a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Size

622KB
MD5

a48dc6f58a4b81f51fcbdd2153568c85
SHA1

11540e4f9c7fba27e953c155a136411fc2c4527a
SHA256

a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471
SHA512

4f407e77d332ff265dce879cd4020b1d31d62afc87e141da7de968ac677b1e6628ea5c7929a7f41f6451188343d928d964b23c64c6f2416c6c980e0e08a5d436
SSDEEP

12288:tuW6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:tuW6LaRFdGJm0Q3WKVSwdr13Ek0VA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
480	Process not Found
2180	alg.exe
2660	aspnet_state.exe
2600	mscorsvw.exe
2496	mscorsvw.exe
340	mscorsvw.exe
1864	mscorsvw.exe
1620	ehRecvr.exe
3000	ehsched.exe
332	elevation_service.exe
2904	IEEtwCollector.exe
1552	GROOVE.EXE
1736	maintenanceservice.exe
2244	msdtc.exe
2020	msiexec.exe
2284	OSE.EXE
1052	OSPPSVC.EXE
2676	perfhost.exe
2496	locator.exe
1676	snmptrap.exe
1496	vds.exe
1996	vssvc.exe
604	wbengine.exe
2040	mscorsvw.exe
1964	mscorsvw.exe
2500	mscorsvw.exe
1700	mscorsvw.exe
2908	mscorsvw.exe
1656	mscorsvw.exe
1492	mscorsvw.exe
2736	mscorsvw.exe
2720	mscorsvw.exe
1872	mscorsvw.exe
1960	mscorsvw.exe
1608	mscorsvw.exe
2840	mscorsvw.exe
2824	mscorsvw.exe
2636	mscorsvw.exe
1632	WmiApSrv.exe
1380	wmpnetwk.exe
2368	SearchIndexer.exe
1248	mscorsvw.exe
1300	mscorsvw.exe
1700	mscorsvw.exe
2544	mscorsvw.exe
1236	mscorsvw.exe
2024	mscorsvw.exe
2752	mscorsvw.exe
2868	mscorsvw.exe
1664	mscorsvw.exe
1796	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2020	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\vds.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\alg.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\35d4a5393d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DE4A8357-501E-4E80-951C-CC463AF5B403}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DE4A8357-501E-4E80-951C-CC463AF5B403}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe

