0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Size

622KB
MD5

26d13d573632d01d744e90a65b353457
SHA1

5b4f24ef71c17bc45f3cb27cfddf731ae58871ab
SHA256

0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231
SHA512

af3d4f828a2c5c6bd32b01989693196a791a6945d4257f4b98389359607634e91d4bbf739dbca7b29b1f3bf45d3d7d5e3de24b09b642ede0b7ff5c03cbce2907
SSDEEP

12288:suJ4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:suJ4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 43 IoCs

pid	Process
468	Process not Found
2540	alg.exe
2680	aspnet_state.exe
2664	mscorsvw.exe
2896	mscorsvw.exe
2884	mscorsvw.exe
1696	mscorsvw.exe
476	ehRecvr.exe
1544	ehsched.exe
2240	elevation_service.exe
2116	IEEtwCollector.exe
1808	GROOVE.EXE
3024	maintenanceservice.exe
3032	msdtc.exe
1584	msiexec.exe
2636	OSE.EXE
1736	OSPPSVC.EXE
3040	perfhost.exe
1384	mscorsvw.exe
2720	locator.exe
2312	snmptrap.exe
1608	vds.exe
2144	vssvc.exe
2124	wbengine.exe
2468	mscorsvw.exe
2780	WmiApSrv.exe
2064	wmpnetwk.exe
2856	SearchIndexer.exe
1580	mscorsvw.exe
1036	mscorsvw.exe
2508	mscorsvw.exe
1912	mscorsvw.exe
1996	mscorsvw.exe
2096	mscorsvw.exe
1044	mscorsvw.exe
2376	mscorsvw.exe
2460	mscorsvw.exe
2316	mscorsvw.exe
1016	mscorsvw.exe
2368	dllhost.exe
2400	mscorsvw.exe
1120	mscorsvw.exe
2736	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1584	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\alg.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2fef99969a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\vds.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{07AE5B36-52CF-41AC-9FA3-E415AD64329D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{07AE5B36-52CF-41AC-9FA3-E415AD64329D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{C699572E-000F-48B7-BC50-CBB3A6FD4A2A}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1420	ehRec.exe
1968	ehRec.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	1696	mscorsvw.exe
Token: 33	2260	EhTray.exe
Token: SeIncBasePriorityPrivilege	2260	EhTray.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	1696	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	1696	mscorsvw.exe
Token: SeShutdownPrivilege	1696	mscorsvw.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeSecurityPrivilege	1584	msiexec.exe
Token: SeDebugPrivilege	1420	ehRec.exe
Token: 33	2260	EhTray.exe
Token: SeIncBasePriorityPrivilege	2260	EhTray.exe
Token: SeBackupPrivilege	2144	vssvc.exe
Token: SeRestorePrivilege	2144	vssvc.exe
Token: SeAuditPrivilege	2144	vssvc.exe
Token: SeBackupPrivilege	2124	wbengine.exe
Token: SeRestorePrivilege	2124	wbengine.exe
Token: SeSecurityPrivilege	2124	wbengine.exe
Token: SeDebugPrivilege	1968	ehRec.exe
Token: SeManageVolumePrivilege	2856	SearchIndexer.exe
Token: 33	2064	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2064	wmpnetwk.exe
Token: 33	2856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2856	SearchIndexer.exe
Token: SeDebugPrivilege	2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2372	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2540	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2260	EhTray.exe
2260	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2260	EhTray.exe
2260	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
892	SearchProtocolHost.exe
892	SearchProtocolHost.exe
892	SearchProtocolHost.exe
892	SearchProtocolHost.exe
892	SearchProtocolHost.exe
2484	SearchProtocolHost.exe
2484	SearchProtocolHost.exe
2484	SearchProtocolHost.exe
2484	SearchProtocolHost.exe
2484	SearchProtocolHost.exe
2484	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1384	2884	mscorsvw.exe	47
PID 2884 wrote to memory of 1384	2884	mscorsvw.exe	47
PID 2884 wrote to memory of 1384	2884	mscorsvw.exe	47
PID 2884 wrote to memory of 1384	2884	mscorsvw.exe	47
PID 2884 wrote to memory of 2468	2884	mscorsvw.exe	53
PID 2884 wrote to memory of 2468	2884	mscorsvw.exe	53
PID 2884 wrote to memory of 2468	2884	mscorsvw.exe	53
