ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
Size

1.8MB
MD5

455c31f767e9d2cb9023998729da0af8
SHA1

3797503e964716ca4cd95a47c0c1fce0bd0f718f
SHA256

ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36
SHA512

051be9820e9c2f2fc80db8bb70d68c2d77e063b19ec2a1b6c942a9d3437b4291e309534d73737956e404c0208e0f4f0e4149e84005b2966956b7a75a3a5261cc
SSDEEP

49152:IM9QPdxwfE7WlFwKAfzuTiDFUFkZq2seRcA2NyZ:I1PdVQFwKZCFg0keyi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 34 IoCs

pid	Process
468	Process not Found
2652	alg.exe
2744	aspnet_state.exe
2884	mscorsvw.exe
1668	mscorsvw.exe
584	mscorsvw.exe
1804	mscorsvw.exe
1464	ehRecvr.exe
1336	ehsched.exe
1476	elevation_service.exe
2980	GROOVE.EXE
2064	mscorsvw.exe
2880	mscorsvw.exe
2876	maintenanceservice.exe
320	OSE.EXE
1816	OSPPSVC.EXE
1932	mscorsvw.exe
2016	mscorsvw.exe
2588	mscorsvw.exe
2072	mscorsvw.exe
2728	mscorsvw.exe
2528	mscorsvw.exe
2736	mscorsvw.exe
2440	mscorsvw.exe
884	mscorsvw.exe
268	mscorsvw.exe
1668	mscorsvw.exe
2748	mscorsvw.exe
1812	mscorsvw.exe
328	mscorsvw.exe
2012	mscorsvw.exe
2804	mscorsvw.exe
1584	mscorsvw.exe
1512	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d52e2cc49a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdateres_no.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdateres_fi.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdateres_sr.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdateres_th.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdateres_fil.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdateres_zh-CN.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdate.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4386.tmp\goopdateres_bn.dll	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99499D80-37EA-4BC3-A6D1-12F6ED68A113}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99499D80-37EA-4BC3-A6D1-12F6ED68A113}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{D5D2FB4D-857A-4C26-B86D-E0880DE17950}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D5D2FB4D-857A-4C26-B86D-E0880DE17950}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2960	ehRec.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2196	ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	1804	mscorsvw.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	1804	mscorsvw.exe
Token: 33	2600	EhTray.exe
Token: SeIncBasePriorityPrivilege	2600	EhTray.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	1804	mscorsvw.exe
Token: SeShutdownPrivilege	1804	mscorsvw.exe
Token: SeDebugPrivilege	2960	ehRec.exe
Token: SeRestorePrivilege	964	msiexec.exe
Token: SeTakeOwnershipPrivilege	964	msiexec.exe
Token: SeSecurityPrivilege	964	msiexec.exe
Token: 33	2600	EhTray.exe
Token: SeIncBasePriorityPrivilege	2600	EhTray.exe
Token: SeBackupPrivilege	2988	vssvc.exe
Token: SeRestorePrivilege	2988	vssvc.exe
Token: SeAuditPrivilege	2988	vssvc.exe
Token: SeBackupPrivilege	2668	wbengine.exe
Token: SeRestorePrivilege	2668	wbengine.exe
Token: SeSecurityPrivilege	2668	wbengine.exe
Token: 33	1832	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1832	wmpnetwk.exe
Token: SeManageVolumePrivilege	1104	SearchIndexer.exe
Token: 33	1104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1104	SearchIndexer.exe
Token: SeDebugPrivilege	2652	alg.exe
Token: SeDebugPrivilege	584	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2600	EhTray.exe
2600	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2600	EhTray.exe
2600	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1656	SearchProtocolHost.exe
1656	SearchProtocolHost.exe
1656	SearchProtocolHost.exe
1656	SearchProtocolHost.exe
1656	SearchProtocolHost.exe
1656	SearchProtocolHost.exe
1932	SearchProtocolHost.exe
