8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
Size

768KB
MD5

c677f69672c707d4e12aed0494241002
SHA1

c80595408ed0f6e7465e3cb1e0de3b9f8360fa23
SHA256

8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b
SHA512

16c3500fa420ec5e2a56fe05b18a0023240b19dbeaba1ad8e19c7c783be26bd9a3f61b31c8bd931e2774666562d47fb8359806d31da38d08feb0758856d9bd2d
SSDEEP

12288:lRsGNtapUBL8252uui8FbECP7BhdfswdJ0NXdU8ZWH7DEP1rCJ7U36:YGD2t2rR8FfBhRJUEbDk1ulUq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
464	Process not Found
2884	alg.exe
1504	aspnet_state.exe
2772	mscorsvw.exe
2192	mscorsvw.exe
2668	mscorsvw.exe
1952	mscorsvw.exe
1092	dllhost.exe
1008	ehRecvr.exe
1296	ehsched.exe
1800	elevation_service.exe
1696	IEEtwCollector.exe
2652	GROOVE.EXE
1680	maintenanceservice.exe
2600	msdtc.exe
484	mscorsvw.exe
2756	msiexec.exe
2208	OSE.EXE
2096	mscorsvw.exe
748	OSPPSVC.EXE
2204	mscorsvw.exe
2252	perfhost.exe
2516	locator.exe
1932	snmptrap.exe
2260	mscorsvw.exe
1032	vds.exe
2232	vssvc.exe
2588	wbengine.exe
1756	WmiApSrv.exe
1940	wmpnetwk.exe
1980	SearchIndexer.exe
2508	mscorsvw.exe
1748	mscorsvw.exe
644	mscorsvw.exe
2672	mscorsvw.exe
1564	mscorsvw.exe
2436	mscorsvw.exe
1380	mscorsvw.exe
2572	mscorsvw.exe
2864	mscorsvw.exe
1564	mscorsvw.exe
2436	mscorsvw.exe
1776	mscorsvw.exe
784	mscorsvw.exe
1600	mscorsvw.exe
3032	mscorsvw.exe
896	mscorsvw.exe
1764	mscorsvw.exe
2128	mscorsvw.exe
2372	mscorsvw.exe
2676	mscorsvw.exe
892	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2756	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
736	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\locator.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\System32\alg.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9be4bf0a9a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\System32\vds.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2A69E179-65EA-4E33-9D83-B45D253304CF}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2A69E179-65EA-4E33-9D83-B45D253304CF}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040ffbaa57590da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000db2fa47590da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{368DFFAC-1004-4104-89EA-90654E21A94C}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
872	ehRec.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
Token: SeShutdownPrivilege	2668	mscorsvw.exe
Token: SeShutdownPrivilege	1952	mscorsvw.exe
Token: 33	824	EhTray.exe
Token: SeIncBasePriorityPrivilege	824	EhTray.exe
Token: SeShutdownPrivilege	2668	mscorsvw.exe
Token: SeDebugPrivilege	872	ehRec.exe
Token: SeShutdownPrivilege	1952	mscorsvw.exe
Token: SeShutdownPrivilege	2668	mscorsvw.exe
Token: SeShutdownPrivilege	2668	mscorsvw.exe
Token: SeShutdownPrivilege	1952	mscorsvw.exe
Token: SeShutdownPrivilege	1952	mscorsvw.exe
Token: SeRestorePrivilege	2756	msiexec.exe
Token: SeTakeOwnershipPrivilege	2756	msiexec.exe
Token: SeSecurityPrivilege	2756	msiexec.exe
Token: 33	824	EhTray.exe
Token: SeIncBasePriorityPrivilege	824	EhTray.exe
Token: SeBackupPrivilege	2232	vssvc.exe
Token: SeRestorePrivilege	2232	vssvc.exe
Token: SeAuditPrivilege	2232	vssvc.exe
Token: SeBackupPrivilege	2588	wbengine.exe
Token: SeRestorePrivilege	2588	wbengine.exe
Token: SeSecurityPrivilege	2588	wbengine.exe
Token: SeManageVolumePrivilege	1980	SearchIndexer.exe
Token: 33	1980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1980	SearchIndexer.exe
Token: 33	1940	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1940	wmpnetwk.exe
Token: SeDebugPrivilege	2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
Token: SeDebugPrivilege	2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
Token: SeDebugPrivilege	2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
Token: SeDebugPrivilege	2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
Token: SeDebugPrivilege	2852	8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
Token: SeShutdownPrivilege	2668	mscorsvw.exe
Token: SeShutdownPrivilege	1952	mscorsvw.exe
Token: SeDebugPrivilege	2884	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
