to memory of 1616	1448	mscorsvw.exe	68
PID 1448 wrote to memory of 1616	1448	mscorsvw.exe	68
PID 1448 wrote to memory of 1616	1448	mscorsvw.exe	68
PID 1448 wrote to memory of 2300	1448	mscorsvw.exe	69
PID 1448 wrote to memory of 2300	1448	mscorsvw.exe	69
PID 1448 wrote to memory of 2300	1448	mscorsvw.exe	69
PID 1448 wrote to memory of 2300	1448	mscorsvw.exe	69
PID 1448 wrote to memory of 2264	1448	mscorsvw.exe	70
PID 1448 wrote to memory of 2264	1448	mscorsvw.exe	70
PID 1448 wrote to memory of 2264	1448	mscorsvw.exe	70
PID 1448 wrote to memory of 2264	1448	mscorsvw.exe	70
PID 1448 wrote to memory of 2868	1448	mscorsvw.exe	71
PID 1448 wrote to memory of 2868	1448	mscorsvw.exe	71
PID 1448 wrote to memory of 2868	1448	mscorsvw.exe	71
PID 1448 wrote to memory of 2868	1448	mscorsvw.exe	71
PID 1448 wrote to memory of 2680	1448	mscorsvw.exe	72
PID 1448 wrote to memory of 2680	1448	mscorsvw.exe	72
PID 1448 wrote to memory of 2680	1448	mscorsvw.exe	72
PID 1448 wrote to memory of 2680	1448	mscorsvw.exe	72
PID 1448 wrote to memory of 588	1448	mscorsvw.exe	73
PID 1448 wrote to memory of 588	1448	mscorsvw.exe	73
PID 1448 wrote to memory of 588	1448	mscorsvw.exe	73
PID 1448 wrote to memory of 588	1448	mscorsvw.exe	73
PID 1448 wrote to memory of 1940	1448	mscorsvw.exe	74
PID 1448 wrote to memory of 1940	1448	mscorsvw.exe	74
PID 1448 wrote to memory of 1940	1448	mscorsvw.exe	74
PID 1448 wrote to memory of 1940	1448	mscorsvw.exe	74
PID 1448 wrote to memory of 2740	1448	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe
"C:\Users\Admin\AppData\Local\Temp\58c90b0f3828390ab83ad56a3308ba6f967dabb495fedd51782115074cbb556b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 264 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2e4 -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 264 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2d4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 264 -NGENProcess 2cc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2cc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 30c -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 304 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 308 -NGENProcess 304 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 314 -NGENProcess 2ec -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 238 -NGENProcess 228 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 388 -NGENProcess 38c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2820

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:944

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1136

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:548

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2596

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1368

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2461186416-2307104501-1787948496-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2461186416-2307104501-1787948496-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1300
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
4f8798a3c055a40de562a690d76b1187

SHA1
49ad5a40a94de72f49de7e6cebb986be3ec7954e

SHA256
d710418677ae8890fd238704cca806a2fd6bd9e8a24a12d69cf205cf0afc3a8b

SHA512
d20c58491ab5e6948ed3a339028df2db9b58a518bb99a47a6681c773fce7f7d6bc3098961c863cdbb149a9e427d02a5526ea0e3083af31e893456525dd36ee55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
af45e72085d16e3a3a94d2c955fb3df9

SHA1
a78ef855d19e9cc9fef12282c444d729a0d938ca

SHA256
147c4bc52483da2a3d4dd2f8a244ace31bc707b48e4c8d61db3996088b9e3fb4

SHA512
6027d815da9f278781fb7054583a7176ba004d01634bbc196c7520823e416364bb3a6d61363df36fe54fdc5d4c4935292999c7ebadd2eba5401e75c5ef9cfa35

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
4ac8e6ea1a223a599bac46535eaab13f

SHA1
65fb9704e1a373863222d11db551b9fd4aef82ed

SHA256
da859108a60c7e05e3e3f685bc6a90c25b044e385a6b12333f64303762492d3e

SHA512
b71e73d450f295982943f6ba81f7da21d988afe19dc8a5195e6e3b5f5c6913524219d978171e5721190295f8ff5290c25a40f407c949424183b57f44598d3668

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9ae9af05d92968f9f82b95c6805af892

SHA1
7e4e0ccb19a1a3c1926e19625701bb62c94105a4

SHA256
fe32e1c44a36cc5be834b0dbb5e66ad4fd06839324c65cad10e54cb97a043f86

SHA512
64d3809f4da791b3172170c2ebe0858176d8d7d79b37133a0bf1f210df7a13eece6eb6d27a3f68e8dbeee8be397769265680d327ad4876c69c0a57f8936eb332