1932	SearchProtocolHost.exe
1932	SearchProtocolHost.exe
1932	SearchProtocolHost.exe
1932	SearchProtocolHost.exe
1932	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2064	584	mscorsvw.exe	41
PID 584 wrote to memory of 2064	584	mscorsvw.exe	41
PID 584 wrote to memory of 2064	584	mscorsvw.exe	41
PID 584 wrote to memory of 2064	584	mscorsvw.exe	41
PID 584 wrote to memory of 2880	584	mscorsvw.exe	43
PID 584 wrote to memory of 2880	584	mscorsvw.exe	43
PID 584 wrote to memory of 2880	584	mscorsvw.exe	43
PID 584 wrote to memory of 2880	584	mscorsvw.exe	43
PID 584 wrote to memory of 1932	584	mscorsvw.exe	48
PID 584 wrote to memory of 1932	584	mscorsvw.exe	48
PID 584 wrote to memory of 1932	584	mscorsvw.exe	48
PID 584 wrote to memory of 1932	584	mscorsvw.exe	48
PID 1104 wrote to memory of 1656	1104	SearchIndexer.exe	60
PID 1104 wrote to memory of 1656	1104	SearchIndexer.exe	60
PID 1104 wrote to memory of 1656	1104	SearchIndexer.exe	60
PID 584 wrote to memory of 2016	584	mscorsvw.exe	62
PID 584 wrote to memory of 2016	584	mscorsvw.exe	62
PID 584 wrote to memory of 2016	584	mscorsvw.exe	62
PID 584 wrote to memory of 2016	584	mscorsvw.exe	62
PID 584 wrote to memory of 2588	584	mscorsvw.exe	63
PID 584 wrote to memory of 2588	584	mscorsvw.exe	63
PID 584 wrote to memory of 2588	584	mscorsvw.exe	63
PID 584 wrote to memory of 2588	584	mscorsvw.exe	63
PID 584 wrote to memory of 2072	584	mscorsvw.exe	64
PID 584 wrote to memory of 2072	584	mscorsvw.exe	64
PID 584 wrote to memory of 2072	584	mscorsvw.exe	64
PID 584 wrote to memory of 2072	584	mscorsvw.exe	64
PID 1104 wrote to memory of 1036	1104	SearchIndexer.exe	65
PID 1104 wrote to memory of 1036	1104	SearchIndexer.exe	65
PID 1104 wrote to memory of 1036	1104	SearchIndexer.exe	65
PID 584 wrote to memory of 2728	584	mscorsvw.exe	66
PID 584 wrote to memory of 2728	584	mscorsvw.exe	66
PID 584 wrote to memory of 2728	584	mscorsvw.exe	66
PID 584 wrote to memory of 2728	584	mscorsvw.exe	66
PID 584 wrote to memory of 2528	584	mscorsvw.exe	67
PID 584 wrote to memory of 2528	584	mscorsvw.exe	67
PID 584 wrote to memory of 2528	584	mscorsvw.exe	67
PID 584 wrote to memory of 2528	584	mscorsvw.exe	67
PID 584 wrote to memory of 2736	584	mscorsvw.exe	68
PID 584 wrote to memory of 2736	584	mscorsvw.exe	68
PID 584 wrote to memory of 2736	584	mscorsvw.exe	68
PID 584 wrote to memory of 2736	584	mscorsvw.exe	68
PID 584 wrote to memory of 2440	584	mscorsvw.exe	69
PID 584 wrote to memory of 2440	584	mscorsvw.exe	69
PID 584 wrote to memory of 2440	584	mscorsvw.exe	69
PID 584 wrote to memory of 2440	584	mscorsvw.exe	69
PID 584 wrote to memory of 884	584	mscorsvw.exe	70
PID 584 wrote to memory of 884	584	mscorsvw.exe	70
PID 584 wrote to memory of 884	584	mscorsvw.exe	70
PID 584 wrote to memory of 884	584	mscorsvw.exe	70
PID 584 wrote to memory of 268	584	mscorsvw.exe	71
PID 584 wrote to memory of 268	584	mscorsvw.exe	71
PID 584 wrote to memory of 268	584	mscorsvw.exe	71
PID 584 wrote to memory of 268	584	mscorsvw.exe	71
PID 584 wrote to memory of 1668	584	mscorsvw.exe	72
PID 584 wrote to memory of 1668	584	mscorsvw.exe	72
PID 584 wrote to memory of 1668	584	mscorsvw.exe	72
PID 584 wrote to memory of 1668	584	mscorsvw.exe	72
PID 584 wrote to memory of 2748	584	mscorsvw.exe	73
PID 584 wrote to memory of 2748	584	mscorsvw.exe	73
PID 584 wrote to memory of 2748	584	mscorsvw.exe	73
PID 584 wrote to memory of 2748	584	mscorsvw.exe	73
PID 584 wrote to memory of 1812	584	mscorsvw.exe	74
PID 584 wrote to memory of 1812	584	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe
"C:\Users\Admin\AppData\Local\Temp\ac501ed09606fb4ddc4f0ca37ca02818c9f79a79cd97db41312c78edbaf77e36.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2884