824	EhTray.exe
824	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
824	EhTray.exe
824	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2400	SearchProtocolHost.exe
2400	SearchProtocolHost.exe
2400	SearchProtocolHost.exe
2400	SearchProtocolHost.exe
2400	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
2400	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 484	2668	mscorsvw.exe	46
PID 2668 wrote to memory of 484	2668	mscorsvw.exe	46
PID 2668 wrote to memory of 484	2668	mscorsvw.exe	46
PID 2668 wrote to memory of 484	2668	mscorsvw.exe	46
PID 2668 wrote to memory of 2096	2668	mscorsvw.exe	48
PID 2668 wrote to memory of 2096	2668	mscorsvw.exe	48
PID 2668 wrote to memory of 2096	2668	mscorsvw.exe	48
PID 2668 wrote to memory of 2096	2668	mscorsvw.exe	48
PID 2668 wrote to memory of 2204	2668	mscorsvw.exe	51
PID 2668 wrote to memory of 2204	2668	mscorsvw.exe	51
PID 2668 wrote to memory of 2204	2668	mscorsvw.exe	51
PID 2668 wrote to memory of 2204	2668	mscorsvw.exe	51
PID 2668 wrote to memory of 2260	2668	mscorsvw.exe	55
PID 2668 wrote to memory of 2260	2668	mscorsvw.exe	55
PID 2668 wrote to memory of 2260	2668	mscorsvw.exe	55
PID 2668 wrote to memory of 2260	2668	mscorsvw.exe	55
PID 1980 wrote to memory of 2400	1980	SearchIndexer.exe	62
PID 1980 wrote to memory of 2400	1980	SearchIndexer.exe	62
PID 1980 wrote to memory of 2400	1980	SearchIndexer.exe	62
PID 2668 wrote to memory of 2508	2668	mscorsvw.exe	63
PID 2668 wrote to memory of 2508	2668	mscorsvw.exe	63
PID 2668 wrote to memory of 2508	2668	mscorsvw.exe	63
PID 2668 wrote to memory of 2508	2668	mscorsvw.exe	63
PID 1980 wrote to memory of 780	1980	SearchIndexer.exe	64
PID 1980 wrote to memory of 780	1980	SearchIndexer.exe	64
PID 1980 wrote to memory of 780	1980	SearchIndexer.exe	64
PID 2668 wrote to memory of 1748	2668	mscorsvw.exe	65
PID 2668 wrote to memory of 1748	2668	mscorsvw.exe	65
PID 2668 wrote to memory of 1748	2668	mscorsvw.exe	65
PID 2668 wrote to memory of 1748	2668	mscorsvw.exe	65
PID 2668 wrote to memory of 644	2668	mscorsvw.exe	66
PID 2668 wrote to memory of 644	2668	mscorsvw.exe	66
PID 2668 wrote to memory of 644	2668	mscorsvw.exe	66
PID 2668 wrote to memory of 644	2668	mscorsvw.exe	66
PID 2668 wrote to memory of 2672	2668	mscorsvw.exe	67
PID 2668 wrote to memory of 2672	2668	mscorsvw.exe	67
PID 2668 wrote to memory of 2672	2668	mscorsvw.exe	67
PID 2668 wrote to memory of 2672	2668	mscorsvw.exe	67
PID 1980 wrote to memory of 1416	1980	SearchIndexer.exe	68
PID 1980 wrote to memory of 1416	1980	SearchIndexer.exe	68
PID 1980 wrote to memory of 1416	1980	SearchIndexer.exe	68
PID 2668 wrote to memory of 1564	2668	mscorsvw.exe	69
PID 2668 wrote to memory of 1564	2668	mscorsvw.exe	69
PID 2668 wrote to memory of 1564	2668	mscorsvw.exe	69
PID 2668 wrote to memory of 1564	2668	mscorsvw.exe	69
PID 2668 wrote to memory of 2436	2668	mscorsvw.exe	70
PID 2668 wrote to memory of 2436	2668	mscorsvw.exe	70
PID 2668 wrote to memory of 2436	2668	mscorsvw.exe	70
PID 2668 wrote to memory of 2436	2668	mscorsvw.exe	70
PID 2668 wrote to memory of 1380	2668	mscorsvw.exe	71
PID 2668 wrote to memory of 1380	2668	mscorsvw.exe	71
PID 2668 wrote to memory of 1380	2668	mscorsvw.exe	71
PID 2668 wrote to memory of 1380	2668	mscorsvw.exe	71
PID 2668 wrote to memory of 2572	2668	mscorsvw.exe	72
PID 2668 wrote to memory of 2572	2668	mscorsvw.exe	72
PID 2668 wrote to memory of 2572	2668	mscorsvw.exe	72
PID 2668 wrote to memory of 2572	2668	mscorsvw.exe	72
PID 2668 wrote to memory of 2864	2668	mscorsvw.exe	73
PID 2668 wrote to memory of 2864	2668	mscorsvw.exe	73
PID 2668 wrote to memory of 2864	2668	mscorsvw.exe	73
PID 2668 wrote to memory of 2864	2668	mscorsvw.exe	73
PID 2668 wrote to memory of 1564	2668	mscorsvw.exe	74
PID 2668 wrote to memory of 1564	2668	mscorsvw.exe	74
PID 2668 wrote to memory of 1564	2668	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe
"C:\Users\Admin\AppData\Local\Temp\8ce1eb20d418ee731c7005634d464a872aebe73b3bc5d6a20215b47965d2f30b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2772

