dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
Size

1.8MB
MD5

0c414c744d93254cb1ae93770374aab9
SHA1

4afa2b6061fa2c48eae9858cd3dbb70c6ca1eae4
SHA256

dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db
SHA512

1ecbf203e558870bb5fed2425b3051357aedf5429f766237bc40e7d9cae3aa72767ddb314bc59781969b6c87b6f70d29ef474919b0a70a7a5677707b68332e78
SSDEEP

49152:Jx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAzgDUYmvFur31yAipQCtXxc0H:JvbjVkjjCAzJtU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 53 IoCs

pid	Process
468	Process not Found
2388	alg.exe
2452	aspnet_state.exe
668	mscorsvw.exe
808	mscorsvw.exe
1456	mscorsvw.exe
1648	mscorsvw.exe
2064	ehRecvr.exe
1148	ehsched.exe
1812	elevation_service.exe
2992	IEEtwCollector.exe
2952	GROOVE.EXE
2440	dllhost.exe
1640	maintenanceservice.exe
1460	OSE.EXE
2788	OSPPSVC.EXE
1132	mscorsvw.exe
2664	mscorsvw.exe
436	mscorsvw.exe
2076	mscorsvw.exe
1916	mscorsvw.exe
1608	mscorsvw.exe
2564	mscorsvw.exe
2700	mscorsvw.exe
268	mscorsvw.exe
1756	mscorsvw.exe
1896	mscorsvw.exe
1548	mscorsvw.exe
632	mscorsvw.exe
1696	mscorsvw.exe
2708	mscorsvw.exe
1728	mscorsvw.exe
2676	mscorsvw.exe
1740	mscorsvw.exe
2724	mscorsvw.exe
1800	mscorsvw.exe
1620	mscorsvw.exe
320	mscorsvw.exe
2832	mscorsvw.exe
2640	mscorsvw.exe
2660	mscorsvw.exe
2000	mscorsvw.exe
2764	msdtc.exe
608	msiexec.exe
2312	perfhost.exe
2112	locator.exe
1896	snmptrap.exe
1276	vds.exe
2336	vssvc.exe
1820	wbengine.exe
2620	WmiApSrv.exe
2800	wmpnetwk.exe
272	SearchIndexer.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
608	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2fd5f00ccea407a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_ja.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_pt-PT.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_te.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_ur.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_hi.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\GoogleUpdateComRegisterShell64.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_nl.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\psmachine_64.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT4B73.tmp	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_es-419.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_el.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\psuser.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_mr.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\goopdateres_fr.dll	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4B72.tmp\GoogleUpdateSetup.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC53FC4E-4AC6-4773-B69E-91F8F7A5F734}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC53FC4E-4AC6-4773-B69E-91F8F7A5F734}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020504b9af78fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
940	ehRec.exe
2452	aspnet_state.exe
2452	aspnet_state.exe
2452	aspnet_state.exe
2452	aspnet_state.exe
2452	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2184	dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
Token: SeShutdownPrivilege	1456	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: 33	1448	EhTray.exe
Token: SeIncBasePriorityPrivilege	1448	EhTray.exe
Token: SeDebugPrivilege	940	ehRec.exe
Token: SeShutdownPrivilege	1456	mscorsvw.exe
Token: SeShutdownPrivilege	1456	mscorsvw.exe
Token: SeShutdownPrivilege	1456	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: 33	1448	EhTray.exe
Token: SeIncBasePriorityPrivilege	1448	EhTray.exe
Token: SeDebugPrivilege	2388	alg.exe
Token: SeShutdownPrivilege	1456	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2452	aspnet_state.exe
Token: SeRestorePrivilege	608	msiexec.exe
Token: SeTakeOwnershipPrivilege	608	msiexec.exe
Token: SeSecurityPrivilege	608	msiexec.exe
Token: SeBackupPrivilege	2336	vssvc.exe
Token: SeRestorePrivilege	2336	vssvc.exe
Token: SeAuditPrivilege	2336	vssvc.exe
Token: SeBackupPrivilege	1820	wbengine.exe
Token: SeRestorePrivilege	1820	wbengine.exe
Token: SeSecurityPrivilege	1820	wbengine.exe
Token: SeDebugPrivilege	2452	aspnet_state.exe
Token: 33	2800	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2800	wmpnetwk.exe
