ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
Size

1.8MB
MD5

2a7843da29ee14ccac393ab8f2449483
SHA1

731d531c76f490255deb8462051305983a69f6ae
SHA256

ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb
SHA512

9148afb91824c3845a478b113f9f0cf4dfe2e51e7120c3951f923189ebfb1080b7e657063802900a87e8e3d8d32ab7a4bed6d06fac6e1a29df4e271296deb4f1
SSDEEP

49152:lx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAyFO7p+5gRwPHqqgvNxnz:lvbjVkjjCAzJkp+50wPzsNxz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2528	alg.exe
556	aspnet_state.exe
816	mscorsvw.exe
1936	mscorsvw.exe
1872	mscorsvw.exe
2188	mscorsvw.exe
1428	ehRecvr.exe
276	ehsched.exe
788	elevation_service.exe
1892	IEEtwCollector.exe
900	GROOVE.EXE
2464	maintenanceservice.exe
2508	msdtc.exe
2436	msiexec.exe
2788	OSE.EXE
2460	OSPPSVC.EXE
2432	perfhost.exe
540	locator.exe
392	snmptrap.exe
1200	vds.exe
3064	vssvc.exe
2644	wbengine.exe
2392	WmiApSrv.exe
2740	wmpnetwk.exe
684	mscorsvw.exe
2400	mscorsvw.exe
656	mscorsvw.exe
280	mscorsvw.exe
2332	mscorsvw.exe
2888	mscorsvw.exe
2480	mscorsvw.exe
2348	mscorsvw.exe
3044	mscorsvw.exe
2228	mscorsvw.exe
1668	mscorsvw.exe
1412	mscorsvw.exe
2888	mscorsvw.exe
2576	mscorsvw.exe
2928	mscorsvw.exe
2208	mscorsvw.exe
812	mscorsvw.exe
1212	mscorsvw.exe
1444	mscorsvw.exe
1580	mscorsvw.exe
1984	mscorsvw.exe
2448	mscorsvw.exe
2840	mscorsvw.exe
2808	mscorsvw.exe
832	mscorsvw.exe
2144	dllhost.exe
2848	SearchIndexer.exe
2084	mscorsvw.exe
2744	mscorsvw.exe
2136	mscorsvw.exe
1504	mscorsvw.exe
2304	mscorsvw.exe
2328	mscorsvw.exe
2912	mscorsvw.exe
1760	mscorsvw.exe
1984	mscorsvw.exe
2792	mscorsvw.exe
2924	mscorsvw.exe
2448	mscorsvw.exe

