ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc

Analysis

max time kernel
128s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
Size

1.8MB
MD5

1efec3d439b01b7d3c0350e5a33b700f
SHA1

70f978e5e24bfa05327aa9355aa70f81aa337671
SHA256

ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc
SHA512

76cad2beaf03659fa0e56dc42615b10496710a09bfb09aa96a92f696a666b3f3fb0ffa482e5931f2ed26c0f7235f45fac31db6a39b66bec23d12ce1727987556
SSDEEP

49152:Zx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAjf9Ckt7c20+9qNxUW:ZvbjVkjjCAzJsfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
484	Process not Found
3060	alg.exe
1712	aspnet_state.exe
1600	mscorsvw.exe
2368	mscorsvw.exe
2376	mscorsvw.exe
1340	mscorsvw.exe
2756	ehRecvr.exe
672	ehsched.exe
1564	elevation_service.exe
1036	IEEtwCollector.exe
2996	GROOVE.EXE
2792	maintenanceservice.exe
2612	msdtc.exe
2448	msiexec.exe
1704	OSE.EXE
340	OSPPSVC.EXE
2388	perfhost.exe
1664	locator.exe
2100	snmptrap.exe
2312	vds.exe
2684	vssvc.exe
2848	wbengine.exe
2528	WmiApSrv.exe
792	dllhost.exe
1504	mscorsvw.exe
2608	mscorsvw.exe
2476	mscorsvw.exe
1660	mscorsvw.exe
2092	mscorsvw.exe
2228	mscorsvw.exe
2068	mscorsvw.exe
2080	mscorsvw.exe
2828	mscorsvw.exe
860	mscorsvw.exe
2896	mscorsvw.exe
1624	mscorsvw.exe
2696	mscorsvw.exe
2808	mscorsvw.exe
1668	mscorsvw.exe
2284	mscorsvw.exe
1620	mscorsvw.exe
2236	mscorsvw.exe
2132	mscorsvw.exe
928	mscorsvw.exe
1884	mscorsvw.exe
2004	mscorsvw.exe
2900	mscorsvw.exe
324	mscorsvw.exe
2008	mscorsvw.exe
2268	mscorsvw.exe
2860	mscorsvw.exe
2480	mscorsvw.exe
1436	mscorsvw.exe
2928	mscorsvw.exe
2752	mscorsvw.exe
1356	mscorsvw.exe
2504	mscorsvw.exe
2120	mscorsvw.exe
2172	mscorsvw.exe
2756	mscorsvw.exe
2608	mscorsvw.exe
308	mscorsvw.exe
2620	mscorsvw.exe