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 250 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 254 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1d4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 250 -NGENProcess 1d4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 294 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 29c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 28c -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 254 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 254 -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1092

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1008

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1696

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1680

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2208

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:780
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
70ae92d6c2388a5b428960c4bc3cc34c

SHA1
c199a8fe5dcbf2e0bcd697523d9a4d305afdebaf

SHA256
eec1c11131ce7661a62c3cf621fffc9a3518616c358d88dc834da34e4400ea4d

SHA512
66c5abc7eb177155f46ede48bb4b2c071e0265c441e5073c51eda6f8e6425178b54cfc6f704c81eaa67577ddc2b89d326ea4a611ee37adcd19d3a19271b46cdb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6d66dacbc44253548276ace4748ded45

SHA1
39f18f370ed3ebd247eb3298ebad7e911d4ac733

SHA256
8113c52ab617332ef7b6ce9106c2d26876cb3de7fd47d1cd57ef5a52996323a3

SHA512
b425223389b9dc4ce67fe5d96ea067fa3de48cd8bef9caca315d536c76d103e17d60f6734b04a36c1f7dde7dd0559eaaf924dbe292292f5793b55954fd257290

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
5e86eee86ded9d089cadc3c486079d7e

SHA1
a66d369fbbd20f05a993436fa55e0e61b9e57dff

SHA256
587f150d06f3762f190530b51d032cb1c67f46ea4642d9a50200b718e67a31fc

SHA512
ce908016e765b85d5aeec24dd5a5eb45abd6f9ba74a3ffb916aa94292404eda1bec1ed868a111e59498e7d35973c32da7ac7a153d75d9eb75dc9ce58eed87b17

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
4e5545417a173a5b30d7a32447f0ad7f

SHA1
5f8e6bfa7a25833e8dc7ae7364a9fd291e91d274

SHA256
3678067d205f2374cc857164e284930b58163af78914d2b974113b24bb73741f

SHA512
2f32f19507822a8b03bdf16ca6c312a9747703df1f5e7d41c4de52c0c44c5259cf1630a59767b6f6b2aaa71fa95437545472ce5f902f7cb03a39b98111da8cae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bca674d8336e2b53e0813ea5b8fccc57

SHA1
8c0d53fe79ab74f10ead7ea57237515fb488252e

SHA256
750ed6ee837bed5deef4b322dd46a8183a4ed3030f362f5153b0e4e7416e5971

SHA512
a1134b8d9f6ffcb1475d8fa7b746020c9a83fb4ac53692716772c313bad87cbeb7ecf8c2b6dd45b9e431dac069761fe2ddc824145713b4f548321116ffc84591

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
735b776cb3b48a991c675317ad5e56cc

