72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
Size

1.8MB
MD5

7376e2a7ece8bc2d4df062c2eff4c1aa
SHA1

f25b27172fe7f9e4bb78d25d76a63216ac45349c
SHA256

72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48
SHA512

82dd77693b015673f6ec68cee9657aec11ca947f8c4f608c8eb2a1570d0f080fa5edfe03eeedeb214eb2305971bca98d444a9ed05f2b2b283a3f51c8550fa62c
SSDEEP

49152:uKJ0WR7AFPyyiSruXKpk3WFDL9zxnStblI7a8K2mFhbrr:uKlBAFPydSS6W6X9lnMlI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
3012	alg.exe
2164	aspnet_state.exe
2152	mscorsvw.exe
296	mscorsvw.exe
1288	mscorsvw.exe
1600	mscorsvw.exe
3028	ehRecvr.exe
2892	ehsched.exe
1336	mscorsvw.exe
2572	dllhost.exe
2468	elevation_service.exe
1040	GROOVE.EXE
800	mscorsvw.exe
584	maintenanceservice.exe
1832	OSE.EXE
1648	OSPPSVC.EXE
1568	mscorsvw.exe
1384	mscorsvw.exe
1740	mscorsvw.exe
1720	mscorsvw.exe
1036	mscorsvw.exe
2408	mscorsvw.exe
2512	mscorsvw.exe
2096	mscorsvw.exe
2440	mscorsvw.exe
1596	mscorsvw.exe
2092	mscorsvw.exe
1700	mscorsvw.exe
2200	mscorsvw.exe
2484	mscorsvw.exe
1636	mscorsvw.exe
3052	mscorsvw.exe
784	mscorsvw.exe
524	mscorsvw.exe
2668	mscorsvw.exe
3032	mscorsvw.exe
2516	mscorsvw.exe
2360	mscorsvw.exe
844	mscorsvw.exe
2312	mscorsvw.exe
1404	IEEtwCollector.exe
2056	msdtc.exe
1940	msiexec.exe
2944	perfhost.exe
2872	locator.exe
2716	snmptrap.exe
1004	vds.exe
2184	vssvc.exe
584	wbengine.exe
2348	WmiApSrv.exe
1460	mscorsvw.exe
1856	wmpnetwk.exe
1792	mscorsvw.exe
1972	SearchIndexer.exe
2420	mscorsvw.exe
2096	mscorsvw.exe
2532	mscorsvw.exe
1628	mscorsvw.exe
2620	mscorsvw.exe
888	mscorsvw.exe
1592	mscorsvw.exe
1584	mscorsvw.exe
2624	mscorsvw.exe

