9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
Size

1.4MB
MD5

1b5ef1a77d711af341cda60e9a2ccd3a
SHA1

20bec02ed9ec1d3155189ba51d985cc448de1d62
SHA256

9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55
SHA512

9c50cd114105cf85e6c7e18efcee41e5adaf09ce076f60e7d7e233fd2425ef07326b9e021fcb2b7ebb034e4294b7edcee6fabfd9106d0e371bc145ee796acaa3
SSDEEP

12288:/2iEExbs8rHos3KcZt+8x/T5zpBzqUV6jWOev+C3oaxj9y97HQKjs:OOtTTos3TZBRXzqCO+t3oagF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
468	Process not Found
2668	alg.exe
2764	aspnet_state.exe
2616	mscorsvw.exe
2484	mscorsvw.exe
1264	mscorsvw.exe
2820	mscorsvw.exe
2012	ehRecvr.exe
1052	ehsched.exe
1704	mscorsvw.exe
2780	mscorsvw.exe
2384	mscorsvw.exe
1048	mscorsvw.exe
1980	mscorsvw.exe
1968	mscorsvw.exe
528	dllhost.exe
2340	elevation_service.exe
2708	IEEtwCollector.exe
1996	GROOVE.EXE
2732	maintenanceservice.exe
1732	msdtc.exe
944	msiexec.exe
1692	OSE.EXE
1560	OSPPSVC.EXE
908	perfhost.exe
1848	mscorsvw.exe
2296	locator.exe
2112	snmptrap.exe
2860	vds.exe
2528	vssvc.exe
936	wbengine.exe
1428	WmiApSrv.exe
2848	wmpnetwk.exe
2072	SearchIndexer.exe
2000	mscorsvw.exe
2140	mscorsvw.exe
836	mscorsvw.exe
2592	mscorsvw.exe
2568	mscorsvw.exe
1504	mscorsvw.exe
1760	mscorsvw.exe
1424	mscorsvw.exe
1488	mscorsvw.exe
3056	mscorsvw.exe
1104	mscorsvw.exe
2236	mscorsvw.exe
2344	mscorsvw.exe
2108	mscorsvw.exe
804	mscorsvw.exe
2496	mscorsvw.exe
2884	mscorsvw.exe
2420	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
944	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8cc78722ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DAA49BC8-B4CA-4E69-8F46-6DDB1F8E8197}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DAA49BC8-B4CA-4E69-8F46-6DDB1F8E8197}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{41D9D081-6C51-4AD9-A3F5-6C25595D03BD}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040b53dd68693da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2764	aspnet_state.exe
2764	aspnet_state.exe
2764	aspnet_state.exe
2764	aspnet_state.exe
2764	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2656	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
Token: SeShutdownPrivilege	1264	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1264	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1264	mscorsvw.exe
Token: SeShutdownPrivilege	1264	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2764	aspnet_state.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeSecurityPrivilege	944	msiexec.exe
Token: SeBackupPrivilege	2528	vssvc.exe
Token: SeRestorePrivilege	2528	vssvc.exe
Token: SeAuditPrivilege	2528	vssvc.exe
Token: SeBackupPrivilege	936	wbengine.exe
Token: SeRestorePrivilege	936	wbengine.exe
Token: SeSecurityPrivilege	936	wbengine.exe
Token: SeManageVolumePrivilege	2072	SearchIndexer.exe
Token: 33	2072	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2072	SearchIndexer.exe
Token: 33	2848	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2848	wmpnetwk.exe
Token: SeDebugPrivilege	2764	aspnet_state.exe
Token: SeShutdownPrivilege	1264	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeDebugPrivilege	1264	mscorsvw.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe
1772	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1704	1264	mscorsvw.exe	36
PID 1264 wrote to memory of 1704	1264	mscorsvw.exe	36
PID 1264 wrote to memory of 1704	1264	mscorsvw.exe	36
PID 1264 wrote to memory of 1704	1264	mscorsvw.exe	36
PID 1264 wrote to memory of 2780	1264	mscorsvw.exe	37
PID 1264 wrote to memory of 2780	1264	mscorsvw.exe	37
PID 1264 wrote to memory of 2780	1264	mscorsvw.exe	37
PID 1264 wrote to memory of 2780	1264	mscorsvw.exe	37
PID 1264 wrote to memory of 2384	1264	mscorsvw.exe	38
PID 1264 wrote to memory of 2384	1264	mscorsvw.exe	38
PID 1264 wrote to memory of 2384	1264	mscorsvw.exe	38
PID 1264 wrote to memory of 2384	1264	mscorsvw.exe	38
PID 1264 wrote to memory of 1048	1264	mscorsvw.exe	39
PID 1264 wrote to memory of 1048	1264	mscorsvw.exe	39