Token: SeManageVolumePrivilege	272	SearchIndexer.exe
Token: 33	272	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	272	SearchIndexer.exe
Token: SeShutdownPrivilege	1456	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1448	EhTray.exe
1448	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1448	EhTray.exe
1448	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2524	SearchProtocolHost.exe
2524	SearchProtocolHost.exe
2524	SearchProtocolHost.exe
2524	SearchProtocolHost.exe
2524	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe
3052	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1132	1456	mscorsvw.exe	45
PID 1456 wrote to memory of 1132	1456	mscorsvw.exe	45
PID 1456 wrote to memory of 1132	1456	mscorsvw.exe	45
PID 1456 wrote to memory of 1132	1456	mscorsvw.exe	45
PID 1456 wrote to memory of 2664	1456	mscorsvw.exe	46
PID 1456 wrote to memory of 2664	1456	mscorsvw.exe	46
PID 1456 wrote to memory of 2664	1456	mscorsvw.exe	46
PID 1456 wrote to memory of 2664	1456	mscorsvw.exe	46
PID 1456 wrote to memory of 436	1456	mscorsvw.exe	47
PID 1456 wrote to memory of 436	1456	mscorsvw.exe	47
PID 1456 wrote to memory of 436	1456	mscorsvw.exe	47
PID 1456 wrote to memory of 436	1456	mscorsvw.exe	47
PID 1456 wrote to memory of 2076	1456	mscorsvw.exe	48
PID 1456 wrote to memory of 2076	1456	mscorsvw.exe	48
PID 1456 wrote to memory of 2076	1456	mscorsvw.exe	48
PID 1456 wrote to memory of 2076	1456	mscorsvw.exe	48
PID 1456 wrote to memory of 1916	1456	mscorsvw.exe	49
PID 1456 wrote to memory of 1916	1456	mscorsvw.exe	49
PID 1456 wrote to memory of 1916	1456	mscorsvw.exe	49
PID 1456 wrote to memory of 1916	1456	mscorsvw.exe	49
PID 1456 wrote to memory of 1608	1456	mscorsvw.exe	50
PID 1456 wrote to memory of 1608	1456	mscorsvw.exe	50
PID 1456 wrote to memory of 1608	1456	mscorsvw.exe	50
PID 1456 wrote to memory of 1608	1456	mscorsvw.exe	50
PID 1456 wrote to memory of 2564	1456	mscorsvw.exe	51
PID 1456 wrote to memory of 2564	1456	mscorsvw.exe	51
PID 1456 wrote to memory of 2564	1456	mscorsvw.exe	51
PID 1456 wrote to memory of 2564	1456	mscorsvw.exe	51
PID 1456 wrote to memory of 2700	1456	mscorsvw.exe	52
PID 1456 wrote to memory of 2700	1456	mscorsvw.exe	52
PID 1456 wrote to memory of 2700	1456	mscorsvw.exe	52
PID 1456 wrote to memory of 2700	1456	mscorsvw.exe	52
PID 1456 wrote to memory of 268	1456	mscorsvw.exe	53
PID 1456 wrote to memory of 268	1456	mscorsvw.exe	53
PID 1456 wrote to memory of 268	1456	mscorsvw.exe	53
PID 1456 wrote to memory of 268	1456	mscorsvw.exe	53
PID 1456 wrote to memory of 1756	1456	mscorsvw.exe	54
PID 1456 wrote to memory of 1756	1456	mscorsvw.exe	54
PID 1456 wrote to memory of 1756	1456	mscorsvw.exe	54
PID 1456 wrote to memory of 1756	1456	mscorsvw.exe	54
PID 1456 wrote to memory of 1896	1456	mscorsvw.exe	55
PID 1456 wrote to memory of 1896	1456	mscorsvw.exe	55
PID 1456 wrote to memory of 1896	1456	mscorsvw.exe	55
PID 1456 wrote to memory of 1896	1456	mscorsvw.exe	55
PID 1456 wrote to memory of 1548	1456	mscorsvw.exe	56
PID 1456 wrote to memory of 1548	1456	mscorsvw.exe	56
PID 1456 wrote to memory of 1548	1456	mscorsvw.exe	56
PID 1456 wrote to memory of 1548	1456	mscorsvw.exe	56
PID 1456 wrote to memory of 632	1456	mscorsvw.exe	57
PID 1456 wrote to memory of 632	1456	mscorsvw.exe	57
PID 1456 wrote to memory of 632	1456	mscorsvw.exe	57
PID 1456 wrote to memory of 632	1456	mscorsvw.exe	57
PID 1456 wrote to memory of 1696	1456	mscorsvw.exe	58
PID 1456 wrote to memory of 1696	1456	mscorsvw.exe	58
PID 1456 wrote to memory of 1696	1456	mscorsvw.exe	58
PID 1456 wrote to memory of 1696	1456	mscorsvw.exe	58
PID 1456 wrote to memory of 2708	1456	mscorsvw.exe	59
PID 1456 wrote to memory of 2708	1456	mscorsvw.exe	59
PID 1456 wrote to memory of 2708	1456	mscorsvw.exe	59
PID 1456 wrote to memory of 2708	1456	mscorsvw.exe	59
PID 1456 wrote to memory of 1728	1456	mscorsvw.exe	60
PID 1456 wrote to memory of 1728	1456	mscorsvw.exe	60
PID 1456 wrote to memory of 1728	1456	mscorsvw.exe	60
PID 1456 wrote to memory of 1728	1456	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
"C:\Users\Admin\AppData\Local\Temp\dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:668