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 23c -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 240 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 280 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 27c -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 278 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d4 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d4 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2fc -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 304 -NGENProcess 2e8 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1464

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2980

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:812

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2824

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:1868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1348

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2352

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
7339f4fc8de555bce13b151d3310c12e

SHA1
653fa7c5ba9b0f060d060ddcd4d37c5625ac0849

SHA256
b40d0e65103a5a7c617df64ee624523c4d845f48360c384b2da4533629df5561

SHA512
61c860440633a7b6f0266feb9ac66d6cbe80f0bb9b4213a9a9f3975d0289ba4023782957c1f90f18ba57c6411fd42630879cb72a9e5627db99c5f655cf848c2d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
a55b15016d5693d637f0e0989a8d89e0

SHA1
40f572cb8d91b0e411f0eb53a60996df30c6db0b

SHA256
a8f9a8dc63a32f0da96cb875ebac9bea600720fa86c172889ed58ddd414b2d25

SHA512
ba20aef06b51e6afc2d670899a9cb2ad81ce434f9e0502f236756ba2c89bd231128d71ddffbf4a96dfebcf64588f84421e549dbdedf7bb23e3c77067332f986f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
7c096673c4b1f9c2842e1dad0e17ffb4

SHA1
eec21f421cba60fdf2700d9ba7a731faa1057ac6

SHA256
a34f2c84e76869fa15bfc00fa7543223bd1e01d4ebe1c91cf0cedcbee1075ffc

SHA512
fedbb3be6b4221f6fd4cc50fdfe048f86dd6f32fa6de968fe721ed9f95b15c2dd39a586f8adc21b6807ede3cce8385316d7116b6831277cb921348af4e12c1f7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
911cee009e7ead87b8ba10bc8775a1dc

SHA1
8aa7330a95ca1b3b828aea5804db10e236c91389

SHA256
0d7d9f2ea75f70fa281c080e2a06b209c1752aee20617b9bf20ddc161a531e4c

SHA512
6ae05f6e50699df2731342885909aa23e1ee1c1e923a24fe48b972ad9dda36452b93b360a7a52feabbe5d73440624f7432469a815f34e692dd15036e0270b81e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
edfc83c57f361183ae5048de9ff070de

SHA1
d82dba06ca5d1a56a549f283f673394081eddbff

SHA256
0c96ab4620985fc29b1b2c709739c465e1c05eb5e2ddf705e8e863733fd54744

SHA512
6fcc545979fcfd0690d08c425db160ef60416610e998960a257373eea2e9b42d13d7b31a13c05530865be749d9ad8fc0080941a2aeb781b15eaea4e83dc193c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c8d2582969614b3acca16fc08ecf260a

SHA1
377dbbd76d18ec74b3bc9912a0fd7ed684fddae7

SHA256
8f61075930ceed7455aab0223b438cb6e985e51062c4c958932ff647e387b259

SHA512
b7f792562018f55357439885be42e66ce2e2dcf516726352c6986b37b5d2faa20880b8554f4ec9e1a1a21d11f86168f983944906489d8c068269168ee2b1b9a9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
2f72bfc42e8b7f770380d239cb71b275