Loads dropped DLL 38 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2436	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2304	mscorsvw.exe
2304	mscorsvw.exe
2912	mscorsvw.exe
2912	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
2924	mscorsvw.exe
2924	mscorsvw.exe
1764	mscorsvw.exe
1764	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
864	mscorsvw.exe
864	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
2924	mscorsvw.exe
2924	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\853af1bf3d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\locator.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\goopdateres_ml.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\GoogleUpdateOnDemand.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT1018.tmp	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\goopdateres_sv.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\goopdateres_ms.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\goopdateres_sk.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\goopdateres_ta.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\goopdateres_lt.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{2C18FE73-0135-4FFC-BCB7-4B0A9050B077}\chrome_installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1017.tmp\goopdateres_da.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD884.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC764.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC11D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDDC2.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC3D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE8E8.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{47036C33-4681-4007-A4B3-258B961928D6}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEE93.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF3C1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1248	ehRec.exe
556	aspnet_state.exe
556	aspnet_state.exe
556	aspnet_state.exe
556	aspnet_state.exe
556	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2040	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: 33	888	EhTray.exe
Token: SeIncBasePriorityPrivilege	888	EhTray.exe
Token: SeDebugPrivilege	1248	ehRec.exe
Token: 33	888	EhTray.exe
Token: SeIncBasePriorityPrivilege	888	EhTray.exe
Token: SeRestorePrivilege	2436	msiexec.exe
Token: SeTakeOwnershipPrivilege	2436	msiexec.exe
Token: SeSecurityPrivilege	2436	msiexec.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeBackupPrivilege	3064	vssvc.exe
Token: SeRestorePrivilege	3064	vssvc.exe
Token: SeAuditPrivilege	3064	vssvc.exe
Token: SeBackupPrivilege	2644	wbengine.exe
Token: SeRestorePrivilege	2644	wbengine.exe
Token: SeSecurityPrivilege	2644	wbengine.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeDebugPrivilege	2528	alg.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	556	aspnet_state.exe
Token: SeDebugPrivilege	556	aspnet_state.exe
Token: SeManageVolumePrivilege	2848	SearchIndexer.exe
Token: 33	2848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2848	SearchIndexer.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe
Token: SeShutdownPrivilege	1872	mscorsvw.exe
Token: SeShutdownPrivilege	2188	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
888	EhTray.exe
888	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
888	EhTray.exe
888	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 684	1872	mscorsvw.exe	55
PID 1872 wrote to memory of 684	1872	mscorsvw.exe	55
PID 1872 wrote to memory of 684	1872	mscorsvw.exe	55
PID 1872 wrote to memory of 684	1872	mscorsvw.exe	55
PID 1872 wrote to memory of 2400	1872	mscorsvw.exe	56
PID 1872 wrote to memory of 2400	1872	mscorsvw.exe	56
PID 1872 wrote to memory of 2400	1872	mscorsvw.exe	56
PID 1872 wrote to memory of 2400	1872	mscorsvw.exe	56
PID 1872 wrote to memory of 656	1872	mscorsvw.exe	57
PID 1872 wrote to memory of 656	1872	mscorsvw.exe	57
PID 1872 wrote to memory of 656	1872	mscorsvw.exe	57
PID 1872 wrote to memory of 656	1872	mscorsvw.exe	57
PID 1872 wrote to memory of 280	1872	mscorsvw.exe	58
PID 1872 wrote to memory of 280	1872	mscorsvw.exe	58
PID 1872 wrote to memory of 280	1872	mscorsvw.exe	58
PID 1872 wrote to memory of 280	1872	mscorsvw.exe	58
PID 1872 wrote to memory of 2332	1872	mscorsvw.exe	59
PID 1872 wrote to memory of 2332	1872	mscorsvw.exe	59
PID 1872 wrote to memory of 2332	1872	mscorsvw.exe	59
PID 1872 wrote to memory of 2332	1872	mscorsvw.exe	59
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2480	1872	mscorsvw.exe	61
PID 1872 wrote to memory of 2480	1872	mscorsvw.exe	61
PID 1872 wrote to memory of 2480	1872	mscorsvw.exe	61
PID 1872 wrote to memory of 2480	1872	mscorsvw.exe	61
PID 1872 wrote to memory of 2348	1872	mscorsvw.exe	62
PID 1872 wrote to memory of 2348	1872	mscorsvw.exe	62
PID 1872 wrote to memory of 2348	1872	mscorsvw.exe	62
PID 1872 wrote to memory of 2348	1872	mscorsvw.exe	62
PID 1872 wrote to memory of 3044	1872	mscorsvw.exe	63
PID 1872 wrote to memory of 3044	1872	mscorsvw.exe	63
PID 1872 wrote to memory of 3044	1872	mscorsvw.exe	63
PID 1872 wrote to memory of 3044	1872	mscorsvw.exe	63
PID 1872 wrote to memory of 2228	1872	mscorsvw.exe	64
PID 1872 wrote to memory of 2228	1872	mscorsvw.exe	64
PID 1872 wrote to memory of 2228	1872	mscorsvw.exe	64
PID 1872 wrote to memory of 2228	1872	mscorsvw.exe	64
PID 1872 wrote to memory of 1668	1872	mscorsvw.exe	65
PID 1872 wrote to memory of 1668	1872	mscorsvw.exe	65
PID 1872 wrote to memory of 1668	1872	mscorsvw.exe	65
PID 1872 wrote to memory of 1668	1872	mscorsvw.exe	65
PID 1872 wrote to memory of 1412	1872	mscorsvw.exe	66
PID 1872 wrote to memory of 1412	1872	mscorsvw.exe	66
PID 1872 wrote to memory of 1412	1872	mscorsvw.exe	66
PID 1872 wrote to memory of 1412	1872	mscorsvw.exe	66
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2888	1872	mscorsvw.exe	67
PID 1872 wrote to memory of 2576	1872	mscorsvw.exe	68
PID 1872 wrote to memory of 2576	1872	mscorsvw.exe	68
PID 1872 wrote to memory of 2576	1872	mscorsvw.exe	68
PID 1872 wrote to memory of 2576	1872	mscorsvw.exe	68
PID 1872 wrote to memory of 2928	1872	mscorsvw.exe	69
PID 1872 wrote to memory of 2928	1872	mscorsvw.exe	69
PID 1872 wrote to memory of 2928	1872	mscorsvw.exe	69
PID 1872 wrote to memory of 2928	1872	mscorsvw.exe	69
PID 1872 wrote to memory of 2208	1872	mscorsvw.exe	70
PID 1872 wrote to memory of 2208	1872	mscorsvw.exe	70
PID 1872 wrote to memory of 2208	1872	mscorsvw.exe	70
PID 1872 wrote to memory of 2208	1872	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
"C:\Users\Admin\AppData\Local\Temp\ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:816