Loads dropped DLL 29 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
2448	msiexec.exe
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
2928	mscorsvw.exe
2928	mscorsvw.exe
1356	mscorsvw.exe
1356	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
308	mscorsvw.exe
308	mscorsvw.exe
900	mscorsvw.exe
900	mscorsvw.exe
1496	mscorsvw.exe
1496	mscorsvw.exe
1036	mscorsvw.exe
1036	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\locator.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\System32\vds.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\75b80740bfe435d8.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_et.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_pt-BR.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_zh-TW.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_ja.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_vi.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_sk.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_am.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_hi.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_en.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\GoogleUpdate.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File created	C:\Program Files (x86)\Google\Temp\GUMF7B.tmp\goopdateres_fil.dll	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBC0F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD2BA.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAD30.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC33F.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB413.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD910.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDF28.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1796	ehRec.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1268	ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	2376	mscorsvw.exe
Token: 33	2964	EhTray.exe
Token: SeIncBasePriorityPrivilege	2964	EhTray.exe
Token: SeDebugPrivilege	1796	ehRec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: 33	2964	EhTray.exe
Token: SeIncBasePriorityPrivilege	2964	EhTray.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	2376	mscorsvw.exe
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe
Token: SeBackupPrivilege	2848	wbengine.exe
Token: SeRestorePrivilege	2848	wbengine.exe
Token: SeSecurityPrivilege	2848	wbengine.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	2376	mscorsvw.exe
Token: SeShutdownPrivilege	2376	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeDebugPrivilege	3060	alg.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	2376	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeDebugPrivilege	2376	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2964	EhTray.exe
2964	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2964	EhTray.exe
2964	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1504	1340	mscorsvw.exe	55
PID 1340 wrote to memory of 1504	1340	mscorsvw.exe	55
PID 1340 wrote to memory of 1504	1340	mscorsvw.exe	55
PID 1340 wrote to memory of 2608	1340	mscorsvw.exe	56
PID 1340 wrote to memory of 2608	1340	mscorsvw.exe	56
PID 1340 wrote to memory of 2608	1340	mscorsvw.exe	56
PID 2376 wrote to memory of 2476	2376	mscorsvw.exe	57
PID 2376 wrote to memory of 2476	2376	mscorsvw.exe	57
PID 2376 wrote to memory of 2476	2376	mscorsvw.exe	57
PID 2376 wrote to memory of 2476	2376	mscorsvw.exe	57
PID 2376 wrote to memory of 1660	2376	mscorsvw.exe	58
PID 2376 wrote to memory of 1660	2376	mscorsvw.exe	58
PID 2376 wrote to memory of 1660	2376	mscorsvw.exe	58
PID 2376 wrote to memory of 1660	2376	mscorsvw.exe	58
PID 2376 wrote to memory of 2092	2376	mscorsvw.exe	59
PID 2376 wrote to memory of 2092	2376	mscorsvw.exe	59
PID 2376 wrote to memory of 2092	2376	mscorsvw.exe	59
PID 2376 wrote to memory of 2092	2376	mscorsvw.exe	59
PID 2376 wrote to memory of 2228	2376	mscorsvw.exe	60
PID 2376 wrote to memory of 2228	2376	mscorsvw.exe	60
PID 2376 wrote to memory of 2228	2376	mscorsvw.exe	60
PID 2376 wrote to memory of 2228	2376	mscorsvw.exe	60
PID 2376 wrote to memory of 2068	2376	mscorsvw.exe	61
PID 2376 wrote to memory of 2068	2376	mscorsvw.exe	61
PID 2376 wrote to memory of 2068	2376	mscorsvw.exe	61
PID 2376 wrote to memory of 2068	2376	mscorsvw.exe	61
PID 2376 wrote to memory of 2080	2376	mscorsvw.exe	62
PID 2376 wrote to memory of 2080	2376	mscorsvw.exe	62
PID 2376 wrote to memory of 2080	2376	mscorsvw.exe	62
PID 2376 wrote to memory of 2080	2376	mscorsvw.exe	62
PID 2376 wrote to memory of 2828	2376	mscorsvw.exe	63
PID 2376 wrote to memory of 2828	2376	mscorsvw.exe	63
PID 2376 wrote to memory of 2828	2376	mscorsvw.exe	63
PID 2376 wrote to memory of 2828	2376	mscorsvw.exe	63
PID 2376 wrote to memory of 860	2376	mscorsvw.exe	64
PID 2376 wrote to memory of 860	2376	mscorsvw.exe	64
PID 2376 wrote to memory of 860	2376	mscorsvw.exe	64
PID 2376 wrote to memory of 860	2376	mscorsvw.exe	64
PID 2376 wrote to memory of 2896	2376	mscorsvw.exe	65
PID 2376 wrote to memory of 2896	2376	mscorsvw.exe	65
PID 2376 wrote to memory of 2896	2376	mscorsvw.exe	65
PID 2376 wrote to memory of 2896	2376	mscorsvw.exe	65
PID 2376 wrote to memory of 1624	2376	mscorsvw.exe	66
PID 2376 wrote to memory of 1624	2376	mscorsvw.exe	66
PID 2376 wrote to memory of 1624	2376	mscorsvw.exe	66
PID 2376 wrote to memory of 1624	2376	mscorsvw.exe	66
PID 2376 wrote to memory of 2696	2376	mscorsvw.exe	67
PID 2376 wrote to memory of 2696	2376	mscorsvw.exe	67
PID 2376 wrote to memory of 2696	2376	mscorsvw.exe	67
PID 2376 wrote to memory of 2696	2376	mscorsvw.exe	67
PID 2376 wrote to memory of 2808	2376	mscorsvw.exe	68
PID 2376 wrote to memory of 2808	2376	mscorsvw.exe	68
PID 2376 wrote to memory of 2808	2376	mscorsvw.exe	68
PID 2376 wrote to memory of 2808	2376	mscorsvw.exe	68
PID 2376 wrote to memory of 1668	2376	mscorsvw.exe	69
PID 2376 wrote to memory of 1668	2376	mscorsvw.exe	69
PID 2376 wrote to memory of 1668	2376	mscorsvw.exe	69
PID 2376 wrote to memory of 1668	2376	mscorsvw.exe	69
PID 2376 wrote to memory of 2284	2376	mscorsvw.exe	70
PID 2376 wrote to memory of 2284	2376	mscorsvw.exe	70
PID 2376 wrote to memory of 2284	2376	mscorsvw.exe	70
PID 2376 wrote to memory of 2284	2376	mscorsvw.exe	70
PID 2376 wrote to memory of 1620	2376	mscorsvw.exe	71
PID 2376 wrote to memory of 1620	2376	mscorsvw.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe
"C:\Users\Admin\AppData\Local\Temp\ccaea9ab2abbeadd325fd19db54da6da94c999fa903dadfafcfbf43438c2e5dc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1600