Modifies data under HKEY_USERS 59 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{3F0D87D0-7ACC-4409-B67F-F4AC5FE7E92E}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{3F0D87D0-7ACC-4409-B67F-F4AC5FE7E92E}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030015132be92da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
988	ehRec.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: 33	2832	EhTray.exe
Token: SeIncBasePriorityPrivilege	2832	EhTray.exe
Token: SeDebugPrivilege	988	ehRec.exe
Token: 33	2832	EhTray.exe
Token: SeIncBasePriorityPrivilege	2832	EhTray.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	2020	msiexec.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeBackupPrivilege	1996	vssvc.exe
Token: SeRestorePrivilege	1996	vssvc.exe
Token: SeAuditPrivilege	1996	vssvc.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: 33	1380	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1380	wmpnetwk.exe
Token: SeDebugPrivilege	2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	2220	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeManageVolumePrivilege	2368	SearchIndexer.exe
Token: 33	2368	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2368	SearchIndexer.exe
Token: SeDebugPrivilege	2180	alg.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2832	EhTray.exe
2832	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2832	EhTray.exe
2832	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2040	340	mscorsvw.exe	52
PID 340 wrote to memory of 2040	340	mscorsvw.exe	52
PID 340 wrote to memory of 2040	340	mscorsvw.exe	52
PID 340 wrote to memory of 2040	340	mscorsvw.exe	52
PID 340 wrote to memory of 1964	340	mscorsvw.exe	53
PID 340 wrote to memory of 1964	340	mscorsvw.exe	53
PID 340 wrote to memory of 1964	340	mscorsvw.exe	53
PID 340 wrote to memory of 1964	340	mscorsvw.exe	53
PID 340 wrote to memory of 2500	340	mscorsvw.exe	54
PID 340 wrote to memory of 2500	340	mscorsvw.exe	54
PID 340 wrote to memory of 2500	340	mscorsvw.exe	54
PID 340 wrote to memory of 2500	340	mscorsvw.exe	54
PID 340 wrote to memory of 1700	340	mscorsvw.exe	55
PID 340 wrote to memory of 1700	340	mscorsvw.exe	55
PID 340 wrote to memory of 1700	340	mscorsvw.exe	55
PID 340 wrote to memory of 1700	340	mscorsvw.exe	55
PID 340 wrote to memory of 2908	340	mscorsvw.exe	56
PID 340 wrote to memory of 2908	340	mscorsvw.exe	56
PID 340 wrote to memory of 2908	340	mscorsvw.exe	56
PID 340 wrote to memory of 2908	340	mscorsvw.exe	56
PID 340 wrote to memory of 1656	340	mscorsvw.exe	57
PID 340 wrote to memory of 1656	340	mscorsvw.exe	57
PID 340 wrote to memory of 1656	340	mscorsvw.exe	57
PID 340 wrote to memory of 1656	340	mscorsvw.exe	57
PID 340 wrote to memory of 1492	340	mscorsvw.exe	58
PID 340 wrote to memory of 1492	340	mscorsvw.exe	58
PID 340 wrote to memory of 1492	340	mscorsvw.exe	58
PID 340 wrote to memory of 1492	340	mscorsvw.exe	58
PID 340 wrote to memory of 2736	340	mscorsvw.exe	59
PID 340 wrote to memory of 2736	340	mscorsvw.exe	59
PID 340 wrote to memory of 2736	340	mscorsvw.exe	59
PID 340 wrote to memory of 2736	340	mscorsvw.exe	59
PID 340 wrote to memory of 2720	340	mscorsvw.exe	60
PID 340 wrote to memory of 2720	340	mscorsvw.exe	60
PID 340 wrote to memory of 2720	340	mscorsvw.exe	60
PID 340 wrote to memory of 2720	340	mscorsvw.exe	60
PID 340 wrote to memory of 1872	340	mscorsvw.exe	61
PID 340 wrote to memory of 1872	340	mscorsvw.exe	61
PID 340 wrote to memory of 1872	340	mscorsvw.exe	61
PID 340 wrote to memory of 1872	340	mscorsvw.exe	61
PID 340 wrote to memory of 1960	340	mscorsvw.exe	62
PID 340 wrote to memory of 1960	340	mscorsvw.exe	62
PID 340 wrote to memory of 1960	340	mscorsvw.exe	62
PID 340 wrote to memory of 1960	340	mscorsvw.exe	62
PID 340 wrote to memory of 1608	340	mscorsvw.exe	63
PID 340 wrote to memory of 1608	340	mscorsvw.exe	63
PID 340 wrote to memory of 1608	340	mscorsvw.exe	63
PID 340 wrote to memory of 1608	340	mscorsvw.exe	63
PID 340 wrote to memory of 2840	340	mscorsvw.exe	64
PID 340 wrote to memory of 2840	340	mscorsvw.exe	64
PID 340 wrote to memory of 2840	340	mscorsvw.exe	64
PID 340 wrote to memory of 2840	340	mscorsvw.exe	64
PID 340 wrote to memory of 2824	340	mscorsvw.exe	65
PID 340 wrote to memory of 2824	340	mscorsvw.exe	65
PID 340 wrote to memory of 2824	340	mscorsvw.exe	65
PID 340 wrote to memory of 2824	340	mscorsvw.exe	65
PID 340 wrote to memory of 2636	340	mscorsvw.exe	66
PID 340 wrote to memory of 2636	340	mscorsvw.exe	66
PID 340 wrote to memory of 2636	340	mscorsvw.exe	66
PID 340 wrote to memory of 2636	340	mscorsvw.exe	66
PID 340 wrote to memory of 1248	340	mscorsvw.exe	71
PID 340 wrote to memory of 1248	340	mscorsvw.exe	71
PID 340 wrote to memory of 1248	340	mscorsvw.exe	71
PID 340 wrote to memory of 1248	340	mscorsvw.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
"C:\Users\Admin\AppData\Local\Temp\a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2600