SHA1
9c531b630ca68df2a915b24d7cf67e844284bc89

SHA256
2b6fa60bf9786bacb5dad0f2c48e75de1fefc80e733085687b14bbc58d9164e9

SHA512
1b3e11e839cc042d1644f08ff8f2f7a2772cad99e9c834ba672ee9887948a60bf1cc1484359a8722c706f67f4f5a18ae20e1682f3151cebba2539d62fbb8bba0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7a280abca4f82408e85707f5d98b687a

SHA1
a36e52d74106ab624e46a8a924a5e3eb93a22ac1

SHA256
11c7c3a6bc9025806c5af9de5a6e9c66cabe46a9574acb17778c1b772ebcb9f9

SHA512
9e526ac30e73e87f29610868d785e8083579d572a00e84a360fe81253b1c6d4672886b37493f6638f7fdaacb4588a801e559b6174d51146f6f4a14ea7284f53b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a96b1a6695fed517c10c2da6b0e40969

SHA1
d68e4930d200989833b59b42beb860da52306eb0

SHA256
c7ed70f5c3b2c3e1f3a5526eee21a2211435d1ec9dc34f0b6f93a034dc4c0615

SHA512
61e6af72e78f8aca3229aacd08fa09d365146bdbc0604246994c791351ae149a9b0eced10d1efa0057e57b7b1bd91ac9734a8cc00a9fbc951a621cfdc66dab88

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
05762b4aeaeb344b663a99d0c46fb6c5

SHA1
7a03c099e77c37d2f8ba26d4ecd8128a8015dfd0

SHA256
de3006f1cdb7315eb0d8a99923af45cac9f5fda7bba61eff6ffbdf0571cf3d57

SHA512
a4801967e3ebb27ee4bfe5774d079060cead4cd9ad0178a89a9a5a10cc48da837411fbe4ae89c094d89b0bb0cfbb756152abab85fd0e0dcdc4897f1de40908f0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8f1c33fac66392b379154ba2f5fe4228

SHA1
358f966243134d770c1e546d426803f6f9462706

SHA256
976e4ae125edb2c9dd7c9845038e03d285e3acffcef17187cb1bdb6858558415

SHA512
04feecc55e26df2c2d25cd9600f0e4506588d3f05c79c4fb21ad6953e354ee6d4f98db96b98dcce9d526527e3d3cb5623f4d41cc6b714b18ec5c7c40ca2d4f11

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
95571062f61eae006c7ba69790bdbf6b

SHA1
ae695b57c1cd3bd164f15e1e30729f08a6c164cd

SHA256
0ff9e08846601dd57bdbb05832c282af562b81a663b67be4713226757b57002b

SHA512
2bc48268d9c2adea40cdf1efc4cb4a0538c20d2dd05284162a0eba0a1f49a47883b7ddfa343373a56efba41e6a79692cdbfa28defcef73ad2e908626a5340c0e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
92d6268d402b972ce1931cddf0f7c51d

SHA1
d896f9f8abfc3631a6242ac4feae14520678fe33

SHA256
bdfbe82890bc269bc98fcf31e4338578bcd250ab656e18f58fc16a1456775c81

SHA512
e01fceee6dcaba62a1f0d50ae4206348718b0dc4d2263d1e72877877d384c7c876b39988f7f05472106e155fbd136aef9a93af0d468f3f26576dc76c790880fe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
5bd04ecd92a0df81283a15c9e25d8d55

SHA1
256d1036bf586e42c1e302fa1b35daaed2c9374a

SHA256
f3c1d710fb26d27cbcc4281b1d55e89be6b6d943381cec34f9d750ba2bf3e46a

SHA512
431eb060527baccefd9fd276380d16a66b95dc8bea06bb652e1cfd2f8c5464b01f9fdba0b634cd0183f41a337f9a0eb1a08ebb95dadaa58ec07d6c822d3886a1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
7ad7d14eae939f3631b51bf0b0110bb1

SHA1
fd705136746253b0305ee77ebd1b14261070cc4f

SHA256
b2514e56c8dedfee60a7ffbcfc6ef0472323cd1f45b8aaebb959b656a3a10b51

SHA512
06cf64469468208a300f9bbbb281099f79c8db199a49fec5d0d09bd96bb0c1daa6b578fefa49a40b35eae24bbadb1834026b9d9de6a4d750711a56bc732416dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7dd9dbcb8bb6ac61acb39a7bf5be680b