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 238 -NGENProcess 1d0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 238 -NGENProcess 248 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 238 -NGENProcess 264 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 240 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1ec -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 274 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 1ec -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 1ec -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 28c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 1ec -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 294 -NGENProcess 268 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 1ec -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 288 -NGENProcess 270 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 298 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 1ec -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 11c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 28c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 1fc -NGENProcess 1dc -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 200 -NGENProcess 24c -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 260 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 220 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 264 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 220 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 25c -NGENProcess 1d4 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 248 -NGENProcess 284 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1d4 -NGENProcess 28c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 290 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 294 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 298 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 2a0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 29c -Pipe 18c -Comment "NGen Worker Process"
  2⤵
  PID:1760

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2756

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1036

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1704

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
d0354503f22dd0e11ecfb72739c4f42d

SHA1
fe4d89850e6a391a85322104dab1e2dc7bf3b178

SHA256
1991d7f2a0aaaac488be955c84e1e5de816abf3502ce91e6bb53e4d3f2850199

SHA512
207e2cca3104da66a30d99e1a8ad7bfce45a35e7e2eda9ff13ec453d1361e92bccb375e442cb833cb28117bcf54af88d523e957df361090b07560766efe5f727

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d5d7a0f9ec874fcd8989a23af73ff780

SHA1
d63433f77d2454a33d2ad7621e7f4d3a50e59c10

SHA256
a4250b934898a897f927547abe06a8c7881258d4db15456f8e9d1967092a674a

SHA512
b8f20ff789f99a0cf3e581a36b04dc9935e18cd9a537298ce194ce8fc7864d85837b4ec10e117c5dc2323f52ffac17a762ac953ea36858014c7d022c6df013d0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f9c1c90ee09dc0fbde553d32054f8428

SHA1
548b5078f436a7d431f00d0b15b551d343fa364a

SHA256
ff6fd26e42b65ff9b9a1f7661c426398287a3b8dbcad07cba50d5ea06e9d8958

SHA512
d8150f457c947b87bda398a7cc9735b930fd4713f26b9937c7161c0ff015184c0db3c8cdd56a9f5b8d816ef91ad22b71bfb5381d1f09d120356af3e4c5ea3b87

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
99f68194d0176fe548d9edc162b1533b

SHA1
e0457f0b817910ce991ea86b4d49f0508006fb47

SHA256
353d1a3c10b155558e7db372f2f7f2c4ca501557d38775f4ab52b5c4e98e5d0e

SHA512
43fe3fa835f7c20cde24e5fb5d48f121a8c24a793e80275df3f201b4f3275223adea6013d96a8501823abff15f79041efabd9f6658989d496da1d0d7d2927c37

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0a0c34f678ccbf93f121d468d3d7d962

SHA1
2c3e27e76751170aaca74af46659943454108e43

SHA256
45dfb0e0c524069383edd29601ab99cb26f0d71b04d3a0520d9b2cfa1f40227e

SHA512
863b265acec265bb2d863b9d45bf334a415143540bc53f13ede3f0e0d54f9ee7da5c444df0bb013c2adddf4048f8fdca22f7a571d141603c1d84bf2c1b2aafa1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
0f86dbfb3540750ab763f4e6380d7347