SHA1
e7c628494f6e4568af15c573f3e0775fb2427131

SHA256
5c8565650ce1445a4e266e161dea9b2f337b4f832662172c0c971f0ea5891fef

SHA512
b529588a6e8d9fe7bb7afd5c6fec1fe4c223e83981f9dd4d494fc7e0a1a2c546706dd376a7552d63401e80358cc27ea13ff911043bae5d4ff54417eccfa6f647

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
72a5e5c27d5a36cf0bfc3ea3817ec0c6

SHA1
5cf69084842bbb40cff028137f6c802adbf394ec

SHA256
4aaecc23d752e4d44b902730a0d59b2e3e44f8ceab2d0a00ef5985ecda9407fd

SHA512
bf683a551916152cb39e447a173c6b5641bf5ef96f3b81db71e16b09e53f67f20d4a17b41fc5197cc8884d90a4cdebd05e208a472f158a56eac6430e8f4264c7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
f30dc16f02e47c60a3dd7565877c4293

SHA1
1f582d46a56b0f2ef5ce0384ea174f221e189516

SHA256
03f24f6f03ae5cd7b6f03556d56f6313d98e44ab8a863d2d6628d99516a38919

SHA512
fe69ec295732bf9ef41da2ed6961e941ac1071daea8b327b373222fb67141de2e5a9736c5edb0e644d2dffcbdbcfb0aed62688c72007e85e14b3b95463e32d21

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7f6dfd68359e55358b245f0b04c96b55

SHA1
85befb0047180611cdaf0477d6e89e7dba23df70

SHA256
b60de74c048907a194f6ac251bf4d481206055a4db75049d5a35e3161d62ff2e

SHA512
a3f3cede5b49c61549780885e5295efad15cdfeda247ef20513e4f9f4ad275903d238375a08b2a9e6018a6797e47f537784d7abf2fcac4fb610c526d85a915b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
0875a35317b89e96348867af5ffda64f

SHA1
c54e8fb4889b0a5089d78bd8d914aa66f5f8497b

SHA256
3d51b985c9f4be5316749618d17ad057e0543da2064e48fb82fb4a5c8848eb64

SHA512
40ab98a4d2cda4d6f5927f158e4cde88f20e383909a4a97e5da80e8e1bf0669cfcbae1004b6aa3b1245824c1cfccc3ab3fa963b8896bb0073116e2dc02bf7bb9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
1bb1086e4b4c1b883412f6b3f6844355

SHA1
d1bf5ea1e49f8e16b0710aced3b1fca0de498d23

SHA256
66cdfa90aeea1d0ee6693393d2bbd7278b8f2332a79c67b7f6daa6200d0a50bd

SHA512
e4aa65558fd1480776e530e7d83965e65c2eb59d01d010b2f699f0c91e49b82448aa9d77a4c57bfcf13b5e73be5a4b160c40fc3e82f9034a696ec45184adcab6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
e2c76fe20f825753bb450957789f5bf5

SHA1
0a3ca18d4b79aa583148722e4ca817647231129f

SHA256
7af484900e152c75206fae5f5ad2836d7305a12e026bc49f473a5b9899b84c85

SHA512
8a70290ea281a72eb08139046602caa07aca53319b7bb513d1d0988938a29b98ace8cdc92588a9e79ffd185adcf3b89f162d6f720b3858ad858d6066d3007252

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
c9e8a921928e2b5b8d9f498820945653

SHA1
c4fc8e307a90ce0578a3e3de9604e53433459a01

SHA256
5a32adffceba515ec7ce64e5abfa6ffb9f8a702fbf3879caa0d1d48ed80f7e30

SHA512
dc63425d498eccad218f8ed288aa014cdeb84536daac040d24da5720fb9c5d904ca67d13e08aa6f080d5affe4cbe1c4149e4b3cd850000af1a25d12397a43e08

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
08c3e19e09798ab8449891e3f9335a53

SHA1
04a5f608bbceb8785e13d1e6ca4e92512c203b0d

SHA256
f8b1d03f602e7164c34dcf85a980ffcf6d857e90c8ba1772f2036cc1114f11aa

SHA512
e340c4d1993f5cff12fb34f9640097a6f26ac8b32d7cddc927dfe2f70e2992d0d779bdbdcfc3a83f9eb398f5583ff481868e49a529450ddc9c4d6cc7e88e3c27

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
5cd9eb75ff570d0b381748afbe520dc5