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 288 -NGENProcess 240 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 244 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 254 -NGENProcess 240 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 250 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 254 -NGENProcess 294 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 2a8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 240 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1ec -NGENProcess 250 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 26c -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 28c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 24c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 21c -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 23c -NGENProcess 1d0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 28c -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 1c4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 2a8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 244 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 254 -NGENProcess 1e8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 1d0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1e8 -NGENProcess 1d0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 250 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 1e8 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 254 -NGENProcess 250 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2bc -NGENProcess 250 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a8 -NGENProcess 1e8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2cc -NGENProcess 2d4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 1e8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:832

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1428

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:276

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:888

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:788

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2788

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2460

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2144

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2848
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2480
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
243a8de9f7d9fd2bf9febde905f7bb5c

SHA1
94453fe1c15667540922c01e44fe19cc442347c6

SHA256
b977c83e0b5728ec0c154e8127e84a5410db6ea1624a5209e93e953d07985f6d

SHA512
b599910fd67a323035d12a04ad7d2939f5f471f6d5cfff55cdc6eb4362b3c54890828cae92e2b4997b4c6952278db96f3eb1e2e9c9edc5439a13314a4b3c39f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b5a13493a12e703047ab4ff1ccb426a0

SHA1
2571a4fc902b285b7961165853dbfbbbdf598e7a

SHA256
f6de3736c829ac97179fa14bab91361f86bb54aa2ab5bf530b1a76b191379ff5

SHA512
220cd0b7b056db16d134c4321b1feeeb8b80295840a06d2c3c3547f8f4c2fe8578bb1880619c0d3b25eb44633b30403f755a92f25f2d03e7fe1ed35d1d50aa61

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
696d6eb597580d059faca38888b3c460

SHA1
8ed8ad10ef9c456fe5499a7f53b5edd53e3d51bd

SHA256
ac8b4c60f62d36496ccff33911ce954800d129ddfabfae45091118e0cf40dd7f

SHA512
7b0a874d8d46f5c28fbb1da9b2162a16d629d7278dd35f719d11a6dfb37c31e3dcb975c467354fc1ae3ad71151aadfb9caf13a62c5858e21b17b553a9500e360

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
da3b87666509b0cec473eae30ed02c59

SHA1
bea732cc59da825beddf08dd3283bfd19359e07f

SHA256
13dfe0011a993d56cdaa5714f2405c9620f1486be7a60309eb29a06d4e980522

SHA512
e54c41898d2b149460ee8ff97306dfc721386d2cb19c336fddb1715784aed4cd0476e9b7d7decaae6bdabc45460fc8a7ab4f6c3901022b3def77bd3a6e9c4ea2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8665ad7c0308d2f17173e63fd4fabdd7

SHA1
2ff64b2551fec0b567722f3dfe4b3a8f045f2d5c

SHA256
440eb07a8e8dcb2c8e61386d7f6c268ab83e7eb46667b8438f5234d8d1174df0

SHA512
bb6c411fa948310101634b3fdd21379fd37559b4845cdcb25ecce158613a9f5b4c0319c03237f925b80bc22b5163ef5155f27a8e31869696ca7326931e8a7bc7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
f8ce79536378613e14a9322514175003