SHA1
2aeecbf639ac4add8c03bf3f7516c3d53590b6ea

SHA256
24e48c0271e40b86cea12ea459eadc15f07398c0be5c32d3a77a345a78f1e8fe

SHA512
3e1caa00a071a85c0687df0785191a8fb9a13f38573613c0657a84742dac626c769c33ff26938e2ba03b58aeb1675ac4042b02a35e144e57c6b7499d758b4021

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ef67ee4ccc5b938645c6cdd3b872309d

SHA1
8823e29d69f19ecca2952072fe0667096e586827

SHA256
041aaf80fbe2c56df5ae3b2e8aa1710da763c81f7a4f8a06bded634e10d6e337

SHA512
70d7b0a95b9a32d828c900b45fcca9c6edac6bbf0f90bc84632053db5a90533ba824cc9d3218e97ca0fdb9a33d76508755abef637965c82d57daefcc19560224

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
aa0915219e66252eaa419c32596426f5

SHA1
4cef9a32043a0c3a17c393ada65cafd4a3422233

SHA256
1232516daa5eb185bf94e5238eadd0e52833aa3d44eb974cd3e1137047720cb8

SHA512
77f646ad98f523f283156e47d5dca12a34bc319329b203e94f48a8f9000f2faf02a29f83e3109409c3e43564af7c423fe3e911f4e6f7a5bfd6a773501199b621

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
5f81c604275bd2383d12b176cdc90ab1

SHA1
51f02f325a9280596a4b23d5903775835f6f810f

SHA256
1388a8fe188b94db98486fcea36cab471ef3f9c4c7e1dd6e4bf1b594c6fb77ac

SHA512
d45fd04f4b67e8edc39541b0a9037950471c0e99ff27d1febe9b2e485d5e1924db7b4a94e871ee3c255a63fbbe4a5fca9af15a7f33ad8a7d85d907d821e4db8c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
3ad4ec335b41f1ab6c41f51334209a2b

SHA1
565b6d1ef975379a3e654d0e302e1057bdd78100

SHA256
f4ec228a7e9851c1cf95cfeced7c71363175f32054db5ed62f66a6bceb086541

SHA512
904572f53a70cf5460ea3b34e4efb834acaedb474fe2a9c41f0a81f9c01df55a0a6d9ca3b524e378916704fb5a48f0dddc9cec8d19e57f7f74961ef0c2747e81

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
517efc0f589174fbcf3acd43435756b0

SHA1
cc0587e7709193c0aa1e89df14ec73685243b842

SHA256
593cb6461de57721cee59b7d255eb3a5eec153a91fc14627b27603e6fae6e867

SHA512
94746ac0a730c69891bb4c7ec56e2045d834def4e5ccfe9948c06eaa8b705c3587a6b7be340eb5cab86d08a074d024ac78a45fa9da6045a4ad0bf0c5bfd4815b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
9181167af92483883e1046f1e00820a0

SHA1
502f51d0b6afc1cb7519cbb662345a2e4552fc0d

SHA256
d9b247b105929688c3427da618c0ef713c5549053eab947e882faa3cd805456f

SHA512
e191edfebb1c66596c2064aa49822e6f767b255b2575dbb8e1c82a8b9f7802ad5bfd3b52c32240fd7f668591303be3b77c84990fe997d94dac153b2845a5431c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
c837a1d97c3ea7b74331c32e0b47013d

SHA1
dcb97d7420d2759f8e922d6b6a4dcf0ea5c76c8c

SHA256
d9670fe85afbd80e34a91392ca4ccd4316726e9f12925998f66be3e7438f09f8

SHA512
6a1317ef74efba0991885c3cfadf74e8dc5aba7ee71a0e6fdd59fde5ec00d9cf9a0c24a069a41a03f40fadb1eacc4fd2e864282df361e31f48bcbdba45268052

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
ab3388a6cfb361f85d37b63180a5cc07