PID 2884 wrote to memory of 2468	2884	mscorsvw.exe	53
PID 2884 wrote to memory of 1580	2884	mscorsvw.exe	59
PID 2884 wrote to memory of 1580	2884	mscorsvw.exe	59
PID 2884 wrote to memory of 1580	2884	mscorsvw.exe	59
PID 2884 wrote to memory of 1580	2884	mscorsvw.exe	59
PID 2856 wrote to memory of 892	2856	SearchIndexer.exe	61
PID 2856 wrote to memory of 892	2856	SearchIndexer.exe	61
PID 2856 wrote to memory of 892	2856	SearchIndexer.exe	61
PID 2856 wrote to memory of 1916	2856	SearchIndexer.exe	62
PID 2856 wrote to memory of 1916	2856	SearchIndexer.exe	62
PID 2856 wrote to memory of 1916	2856	SearchIndexer.exe	62
PID 2884 wrote to memory of 1036	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 1036	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 1036	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 1036	2884	mscorsvw.exe	63
PID 2884 wrote to memory of 2508	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 2508	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 2508	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 2508	2884	mscorsvw.exe	64
PID 2884 wrote to memory of 1912	2884	mscorsvw.exe	65
PID 2884 wrote to memory of 1912	2884	mscorsvw.exe	65
PID 2884 wrote to memory of 1912	2884	mscorsvw.exe	65
PID 2884 wrote to memory of 1912	2884	mscorsvw.exe	65
PID 2856 wrote to memory of 2484	2856	SearchIndexer.exe	66
PID 2856 wrote to memory of 2484	2856	SearchIndexer.exe	66
PID 2856 wrote to memory of 2484	2856	SearchIndexer.exe	66
PID 2884 wrote to memory of 1996	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 1996	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 1996	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 1996	2884	mscorsvw.exe	67
PID 2884 wrote to memory of 2096	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 2096	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 2096	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 2096	2884	mscorsvw.exe	68
PID 2884 wrote to memory of 1044	2884	mscorsvw.exe	69
PID 2884 wrote to memory of 1044	2884	mscorsvw.exe	69
PID 2884 wrote to memory of 1044	2884	mscorsvw.exe	69
PID 2884 wrote to memory of 1044	2884	mscorsvw.exe	69
PID 2884 wrote to memory of 2376	2884	mscorsvw.exe	70
PID 2884 wrote to memory of 2376	2884	mscorsvw.exe	70
PID 2884 wrote to memory of 2376	2884	mscorsvw.exe	70
PID 2884 wrote to memory of 2376	2884	mscorsvw.exe	70
PID 2884 wrote to memory of 2460	2884	mscorsvw.exe	71
PID 2884 wrote to memory of 2460	2884	mscorsvw.exe	71
PID 2884 wrote to memory of 2460	2884	mscorsvw.exe	71
PID 2884 wrote to memory of 2460	2884	mscorsvw.exe	71
PID 2884 wrote to memory of 2316	2884	mscorsvw.exe	72
PID 2884 wrote to memory of 2316	2884	mscorsvw.exe	72
PID 2884 wrote to memory of 2316	2884	mscorsvw.exe	72
PID 2884 wrote to memory of 2316	2884	mscorsvw.exe	72
PID 2884 wrote to memory of 1016	2884	mscorsvw.exe	73
PID 2884 wrote to memory of 1016	2884	mscorsvw.exe	73
PID 2884 wrote to memory of 1016	2884	mscorsvw.exe	73
PID 2884 wrote to memory of 1016	2884	mscorsvw.exe	73
PID 2884 wrote to memory of 2400	2884	mscorsvw.exe	75
PID 2884 wrote to memory of 2400	2884	mscorsvw.exe	75
PID 2884 wrote to memory of 2400	2884	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
"C:\Users\Admin\AppData\Local\Temp\0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2664

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 25c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 250 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 278 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 184 -NGENProcess 248 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1dc -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1dc -NGENProcess 250 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 11c -NGENProcess 120 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 290 -NGENProcess 1dc -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:476