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2b1b18a70810592abb7ed789deea956

SHA1
1ab7592acc4852824072ccbadeff24ee38d8e506

SHA256
ea1f8d3ef78ff4fbb27638754e4b56b20537c5e0c917397dc1ffc2d741bf584a

SHA512
8572ea29a10326c1ede9e4fb6c1395721780d3a441acc7b0289599b7e81481c93c8d364e3bcd67a4da427b4995ae4fb74b7c6c2dc8727195471e7b6cf72b35da

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d188724ee0be60e7e60318789d7614a6

SHA1
7c9df52b8f66bc6b4bf22061d3144435fdcf47c1

SHA256
c95534d227f8d5a2e8ed8c8bfeed1ad65c8b696576223a32ce9fb650e5e47f18

SHA512
40b71d542a6eca343bc40ba806f7f6a1ba451f4debaa372e4707fa9efd2944a2b494b58e0b9bb6ca5764144d62c3da0bddb18d3ea60c41a079e8b09f2d49706e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
940396fd7490427bc84282b37f5935f5

SHA1
068fee008dda01c5febfd5d3011f1b3882a9d9c1

SHA256
ed317a58b7356d304f754baefa51faeecbefe45e01de8407cd17bd5c3b30b692

SHA512
fbdb7af7aab6119deff8a1d5a6fb2a054253187ffd64aaeaecfe5192ba50d6cf73736f9403d75db974cc101125949c8e20bdc67ea92f5d27d745ebb36851631c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
6dfbcbdd39b5cead01fe85820cfeb125

SHA1
b7da23629c156d32b27eabe4aca15e34062d8395

SHA256
fe88d59f87325986041782769763a6d6fce75ae3d909e8cafc4c27576a7b1514

SHA512
8c367c880eff5aae61189ec818bea552e8f23c37dee8e649117d579fe4dc42ab80e6c19d83a77fc8e04cecabe0a88dab0072cc4f65c2f26b022221e9005ec42e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
4424887c0653f9d447caceede4014f3d

SHA1
8a80852efdf90e17935546fc6b39802714fed275

SHA256
14ac932722845df72ba669410522543af1eff27e19ce2cfd29a0e57d2e4a8c84

SHA512
f07a7516e25029430df233becfb9c7b1d8c3ee84b8d9f89f02241299fb5fdcfbbb303138acaa58be4763c2cf33d669f97725bf6d08d6001531937b089390121b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
529eb866661e640a1293335f3661be8f

SHA1
1785242535c76f41a0a6c1bfed6cefbc276bca6c

SHA256
65f9b3a8662e6a9b68f4b4236200a3b7453aec1231beabcf2a3194b794159210

SHA512
222fda8240fbe41d674c27b9f26189afa316e04cdb59ac3a1112d1e05885a84bc55c0ece51a120c75c7afa711e8ea8353541839ed4c8ce50e88dd8576c151c11

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
0b9315c50ce6eb322c41c43cb01435d1

SHA1
171d30a88983afea30f4ff52e67a7c4b7f3f2c77

SHA256
60b689e15f8cbf6b2ce1df94f9a2b6e4ceb92dab152e6eb8fcce671c57768773

SHA512
fdd4ef81f0625177e3a77e46379dd2c3e8c0eea23477d956c256beccccd8b697b79fb94695451be2db5133df1fa51f499e300755a9ba56b2b2edabe783d0c6ea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
9d2437b9e681cb8cc2ae2d487eb54668

SHA1
1f723975242b303097f4819e6fa381d055eb1d6d

SHA256
4405ea07af329878e3401db1b95a783548c548c85d8ddb405fc0f9f136b72868

SHA512
0fa06bbdd7b8a6ec08a99c0f861b2eca78210d07f1b0e5ab64796f0985777d703751ebcbb2b15735bbf79b98c999269c324890ea1f63cd86eba008a2b04eb38b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
2008b79c82848f9b5545935105075735

SHA1
c411d142842ca9b2b46ded0a7567e88627122324

SHA256
4916cc7f43132751d6c09271bacef66d4c6a8d29f3707c09018934732d1264c5

SHA512
1a398823286881ac12ad93e3f7169d2924ee74194af22f8d9e287fbed0362b33290f7fb11f65f38c1e99ac00d926801661619e721f1bee80db01d7aff86a0bf1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
5b27c1ef17862ffa350e896021655bd1