SHA1
dd93eb954a763bcb72d8b6fd013e01321e14765a

SHA256
05f1710e8c73a111123d29af6092a2110fbef3b0743becdb918d75e0aeff22ae

SHA512
b6876e471d39decd31fdff19fd62ebaeeeaac9a065be5f7780bf8489d9ddc42b07515952e8d9b199db7dd06744859af1287b9efc9f08c3164c87d6ccd27b2d0e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
e8d2c6a599bf8d47f433978229992f95

SHA1
b1dfc881e8fa3b87763c24636bceccd217858f96

SHA256
191d60509aa33709b6bc194593999449a9f559ff1e7b33ed42cf4da2e2c2341d

SHA512
89462b325694c3f78b0cf5ce7b93fba03f72e1bb351dccc5d6ac2837049b632c537b631c61e9dd8218746de34c6af12f66a39e70aae443eb2278c42ccc5d22f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c4fb0f15fd244375bee8bc6f626ef3bb

SHA1
60e00f6ffc6653e160734f3291f67862a490dc10

SHA256
e9e8bf76dc87cded8710f3af7b1f03c5164bf87d3835cd86ee59e7f3d3b02ea9

SHA512
771e1d47699b9ba5269719f90b30c090d892d13d9a1f47ca1215882648fb66c0814ce5aaa9a30140106720aaad07baef49de4071abe934a99383736d982f0385

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
4cfdc8b28207b5aeb1f84f0bb12a49a6

SHA1
ad1aad4860c8e8a7313840ea1e1a6c50092d74c8

SHA256
4f7619843e6e3d19caac480ecff7f0987802ce1db421a554dd1b9597aa3a57c7

SHA512
183f98301075075f80381a8cf4ff1767e430452d9d2284390b57db98077433897585d943659fd07f44863ad1b12eccb10f74bc6aab1585d08df48d80e165a063

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
93992aff7a17ec6af2fc9c74b9e22ebf

SHA1
2bf963bf81c4b994bc4eeba4a55b1e3c426b49d6

SHA256
ceacdf680253ddd39ac714fa50540dccf50701fa75b333f322ddcc655d3968a1

SHA512
e0d8cd5845262bf01d01aacf3dbca28e00d29045001ca855bef0d6b0cd3b0930eea5c991e885572cef7fd2a5dc81e52b07930f7c5de49ccc973f05b3611dddc8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
58db3aa056fbe6f6776f349a86d77c4f

SHA1
4ffe66e00ca992452f370afe4c6b6de22bf946b7

SHA256
5f044a1860026783ee1c9c6702429efe2b9dd9bd2542aa354e8d5441cea56c77

SHA512
20e07d0d8cc3949d727cfd78e618448ee72f58160dfa0ae0a809402b590f881b70d0eaef4156cc7cf6478a12507ae8f2a8560382ae3af6e2e5037f6719d9f716

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
ec0d745b8ebaa1b43d36b45c9cabd668

SHA1
8b59065e9f32129ca2858d8d18955b4e595988c5

SHA256
45300fb017e96160147ec2a712c2e67174199618c5e7d3ec903e045641239c34

SHA512
a31ec8deed752f1d87e22863ee91660a088f43c72fa3093e5808d41d7e14932d2ac56630aa83c9577a626df96a181bf8bfb5d329d3e7748a0286b5b358781f75

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
fd4957a8369921a302453d758787e03e

SHA1
6ccfe24bcc78393c75ebe7702d4d13ec5c73739f

SHA256
4755461ae6e19ef5524f3435b7751035d9f0c41000bd59b51d2127950cbde8dc

SHA512
00f0c30546ed9eaef8829386d2ef1b91efe24fecb6a2aed2aa775a1484311ddd2142d1cc6de670578c5e6180ed24b7620c2d9fa0beeb451954a5bc72f34121e5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
1ff78d602428c020c813ec3d33ebc77c

SHA1
ced30ad68e1f18584aca30433fbc1ac7ab7b9dfa

SHA256
4e89dea923850793402034b4475fce08214babe42a0fb09fdb9c149697fb1c0f

SHA512
997582f4fff2f0d30ec79e38d5506acd593bf6d7842c9830bc0c9187fbc57e20993ca838b6053b7a9cfc279c9e54883ff5aa9a61352967f4e5aafd21a119b18b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
1771314bbd3f7f1b34a3d8604187bb78