PID 1264 wrote to memory of 1048	1264	mscorsvw.exe	39
PID 1264 wrote to memory of 1048	1264	mscorsvw.exe	39
PID 1264 wrote to memory of 1980	1264	mscorsvw.exe	40
PID 1264 wrote to memory of 1980	1264	mscorsvw.exe	40
PID 1264 wrote to memory of 1980	1264	mscorsvw.exe	40
PID 1264 wrote to memory of 1980	1264	mscorsvw.exe	40
PID 1264 wrote to memory of 1968	1264	mscorsvw.exe	41
PID 1264 wrote to memory of 1968	1264	mscorsvw.exe	41
PID 1264 wrote to memory of 1968	1264	mscorsvw.exe	41
PID 1264 wrote to memory of 1968	1264	mscorsvw.exe	41
PID 1264 wrote to memory of 1848	1264	mscorsvw.exe	54
PID 1264 wrote to memory of 1848	1264	mscorsvw.exe	54
PID 1264 wrote to memory of 1848	1264	mscorsvw.exe	54
PID 1264 wrote to memory of 1848	1264	mscorsvw.exe	54
PID 1264 wrote to memory of 2000	1264	mscorsvw.exe	63
PID 1264 wrote to memory of 2000	1264	mscorsvw.exe	63
PID 1264 wrote to memory of 2000	1264	mscorsvw.exe	63
PID 1264 wrote to memory of 2000	1264	mscorsvw.exe	63
PID 2072 wrote to memory of 2548	2072	SearchIndexer.exe	64
PID 2072 wrote to memory of 2548	2072	SearchIndexer.exe	64
PID 2072 wrote to memory of 2548	2072	SearchIndexer.exe	64
PID 1264 wrote to memory of 2140	1264	mscorsvw.exe	65
PID 1264 wrote to memory of 2140	1264	mscorsvw.exe	65
PID 1264 wrote to memory of 2140	1264	mscorsvw.exe	65
PID 1264 wrote to memory of 2140	1264	mscorsvw.exe	65
PID 2072 wrote to memory of 440	2072	SearchIndexer.exe	66
PID 2072 wrote to memory of 440	2072	SearchIndexer.exe	66
PID 2072 wrote to memory of 440	2072	SearchIndexer.exe	66
PID 1264 wrote to memory of 836	1264	mscorsvw.exe	67
PID 1264 wrote to memory of 836	1264	mscorsvw.exe	67
PID 1264 wrote to memory of 836	1264	mscorsvw.exe	67
PID 1264 wrote to memory of 836	1264	mscorsvw.exe	67
PID 1264 wrote to memory of 2592	1264	mscorsvw.exe	68
PID 1264 wrote to memory of 2592	1264	mscorsvw.exe	68
PID 1264 wrote to memory of 2592	1264	mscorsvw.exe	68
PID 1264 wrote to memory of 2592	1264	mscorsvw.exe	68
PID 1264 wrote to memory of 2568	1264	mscorsvw.exe	69
PID 1264 wrote to memory of 2568	1264	mscorsvw.exe	69
PID 1264 wrote to memory of 2568	1264	mscorsvw.exe	69
PID 1264 wrote to memory of 2568	1264	mscorsvw.exe	69
PID 1264 wrote to memory of 1504	1264	mscorsvw.exe	70
PID 1264 wrote to memory of 1504	1264	mscorsvw.exe	70
PID 1264 wrote to memory of 1504	1264	mscorsvw.exe	70
PID 1264 wrote to memory of 1504	1264	mscorsvw.exe	70
PID 1264 wrote to memory of 1760	1264	mscorsvw.exe	71
PID 1264 wrote to memory of 1760	1264	mscorsvw.exe	71
PID 1264 wrote to memory of 1760	1264	mscorsvw.exe	71
PID 1264 wrote to memory of 1760	1264	mscorsvw.exe	71
PID 1264 wrote to memory of 1424	1264	mscorsvw.exe	72
PID 1264 wrote to memory of 1424	1264	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
"C:\Users\Admin\AppData\Local\Temp\9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 254 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 254 -NGENProcess 238 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 234 -NGENProcess 1f0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 280 -NGENProcess 1ac -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 234 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 184 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d4 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 234 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 2a0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 298 -NGENProcess 2a4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 24c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 24c -NGENProcess 1d4 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 24c -NGENProcess 11c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 29c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 1d8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 194 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 22c -NGENProcess 214 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2012