SHA1
fc12c9206bd1dec749c51b96d9ec89542e58e262

SHA256
1b4778179e7d775d26eb5d268b35337576f6d6debfd1381dae8a71d432441553

SHA512
8997325bc6c09254086dafad065183ca29a3a794ec95902aa10f45f161e68ac77b8614fa5c3bd1332a657f5efccabcfb3646232d16a841f59ab914d15f90cc47

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
94222db4bb848e3b8d83062726a24bf4

SHA1
8db60dc355d17978bafde353c8f775ed25f356d1

SHA256
c7745c85ed93e7665dcecbd097ae5a5f5a3b198e23811d4bcfbc5b5c0fa97488

SHA512
6f44246fa85503c4c9914e21a2d19d9ffdb4dceab1762f6b2746d8710fbd15b432f5f7ffdb5db9b5174debe9a9754ae7b7f7a3e876b2d6b1d2e2cb2cad3a82fc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
31b50145e642987376a9c37be55e6d98

SHA1
62298e85a570c06d5b9a7855848a7f578cc94538

SHA256
7c197555d7f81203dbc2d0a2a2f3e39ade11a1b382866860f30cca58f8a7e968

SHA512
a2524d5d15a862ddb939c758857978bf450c213ab1a05396219ce838f749f5983db4f0ab56643c0b0d1542e8de8549831fd94cc696454bd57eb1d1ecd37a06f2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4f16915a3266d14fe70fc6ba94c4475a

SHA1
ef47352de3ccc50611773bfffba8ac2e4ecfd340

SHA256
d67af78b62e0238892ed497d0240bb250d0e2c3763b99ed11c7d2ddaedf868e8

SHA512
4b1af4fc81fad7e9e2ef0332868ee7cf74f894fde9f0449c06552c3c89e7076b0696f189c1aa8d68b3a84d15254801dfd4ddc7ec4797844cd67da49cab1c489b

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5bce3264b8b5a46c445be9b04a401bff

SHA1
8469c68f2507ae658968746f626fa6217d3aef5e

SHA256
72da619a994c452856cc56aa343426518701b5f4fbc29a28dc6dc317cbd6f331

SHA512
181385fafb2c46309e282562a3014f0b6c6faa1f6e726f4edb7bf2b79dd994baaafc7562e00bc065bad76ce35916c497fc8d48de3e083f921b78814c6f883ae1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ac519df08cf1f877be6b428ff5ace385

SHA1
c2d7cb7569d2f29a548d2bb5a414fcd3a41c1952

SHA256
126f5a6de28d1c09dbe52a7863b734caf6182340cf2014c91d252f8dc4df8c74

SHA512
013d6aedc2ac8604bf8f102d13e9c9114732851b76bb79df70a9d7f6b95ddbc44c2f7d76721b7b50d60c9821eb352293fd6300de436237900f25907b4f75fe83

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
fdd1e7c169838ccfe58d8923cb6d087a

SHA1
992775f5c0faec6bd5450fc2dc7331b5715b27b7

SHA256
c47b1958dc8e02c16aa9109bf64f17fc62cbd614fda0d2e25b6635bcabd9f71f

SHA512
36ab27a7f12250610e2dcb3024274a2360b1828112d39a065249749341a6d0619b628bf02dfaf09a08beed147dd8e5300d131aa6eb8685ab99c036bf54e06e7a

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
72238c6214f20d5211b850b52ecce7c8

SHA1
94e104c60e8025185a9776706f898b67e3ecf1db

SHA256
b1b03472c57be15ac10f8805ed153a082207d5b605f565a1cf68e11a2251ef74

SHA512
7949f37291f3cdf114ecdc692bc22fb5b5680fadc11d8de9bc6cc626047bba1696c0637de26603cec25b07e243eea95f537954affba2fa2f9e82fb5318ec19b9

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
df9dc318522e09d6f50bf1871ad8a6dd

SHA1
bee6fcb27c82decb9087fbe926b2447f246cdb20

SHA256
d26282b3e0f640b9c0f5ac1b83ef3ef13a497c135a3b2a79f5497aeda3bd49fc

SHA512
8069e605b89402835e133e5961506e5321e35677247239a2fa4cf98f72dd8b3d0b0fe942d7feb3196dd81c23ed8344258e9eaa858f6a63bdb286f6edf50162ce

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
9432cf6ff2299db84cb82684f5cb44ce