SHA1
25d331b306e4eee76e6d293ada4f14dcc015093d

SHA256
d241288182330d6eb4a155558c06ca911f6d24dc4f507ce9d521fd1d80a805be

SHA512
262a40b5ee6629b8269036404e34306dfcd176f8d96a7e6ac5f5b172c4b05cef564bb8d64a47577f3d5676a6620f8cdedc9564b4b6b787ca7abfc5419fc980e2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
72d1d381a30cf9a69b8b45cf2b7f56fc

SHA1
64a735949868b492431d59730f17eaa94c67fb69

SHA256
f018fed868594017494ab074f6cb8fc384ae3993104d8a88c0476d74ae5b0abb

SHA512
aca96aa4b4721128c6a798a8a83c514fa25cb0278d53fd2b49caac35859cd97a4c7b6dc58df03867a592e2d7e90a328ee43a65ff6c89c75363e3403359bf17db

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
f20387af026bea3f86b6accd605cdfa1

SHA1
04249eb55ec95470a66d9122d39056bfe0feb0d5

SHA256
e9cd09630fb097cf52be2fa49c3c81792b007ff51707388196a7a943225bf880

SHA512
596f437b222e8f89f783371cc8c8ef6b0ba80bea4f6d30db88990141458fcc7fb8dac993bff3097ed244f3c7ead75d2f8d4daab936ccf7167357b8fa55d84299

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
4da198cfcab48f65b553ff2524795840

SHA1
2a82fc3a85cfc8b5621725032494fd7c51df8bd7

SHA256
2bab4e013cf452fde5d72d50cf761b83395ba74da94f3e6d82c8fc0b8a0d7b41

SHA512
e57e7a6e93849654789fb79a5c3be2778b689a50b91de5a05c5fb1824d481ec52b66f9ade23726464e63b8ce00ee2204e889cd46184f646f80395dca695c3c34

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
21bd4e5556aabdb7d73165d59cadee07

SHA1
d432e522e10898fc3d842d40f51bfb90f055672e

SHA256
7648cc0f933208c4b0d9640ec950966bf196f73c634cdb6238ea5e0e8aaf7ca5

SHA512
b915a2aaf1423fc7c76d537a93290f38870572af1216a5efc838f54b73d09db4575ea11ebe8691eef3e6dc12ad2795d371157a55f863385993ddac7afe4566bf

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
222008122308e20a3bf709b33320a873

SHA1
1de1358eb0cdc615b8880fb4a53dac988d46a51d

SHA256
975ee68256a2b0b94b81b8192499e2f7c3656e9d7cde6dc7af17319eb7adabd5

SHA512
5b8b723964d6b3f2b90dfc5733ac6f418240dec27e5a893b1d7cc26c97633ff3cb7ca4b77b660ccfd550c473f4ac08f412192743be1b95048c6c9ca27e64c6c5

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
ee689f76edef0fa99145e2d9317e20e1

SHA1
e31166c1b452ba82b4f7d8e22423945ad52a47ab

SHA256
4dc6a3af39995dc5ccc7736994441c80745b40560e9eec545bd054a3e7f1f046

SHA512
51fd1994d7114fc05762f18648f494fadd8531a277a6e099a9d9036bf9a375b42a7eab1a82adc25ba5f98c9b9b3f9e43239b7b4787155d05a34a49bb3389e663

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
90bbc5e4357b8c2bbd7836846dd877ae

SHA1
05b1b9a8b7e54bb15473df46e900e2e1cf409117

SHA256
4da5659e66c62b05a010f904f58515023d7f2c1b2f5d8c54182ce59846a109c4

SHA512
91ffd57c35039d849b8ac73c62e6dfb8ae77f8e32f64044a1ebc8030409297f065bdf8f8f04418c8f584e2e4820609f243d6987b6db45ac332a71bf252ca24dd

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
2f9269e847927e1bda8324d8a7529cd5

SHA1
3fe937cffc91415fd6bae8a54573675d3e73d994

SHA256
ac6088b619392beec5ce59464be565bf2a1e92609978a2f171499a773ebe0ddf

SHA512
9024983ede77a05149027dff3d5dfecbae67f294741e717cb4eb5bf01875ce76a1f6f1d7beba1de366ee4b9a2592fd910132c0f92290f5ebedf32a79144da2b0

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
9dc6c78f0ed4958511c062e15181214f