SHA1
1ea2975f061138713bb3cc0d920cad781b0f3406

SHA256
fa8f122a5b6e2a4811a44eb00b744c12fe0f2022314607f6e974d400066592f2

SHA512
2de1784f1f1bb67342e699ce408e8a2997da2476a09b0c64bfc4f843d000cd73d9dd90eb728e90e28d0b41831414d066f692d429d6933ea97568031e1ab4e412

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
411a6c2212fdd1d3fa21ae21235fc7b5

SHA1
68d0b0cb8319829852ec450c644cd9dbeb6076cf

SHA256
7e9a7e484d322a3c0e678d323e3dca73c9f81782dae051d5850072ac4df21cdc

SHA512
51cb1abc6ba11dcc55d271c25f236c10c9d0534cd358c48f35de17e0460ffb2d3ab76b8c8beb7c674576a067815264b75f0a08660710617eee06ab497dd350b5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
ffdd6467506f4cb5c4da668eaf4ee355

SHA1
95051f364f8ec33decda41885150f3b3669cc469

SHA256
f8136385e5efbd41728e4982b81cff576e07a3e2a5fc7b6fa0cfb58a8aeabc16

SHA512
d823ed3f402f847953fcc888dad82c3cabde3a216786da86882b57e0ad95a523da70d0f6346d8919834d0146569ba7ab361867502b78f49e316b76cb273487bd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
c7b85956104cce619de5300a276b91ae

SHA1
847dd64c15f5e801a6e78fde2f638cbf4af4d8c6

SHA256
d9855f0c165cc0e11c6856d30b2072e98673930b6726bff3759f21cc884a84a9

SHA512
893b69502aeeace654f45473855dc7506e34d00bfde6193d4952e920ced079167db2645d21345abe0c61d04581d4d69d2e31ca55552233db08cabcf09b97522b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
2fa3654d4e2001233e7e817b1156591a

SHA1
1f0e12dd27309705ed0368f8075ae46d0328d4a5

SHA256
e2596618a63fc2d10bcad2c020b353d45f8730d3fc470819152b7841c0381401

SHA512
b01a81c6b1f04b59a8424e024e4753e2dc5552fbac26d70ad4dc6456d4380e39ab143fe1137d7dfcda79fabc240e2c0c31eeca10306ca0cd550a9eeeab403094

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
0a55912f605a88d643312daf2247b27e

SHA1
f5ee77e67829d1da9c9c0fd3a340d1763efbf1be

SHA256
8d01ca0d5e3ac016f28f27eeb4b59acbababfa4a26d041d1941bc889b2ab321a

SHA512
640ae58843248e54fcfbbd5b9de1c6f2b374d39f236314d0f7d6de75fed4c169f4e2c513bd587ae9badb6df5271b3afa9e649572c4101cd01c87fec1b16492a5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
f1f32378a5cd4ca01fe9c79bc56a21f0

SHA1
730123d83bcfea2b69627b83a78e17b6a84b91f9

SHA256
330c31f2f234bc3517bf2fa49a8dccfe68f352569a17a2a53a2a10d51c4a1bba

SHA512
1eedf27fd4d85edd8da44bad940f5e2b45fb47dcff2429489315fd0ab5783c71f7770b2902f5ed6749ee82777ed48e029a77f845852a69fbe60e495293aeae6f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
4cd5f23a678222be3733e84567f8e182

SHA1
093f434732523d366851a0df398a5e7c977cf20b

SHA256
1f11cc61e6adb815e09316fdaddeef1d16be56c6e9a0d57e291159343a83b867

SHA512
d7d4dda2100d24380bc6ee362b250f70580911a7c4d2087c328633328ac9522bf578d1ed526e0ffa499166288bd67c32f0519160b2050d9ac03167f253869316

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4342af7a1b6dd696d38a089275af3d5a

SHA1
cf4f6d3dc0a28699f536107f58cc3337558a280e

SHA256
5d6f323ff6a9cf2a783c1c062f15c1a966cbdbff41edeac31690b2dbd2c0690e

SHA512
8d76d832d71380a2d90e39bfad29f13762d563f43eb03e461717759ca470a5db961b4cc99b8e5fa126e606e0df5254d4c26c77272bad5b7308933beaf39055cf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
8968f7b4da61d461c474b8c8f1adcf63