SHA1
cf33a394e57c4c64b2dbfdac8f33b05209b18e1f

SHA256
ea940e081f36af3a011718dbf9d947a3004e8ee3518094db78a13ea6e664fd31

SHA512
397e1fae575b6a3eaebbc3d239be43668af3308482f8f2cd047c4e80dbfcb4e604d7b7b3f17217ec4e3b1d3b33ffeadb4677f246df9f9466b9b5a8d0a6601c2c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
064f87871cdc00d67dd02652f5f7e6ac

SHA1
eddc94a7b74da4bc6aff255473f6a811ff0ea863

SHA256
2d27b26177157b7efc299113cc558d81621078f56f87110ca1afbc6c66756aff

SHA512
bef2e79744b71e441d71a33cbc53020ce7c32d1d56d72425d657686ab13ed60d6084af4349c128dc13af28f1ba27995246f19f7fe9134903da84571d0067700b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
34e8efae7c1dc3dde008cd2dbb608ae8

SHA1
8872ee744365553957cfded6e5146ede1469bee4

SHA256
f38f973d9924de5d05d93237b1198b82c74824b541b22581ce843d40a7f2762b

SHA512
f4d0ea62b82c753318ea62bc30bd03c21ef3b7c8aee08cdc347a793a0772fb59067ede491c658b770f6c1caaf2b6817c5d23d5ed0cfec822b33b094b4296d0aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
8fb1daa35469868a274bb842cca2442c

SHA1
55225f8cb96f520f6eb8b50b6ba273e837f21371

SHA256
b8ac77d226180377d5f4b9307da953682c7aa0c882ff2dbde90950c42466ff80

SHA512
7d4d54d4691ca4de9816f5bd500885162d529220efecfe96b290af9e07da383f76b08ba65febf056ab05b69989e77f63cdb001092cee667c3a8cfbf6b8b65cc1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
88345ce7e9647f4fae64e9d618f5fe6b

SHA1
ff74cdfb805e7816603843bd9c6b45b60305117e

SHA256
2e2a8068a7c0dd2260329f86d8a90d58822f4457f0bd46084f4ea34356e1daba

SHA512
125b6591c4bf32ddac05b2df16c523a73ec0c32fbf3d42e94a0462033f7f44dda99e37e99ba78fb83fc2e8ed2146d14ed327e59fa5576b1218fccaffe44f56a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
e3e8540564cd6db790d25bff05eecd1e

SHA1
276dae813fa4c7684eb7022e0a861bd013a82993

SHA256
b4253feb603e55f9231e918f3c087d1e9c80e1ba046fa04414134adbb630ef83

SHA512
a0a9567bff9184f5f043ff8019c2e669e79e9eee21024f2a11cf823e227dc970780ad917c0eec363e35aa7330982c2acf5695a1e89b45d681bcfc4a1a9cd060f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0772b88a2d4c835f6bc17040a036d14e

SHA1
5056d4dc0502b4066ae24fe722e1a112c624cbf7

SHA256
14a5c9d4e19ddd06de6a843ae1fcc98d879f8d3b350dccc95983f669315e957d

SHA512
e4da387b7591dd8ed437afb4f6eb155a9e1fa484a13cf9b12e4010d6805c1e2e9732b1297328677426936b7b1cec865f41678b175f373a76aee0915fc4bdf700

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
71d2c69b72ee89c8036f40185f936c25

SHA1
f2dc6fedbcd43f7c0384a98e0925721189cdd45b

SHA256
57e5b0ceed5e5acc1bba4a27d354e6755948a91fa4b013ab2a77de937b11620b

SHA512
e09048e6a6bffa4da3203957e9f3e1134f7e42a0e03841629cbc7975ada20ce429ba7fd2d7bde9a8e5aab36a75b9859d3af290fb3deec3885e1a92b847e82da8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
572a86537c8cfc8c0109f93f022fa136