Loads dropped DLL 25 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1940	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found
2532	mscorsvw.exe
2532	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe
1592	mscorsvw.exe
1592	mscorsvw.exe
2624	mscorsvw.exe
2624	mscorsvw.exe
1728	mscorsvw.exe
1728	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eeade99d9a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_am.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_te.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\GoogleUpdateBroker.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_sk.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_no.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_is.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{89C4F14B-4003-4E4F-9969-A2103971EDD4}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_en-GB.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_sl.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4837.tmp\goopdateres_ro.dll	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9F8D1836-F02C-429B-AC33-6A7554268C0A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP45D6.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP780D.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6D53.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9F8D1836-F02C-429B-AC33-6A7554268C0A}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP58BB.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D363022C-B128-488B-B69F-A3CC5E517DFF}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{D363022C-B128-488B-B69F-A3CC5E517DFF}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2436	ehRec.exe
2164	aspnet_state.exe
2164	aspnet_state.exe
2164	aspnet_state.exe
2164	aspnet_state.exe
2164	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2232	72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1288	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1288	mscorsvw.exe
Token: 33	2588	EhTray.exe
Token: SeIncBasePriorityPrivilege	2588	EhTray.exe
Token: SeShutdownPrivilege	1288	mscorsvw.exe
Token: SeShutdownPrivilege	1288	mscorsvw.exe
Token: SeDebugPrivilege	2436	ehRec.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: 33	2588	EhTray.exe
Token: SeIncBasePriorityPrivilege	2588	EhTray.exe
Token: SeDebugPrivilege	3012	alg.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1288	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2164	aspnet_state.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeSecurityPrivilege	1940	msiexec.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeBackupPrivilege	2184	vssvc.exe
Token: SeRestorePrivilege	2184	vssvc.exe
Token: SeAuditPrivilege	2184	vssvc.exe
Token: SeBackupPrivilege	584	wbengine.exe
Token: SeRestorePrivilege	584	wbengine.exe
Token: SeSecurityPrivilege	584	wbengine.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeDebugPrivilege	2164	aspnet_state.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: 33	1856	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1856	wmpnetwk.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeManageVolumePrivilege	1972	SearchIndexer.exe
Token: 33	1972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1972	SearchIndexer.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2588	EhTray.exe
2588	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2588	EhTray.exe
2588	EhTray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2504	SearchProtocolHost.exe
2504	SearchProtocolHost.exe
2504	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1336	1600	mscorsvw.exe	36
PID 1600 wrote to memory of 1336	1600	mscorsvw.exe	36
PID 1600 wrote to memory of 1336	1600	mscorsvw.exe	36
PID 1600 wrote to memory of 800	1600	mscorsvw.exe	42
PID 1600 wrote to memory of 800	1600	mscorsvw.exe	42
PID 1600 wrote to memory of 800	1600	mscorsvw.exe	42
PID 1288 wrote to memory of 1568	1288	mscorsvw.exe	47
PID 1288 wrote to memory of 1568	1288	mscorsvw.exe	47
PID 1288 wrote to memory of 1568	1288	mscorsvw.exe	47
PID 1288 wrote to memory of 1568	1288	mscorsvw.exe	47
PID 1288 wrote to memory of 1384	1288	mscorsvw.exe	49
PID 1288 wrote to memory of 1384	1288	mscorsvw.exe	49
PID 1288 wrote to memory of 1384	1288	mscorsvw.exe	49
PID 1288 wrote to memory of 1384	1288	mscorsvw.exe	49
PID 1288 wrote to memory of 1740	1288	mscorsvw.exe	50
PID 1288 wrote to memory of 1740	1288	mscorsvw.exe	50
PID 1288 wrote to memory of 1740	1288	mscorsvw.exe	50
PID 1288 wrote to memory of 1740	1288	mscorsvw.exe	50
PID 1288 wrote to memory of 1720	1288	mscorsvw.exe	51
PID 1288 wrote to memory of 1720	1288	mscorsvw.exe	51
PID 1288 wrote to memory of 1720	1288	mscorsvw.exe	51
PID 1288 wrote to memory of 1720	1288	mscorsvw.exe	51
PID 1288 wrote to memory of 1036	1288	mscorsvw.exe	52
PID 1288 wrote to memory of 1036	1288	mscorsvw.exe	52
PID 1288 wrote to memory of 1036	1288	mscorsvw.exe	52
PID 1288 wrote to memory of 1036	1288	mscorsvw.exe	52
PID 1288 wrote to memory of 2408	1288	mscorsvw.exe	53
PID 1288 wrote to memory of 2408	1288	mscorsvw.exe	53
PID 1288 wrote to memory of 2408	1288	mscorsvw.exe	53
PID 1288 wrote to memory of 2408	1288	mscorsvw.exe	53
PID 1288 wrote to memory of 2512	1288	mscorsvw.exe	54
PID 1288 wrote to memory of 2512	1288	mscorsvw.exe	54
PID 1288 wrote to memory of 2512	1288	mscorsvw.exe	54
PID 1288 wrote to memory of 2512	1288	mscorsvw.exe	54
PID 1288 wrote to memory of 2096	1288	mscorsvw.exe	55
PID 1288 wrote to memory of 2096	1288	mscorsvw.exe	55
PID 1288 wrote to memory of 2096	1288	mscorsvw.exe	55
PID 1288 wrote to memory of 2096	1288	mscorsvw.exe	55
PID 1288 wrote to memory of 2440	1288	mscorsvw.exe	56
PID 1288 wrote to memory of 2440	1288	mscorsvw.exe	56
PID 1288 wrote to memory of 2440	1288	mscorsvw.exe	56
PID 1288 wrote to memory of 2440	1288	mscorsvw.exe	56
PID 1288 wrote to memory of 1596	1288	mscorsvw.exe	57
PID 1288 wrote to memory of 1596	1288	mscorsvw.exe	57
PID 1288 wrote to memory of 1596	1288	mscorsvw.exe	57
PID 1288 wrote to memory of 1596	1288	mscorsvw.exe	57
PID 1288 wrote to memory of 2092	1288	mscorsvw.exe	58
PID 1288 wrote to memory of 2092	1288	mscorsvw.exe	58
PID 1288 wrote to memory of 2092	1288	mscorsvw.exe	58
PID 1288 wrote to memory of 2092	1288	mscorsvw.exe	58
PID 1288 wrote to memory of 1700	1288	mscorsvw.exe	59
PID 1288 wrote to memory of 1700	1288	mscorsvw.exe	59
PID 1288 wrote to memory of 1700	1288	mscorsvw.exe	59
PID 1288 wrote to memory of 1700	1288	mscorsvw.exe	59
PID 1288 wrote to memory of 2200	1288	mscorsvw.exe	60
PID 1288 wrote to memory of 2200	1288	mscorsvw.exe	60
PID 1288 wrote to memory of 2200	1288	mscorsvw.exe	60
PID 1288 wrote to memory of 2200	1288	mscorsvw.exe	60
PID 1288 wrote to memory of 2484	1288	mscorsvw.exe	61
PID 1288 wrote to memory of 2484	1288	mscorsvw.exe	61
PID 1288 wrote to memory of 2484	1288	mscorsvw.exe	61
PID 1288 wrote to memory of 2484	1288	mscorsvw.exe	61
PID 1288 wrote to memory of 1636	1288	mscorsvw.exe	62
PID 1288 wrote to memory of 1636	1288	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe
"C:\Users\Admin\AppData\Local\Temp\72b92372377fcdac6ef322494db967a3c40f638c9596ed3ec85613788b281c48.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2152