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2116

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3024

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2636

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1736

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:892
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:1916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2484

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
c2f58e2425cfdb192d01c10c9b0eba35

SHA1
dd768b2b3a2c39707bb1e46f7b8529bf924b11dd

SHA256
bc2a0cdbebb9254e3741ba7cd94617e3de3af347c2c4823ba5c31d5e638053ab

SHA512
5b92b287e0e494e0f7b2c4e34abe07cc91a4b60399bec085c480d2e86ee7c85dbfd551d355325b6dcd99b199aaff460334a5eb60351c146f4c9d44c4885e4588

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c97ef3f34afb24ba93eac0fa1327b610

SHA1
9c8818854e0e6a1340844c85eb1bc89fcd22f942

SHA256
876836c390ec94aae10cfd6f6be21f971e7887c7e86eefc35236c084a6fde5e3

SHA512
0683cde770e6a35392215246ca3d558e09fefdb56573ad0eaabaa86e4cd03c6712f5d6c991891a861819ff99821c01c5bd2f9becdc7f3be46e422c5a55944dbf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
df2e94ac79552856d6042dff2c19a4d4

SHA1
66a4ed4f6a3db957aa02be1785ed5474b1200c22

SHA256
5c24a6128976dc81c5b59f7bee72033f8111c4ed5a89f1c96acab151e31eb4d3

SHA512
63ee349bee12b5d75151ee1b3a727766b6ca786796c0f0096ee6101fb5bd85a6744ebedfde9b472ef92c9cffefcf96c5bf554950ba8eabc8e7e14aa5e9a29614

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
86db04240b88c2c45da976ea708672b9

SHA1
faa9b28ef713ae3682e3552d229e2fea3c18b321

SHA256
03f70cf28e20add075340d9dadc03bf88715ea331fec7d86567d68ca0a0499b0

SHA512
87a4d4c2469ebbd41637dc640264e954c6bf174c621930516391205ab83e83b08232da5e4a314fdd8c31967b619852711991c0981a1cef431cf6a6bba79fdc7a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a1aa9e25e445776dfe336542ee410d9b

SHA1
9d4580828b845ce240eae522749e19d1b7bcbe63

SHA256
1885269ac2b9606bf4cafff23a7b6e03371f3f3e350094bc022846e189ca714e

SHA512
a4b1babf38a13bfa51df88cd6bb8a247a433153901bcf206b9d3f4eba87677a0128990d8397572d9e7d6beb4adbe1127eba2e07590e151971554451cc6b89e52

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f96978fc46d9f00d8780351026924d7_f4bfc772-1e14-4cb7-967a-2360098b659f

Filesize
59B

MD5
db733e033c397fec5917611957620271

SHA1
6f94d1daa0fc4ec1b2d4cbcb93730d8edb77a2b7

SHA256
1f3ffadd3b80c7f95be06e245410768e8302a24e573868da3c6fd91230025bdc

SHA512
9a9bb4cf6380bb0a73ea414ca2226a344c7da003e49610dc38bd10892dc17244e4c88bf8a466131027e3c064c693ad99014e6853fff51edb21cb690b926b962f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
31f22c5f8426aa7a95ae96edd526e018

SHA1
dfc176c59346728a518b8580670ca6515dffff33

SHA256
9b203b5beb5366556e5b386e44b9ca920b1ac3355c143ad0ee0c8c3807554bd5

SHA512
567648fa77169f513d3f679c097640599f26283bdc7f9774dcec3851fe8d0cfaac2350c14a53c6fa4a75410c7699bd6beadfad145c5a46baab0a4617aea1f390

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
cd8e586193812a898a496df1f2199967

SHA1
fc7124b5b75a1e8745cd73fb7b5b30b461a77e7f

SHA256
b82489d70986c20fafcae1c11c09242803a8340c395092e307dbd2a05fde6b05

SHA512
9f2c597d5b6739bdf23272347091bcaa710333ba2a9202a35ded398e71130343a0e0f6970d59d273031170a6108f3708448116f11f1041d86bfd77b447a5bf20

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
0178e82a6c750a0b4546f56971862d5c