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 1dc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 258 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 264 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 268 -NGENProcess 29c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 2a4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 188 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 284 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2064

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2992

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1460

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:272
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2610426812-2871295383-373749122-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2610426812-2871295383-373749122-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
90fc1fe924d49f9b4da00539ae082ed4

SHA1
85cecc6627d4b8e047b53644f29e9f85bc59d44c

SHA256
323be04db5b4cd769688a4129ee81da91508bd1c662af0b0ffe1fefadd9078ca

SHA512
856496b7ba0f45555019957278d12409de408f46c90f2c1317aea9ceccf8fc9b920041c4d4b84ef3403df5abb78e3dffa4202c54847b1f2bd0a308868d488086

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
cbcb0d4c80545fe01e3ac0e978d927f4

SHA1
f3b8e19f0ec4eed8d54ce73b5de093173367bdcb

SHA256
5a4900c57e7129a59b1060349a9eee4347eedf73d60f4d855b096137afecc572

SHA512
b3a03f5ef0e1be8c23f06ed5169a0f6bbbc989c19ed1f4814173c73a4c9f30c58d0cb946fef24ff3eba5bccb4e987b77df1a517807cedc5e2a986d82ddf92171

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
01529d845e604739c4077696b72370d1

SHA1
c3b600955a805ae069a5e0619faadf6b9d8c5a74

SHA256
d24513f652f14503fedc432835fe4239ea9de59aaffeab7d0d67331f5931acd6

SHA512
3627890a74a3de8ac1af09ad155dd30fad3115765bc159cb72d195b8bcab4891a75c78b315b67831c4fb57c99ad2d138faa11cfedb4c4e0739cbfbeed135aa16

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c65172f5e6eb25cc7dced89883d5140c

SHA1
d7f4fbafd4b7bd920d097cbf45bcc8222cc77631

SHA256
0099f3eb9445eb0eb86ca3a46171b8efaed533a404f773fbe72a7d5693f8da25

SHA512
38be245b9c7c40c5566171911dd8d7ecfe18d601d9d43a8945d29ef79a38840b1d25233fe7b9e1119453d728e41f35d9daca41089cb7835d7a38d89994a0ef74

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6569aa0d1bbabad1b66022a14dd03ddf

SHA1
a31946bd97de3b9145bbfa2299fd99d3c007e451

SHA256
5ada869370203d8c9dfffeae8a15ce32177d7aff843ba6c822c33450ad8874ae

SHA512
c4d578a9f6574b389760e06c820a15e0a41ae60a82f6d51e849f420eb9703becbf799a8463b5d4844825de98f2a6a10ca6a750a7a5a7f1ab18adf6051fff8b58

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
14349ce1846fccf7830f06c7b606ea7e

SHA1
20fcec01f71a77e84b5b7052e2acb8d87616faef

SHA256
932c5198814c1de31e2754b3e57aa12ee72b99dafce3b331f7a2efa659201b04

SHA512
0c3df92a9f054f6c38abdc2da475a76d7185bb591c6679fd287cacfeb493a42dccadf009041c870472c7efb2b253a049d20eb0b9e1ddcbaf6649054532637fc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
81b0f66b70843b2c98fd446dfa10bad2

SHA1
b8d0026310c670559ebed06c693ee8055c73030e

SHA256
06850db7ace78636f972d5da772fc764d0a73dd1bd4ab59c325108cec6a1a6a6

SHA512
f6bc3a15ddaa66df24f21c47a03ffc682f52dd0c3d5fdbce4cfbb98fb498eeec66359f54aeeaa716b6b5e2a9f3dea56e56b25c9b28f2cd38487b28418c7ff4f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
cab5c2ef8a93f68f31e84f3553345fb3