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 1dc -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e0 -NGENProcess 1dc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1e0 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 278 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e0 -NGENProcess 278 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 284 -NGENProcess 1ac -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 184 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e0 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 29c -NGENProcess 184 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 270 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 270 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 274 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1f0 -NGENProcess 1c0 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 21c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 1c0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 1c0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1c0 -NGENProcess 288 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 28c -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 21c -NGENProcess 294 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:1568

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3028

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2572

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:584

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1832

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1648

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1972
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
cca4244e12083fc4153b275901ad5d66

SHA1
391028df50a7be1d1dfc14ef0d39f7ba5f8652aa

SHA256
50df87a44a8ac2775a13fc015eb3aaeda9e78e96113475332288c9d5d4d6abfc

SHA512
a999e61e345e6108c57ce2a4d5259ced8711409c4bcaa639d9a740cba96580fab2df52853abd59c29d70a70363ba374b9e102ca866019381571ffea731cfb1a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ce3250bf2a6f7983e61f0eafdd639682

SHA1
a5c8a0deb220582efcae6c999732c6b6c6e13bdc

SHA256
c62b80725e79893fa720b5e82e0481596ed261405a6290ee923f98fe97aa8723

SHA512
763bf10ed758a5acf8ddd4fedde4ca04f1d6cbe8aa466e145c7d1d237f7baa811c0ab80df3bcf2438d3f4c1895adac10bedb8c34950b9205ddfef7b41a62554e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f81523b0f7e2f5d10420ed777258fa79