SHA1
e84c4c9aa2e1f5169cb4862c493a144f4f616959

SHA256
67d04eb25818db2b1af0aa86f933f2471c6151ade6bae83e940b83f652b3db08

SHA512
8930c0900921366a7bab5bb399a06c85ba235dbfd218f011648d959cfa9c6cd7e09b0be60a7fbcf4ee3cf92b037ac34e2fc5ab41d7ee35af90e161a7886b37e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b436dbb967e619880c7ee7330e751eef

SHA1
b447fe8a06c74f3aa504ef07bbbd182d7e7d4aeb

SHA256
55d9cf308a73b98d1de9c9fb7c6465c46de2d004ba8e43b679327902821ef8ac

SHA512
9c8cc65d3924fbc231f511776eb4f046b15c63e0b1cb34d77282d9bd9283b7f3ad5ddfd33632db84345c815e8a295749df0b3c148f61471d8fb3d1a0bf43025c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
c727284831d90b11064275ff2d3cf0e1

SHA1
465e55ed4482288452f085507695cd8986e50252

SHA256
70a494f3a27286a719207bcdc3c508063a48c99c4c5ef768f9c44a31e064760f

SHA512
82f28a1c1a531268c2d0326718cd28432d9961f7dd8f815e1d7ab524fd5d9a6e50fdaeccc10e71f0231c571a45f9b18dabed0124a2b79459ea2d28232f73d576

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
aea2fee896bb3fcd3cdb3904f8792bf3

SHA1
aa0d0de136b1a6ac7bd842abf3b4c7cd7902ff48

SHA256
4011371b2531cce4c6fe5087a17ff37dbe1c0351b05414c00d10d26eeb98a69b

SHA512
c2ce5c1b3db64583062279498c68d6f379fecd6a9c23a206d323d37e1790381428a1b656fe606e02d3f40c0c43ef1a7187b7c28ad13c116992c0ad0a160d527c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
b4680e06a0ae982342382a21a26e2578

SHA1
f1cf02540ad58a86c52bda1f2454277f23fcbb94

SHA256
f74f94cbd21659275dbc696b24e0f5efe102f0418cc771470c86800fd769f7ff

SHA512
0a15673a79461fad8f056bef836ecb4cd401ced923d19ff40565868705573a450c766b2b920199e680504ad8cddbac39a9dd2b564f5101b3d19e318c8f03206a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
017a636363b46c771cce84f53bffc543

SHA1
35fc1ea3a3b4f811055dd371f066cf56b5b2438e

SHA256
85e858c55377a53f6e5085fdd8133e8f50d926e14972982b3c577e3a5c8cbb49

SHA512
75c80b340966341737c2a77d65960298066fb97d27378b18b3e049d8c4148d520a3e707a592ed7210cb5e958b152edc851c959c83797f0ced17bd2613db6246d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2b9aafc6ca07671d5424393db9369b40

SHA1
ad6f9ca724a05d705798a1c17970ddb029e07e59

SHA256
0ef2590fbac181c4263e0f3cebf7bc8ae096298cb415097736d505aea8753c23

SHA512
04af170fb4b29f23ca3cae6f82b8fd028fa80bd5e63a65cb5e8ddd22d73d9b81cca91c15997dfbd5ef40b44a590496bf372315ec8965d07428d74f02a6145a8c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
27f4f2da45a555d6158b25c4fe4fd953

SHA1
7388ef03718abff2cdf77a461804cba4bf1e4ed6

SHA256
d8609738172b80cb6edc990094a75bf014086dd4672ce09a4ab6b4c77651b3d1

SHA512
81a8b362dc919af745855592dd7d8f1086d978214850f579484788aa93ed9c816e1e4c537cd2c19b8e9c4257ea6971d1b943bfe48efda330f1516d77e6eb7951

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
7f9ea5bf98036e0ff831f4bc28e08074

SHA1
71bb7f6b5068022e12956877bce1f3104676772e

SHA256
a5bb7682b177efe41bea3654dbb5284b6a0ddcb430262b8ca6d7590a69008e8f

SHA512
888571802d0e14101e7dc838dd48828a126ebbc90287c99cdb50bbc28543809d627a45e0d017e389eb0b43443481b4c5ca495715974ef21eb7749487c760741c