SHA1
622f516658c5cfabe009aa84f2e87c30cf311a7a

SHA256
6cc498b1aa0f84afd55c10e1201235dc52a5e4f7a996be4ee27655d78f4e126a

SHA512
6613a5845df4adbd2e936ec4c98a4664a11556b0f8613e005a5d596f047b9785163ee5ad99618a348faec50f7fa6cded643645210f4d019a514af7c657806be0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
b43db3a95c8ac0cd7649dadae25e6f31

SHA1
20011a26a981060287b1d651127be04ab988c4b6

SHA256
2318fd61f2b9a4b538179b71a58cd82808c6f030bfe2f29b551e99ae9004504f

SHA512
d6df2a124c3f12fee1827415503cc555cd4b18b9a4e9c0de7c6eeb0e5bc0d050d752ae0eb9121556f785f8efdaca229c79f7f78b197a1b8ebf39341d3e760896

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
32b203834d2032a9c6a3e169c21a44b3

SHA1
a8d51f78a892090cad676fdee473d89872439587

SHA256
5815148d70855895a84c55d37e32c4205d07712df03fddb7a1abc4eb129af3e4

SHA512
972477c2c5d51a76bd853efd99aa44662d70e8426006aafb899a42f317a141b0e503d5302b1e3c946b42153f38f434bbbf3784dd4b089f331682b1475b189c05

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
76915b55fe7bc35e3e53ccdb4eeb64ef

SHA1
6bcb848b11bd517d4adf97e76a69a5d6f6d3f9b6

SHA256
7f352b6ed879f728fc5417a7abf4260885432d74ceba4dd05edd2cad01ac168a

SHA512
286503eb7ee3414afb5a6775f4ed37c095a98ca76db6b68dee16e7ca8f4d24aa36a9ce40c77518f6514d465c42c710911cd00c31e2a73b072a2497f4e4341e75

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2b37e4642321cc476d1d10bfba53c2b5

SHA1
991c4e5a5eb686e6af3d74bf90346842fca8b0b5

SHA256
8b929fc38d96fd91665512e2d0e93eeb5ee31b213e6c021368f76605c1361cd1

SHA512
248d3b0c432967e4ec872c1bb4fd85beafe2cb93f7c205b54786287df6da025b222a5ae04b8db0c658b3bb4f5962496fb1304fea5afff702664153dfca219bce

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
6c8a1122633a9de87487105fae2df42a

SHA1
bc3e62cda59f3124f9d3faf16f525001b734544f

SHA256
82f1b789e2b30fe2450b45f8e4d47915f4dc3b64f788607dcb6211b1fdf96913

SHA512
f6cc7ee6fa82d2b2e8cf0bb5f81ba9c8eb43f7f51493ffd0e516333bf29214d20b5ca2a44e149c5c51549bb6af43fc16648ce35d12de06f7fc6ec67c5a1b75f1

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
f58a99c83f3db4da3041efb076b4c0cf

SHA1
a21510f3ab697734559af29cdcb8002d27a28d8f

SHA256
6f2421c19f0012fe6897d20150692312595c280549cb6039a1020a66403843b0

SHA512
f6e5df6bdf80611dc5b0d368bff38fa80284ffbe87d6f8aa637082bba345798b3cf1c0b2c138a93d51ac05e777ac8d45b11e08ae0cd0869d5789deafa6791c7b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
be103d3ee18c7864e6030b10ee2c2ffb

SHA1
f6dba7337907c33615d13c3ebda69996acb8b19c

SHA256
837d7ca75cc30ba6fc98dfbcaad26754c06a80b3281e6df212df57178be91336

SHA512
cc1286f99e636ec2d7e4d06748586e8d66f8531c5ba0d2ac2937c3b11eb1e8248681930383725a19cb0cc63dc2d047e4cb7af64b75a8623e82baf5de82279d1d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
bb6939d1fc4a3788bb2f256c95841d8e

SHA1
1e1527edd9e67cc6f4f216ff2a190e849e1bd02b

SHA256
11d90db88200d8ffd17a36cd2fc84883f3f1e372ea0cfcd9cafea1692b05c431

SHA512
8824354a39ddd297944050cb8d8455ca2e9f06d6d2de3ddb76ea7dbdf922b4e731d775aef45d4aff4c501eaf31ea31df70f7e7f4f14c0f709d73f709d5c09e11

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
a3a6356268137b616e227330bdb4aa59