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 250 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d0 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 268 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 1d4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 1d4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 1d4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1a8 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 24c -NGENProcess 1a8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2b8 -NGENProcess 294 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 11c -NGENProcess 2b8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 108 -NGENProcess 16c -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 22c -NGENProcess 1bc -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1620

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:332

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2904

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2284

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2368
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:3012

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
b553f48f98ef1e06446b87cf9b0818a5

SHA1
5db2c946eaf103be81c8ebe7fca3dc77f136fc39

SHA256
5ad0706f0eb5b8fe82f1e4c17a36f1121410bfe5fda0d563a440073772f105e1

SHA512
366f68b5140a28a53adf861ba665b72d6b7c443a3eef84e02bd579879aeae8016d1543486d95c66d24d8d547f27409e3832ca8372a2451879ab5c84653d011e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
1a400c90d38ac1bf07193afa599bfd91

SHA1
58d82680051d2ee385c7e912936e6eac546e41db

SHA256
8d88ae831fc5a7e1a3b0e84e67356f97a8425e439d3c450ecfd1feeaf4acdc13

SHA512
833d4add8030730fd31f321752a442553a29d9640107cf02bb93d6b67256f9433a3f498f678f8b862ec10bc4de9389f87c3bdabf4990e9db35f554adc5172f14

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
87fc7da06c4f03dd4d02081617a3c5f0

SHA1
7827c585c02776fedced2e2e942fc0ff7c807f7c

SHA256
abb6229174b23a70e25f5e8e414c47c049f61c82867184adb0ef0dc0b887d662

SHA512
9acd70d9242244ea3028bfef2d8c8f88579b53cff4e326eb56b253315556abf1d545c04c948b8c730d520d2a233cdbfddc9a3d092de64968cc431a0a17b4ad82

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
7242175bca1f56962d766e572fd65865

SHA1
3aa4adf0ecfd2d84ad985255fd90dc28f1be9404

SHA256
fb5aac41492986b3edde8b6077051689372d9a9ef3ee631b27bc1889c1988ef7

SHA512
9389e2449ee4232cd5ec9dc48fec1242df17f760c14bf3b3fd0ebb459ec8ccbbe36e64cf88474bfebb93892ecd989a60ce5a350772359d38ed4ac9935635a0e8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
71bdbe589c6415c3945f9d5b858c697b

SHA1
4a68bcb3d16beae9b3939a8277cad0fc5cf5dbc9

SHA256
53a068de527184570ce379f3842101bc93a867a5b9a3bd7c5f8e3529219eafcd

SHA512
426b72d14bd7bccb8167725933406b0d2e89d872723e7f886205d2aad0d59008ea8b3d4e35886f15ca07bb132db578733b7b4db5e397660a15db566361720a81

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c9f456bf22e814c63827213ac48b24a9

SHA1
043923e021275282a24a9701fcb627cc64512325

SHA256
2dbd8cdce957cd29b4b975d6a064eb36f9a2ff3fa6efa4324719cea5850db07b

SHA512
43824f2df7f83ec5f96fc95f0b621c1b01c16b431f28d459fbc6bb0849f9b8cb14f10b5e4b225c95546144e5b928f573357c9f6ab079620d250053adb037ad49

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
28203e76dd22c00c870749d3d4d2ad9f