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2708

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1692

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
4595ad7b6b1ccd43891ac89b25d85811

SHA1
3a3940df952a1b6b36cdbe97b95cfc128f84513a

SHA256
e614771d2b61a506909f1eadce6255a400b7b36eea413fdf2f839f8f7dd42a9a

SHA512
c341204a2e05d0a1adb7eb2a75c3271f6603b7b3e019e16b4395399694aa69620a5a93d985c5c311a050534454d18c54f376569179cafac2a71d0789f6608f5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
cb0362d2d1dd9c738add00262d165965

SHA1
9b35b089584b8d68ecbd6334347533f946efce3c

SHA256
d8b7f6852f85085848b192f469a97d40c162c4fde5e1ae5b852058d5e13073d6

SHA512
78b614f81adfe450f1a5c4a7ba81c9ef437a86b47c55b7aa46c69e108d8040080ec63fec0bdb95e97b01038c5d82e8d5a828e4721dc5fad7a276e2bfc5277841

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
1a9612412f0c34be682c7a5214f2d8f0

SHA1
0ecfbe85e67df40653b805fe2029cea8af2e3d32

SHA256
702b7d4d0042c973f11d9477f94c6f302e1c8ea00720e4dcf4b7831dda32187b

SHA512
ee3944fb8cb2b47dd536aa29e99fdf5413c7e48d626ec959f3a52374460307730abb94c48e028bbd132b183b0680e68efcbdcac0bb06069f8e9fe4d2678148b7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
3213b23faf793fb2d14f4ef8850bad50

SHA1
5fa1f4e9be3941a0103831b7505a1caaedbc854b

SHA256
e834c0e4e9334822b10c278a57564873a45b79687e2afc6e0a3f5619d098cc94

SHA512
d8154e111b7bf7ab8033e565b1e95333b6b4bea8a83501149d23f8da26118ca46da837369a806bf8d9b064c114375a5c5842821dc6a1e1613bcf3a580cefd34e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fb102df9687d01408386fea4f839db27

SHA1
db082f4f8e43a0b5df13579bee3ee3b6193e9c9d

SHA256
0df802f767743bf78904b3da05bfbae9e64943b9539a62ecdb3816d10b57c5b4

SHA512
0754eb1eb187d2c6679f8079b92ee13d40aadf6698d82593d4a65cc066d6605fc2c5da22b07e2a113317656cbcfc8c9c108f4a1fa9314e320e6f1d99840075f6

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
5766284dc035d891a4d7e7f7248f9ace

SHA1
6daa60463dc7b657c1c544b7f50be4c9dff3bc89

SHA256
cca41bbc86e69de779e74911f75a1adcd4d489edbf1e2df9487316f6e2acb0c5

SHA512
29469baa01c798bbd49c6a060caf720d6fd53e1b5733612f8cdf5fd098fd611d055441f090381841fd69946a824a4636da76fdec25885e05bd2207c6c45e2d85

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
587d5712b8ecb4dbf7c742887f1a1c4b