SHA1
f6d3d8bf25c00106ef5c77e99a5c7cc8738346d9

SHA256
41cfb8468507aa6567b8c9d3180fda455a51d2f880f1602d0131d548ecfd5830

SHA512
e13ef33bbfbe6ca715f98a3ce53415825d8b9d58668342934f5e733c731d0bc20e51e77f592790fb68ff912d1d6148909f692cf8b5927b088911b3cda590b4d1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
d82bf2ae879cf6b916a7b283ddae8e0e

SHA1
4e30a32a02799a3bad903fcf13c29039cf734376

SHA256
4a4fc1bd525fa81ffdee1faa47c6965e14443c7df205a5b5e870c5be768fc37c

SHA512
4dfc923087d129c64bc3dc3c88e65a08f70f8b84912d52b2c7498366bb5215c119785f03b16d8ae86e315c848548c81f357f9ff8200e6ea12151c361f927f004

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
55fc5fcf721dbdb221a57730af833738

SHA1
c968e83a173d29619cef06ac816edbc0fd455433

SHA256
2e9fc901537fff1039f8c9fb31ab8e1357609618e19b64546e9b0a08f2883032

SHA512
a4ad114e9b9b83561b492a7ca370d477b1ee218bcf67b19ea5879c5b893da95287edc0121b0b3e922c984f1c917690a75c395582cbb34f277c77d3b3e7ee4bce

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
312740b0b3ea006fa9fbd976ddc70d14

SHA1
d4b02123ea6a6db12bca481180f318de04ed1346

SHA256
223e8240fe7cb6554f90fe4db0e6d00d2f2cdbfc590988f2b2730e223881ad49

SHA512
ccb28ff3ff77ac6d0489457f015b86a6f61ef912809bbe91d2eb1427924a34b6fe0452e30c04779b6dc9536ba4fcfb30e142ae91a04003aa46f8b231a83a762b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
d42da9bf12045bd8a360b6c6d3b7407e

SHA1
fdcdbe10e5a981d66e6efe11bf60900a1856c4d2

SHA256
345134da1376208bd3962b0f3c413c96cce0a3b9e9ca16500ee1c4349aaf9160

SHA512
0bc0bb6d345d9edb5dbe137fe20e5cc23f22d54a0010231ebd56b8b4d2361d061a1fbae072313e46ba9af4cbabcd4e714e00aaad64f92fb8f5cd86602da4bb70

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
60d9c024db0f4f1db99bff4f02b29622

SHA1
eed89eb599d152b7f2eb498fd5b63d562fb69f00

SHA256
f2c560ff74b3296f64cf2445fd8df6a4899be96cc33f72a704b16ebe817a2174

SHA512
18db761fe4e476efb5fd7db7f8c4c3f21712559b200fe829362710338c05481c5bdd6026e4d802a7c13f557c59b751219dfb300a8853e971ef9a48329eb2642a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
85d2cfdf94be63eba929ec97144137f8

SHA1
48c4ddc5b01095027721b075a7a252a690996a07

SHA256
fcbe0be6b3a9b802d9b32bf8b00b7827c6992a0ce7d8c5354c4bf95c3df0e563

SHA512
3c19c503449d51c723a36ed667b15c7a3ee7fb065aaee5cc30f43ff3c1730b5add934a3a9f79384cd34ac5bf84c9243bd7fc0b5af22a0472e90bcdbca740a45d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
97ecaed242187c3811321e535ec18552

SHA1
9904f56a330bdc76d2c113b436998f4a46db9826

SHA256
828d174f0a5014990308933d1247fb32f1c7d1051714689fe7eb177178aa48c8

SHA512
6e6440a3c064204f8f70c382d9a53ae66d6650ee862190401b8365432fb7971511f5490e4a1bdd694470c960a8be30564032269d61f44459a88c09b574e6ec89

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
379583c527502a820b605c6b2b29a17f

SHA1
a332754f33f6272ae33f428ea5d2087138d9f47d

SHA256
31934105fe4afa1b6a0bc0be2fff3e55b451128245bbd1ce2db9892a48ccb863

SHA512
2ff8d2150ec2578e20c2559df3c113bad633d76d321e1969e0122fd7e5ae095ae81966922dceedcb7f292832627d8fdbdd9037dcaf37edee6975042b814203cc

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
08d2f5f6dd8b564871821fb911d72370