SHA1
35bb1285360710c642d831140222e4251875e9c0

SHA256
28b9106f785d08730b5a173bfc91758fc00da5a833ec275dc13b2927468a5456

SHA512
abfc289a7c9416332c10863e350935543a8e18398dd53cb5ad383eaae1ec05ad2e794249454a2fd5ea82243c9e6f1692354151217805b2f6f293f804295b474f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
1a9ba1a1019969fe33a4cce8c48dba8d

SHA1
52f54b4b665e8b30d190a327c549cd7c4eb895c8

SHA256
eb4cdffc3b7a33eb59905716daa42785151f55d788d4774caf27be191e779247

SHA512
fc77b0107128b7e91e71a189681c84586444024cbf2489052c337d3750857ff6545c450dc49264a6dd57a29d811efed122267670431f9b91136e5106291d1a59

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
13460f091d5fa1577bfc982ebf65e6cf

SHA1
ef298427031d78e3345d45fb0490c6af2ac40c62

SHA256
ac7791e68f35d0ae793e2a30ae5694ad6677b95d6c9d8cae788647bb2a5ce074

SHA512
04e5f15564e0cd1a552bf58d9933e96f014d316f8cca3b1218f9a390a488ffe1f0bb31dc906e449782ea0d1d47e8dd35afdcf059b0dc52932179bb817a90758d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
fcdbad3e01d96683226b16d99f25fdd2

SHA1
20c89aa26a2767a2221d83f2bf7755298b29ea21

SHA256
61a44ea7e0178ab3b7ff5285d40ddba9efbb2078dde17e18868604a5c368d2a7

SHA512
735adc98af345c1b6c001b0d42771916bc5094e369ceaad3a9f6014c7314ecbf1af782b76be71829779c061c0dc032954ffd0d67f902ef7c5d44ee3a04044d65

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
f5acbdda969a70c14e82093bb6076d98

SHA1
2ce6a6baba89db802db0912426d8b27cc995bf5e

SHA256
7dd9a4555a7fc30ea01e9f80932fbe1b5ac02b33229e45693b9b03e3335f92d7

SHA512
ed4c876d0a9a99c0c2ea9e129851df09ba17b849c5ece6ab595536f73b7a236ddc6ee1849743b431fb7b57be8e3dd3fb5b4516e9f75cc673a3b6b93abc3b9d63

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
ccb0949e0c94d8c5c25d041a8338a97f

SHA1
f0b7b83b6a4df0f329eb1460f80bdf313989836d

SHA256
ac0a1942ddfb8d44f78437ccb89aa2b4119b74bd6ab211159c93118a92def7ea

SHA512
7162a80cde7550681d3a38916bcf76aed30fcd286fd3ec559a63aec17776a0ce2a3215f7722c5bcabfe515218d12ccab2dbe4b478144a1f4e1b06c54e582add8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
dc3b421cb83b13705ed5a0880207d1ea

SHA1
62af0ab5e51bab373693509434b353ee00de2670

SHA256
94c741d4d9c16dfc539174eb1b5597c65a1b221fcb8fb77b8dea62cfcedae264

SHA512
952eb8ef3f338e857559aaa1692a8a8f3b21bcd00cea372f4f1a72c4e99f71306d15daa78e86393e010fe9adadf8be16fa6e2a3cf6e36790317051b3d23b6195

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
feefe3ebd4800c3671f3cbb7039cd5b3

SHA1
49944688961e08a6290153b30d6ed01a1892b779

SHA256
a8b9af89060adea036108bd6e438ae2091bad4afe2fb6b8e822f145b3649f94f

SHA512
bc0e12b1f152a5ed103229a60d99336eb1207c9f7092ed2cebbdde33cd8359bd2c59104a793d3423f0fc482fe213f87bf0a2af899447a916834818a3042a6c69

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
c97dd8b341761fce723d024768453d2d