SHA1
a96c9fb4e58e08e72697372e32165085d86fd346

SHA256
868d611be4050610f14a889b0cf864ba9c3ff2aedc88bab705953622db13029d

SHA512
5cc5c8b4a4bc9872610a7097ff36d3c98d9708f4ef2625ce66bbd0fd1cbcf9aed9d7b3ef20dee41fe0d4e5b864a3fbf4253fca432ac9141620af90965586bb44

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
f7e0417b8ec62c539cee726edb582b2f

SHA1
a2ec3c6b19627129fe92fe317cbaa7ec633a7342

SHA256
b1cd926e3f576858823e0eb71027756d102a587aed85142faf64afcbf96e7d2a

SHA512
16b0929cea4c08927edf8bdb87e915ecd57703fbcd57ab107b2784743f6f594a0f037961d1291906673def45499eb160c3423da18df7432e54126aad99c14a6c

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
dd90ec35cf4bc808e7c0b27920b79ecc

SHA1
fa6cdf8b0cd5b8808af3bec12ec2104e06414d0d

SHA256
18cdee53e98b464502327d461fdd61cf5e4966249e1b93d41903d0f2daad6fb3

SHA512
7835ddae55690cb5a1ab6474cd60ec1716e3235200110f953a394e004bdadfcc41df0997e6d885bc810d1680b89e50c5b0eff781394e93b28c5f379e6dd866c1

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
af22f3eed78d492c6613bb6fd6cee24a

SHA1
4393f7ccd6d509687df3ea9003c32f0edd0cc58e

SHA256
1a079b25517650d5c754ddacd2fe5577f976182b17ab0ddfe6a734aa96321cf6

SHA512
373b6b1055ce2a5064e9d66e6a0e92e85d065c5eae5bd8784776cdf30b5f63f457eec44fc26c28580738d0876581452c800acc654a96d7cbd7f4df98a7cada8c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5098e8393ec73a929e0f9f87657a64a6

SHA1
edd886012042cb8b0dee2ab0fa11b04b40c345af

SHA256
cd23da381aab865bd247fe0f172be39107d0bec12d0e65d93949fb6eaf92b061

SHA512
c2e63c108ee03e0e8fe08dfd752e2c4936d1fb6e725c7deabb3d379f02b98f6a57deea57b4bdd0db0cab453581921732036c7d5e0afd7c803b43827ae5ffcaa1

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
7ff7254ff31a4a840454a8e2f217aacf

SHA1
51d157787a7daeffc47c024c76fb5f99d331b0a9

SHA256
2214c52df54ca9e7d0361e77abe5c18156ae05fc671b4665aa1d40ed9f88f2de

SHA512
f8aa1483028475a8411ad2a97b6547426468d8a6d756ca786f1b3f75bfd37c8c57e28ca7ed2205c2af254f02a0a2be7cd730bc9a9a24541d0d018208cfcbc0eb

Download Submit
memory/436-572-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/436-594-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/436-595-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/436-575-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/436-571-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/668-114-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/668-140-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/668-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/668-108-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/808-132-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/808-174-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/808-123-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/808-124-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/940-561-0x000007FEF48C0000-0x000007FEF525D000-memory.dmp

Filesize
9.6MB

Download
memory/940-317-0x000007FEF48C0000-0x000007FEF525D000-memory.dmp

Filesize
9.6MB

Download
memory/940-237-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/940-235-0x000007FEF48C0000-0x000007FEF525D000-memory.dmp

Filesize
9.6MB

Download
memory/1132-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1132-526-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1132-534-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/1148-204-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1148-196-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1148-600-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1456-144-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1456-220-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1456-150-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1460-568-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1460-567-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1640-350-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1640-349-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1648-170-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/1648-576-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1648-163-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1812-221-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1812-212-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1916-610-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2064-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2064-190-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2064-591-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2064-183-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2064-215-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2076-596-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2076-604-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2076-593-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/2076-602-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2184-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2184-314-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2184-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2184-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2184-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2388-52-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2388-53-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2388-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2388-161-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2388-13-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2440-566-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2440-578-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2452-103-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2452-92-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2452-181-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2452-96-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2664-559-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-557-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-558-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2788-573-0x0000000074428000-0x000000007443D000-memory.dmp

Filesize
84KB

Download
memory/2788-569-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2788-570-0x00000000001C0000-0x0000000000220000-memory.dmp

Filesize
384KB

Download
memory/2952-565-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2952-574-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/2992-577-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2992-319-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download