SHA1
69adf7cc72cab965ea470e1ad7c1463c56058ff8

SHA256
ffbc66c912065c332ad49b38affdc35d9ca4f32131a8ca24e760965ef7bfd34f

SHA512
5a3a1fbbd15f0afa55bbc54a6e75424ca0325be1bad31ce652e4ebc3948eca62efe33843f3af9c7dfc57777e72f705752265abe551f31cc8406e2118b4073e84

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
93b07f1e65e5cfab8d6d1ffd377c7e7d

SHA1
719582aa0f71e524971718cb80cae9c6d6fcc972

SHA256
50fb90d3d650378fe88194265018cbda88d987fd09d40d560f659d15a46a1072

SHA512
1838b2a44524775b7cb57fc0795eff11cf359de8b1a7808b8ec47f41a7b833f0d61d037b1633523e4eff772f912f454d4be54f9ba089dda464de374e7dc250ab

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
7299e9f1c275867cbb1d895c686f0641

SHA1
72d2ca53e688e7f64a0558c1bbbf705b02708f89

SHA256
ae3f0c49c963a92a2095acf83fe0a086480c9af2dacb7962c2e9cade6a742102

SHA512
2312e72cb772f6eecc4090afeec7d471ea9a4f2f98bd2d06c7e03563975dbb1f0fd01806bf22d9ec9aef2477e7ab554e93e96765af20d19c7bf47b57d12c4aea

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e9f091afef2de358503fc5a60c9e5f03

SHA1
b1d757505af1c3ae523c874736f176b1df8e12b3

SHA256
506dbfcd6704a73208dc2b124ee519830f353466bb8d6e7a2a1b5d7fc1a81e0d

SHA512
49a22b7a405009e72e4325bb4425a5b82a831c1d5ab2792d8d046cd51a5cb908ab99b28d2ae88580cf32edc431c6a5191e76712e7b4c956bd4d0ed68157e4fb9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
a63f558f63a5a46d754a8bfda5b02764

SHA1
89a303c5dd8238580ae82ac4b9349207313080be

SHA256
2c5327f0ecfa8875fc8976bdb72f1e32a0310580cf852af31fc608649f185787

SHA512
7417b231ea688b3e4f3f18e4520bde6ce8edaa908b3c7b051e3f0156a9bec00344938e5d8feefc6c05b508766261c57a08dd0f602ad15a812f29a7fc2d197928

Download Submit
memory/320-354-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/584-285-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/584-124-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/584-126-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/584-131-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/812-338-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/812-346-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/964-390-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/964-397-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/964-403-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1336-165-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1336-246-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1336-166-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1336-311-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1464-162-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1464-156-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1464-163-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1464-249-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1464-149-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1464-150-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1464-296-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1476-252-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1476-259-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1476-251-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1476-321-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1668-139-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1668-113-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1804-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1816-375-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1816-372-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1816-368-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1932-463-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2064-293-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-291-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2064-290-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2064-371-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-358-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-141-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2196-243-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2196-6-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2196-7-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2196-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2196-1-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2632-483-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2632-494-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2652-18-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2652-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2652-48-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2652-19-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2684-282-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2684-268-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2684-344-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2684-279-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2744-248-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2744-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2824-359-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2824-356-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2876-339-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2876-305-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2876-319-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2876-340-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2880-314-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2880-373-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-299-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-431-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-324-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-103-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2884-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2884-98-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2884-121-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2960-271-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2960-362-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2960-269-0x000007FEF4060000-0x000007FEF49FD000-memory.dmp

Filesize
9.6MB

Download
memory/2960-326-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2960-480-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2960-342-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2960-288-0x000007FEF4060000-0x000007FEF49FD000-memory.dmp

Filesize
9.6MB

Download
memory/2960-332-0x000007FEF4060000-0x000007FEF49FD000-memory.dmp

Filesize
9.6MB

Download
memory/2960-329-0x000007FEF4060000-0x000007FEF49FD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-265-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2980-276-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download