SHA1
dc6ea608879712dad0bf0f8e9e37690784c1ef52

SHA256
4c03cd52327ee97b56baab1d745bcfa962f49b4010efb59d9e7b4d7a8131c221

SHA512
ccbc28e8b0794b71666969202d31c8a7fbfe448cd5705d8b28b836fe9a2ff1ccf6e13c2e535c0dc713e4f79c0d173e0f49fd27ee46814956938e6ba55191d46f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
db880da3a770b84904f36c4275976e2b

SHA1
f1336c454f031db9d783b8a24b8b7f8a6ea2d50b

SHA256
f977fca1258d6d4b3c87073f41a3b8c262c7946b2aa9a159c0bb8ab0a95f7918

SHA512
8fb523b8a045aca9d12f46476c33b4f1986e8f19232482ca0ed919235dcf09484754dfe7928d306ca9a9af1a9d536faa94e88e0342858ea5d5ddf0935dc46aa6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d3d4d384d2b2392619122a40c93fa32a

SHA1
83670f87900def5ccd74ae12d573a5acbd07adbf

SHA256
0512ae113aae9e6751316873fb5374e1ad449b3f5bc07aab354ed0ebe4330b11

SHA512
7d66066f5b2a72941d450d624a68978818e4f39957f8b071e5ce4653363d5a30d6b1e818fe621cd6a97f12e4ffc8638ce6eff1d530d5f9ab9f3b37c055261fb0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
48ea4f1673c75f9e22f0e87a88a1bdbf

SHA1
2c0268dea20b4041f4aae40624b979c8570230d2

SHA256
d5ac1a96c1ef81e6774429b0b5254ecef912a12b538860cbc34fe74014405f45

SHA512
39d898ce180bdcdb0a3eaba0b4f5fe16da12267aae60f712cdb88485ecfb2418e46ead68255ed9c076ff973ed7baa694be019544aac63736d402d6bb95fbf1f8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
3fe52fd0c48bc0051542415368cb24fa

SHA1
f58de3914b79a749c63aaa90cb0d4f90673fc1af

SHA256
d4e1acdbd18403b781238a3f4644ca7cd01502a4fede5ac7f3d4d113f75acc4e

SHA512
341dff4fe0bdaccd5e54ad988cc543a42a4e012481c7c18f830ad0349674eadc329bbe29dc4737912177d3789c0cafaa25bcee65cd17afed63b059bc18753505

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
29ddc72e7ecf36b24fee7456f213ca77

SHA1
16019346ff9884e7d343dd73c20574c297e93a61

SHA256
305e2e1095c5ee5d43288a40ad24cbceba17fb315a9b2efb59191db8cc36e659

SHA512
3b064ec3f71d4cc960ab0d588ecb3e269b1799fae0f5ffdc3cd1fef476befea07f9ab7fa4effa39cb2dab648f8cb13e80634c30e1481160624694e9ceab364cf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
8b071c87e0b6aa2e241d88bcbfe8ab8f

SHA1
eea4f0d5672ed7aa0b0481c024d30324fbc4cbaf

SHA256
3bb83f4143c1922ab811029c0c6d5f92e1c01fcd55fb799e0939916e0a53fa7c

SHA512
4377f081972cc8649aa161660e49a45cd368ee5c2994d4ee8b9664e8dd5eefa6fcd3ea06890461dc280ffa6613277d4cde50effbcdf6a41b941d2cf56191929d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9255800d0ff758bd3db5e0fcbcd178e6

SHA1
d975cd7de6b975824793d3ff51c5fb2cd358149d

SHA256
48693c4dce68f0b51cf559d81395e14bae681c73f411ac3e495c04fa217e015c

SHA512
e8227035651c5438cbdd8c2571e41221209ceeb84c5bd285362fb984b484dc513298bc676a04f0253f71ea18314d8ab4e54847955b0ba29b6d67d8d48d607730