SHA1
89b44fad9a1e40b233a8e17fe75c718f05bf7202

SHA256
56437f519fa7001d96b02793c62a6211a73a3c42427c8a8428bf7aaa6b5327a1

SHA512
1c9cdb977bb1a2f70c2811355a90d7e70133bbe881e38cfc6266fe4bab8a1b272ba3af8a12092dd18dce4de9333ff1e0949c59b9d99ee32e776bfd7688d2a200

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
58d49c7afa302a924e7a51cac7080eec

SHA1
1128d81a6071632f17fa6f4362f064dd395deb44

SHA256
58a8f01db340ac76f80d5e7bea43313894caf587a97670893e1b726fdc52a1dd

SHA512
a3f60fa3543d5cc221096c26ee23efc6a4fa6e103a90385b81b1c138226de45d4db81878231d9973a4c76c5f20613bfcd91dce55c156f88b3587e6bfe638a964

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
0d97c8b7a4d555e5590b28a6e622396f

SHA1
ee73bf53d9c2bf11c92fda1bb7b02b0b8f95dc6e

SHA256
c86ff9b021367c661ac84b7f062b1d7ff28c3005de14bc4fff9081d860c68f41

SHA512
7b28a856d7b965f3b13cd0a4b7e7ed6c42684ae8a46893bec785f2f5c54e12ccaf05faf73c0873c209f7348dd623698152b37f56eaaeedceaab6d7b430f9e6c4

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
07d80371c4c22226b9f1dd2698b31f99

SHA1
c32cb404dbc7b6af66db29b55b161c1b7cd45b0a

SHA256
90e8b357fd710250afd9143242af499a6bb67808da44df43ce74d88fe9e091e8

SHA512
85b35ba49ee60a02c03cf1d2f9565f433dbbf2167488ed9c4a167f2ef14d8ddedbc592f2d55e04ce9b5bfa5e9d86ff78e1a8cb33b2f2f7a535180d612eb53f56

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b5a0f77898df6252edee9f2941b06693

SHA1
47edb7f0891ded7d70554c8860e1ba73b4cd7531

SHA256
4cd0c3f2c03fa1f70d51b2e89de90432e9b98a93ae3ea23404002a9d16785a2e

SHA512
f6707b82c03daffad7336fc53008b811a02d15141a63fc6963b1911604f9792be31a6ee2ef476fb090c7b2624e735515f248ed23f6e39baa6b06c1d79a7c8d86

Download Submit
memory/484-275-0x0000000072EB0000-0x000000007359E000-memory.dmp

Filesize
6.9MB

Download
memory/484-254-0x0000000072EB0000-0x000000007359E000-memory.dmp

Filesize
6.9MB

Download
memory/484-244-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/484-274-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/484-219-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/748-279-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/748-285-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/872-233-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/872-160-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/872-240-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/872-217-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/872-167-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/872-161-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/872-226-0x000007FEF4780000-0x000007FEF511D000-memory.dmp

Filesize
9.6MB

Download
memory/1008-116-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1008-108-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1008-176-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1008-135-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1008-110-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1008-209-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1092-101-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1092-164-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1092-94-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1092-93-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1296-128-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1296-187-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1296-121-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1504-28-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1504-107-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1680-189-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1680-180-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1680-197-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1680-198-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1696-163-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1696-162-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1800-138-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1800-147-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1800-215-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1952-77-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1952-76-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1952-145-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1952-83-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2096-267-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2096-266-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2096-287-0x0000000072EB0000-0x000000007359E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-71-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2192-48-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2208-270-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2208-271-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/2600-288-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2600-211-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2600-201-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2652-174-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2652-177-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2652-265-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2668-67-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2668-68-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2668-62-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2668-133-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2668-60-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2756-228-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2756-245-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2756-237-0x0000000000580000-0x0000000000632000-memory.dmp

Filesize
712KB

Download
memory/2772-38-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2772-61-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2772-32-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2772-31-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2852-0-0x0000000001BD0000-0x0000000001C30000-memory.dmp

Filesize
384KB

Download
memory/2852-7-0x0000000001BD0000-0x0000000001C30000-memory.dmp

Filesize
384KB

Download
memory/2852-8-0x0000000001BD0000-0x0000000001C30000-memory.dmp

Filesize
384KB

Download
memory/2852-1-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/2884-92-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2884-22-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2884-21-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2884-15-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2884-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download