SHA1
a8437b2ad01491cf7402b56b9126bb07a11ce11d

SHA256
ef55977e81f3b5f9bab0fd84d128c6c4d819f9393608d47912e6b89140504293

SHA512
5c35a031e85d727abb97472207c80ffcda1b2caf40143c3d8a744929fec0ecca0adeecfb83e573e3462a6e5cedc06664175f505f436ca13f13140b51d35ef15a

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
3a3c522d93c59be82f1636dcce31f49b

SHA1
149efebb8cff7d45005bee27e7c344c0f50f66b2

SHA256
8aa624de6f65222395d4aaac37cf991ce6eab359d16a58899d3afb2b3744b2a9

SHA512
7367a30d9293e1c0bee89ae01a5156f7b53681c73eab46dfd26192674ba555cd81aa274a1f5717b84b0e2512bd9935511b9dadf7f1f1d4e367c236643e652321

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
4f5731d62093900f1184ae407bceba20

SHA1
9325517d3278315c61f8487ac7043d148934170a

SHA256
020cfbbbf4126357d1d2007d68268c8e418f9e72eb5affd7b29bfd4c398ff16c

SHA512
7270cc1fc09cabd2a7d376fe58124c248b06a00f1ef97aff5482e935fd73c73d9520276394c8d11c76f681d25dfaae84579350ccbe137cf497c809fdc6411c5b

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e6b869bf4839edfbc42ca1404990d502

SHA1
6c6e8a64467004468d10f933333fd15a073bc02e

SHA256
a596819e84a108b643a23f934ca959204a58853318eb833040889cd81876755f

SHA512
4e9701c78d101c53ab49a69a92ec3e5b79c4739b35fdb73f174e5f7f85e8ebeed8158afab318655452f500277ddfd192a3ab8bf2ff585a81e7ee5dd43c460aa7

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4f656f51e2f899609f5eb970d437a164

SHA1
f2a2a8e2f7745175f4304e1c1a675c0831c3c559

SHA256
30a371a26e04ae84928cbd6ef21e0dfd8d1384d8e779b13eae9d8c597fecd5c5

SHA512
56c43ee0fdfbefb61f054dbb65d9ec46e86450b97d0ddd8704201b843494b56f085085c36f6a47dd91cbcbb96bb3e5b529d04249b5a42cbbe8f8e73bdf48a316

Download Submit
memory/276-193-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/276-202-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/276-259-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/392-366-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/540-359-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/540-352-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/556-95-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/556-90-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/556-179-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/556-102-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/788-209-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/788-277-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/788-220-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/816-106-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/816-173-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/816-112-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/816-107-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/900-301-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/900-248-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/900-242-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1248-232-0x0000000000D40000-0x0000000000DC0000-memory.dmp

Filesize
512KB

Download
memory/1248-231-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-299-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-292-0x0000000000D40000-0x0000000000DC0000-memory.dmp

Filesize
512KB

Download
memory/1248-269-0x0000000000D40000-0x0000000000DC0000-memory.dmp

Filesize
512KB

Download
memory/1248-337-0x0000000000D40000-0x0000000000DC0000-memory.dmp

Filesize
512KB

Download
memory/1248-287-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-237-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-207-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1428-180-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1428-181-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1428-187-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1428-245-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1872-219-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1872-146-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1872-140-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1872-139-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1892-233-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1892-234-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/1936-120-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1936-121-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1936-172-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1936-127-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2040-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2040-7-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2040-138-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2040-6-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2040-1-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2188-158-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2188-235-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2188-157-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2188-165-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2432-343-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2432-339-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2436-290-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2436-351-0x0000000000560000-0x0000000000612000-memory.dmp

Filesize
712KB

Download
memory/2436-345-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2436-302-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2436-294-0x0000000000560000-0x0000000000612000-memory.dmp

Filesize
712KB

Download
memory/2460-346-0x0000000074348000-0x000000007435D000-memory.dmp

Filesize
84KB

Download
memory/2460-330-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2460-323-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2460-333-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2464-282-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2464-262-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2464-283-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2464-252-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2508-331-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2508-267-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2508-281-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2528-156-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2528-56-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2528-17-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2528-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2788-310-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2788-317-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2788-364-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download