SHA1
de9d7597d5c6e54c97594a4615c550faa94d7011

SHA256
cc279c70fd986fea1d3ea4e991562fd6750b55bfb7aeccc0fda0604b0fbcbffd

SHA512
ce2e9f7ec850a19c0c9f1a18c4cbbd78753c327df50e9e5553e24f5b77a6868d80ed86935f34eaa1e287e94798d6bc3cdf4a36c0578820494affae4e598da70d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
cd86912c0ad581b83288201233b4c0c8

SHA1
ac678a5c1af6553e36678b1274fe8184de46bb78

SHA256
315d16da57473580d047144bf265625141dd376188f523e71971821ef86ca0f0

SHA512
461be40c7219c73b94d79b1a9ca6cdafc494696fff4293e72611f4b834fe8308da83284de18c2cbae04fe163c606ec887f943b9a009e4d2c5cbe105697ed1b28

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
04f52cbfb3cf83bb5222feea30f8fd50

SHA1
717bffa2a8452e0f77e39b1218117a0daf7319c5

SHA256
e8b3b6275da093fc3d4e2b3762cf607221f5ffee69e5a405c43b06412c36d672

SHA512
aee40a8934ff2f4d64d3c1a12fed1babe3e5ad59302e52408034897ef2de4bb361bb9aa0c8878584ed017f4fc9ab69b08d71621b3ad71ca8437a2d6288aa6233

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4e1adf66313e5365983abb3178e9988a

SHA1
0605bbd91c181877326b9d1e156ced33f458ee2e

SHA256
f0d5d8d1e4f76af6994ad5ca767761bd52f81887db35790204680721b9b21be7

SHA512
24ea5d3e0f3719f07221e6703e74aa1e396f9bcadc3dcb1d49dae8cc31ca5dc8c1759dcb094e98831df6a22484608674e473c8de31e0a7aa4785fe7904c69fed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
4ad9f0c1ca05a74b150e2d57c9da9daf

SHA1
09af5480351240501cceb030a148013a61fcddd5

SHA256
b76878596fbb81f02858ac067b0f28843987fb7f273c0d2361dbc7cebd160941

SHA512
0140727c35da3ce994c7b343d2d72a39242279469edbf33477449ba87299769e2a2d8ba556fc4905bf185a8cd538ae8133dfcf54e8db75297ff29f5be74d49db

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
18884b6c226777db9a2de9462fa391bb

SHA1
a91f301df269d727df2cd920ca7aac77e6702f24

SHA256
0d34613071037a89c308556e4f184377622f4f8db8b7984aa0895fbf84979f70

SHA512
8c03aafbd6b33b075706c9703e8096542d9c84218432b37c6103c834ebc38cec1b6356b46846cf5234e36971d7c2bc76fd9eb012f1096045b5b94076deddc019

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d0305e082b96909d86819362e1efab6f

SHA1
8e7c8378300b5165cca466d81d2eb171f5d4be0b

SHA256
ccf378aeab66606d17d63613e7cb2a6b402ef4ba76de7398a2545eb14b11cf42

SHA512
274e3f20f109996f1fd91f9a52a8e73dfbdd2cddbc028cc631ff09a48a3dce9d93a8393a065764df1b01e35373c5394025d598c17c7cd895d2e0b9ca4a5e008e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
4db1f4465cf800ebdc1c49923011d0c0

SHA1
e89ca4432023d2c08689f9ce7ba79227860abc7a

SHA256
f7bf1478a6a7e13548e124c14d55f33eb01e646849e21e77c9d10fd72304b30d

SHA512
733ac5b4c091939ec29a5fd88ecf44db5ec6a1932b3d2b07b067b9e3fbae70f646637569276c1b68026dc593984f355040d849dc5a33e17c022a1c939541aa17

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
35f90810553cb57f9b1ce3bd0d723a23

SHA1
af3411adcd2b19192c3f1cdb7d05226906002403

SHA256
db46894f7e84707e2a35dcf338e01effb4dfe27fbc7a7d3a88390532202664df

SHA512
08e5944465d8478f8c8074c030af0ab9c93d157b28e0f6304cd0f9fbb20a882bfad60b4712ff91a4c85eaa6f2ec6c2c6c49235db40877616e9fc78549df1e049