SHA1
6d234c723215fa8f5cc00d5757887ec54b1fd04f

SHA256
ccd4f69156f0864f5109fdde4795d4d248ab67ae3ffec5f7d158b22878c829d4

SHA512
0603d3bc9c93812584900cfc4b051f12bdb4f654ef493aa1045027454a721d6e34713a037e2951eec49a0df04570d02efc8b69a6c52e8a78faa0bcaa8659d139

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
3a2b7cd9bbcb079f46ae95f925992b21

SHA1
bec4f21be089f3fc738b73c7c736c8874a936239

SHA256
22496684ed0eecdb069b35987e01bc6b7111e2f6d17b56cf93726292c19493b4

SHA512
f95f3dec0b5fe0293dd2979b1f96f5b55b400aac62dc59ae2dcb0c1f676523b15b077bb65ef1a3c2b12c995dfe16877c5e234b56f136d99f570d88d05e9cc55f

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
309b0c9acbe8c1eb98775d5cd09d2fcd

SHA1
4169a732daa7171776de44c0c90730d984e7227d

SHA256
c0bdd8f7736b54213c5d91d78483ab9d2eb7d7f3331041669de9274065e41792

SHA512
653dff23ec5243930be2509209ec059327ba4ce8ff6ebd848bec2a866156a621e8b04296efd7fe770318b5c503379d51149d24d05d4c9faf27b80521557596ca

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
32a8da9e37c4f6b4926e84cafcd60fa2

SHA1
da7821219cf2ad1e639c980cd70f6e66f471a2e2

SHA256
c9b37970e7899bd655662cae0dc3290f5b76c48232805d552d563cc91d78edac

SHA512
e4d851ba79017f6307a6728c5fb5951ad2ed4d894e59a249888d10cd83bc3d025725871b14c5f4139d8a39b6725a82e1c6d23a60262afb2e7c53edb960df0eb0

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
ac41f46751fdeab7205cfe373e98ede2

SHA1
ac1688b2cfde50fd495396a1c51633822ef1ae41

SHA256
3fb8332169bcad59f9984f2e85a6f6503b2c0c25c5596eeedda9cb7e562ccb0e

SHA512
8f5043b6b49a107eacac4b7365ba90d9574e962c2bdeddaf019f29aa7cbb1d1a578465ef99a9ba8a07da2a4e8de342d022739c8784f529411268d9e367691da1

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
88e2c9696e8286b661bbd97c081a5e7b

SHA1
a87014e74687e756bf636729c7aa7939e345cbb9

SHA256
c6c6857ae979161eebdc8ca83726838eb2c139ba6fbb2756732812397b68c6c7

SHA512
77bea6533e676ddb9ff14cb1f845bc00afb719576abc2988ebdf33be79dda1f87b64bef30e49059b3e24f811fe25ac18e6b76a7a5819b67dad5e1cafb763c8e6

Download Submit
memory/548-140-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/572-225-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/572-226-0x0000000000170000-0x00000000001D7000-memory.dmp

Filesize
412KB

Download
memory/596-228-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/944-247-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/944-114-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/944-122-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/944-118-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1088-504-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1088-242-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1116-237-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1116-465-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1320-253-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1320-272-0x000007FEF4490000-0x000007FEF4E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1320-171-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1320-170-0x000007FEF4490000-0x000007FEF4E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1320-282-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1320-174-0x000007FEF4490000-0x000007FEF4E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1368-224-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1368-223-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1448-113-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1448-39-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1448-44-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1448-38-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1552-127-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1552-216-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1552-137-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1552-128-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1552-257-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1556-269-0x000007FEEF650000-0x000007FEEF6EE000-memory.dmp

Filesize
632KB

Download
memory/1556-281-0x000007FEECBA0000-0x000007FEECCC8000-memory.dmp

Filesize
1.2MB

Download
memory/1556-286-0x000007FEECAC0000-0x000007FEECB91000-memory.dmp

Filesize
836KB

Download
memory/1556-259-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1556-251-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1584-265-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1584-285-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1684-232-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1684-217-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/1788-25-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1788-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1788-1-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1788-6-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1820-227-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1960-243-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2024-20-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2024-28-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2024-19-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2212-466-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2212-240-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2252-220-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2308-61-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2308-123-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2308-55-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2308-54-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2388-98-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2388-104-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2388-97-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2388-238-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2488-32-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2576-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2576-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2596-221-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2596-236-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2676-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2676-26-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2744-235-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2744-218-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/2744-280-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/2760-73-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2760-72-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2760-79-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2760-135-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2820-107-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2820-85-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2820-84-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2820-92-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2820-108-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2820-116-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2820-142-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3020-169-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/3020-168-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download