SHA1
3bfd891ef650d7b912e5bbe984f82a9d17fe0e51

SHA256
63ec356daba6088aca95ee9ca61192d4c4a1ac46d44b87edce16dddd97c887cb

SHA512
f0d7dc9f1162257b64b8c38efc7db20f604a280c286d8bd1137e4c5b84556cbdfc13aa3c800033c13aa577d6387a8b2afcfd9982d60742a574f278174a26f8da

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
7a70e42dc0d97171dafe40c8d5971760

SHA1
cbd89c5f7facc3ad20449a8e8e3e809fadf1c20d

SHA256
7a10f2ffbcc905629deb9373bd108e6ca792bea2b1279707dfb1d59d93fd5734

SHA512
f6ddc58653708f6f33d874374ae1bc5f697cf2edf8d55d5adcd2a387b5f9cf47b02af3345e8e01a0d2c334ebdaa0dfad43a8dcaab8ab556664c5e95300cdfd04

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
bff8e2f1246a36024f8f74a3abdeee0c

SHA1
1569c03250f2d8dad003a837a4c4cf962d19c49e

SHA256
467db6490483f06f19dd720660e2165af285c023b82109bb8fe6ba7c2b68d8c9

SHA512
b589212851165d5fd562b079b3e4a3011d680a910bdadf869481e23c24ad38ce9694564e1af42384cb1ef8a7f18573f04b3016d60fabfa0f06f6ea225ee554c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
cee2abc7309b157f76434d7bf3c26b81

SHA1
8c2adea0ea6eb0e041bc9ebe22926cec8591da63

SHA256
fec7255fd73c7182e8ba9c2cc7d376f57ea55e9071d9b22ee6881089236b309d

SHA512
1c3ae150aa7b46d95255daf30b1468dab85ad92c8fa9455dcabbd902202fb2957e489f4016278f357d02f0d03173f8392dbc725abfb16ecbb5e0ac520f257eb3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
8778cc5334d7b12fb5d06943e238f37d

SHA1
9b0a76038a2cd11f32e1550a47a380fc7f72f2c3

SHA256
1c7b9ea03bd8b46dc6da3bd5065d709dc9fd0bf68bc296e724f2c3f5a92fb350

SHA512
a1ce7e54dabc037690ea6c4848db2a6cdaac494137141b7b4f7d653bec2727645e972b454d2d97b538ff58caf7790304d222ccd8caf68c8f885dbfec2fc8dbf1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
4473858e4963b4b9861db36674dcd2e3

SHA1
f9efac96f3008d1e0cbf95cc6aced167b9e09632

SHA256
e1a9f16e3801662e958ee0e7e3728217940d1c5a97a6fa0c673eda79fd95980a

SHA512
bd225af266db033fb2c9773c3d2d8c2f45e097122ff056dc246655793a7cd5ff5e1257538442cefbd3705073649938ffdbd771aafc3461ead503eee4352e7be5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
6f19d49e061752e3c08c9f47c4300bf8

SHA1
e86b34709011499342f2193cddf81f5bc714743c

SHA256
67812c4e94e3de431eaa5a11659a1c2719aae469781e57860d48030cb14b84a0

SHA512
88d8c3abfeaf33a58324c6845c971547a5f318909fd8e7fac7c92ae627cae4cc8c60d9cf3c115ab2675dbb27061be336eacbf858beedbe3c4409c418ad78abc1

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
a26c440eccb031db7a052367cd35dd7c

SHA1
1f88ad6f311b0e0a79492f69e737fe086e9d8bc8

SHA256
723e3bbc8fd14ddfe97d89e73742391788cc018fee58e665a02cb9c85b742e62

SHA512
a562c6fd94721ed716f52610d72c8601dc955990755e2f3e1479c64c3951e436ef4c3d4f2ae93ef381762866be0fa5daace802f35a037c67d388d66d768e69ed

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
4ab64a476c9c529e2005f961cf9e4931