SHA1
0f56076561151d5e8c79e1ff58d88f156eb09021

SHA256
fda0a993ba642da380765c90aefdf4401fe3f87f0bf72f70ca16a668369b197e

SHA512
de3a16a856dc1b458addd94dd9485455afa4b8710a697badd24bcf123a8a551eff6fc9d565f03d829541ccd916a814aa778b065484de6205d617e48d9eb7d4d5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
81fb966944fb5d6d74bbdf8e45cebfab

SHA1
dd78aec6c87c2567446d77432f7b61674ddd3c8d

SHA256
45892be8217404d48b47a1c99f17bf4efa488031e6a740348eba9be25d679da9

SHA512
56102f4ae40fa9a5220a948c9d58438f44604e56c1531b7002db9a4b1c6b0ca3b8f6e726285f9cc2dd2a79a020d295282c155e02ff2dfabb08243fb76930487f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
33a0474fc98031b31aefceb1370f5b45

SHA1
6f64b42084fd6caa5a8600d7a7b3d38257410358

SHA256
49c88370ce0a39e7d2925062528a3b52df6f038c4dd9c9f16d7d87291cc491ff

SHA512
044ad647c0e43309732c43e4b4fc6afc6357eb3cfd8a1e8fcaa21b7f9b06a282d8155228301ee8ed3b61e982e288b6bbdf9416f51e222cb369d70f840f6ceef9

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
1358872f913dd2c04c1a8de6ab251b4d

SHA1
dfc745e4f1e0cc4da08139291ba315b8156097da

SHA256
7e894b05036ac34cf9e05c1c60f761d7f732722acc64942231a0cf37878da79a

SHA512
53d6c89fc5f9ebd2e8cd29f8745cd69fa5c105cee45ade9d997b0196ea920ac766ea0627db94b665510b8ec13a15c9b0ee4ded483cf1b46cb50b77689f49f256

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
fb508a4e6be5bcb3a8af74fcbde8f400

SHA1
3c0119adef9dd5c3a21bceaf407ddcc8356ea467

SHA256
6eb6f80ecd6f0867df9ada34365a04b697f473dbe925e072a803c738dc5ebf0c

SHA512
7517386f158c9aa218a29706a0ead67cd23b09ddb68f7029ee2eccd338bf20890afc2a9e012ff5d6f9c46f9d5a6a869b546319426e12ab3c5ede8f5abb696b53

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
13cab55c855e5fae163e768e25d68866

SHA1
2187cb8e7b69897d6853e4b687ba9a5894233fbd

SHA256
2bf9c66cee0209352ad105ba12d3e917b31811c9e18124f7e67922189d31e31a

SHA512
fa63af4917cb7d754fe405b3cdd212d256d6773fa44fdb5c2de06ca5a76a2a4e43408d73b82d7e81cf96ceeac10c8b5086e1b4be2a7e35bcd0f9f3dea0e3c36c

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8f041c887aebbd17cda634f7d46aaef2

SHA1
c15ee0d121bac695918fde88be66593f6910041a

SHA256
05efbfbd355510ae288cdb570c618d9b8775a6978bdb1121a6fb65464a154bc2

SHA512
77c8d683e76df17ce7072056f8a072980bd3f25c5e840ccbde238a8ded3a7fddabe8c26048dd6b5d3d1f17eaae3444d1ba61c9a7e75e3357148be81403e7a131

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
3a6b105785e5fa6e1d36dbecb41cb43b

SHA1
c1ad3a09389dc3715743dfce63d5d587fd177dc0

SHA256
a5f0da6a87a9707e183febf419c0db0e6c936e7103bc0c60733e7ca9b0bbc262

SHA512
154520f3adf8caf7faeaa9abc92e1b890fdf43b811160f9d70024592de80012d3316322d20ea279922b26695901237cb16b83d7e53821dd75fa5d9b76d865160

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
de997589f92e0b95ef15f09dd323f388