Download Submit
\??\c:\programdata\microsoft\ehome\mcepg2-0.db

Filesize
532KB

MD5
18a9937a26fb1def55e62b744dfa0aea

SHA1
cee763dde5ebce20288e1d21aebbb757514c7f45

SHA256
536d1c922bff9dc31c2f99e347230a5b329ffd4d9c3d54f916aa15a852a40f09

SHA512
78bf0a48b2b42f5ea9a5b1d6cf62f7b48faff4881fe76e00b082d6cb06602c580f3c71094a9faa214f56827b24c0d387a924c1e1542b6ed2410349e169f5a37c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
11809864966f72652c07bda4ba9df058

SHA1
25f4e1cbeacfdbc0c3b4ced10875709d5cb59e6b

SHA256
1147a2127e43bbeb399430534f38b32ba34d63da76076cb42c807b568391bd99

SHA512
9c02b7ec0fc36d3d618d03bf3476abcf8494c7fa16738aea5aa8af4f5d1d2c977eb90d6e3e30d6c5bc981ca79aa7e7a6dd8b20512f379e817fd1486a011f3d0f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
188ecc075eabf746ee361fbed1b1850d

SHA1
c6ee59774bf39799ab45ad572ce317566d6e6f2a

SHA256
40392ac920a405408ea2c3e98751fd8fb30ac6d8c951212591def0d621fbdc7d

SHA512
f29152f2d404f9e06c51485f8ab5f1a86394bd3929ed8d2fad5e2424195d550c4eabddfbd2255cc0a22f1ed391a1eb971eb02410660ea92de716622f0c6b3566

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
821e80d8d7fce090b63d4a2572a6e722

SHA1
799a52ddff91fd1554308ea6feb8b71cf6fdace1

SHA256
e36c837aea20b889bf7963b864e351c13a174fed1fe63c9a866cdb3b7bc9c9dc

SHA512
dffb99ffafed1b3381a94554d9b5edb435987f0e92f927ba92f05ea82acf992f114e2dc95e3a6a172b8255f65b173bc053ceff035ff940adff9584f425fe3c49

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
f022bad830740022a9171015a4a699e7

SHA1
2a9d5d08e3596279b2896590f29d61f69b8614ab

SHA256
6d980cfcd09ead46024f8875cb6fe3ff420185f2ee25b9d2cf25242024cfae6f

SHA512
9fdb1189d0950d7f4ecdc93d83d58a85994d2984f94474bb777050f4a7f0fc4a139c643f6f1728b40ab4a02494d4ccfb3fbc46c77c645bcad596ec4ebe096494

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
4d77ee2010819e3d5aa34cce29035e10

SHA1
a8b14d95ea72668dd3dd2b2f1b0695920de5f22a

SHA256
d874b0f5d7b09c2db246ac5d3913d320a501a98ab864eb841064cb3277c6da91

SHA512
ff2a712b14dee27fb8cc18eefd1f6feffb283a3faacd80faa12fba1d2b288a8796b8caedd855700647b37e6c34830e37ddeb2a20c2983a9cff3780684497b2fa

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
b3b7c7099bb69f8cbaee3ca405420235

SHA1
41175cc9323a226f49f2a1d0b0ee282e866192c5

SHA256
e13eea0bf7e840ec57549a054b86e123f95932250e898765d5ce50c2dc656a44

SHA512
7031d2d0765b76a9e17c7c65fbbc077b5bc4ba5b0204d32871b8a0fd7f9cafedce1412ec36de73afb912a8aa2b0c169de7870e8adb8762e26153a0fd7b9bae69

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
e5d6fd205b97740ac6d645a58d02996d

SHA1
3b6625e67c5f1df53f8f9d6fe555226b9b2bec5b

SHA256
e1afbd981100cc70738c5fc630b579400decb2890b736fbcb1119bd824faad27

SHA512
692d7f40aa14a161fbf4f4299f81b728aad9a7e2c5ce4d4a2fa968e9591449ae6dff4de071b66db0db4cb9d2b5bb6e61b0a3d85c4942dd19cf9b41da7442b290

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
b760fd8b9f3893808e89070f0ee2ddc5