SHA1
1714fe3635e73d220ffbd5d1e5f783d672c2368a

SHA256
e92fc49e4a9c1e58523f19488739f4a603c0940e48f68b5491e71a58c6722799

SHA512
921ab3a52ae92606cd5db9c56837e767ffea9f78bf0d1586091255fa64cbca8efed12d9daca8f14fbddd6dc32c7b89b5b8aa9d030129d8271279bc695c900dd8

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
eb2be7670d7aa8def78d47fd6cb5dac2

SHA1
d71ebe33939fc79012e2d8e1f608312ebe5c10ef

SHA256
ff74078b5c6e39cc1370e1965f52a9a57e1d31b6922e08d177e0785069d8212b

SHA512
a186276fb423c823e07f40b88d44b7d11d4cdcf9917f3dc0df7fbbc1dc8d80cedb2369d4b271c3596f9ab20610aa13caad251260ce328407b700f4cf62e8a7ac

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
7d896797309baf617942088776e00398

SHA1
504ba3d58a3bbb8072e5be41198ef5152bd13360

SHA256
dadde57447d811922588f7e75134db181168a66c612515926f8eeb8ba5af848f

SHA512
2c591b9ed6dea7cdf9977afb1a810b281eb37f3e006b304fa30ae87b67116ff48d647fa5164874cd7fda420425882098a0edaf04f8ad141afd1fea2bc0f14847

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
24e044817a7ed931eab748a3b46e3833

SHA1
0ebe3f65e63852926ce5d77fdca457d4600094dd

SHA256
e5b1f9f0b42415f5c8c74e6bf998eadd6d606c19e4c383a7af174bcd8375dbe4

SHA512
b685197d172b8f74da6f49df063cac5e81f088f94295d710cf1a4acb9e58a639366c12ae73a550e6790b0ba327469e756c1dde0720debd6b5028b6e67102d351

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b856a1c72b5af16867c756587a18fc07

SHA1
77ee21364b85acd9768d27d29b47663119d45aa7

SHA256
3a67c89fc4be687024fbed08fb9941b0f893331c7b68e9bb6310f291ff60e7ad

SHA512
f60950c8fe98322431dd1b1872d0dba5e15d3a136cf081ae92dd71e08599ca1ae189db477d0a699c2240272b4e3eac24fda3c1b8fed9ee18da31e8eaace50431

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
bc346817d06fe442208f2fe815b1a8eb

SHA1
41cfaf556a2af9ac209947d3da573ce1a8ded5c4

SHA256
c1929901bcf88faee7912d6427f96d6891e06554163321d481efcb4ab4738b45

SHA512
7db90e3b49d8957d39160d23373c38123a34e14c6b84418b9c4e7134f94ccd94db5c02b3484c9c93178feecaeff4bed9feeff32b0465af0180d88ecea3f28dc6

Download Submit
memory/340-314-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/340-311-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/340-319-0x0000000074098000-0x00000000740AD000-memory.dmp

Filesize
84KB

Download
memory/340-303-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/672-176-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/672-182-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/672-175-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/672-242-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1036-218-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1036-216-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1268-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1268-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1268-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1268-139-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1268-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1340-140-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1340-217-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1340-148-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1340-141-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1564-199-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1564-257-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1564-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1564-190-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1600-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1600-103-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1600-134-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1600-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1664-332-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1664-341-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1704-296-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1704-353-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1704-290-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1712-174-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1712-89-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1796-251-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/1796-212-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-276-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-215-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-268-0x000007FEF4590000-0x000007FEF4F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-317-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/1796-273-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/1796-213-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/2100-346-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2100-355-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2368-170-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2368-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2376-127-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2376-121-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2376-197-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2376-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2388-325-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/2388-321-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2448-278-0x00000000005A0000-0x0000000000652000-memory.dmp

Filesize
712KB

Download
memory/2448-330-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2448-284-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2448-339-0x00000000005A0000-0x0000000000652000-memory.dmp

Filesize
712KB

Download
memory/2448-271-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2612-312-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2612-249-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2612-259-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/2756-228-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2756-168-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2756-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2756-186-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2756-160-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2756-185-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2756-187-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2792-234-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2792-244-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2792-263-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2792-264-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2996-230-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/2996-224-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2996-283-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3060-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3060-41-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/3060-17-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3060-13-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download