SHA1
c682b6a5dd82f45438ca971c918a9b7e24ec581e

SHA256
d00ffd4e7058a6a969e96b941aa662de0c8e9b40fb0721002bfbab413efe2ba8

SHA512
0cdb6ad77462c6b5072b8a50c6617406bf622432f4c5e5bf45d5a6a14e51e9b178c462da95d43e92809dc771965e797fda1e5df470677e0d834a0b7835abd63d

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
e3837a38995701ebcda6d23e765d792b

SHA1
5227364dbab27d375b1adad2b3c037c5df855247

SHA256
31139e3b1f98558be48ed695db412387b81fefcc3ac5a0ee2f26152e79605ac6

SHA512
035812a616a9270e75c2b5e3c41024914292945a4dcdccb858840016a858d1e24be7bfd205f7d130036b1035fe7c31b2b24bc2f834ec87e0029ca5790db4bb5e

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
94552f6c32148171d26550d1b208427d

SHA1
ba4897be7737b3717154578afcaaecd7ba9b09bb

SHA256
523cfbbc2e61f86f341be5bed6627a531d9c3cda2932309b44a7df37b214c339

SHA512
6e661dbbb6c28460f73338cd62a2909ebbe0030a778ec206c290cf8dfb8b5557b0a700814cc17d2d26987ab9b71ed79640b9fe87543e80603af23ffadf33876d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fccf0d154107d166721bc50818ac11e2

SHA1
86c0c237497cbb3dc402d81264cf81dcc4919d79

SHA256
75467958f0460b04919d4e01a21a5b41b2f7edb942f713de37f4a00e456e4f51

SHA512
ef361372bdb679466eb6f6e828d6e171b70b96e973dce9b32a05830bed8e4eaf1634964a0dca81f5b0481ca1f1dcb0f957de73e97a94248ddcde1a581bde2ae7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
71a28619a302317a8556b815419bfe7b

SHA1
bb0df0bc041adc400f6c1a5d189e9e51c6a9e646

SHA256
bc9be913a50e8908374159ffe8d9c3f5845748a0d070e73ae64692308bd92063

SHA512
9a97b64c3765c83edb468e4a90bd0eeecdaf896ffb2a3f1c9f93b4dbc63df148bd07f955cc79db27f39dd155b2d35740c1906f7930b6f410b96ad3b88d9d3b21

Download Submit
memory/332-150-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/332-142-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/332-220-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/340-149-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/340-71-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/340-77-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/340-72-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/988-188-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/988-238-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/988-229-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/988-171-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/988-167-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/988-164-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/988-241-0x000007FEF49D0000-0x000007FEF536D000-memory.dmp

Filesize
9.6MB

Download
memory/988-262-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/1052-267-0x00000000744D8000-0x00000000744ED000-memory.dmp

Filesize
84KB

Download
memory/1052-264-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1052-263-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1052-254-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1552-248-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1552-179-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1552-177-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1620-110-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1620-185-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1620-217-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1620-113-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1620-137-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1620-119-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1676-299-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1736-187-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1736-193-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1736-213-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1736-212-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1864-101-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1864-96-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1864-93-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1864-173-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2020-277-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2020-283-0x0000000000330000-0x00000000003E2000-memory.dmp

Filesize
712KB

Download
memory/2020-231-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2020-218-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2180-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2180-14-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2180-21-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2180-95-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2220-7-0x0000000001CE0000-0x0000000001D47000-memory.dmp

Filesize
412KB

Download
memory/2220-70-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2220-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2220-1-0x0000000001CE0000-0x0000000001D47000-memory.dmp

Filesize
412KB

Download
memory/2244-209-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2244-200-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2244-266-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2284-250-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2284-251-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/2284-296-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2496-91-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2496-52-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2496-53-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2496-59-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2496-292-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2496-285-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2600-44-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2600-39-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2600-89-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2600-38-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2660-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2660-28-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2660-111-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2660-34-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2676-278-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2676-270-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2904-161-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2904-235-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2904-168-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/3000-198-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3000-133-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3000-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download