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d571bbf3777930c696e622db20a706ba

SHA1
d9857c1ce530d38222b29e08370d5c4afe07af2d

SHA256
4b6b8d719c2ff9dd63016eca16c23bb765345cbf26eefce4d74f3f3b034b76ef

SHA512
67ff79c767a79a3e1260ef8c2032b43a9ef2cf2fd82cfbcd9e399e576ae771a306ce16b9138e3f620fb501aaa43d2f4156920d25d09d6ad1985fdb664597d266

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
7379b201740668bf83203a3d3787e61a

SHA1
4a29993215cb01cc64277ee8436335625b3cd8b5

SHA256
b8651a22bf9ce241d3cfb93e40b98567054f7a6a25c5bb9ba4b929c1730fa8b2

SHA512
b78d500b51841428e03212cb1bdf3070f336861aa884d7f1fdd3ee095d9059363e996ffc8d3020a57901f48f598ded4e355cdc4462a9d9b40ac67ddc2fe0a895

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
998a916a0d5620e37776b4f9462166ae

SHA1
28e7f76c1092ed62e454112e63ba613f3e7c8f96

SHA256
31bc3050d66444e5e615d5e705dd8f9d38051b6a90f2d1841a3c49b4f6009f3e

SHA512
cd1ab04355734b9495c3a0076500c9193ca1e42567cf12b7a7057db166c7ffda489c503b4361e7eb3ddd4be8b027339cf5ba76434425291d75816c921ecd94d5

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
2b2789b44d26f7a5ba259922946a93a4

SHA1
19bffc64c738414cb6591c186be67e6eb81b246c

SHA256
0de562ac5b26b59c27f7c7bf23a063390e3ec579d0a76836dee0fc4e5dc2fe9e

SHA512
0e970a25242c6e9367f2bd36afcf471dc42931c73bea64319813a5e9ebba85b74a59a0020dab229a0f07215dc151cecff678a0f75e107a8101eab124ba63116c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
0bfbfc98408166a06293a118f14582d9

SHA1
9aa5576f5bfddcbf709d576ede55c12f5b65ec73

SHA256
f3d2376742439d250704311ced4cdfd3df77f9f6a0f2ba1cadcb7e1ce3575806

SHA512
212aa4f29e9a9baebf90fe0da771eecd17ba3d339042fd6df305a06007fbb6c61aff1b5f4449b8896d06480afc3e7b91b56f4f3c54ee29b342fcd09746d20cf1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
12cb8fdb4834dabe7a126d8c0cf76bae

SHA1
c5f55db9a8448a6ed90f73dc593d574a95e1514f

SHA256
a72f0a9ccfb36632b04a5ec4778587f390f1e481b811f895f8feb3de426c8566

SHA512
b8996638bf09a1978c565209aaff1499243efcfb94b12028cbccce6e3df367ef5d9ecf6dc2b5dbdaad0bb763aa0ffa09dfa85f64306ce591e8c6c04246dd6a1e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
e1b747a819ae31a98ee2cf6718e0686e

SHA1
3e45f3a8f61ffdccc988ec73f962684d75e95d42

SHA256
a9fa65de9d2421b66fdde533dad2915e146418ff389a724a3f56d574d714fbe9

SHA512
3a925cb0caa3ad1432c1dd3af6745349ee2631b2826d9551e2f53023d8e4edbb1171e576629e8d001eb2f5806151ecadc2cd0e79d5e8868bd53e044bf6f01ac9

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
f0f1783c96c67210245efe95a731009b