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f27ff3e66f02f0b03e14b36bbaeef5c3

SHA1
8c0dd9ff747ff82f454c66c6150d3e93cd0d7632

SHA256
13e1273d02da53b62ce8af8d6dd9392a41e4ed8c46cb24f3a973e3b31dc617a2

SHA512
954811e187d3503a58fc283a668488bbd877e5a05a257cde467654f555f0944c9e1972d42f87dca38f5b817829fa3931e4ba581a797f5cda2b44f70f1864268e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
f94b5e8544b5d9f50ddcb221a69608e2

SHA1
446cbd8627d2878086df41908d56aa9a76987697

SHA256
9d539286369ea621adb4f284ed2e195677e0456a617f8a416eff490ddd22d06e

SHA512
3c31832a10ebb6a20797530ad3c0503b359c5da2cbb13ea7060f5e96829992ce1078d5a5e7873ca66086c0c6bf424d6ad6745ec823c02abb83f8534ab9220941

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
836d5d1c3b0d474bb253b2cff6081aa5

SHA1
14e550525996cb7d617424e1f2aecf9ecbaa187e

SHA256
5ce779c0486750899a067bf7551d1b6808c854771a1ef65406d07257425e04f2

SHA512
ec1374070246c4ba8293f3ad0c6b178b84d628356d021eb2731a0efff02566f62ee94515748e646ebbd908355f8d3761d1f7282a59fe6e9807a50a7d51c78646

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
3560418defb863c75f2bad822837754f

SHA1
36e2906a1be754406425e9f248ec519acf6db449

SHA256
7f24227fe944791e1dd121ec37328d33c0793103b0f2abb27b4f8896a1d9fac1

SHA512
c2ccfa5c5f54edc10ad6e1659812361da731f2bc6e49e6061fa0870d6c6eac47674b77cbc87bf464f05a09be118b600ab0eaaf981a4553e194d3351e9c214cc4

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
701bde7da72b881f6d9572da021c3986

SHA1
8c5f25eedab051f207ca77ea8c2f442c64e6ba83

SHA256
a3ad726cf15a617364ccb3541af372c42a83f5c7e7f5ce8879c02613a628eacf

SHA512
f1e0f1cc7fb060e51059ceeed4e26f34e9ae807d925c9f70b87cce5791bc06150bcbba2ce8b554dfdd15e6964071a7f242a284b85fc4724fdc668ee6f3849bb7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
85476c282326cfae2b7b322f5b48abd8

SHA1
f2dfd396c20f3d9690ce767cc71fdc58c9d46448

SHA256
b66cc14a16afa1f07876dd973e6849d42f2fb9667a1ebfaca877726276a84ccd

SHA512
a2ae34ddc7d928cc03957671fc6ac2a97e17f33a354d0b6bc3779282b7f6b7137b093ecba741ce17bb82f962a300889d18b41a427ac5bc2c390cbb7c53b10d6d

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
dba4c7646739569e602ce8de96cb988a

SHA1
60f1be6983db8f5497903b154814c9a3fa45dcf1

SHA256
17eb223dda163bec1765e59499d041c0bbdfc4c80ec1c799b00fb06f7ade61e3

SHA512
57545a5295dd7a04b741742d6a2d84b5154935f96159e00ad249acf220ed9224e8d2d8df2997ce32ed2f6c57dba4deb681a22a77d7a6487f936e9a6fd268c1d5

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
5890724065b96a144c075a1bb8455492

SHA1
890b8fac7efc7492bbf9d88679c6a5e47754e786

SHA256
c78c33ad62db97a35646feb910036f5ba902592c09c74e3bf22552686d884177

SHA512
60ec420885f18b0f8686c0f459e5e43050ced142cc89b2fc743fa2d716dea47aacaf1b6e7345b88a51d086c2a9667609957e233f604046cee158c4ddc08c18f6

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
e8dbdc9ebd466c4344f3581fcb194e9f

SHA1
0f19b75631d8afdc937baba8ac41cba548a19915

SHA256
fe0af34a0fb581729ae5f2936fec8398b841c9682cbeef4973816620bf58ecaa

SHA512
dc838f34197ca4d8352d69851c0bb288ad36b58a2e39d55b035a2e2a24e23f8643786db9eac6e775a34eb5db4884e2afd666b57ecd45fe1e4b80e2007bb136f3