SHA1
7caba37841ea8ac29e5980e9b2f63990acf2f251

SHA256
878872407a401728d178f30b8af9e7b3148fc47f55c81fd6fc73730401b73505

SHA512
9ab8d64ee05e1c50a32626772b338278902452cbc0ecf8091d60f2f785ec7930d6388c8e6bcbcafe6075e856e8aedc2a47cc1cfc0919523e3232dbbc3009bf5b

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
b74234891b6df4d190dd60e4eb6a6a09

SHA1
be69d6fcf0d1653b4c59cccdf456d6efb896cc48

SHA256
7cae5fdd275497db211c5bbedff55e3123726e87f3553062fd9374ca4ddeb60f

SHA512
1839524261c081148e677d8b3793a8e9300f2859b6709191259c1cb3097b028c500341775078dae29b0a75d1822c9d382c291f981585b2b426f4fb5370d86c0d

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b86ec8a19c0710071c1ebcd7d3677fb6

SHA1
815f8574b5954fa2e55a8b6a348eb1dd589ebf44

SHA256
6f2e60e8cae4bc9c1d28585b1edb79ffd367001b7952513e8bb0dbf4cdfd4f32

SHA512
ed3dd8f0b44e7593c4ca4a4448d53d43caa370fb84f78a9b58e82b1593ddc201e009ca955d6f4e14ccd520815d644e0f098d451568bd58ae34184a33fec74be8

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
8f90a1475cbfdc737b739989ea81ce66

SHA1
34c7c7194ca97c66ceace2c6fb63de8aeb5f3283

SHA256
81ad56e35a72eb8b9ff7bbccecfb4de86f49092962de617aad0b640914c23e3d

SHA512
8b9dc60a0670ffa505b5ddaa31c749a39f5c2d9fa0d5de68dd903b52274aa1ec704e87eb0e21071613cf927118df23a104ae406ce27eb4e37b6cf6ac8e8c8f90

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
f02f04e9b5e4a819e110ab788515d62f

SHA1
b2ce25f59feb215543b7e812bbf17c23332a076e

SHA256
d34ca2ad3e52f8be8819127fc6185851087c2346776b74d49844918dc0f740fe

SHA512
c79a9c967af461df83f02954cb0c805d59030c39901ae2529ee18aad6e509136a06a60739849aedd0316eb056088316dc98bdc0a9100917e6f81e40f1f5adc2e

Download Submit
memory/476-229-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/476-138-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/476-199-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/476-114-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/476-111-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/476-120-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/476-119-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1384-287-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/1384-280-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1420-248-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1420-253-0x000007FEF4580000-0x000007FEF4F1D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-302-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1420-243-0x000007FEF4580000-0x000007FEF4F1D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-178-0x000007FEF4580000-0x000007FEF4F1D000-memory.dmp

Filesize
9.6MB

Download
memory/1420-177-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1420-176-0x000007FEF4580000-0x000007FEF4F1D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-218-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1544-135-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1544-126-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1584-221-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1584-224-0x0000000000560000-0x0000000000612000-memory.dmp

Filesize
712KB

Download
memory/1584-231-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/1584-277-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1696-102-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1696-95-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1696-94-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1696-186-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1736-263-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1736-254-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1736-261-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1808-245-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1808-184-0x0000000000410000-0x0000000000476000-memory.dmp

Filesize
408KB

Download
memory/1808-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2116-188-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2116-179-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2240-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2240-143-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2240-151-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2372-75-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2372-7-0x0000000001CC0000-0x0000000001D26000-memory.dmp

Filesize
408KB

Download
memory/2372-6-0x0000000001CC0000-0x0000000001D26000-memory.dmp

Filesize
408KB

Download
memory/2372-1-0x0000000001CC0000-0x0000000001D26000-memory.dmp

Filesize
408KB

Download
memory/2372-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2540-14-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2540-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2540-20-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2540-93-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2636-299-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2636-237-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2636-246-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/2664-74-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2664-45-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2664-39-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2664-38-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2680-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2680-27-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-112-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2680-33-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2720-301-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2720-292-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2884-150-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-77-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2884-82-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2884-76-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2896-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2896-56-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2896-137-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2896-62-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3024-194-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3024-190-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3024-213-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3024-214-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3032-267-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/3032-202-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/3032-208-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3040-274-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/3040-270-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download