Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 22:10
Static task: static1
Behavioral task: behavioral1
Sample: 9cb92e0f1b38f65415fdb387e958ede56b191ac978d0e43ba34361d2671afe7a.exe
Resource: win7-20240221-en
General
Target: 9cb92e0f1b38f65415fdb387e958ede56b191ac978d0e43ba34361d2671afe7a.exe
Size: 1.8MB
MD5: 6339f820bf1c001ddd91078562fa9bc8
SHA1: 2fbe050c4f000b47e5d43c6609c5ae628e8eb720
SHA256: 9cb92e0f1b38f65415fdb387e958ede56b191ac978d0e43ba34361d2671afe7a
SHA512: 144c9722204765011450395951892cbd6191b4ee2cba92ef47d2d0073c95ad3f9e75dd11b265ca2eb4f0bbc1dd0973d3bb6f8079fd320e2b8853dd678c1afb42
SSDEEP: 49152:1KJ0WR7AFPyyiSruXKpk3WFDL9zxnS1rfPOkhqvq:1KlBAFPydSS6W6X9lnyOkf
Malware Config
Signatures
-
Executes dropped EXE 60 IoCs
Loads dropped DLL 19 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 19 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 51 IoCs
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2336 ehRec.exe 556 aspnet_state.exe 556 aspnet_state.exe 556 aspnet_state.exe 556 aspnet_state.exe 556 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2528 EhTray.exe 2528 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2528 EhTray.exe 2528 EhTray.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cb92e0f1b38f65415fdb387e958ede56b191ac978d0e43ba34361d2671afe7a.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9cb92e0f1b38f65415fdb387e958ede56b191ac978d0e43ba34361d2671afe7a.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1328
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1116
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 1f4 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2076
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 1dc -Pipe 264 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1824
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f4 -NGENProcess 1dc -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 278 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 260 -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 288 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 1f4 -Pipe 28c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 290 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 290 -NGENProcess 1d8 -Pipe 1f4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:3004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 294 -NGENProcess 29c -Pipe 254 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 294 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 298 -NGENProcess 2a4 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 298 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 1dc -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a8 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:3012
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1364
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1976
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 20c -NGENProcess 1e0 -Pipe 1b8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1356
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 250 -NGENProcess 234 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1584
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 258 -Pipe 20c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1548
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 228 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1484
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1d8 -NGENProcess 258 -Pipe 22c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1200
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1404
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1740
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1d8 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1908
-
-
C:\Windows\ehome\ehRecvr.exe (depth 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2136
-
C:\Windows\ehome\ehsched.exe (depth 1)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:3068
-
C:\Windows\system32\dllhost.exe (depth 1)
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:2956
-
C:\Windows\eHome\EhTray.exe (depth 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2528
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2332
-
C:\Windows\ehome\ehRec.exe (depth 1)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
PID:1620
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1640
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:576
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (depth 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
PID:628
-
C:\Windows\system32\IEEtwCollector.exe (depth 1)
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:1936
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2180
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2172
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2508
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2244
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1556
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2744
-
C:\Program Files\Windows Media Player\wmpnetwk.exe (depth 1)
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
PID:2588
-
-
C:\Windows\system32\SearchFilterHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
- Modifies data under HKEY_USERS
PID:2312
-
-
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1720
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-