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
f54a7d00a8d96a163d72ada068bd48f8

SHA1
57bac344635b88d1919fa16fe79334b67774244c

SHA256
c1cac1bcb80a2e2e297b415c9b56d2746fa0e2935ba8a8aa3483f4a83de3462f

SHA512
8c6cd70987194237d90a939071cbe979c431ab739cf3a1f666f0b4fc847dbd190c090fb27f69c915f443e34731ebf42ea0defa7214210b6d8bcf945b7cd5d477

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
ee67c0a8a0ea2695b713a5a8c2542771

SHA1
0d8b0e48b653a19d2db341d7425b3042c25b27c6

SHA256
e73a172200cab215128315b09c4f09cba35ce23345c69a1a5c76383e1fc99d36

SHA512
96d594231e2dca917fc05edb028db3e517b35947bb7b83150ea43922d4c91d5d7144d54f84aee2bb3298e93d712863fdd1ee48bf10c67f48ab8f5c74cc18a4c8

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
bb56b78214334e39cc154d94bb6fc37e

SHA1
b103f27def34ec7e47ddf48116c4fcd1653c0720

SHA256
386b3ed7ca18c5b72167de9c66d8fbccd0478303fa92871ec5983d8bf4f97bad

SHA512
f5a6d798e1a50f4689d9508ccb7633f2f3d0183e8bb23c98884b5034d8cd03dfe9c3b265a0bf25ec3c77ffaa2f511ae4555a84c5a3cf4b85f747d246d67b8eb2

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d058eac7ee8e6bd381e4d32ba1366372

SHA1
339704fd8ded7f127c79d2d7f96763ecea10447e

SHA256
7177d6d04c275b1b8c0e89161be5fddd7411761013fc303b8615726920f1a779

SHA512
a2b6e197d30398e33a4e9687dbb6443668394c5db2571b40a840d20c83c02f08cb2bb5078798c70d059a122e014a4b8df7db6a6eee0e8d734b053eb651bd79c4

Download Submit
memory/528-231-0x0000000100000000-0x0000000100234000-memory.dmp

Filesize
2.2MB

Download
memory/528-237-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/1048-181-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1048-207-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1048-206-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1048-193-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1048-187-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/1052-127-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1052-171-0x0000000140000000-0x0000000140251000-memory.dmp

Filesize
2.3MB

Download
memory/1052-119-0x0000000140000000-0x0000000140251000-memory.dmp

Filesize
2.3MB

Download
memory/1052-118-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1264-67-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1264-72-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1264-136-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1264-66-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1704-161-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1704-138-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1704-143-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/1704-146-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1704-160-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1732-283-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1968-212-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1968-259-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-241-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1968-235-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1968-221-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-218-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1980-202-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/1980-208-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-222-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1980-228-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-197-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1996-266-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/1996-263-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2012-114-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2012-110-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2012-157-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2012-102-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2012-115-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2012-105-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2012-112-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2340-244-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2340-250-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2384-192-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2384-165-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2384-172-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2384-178-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-191-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2484-53-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2484-83-0x0000000010000000-0x0000000010246000-memory.dmp

Filesize
2.3MB

Download
memory/2484-52-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2484-45-0x0000000010000000-0x0000000010246000-memory.dmp

Filesize
2.3MB

Download
memory/2484-46-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2616-29-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2616-35-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2616-30-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2616-64-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2656-7-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2656-6-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2656-74-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2656-1-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2656-131-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2656-0-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2668-13-0x0000000100000000-0x0000000100243000-memory.dmp

Filesize
2.3MB

Download
memory/2668-93-0x0000000100000000-0x0000000100243000-memory.dmp

Filesize
2.3MB

Download
memory/2708-255-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/2732-273-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2732-278-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/2764-17-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2764-18-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2764-24-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2764-103-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2780-176-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-177-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2780-162-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-159-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2780-151-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2820-92-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2820-85-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2820-86-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/2820-145-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download