SHA1
263b61ec89791400ed2f9f4d8397b6afb6988124

SHA256
8dc86d26315f545df0aa54d9361d9bab561f419090f03e86c3232b1adb8a60f1

SHA512
dbd405f37f6067ed437f114ffb6569b985c463a8edf236b846d03046e27ae4e24d58a2b475464a752ea3a05eb993709e4b3e11cd9b06333aa88100bd315f87f4

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
96849c90621587753650cb9442d5e5b6

SHA1
8e28a3a2fc7b84b2ba385000f7322da0552d9a53

SHA256
a1f2d7e82eccb5f8a420be490cbb1ed268f5731eb1d4143c4d70db98c3a1d0ac

SHA512
8e2be084d63c5d1f5f78b602fe3c6175871a62dfffde0a3808cdd510fd743d4e08bee945dcc91a71510dda20cdc75f79b1501c5a2a7f899c240b630455dee03c

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
306cd7b5fe5d4a16b2aef3bcf0fa146e

SHA1
223ad024e04f94e331bc24a68366247c9828b199

SHA256
a9125a73adf9424a049a1a63ac011316e8a8e2f4ff8d10e4c235e8231f129911

SHA512
5bc323cb2c1f9514fe47927d4c111c2b8c8397ca7f7d0efd3c1faee1a729b80ac3112668e4cda73839c4b3c95914a76c68aab3b29f98378e114553d679beab8b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9067fac1f3fa7f0e23d6c2fa00c6c393

SHA1
2772e1bbc7259ed1031736deb2434b6cd28b7313

SHA256
265a414419cadfbeac6c40d978f2fa4d6075a8234971c904e44485b1b0deedd5

SHA512
a377bcd10a7e9a30f4d6b6e773a80c9b14fb4bfb77c4d287bff3dc8344715eff7fdc02600093f71a34d0cc1f7a75d3e3022b8c02ab64657149c6dc5ca44a623e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
6f683aaf3653163e75a6f098d204a596

SHA1
961cce96c50e053bebc58bece61f82b28353fa6c

SHA256
4bebde7e490a9300cfd9d47b167b06672652a1b27d04bbaabbd31bb592ea093b

SHA512
4906549e3515bebf846794ce7d0aa013f4376862fbc59a8ff965191427a859c25f176e2d5b0d587aaddc7624269aff5178bf8b412fb50a876a3606e10657aa33

Download Submit
memory/296-130-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/296-123-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/296-122-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/296-180-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/584-377-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/584-379-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/584-367-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/584-362-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/800-390-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/800-353-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/800-351-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/800-391-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/800-389-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/800-350-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1040-358-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1040-352-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/1288-140-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/1288-147-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/1288-291-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1288-141-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1336-340-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1336-293-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1336-342-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/1336-322-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/1336-341-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1600-158-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1600-159-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1600-166-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1600-299-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1648-395-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1648-417-0x00000000741B8000-0x00000000741CD000-memory.dmp

Filesize
84KB

Download
memory/1648-405-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1648-408-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1832-383-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/1832-375-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2152-114-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2152-108-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2152-176-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2152-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2164-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2164-103-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2164-96-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2164-183-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2232-7-0x0000000001E90000-0x0000000001EF7000-memory.dmp

Filesize
412KB

Download
memory/2232-6-0x0000000001E90000-0x0000000001EF7000-memory.dmp

Filesize
412KB

Download
memory/2232-295-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2232-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2232-0-0x0000000001E90000-0x0000000001EF7000-memory.dmp

Filesize
412KB

Download
memory/2232-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2436-348-0x000007FEF4330000-0x000007FEF4CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-415-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2436-347-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2436-414-0x000007FEF4330000-0x000007FEF4CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-399-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2436-346-0x000007FEF4330000-0x000007FEF4CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2468-355-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2468-349-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2572-403-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2572-308-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2572-301-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2892-360-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2892-206-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2892-197-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3012-157-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3012-83-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3012-16-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3012-17-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3028-296-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3028-192-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/3028-184-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/3028-186-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-310-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-397-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download