8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0

Analysis

max time kernel
141s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
Size

1.8MB
MD5

bf48a0d4da6c9cf6d8ebf66577496046
SHA1

51cecbd86040101e00b6bbb1ac51a1944cd0db71
SHA256

8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0
SHA512

bbcb366b8220b61a37144dc52c50e22f2a5847bb5f9e1d924af555ea2291d8c498342461b8cd051449c770a8d6ab7a6e80174aa5f318027ee93991725afcc4e0
SSDEEP

49152:9KJ0WR7AFPyyiSruXKpk3WFDL9zxnS8/i3da1YS6ozB:9KlBAFPydSS6W6X9lnr/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exedllhost.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2576	alg.exe
800	aspnet_state.exe
940	mscorsvw.exe
2628	mscorsvw.exe
1996	mscorsvw.exe
2212	mscorsvw.exe
2988	ehRecvr.exe
2028	ehsched.exe
1576	dllhost.exe
2776	elevation_service.exe
2544	GROOVE.EXE
1004	maintenanceservice.exe
2712	OSE.EXE
1480	OSPPSVC.EXE
1932	mscorsvw.exe
1752	mscorsvw.exe
1592	mscorsvw.exe
2488	mscorsvw.exe
2368	mscorsvw.exe
1284	mscorsvw.exe
2148	mscorsvw.exe
656	mscorsvw.exe
2872	mscorsvw.exe
1244	mscorsvw.exe
2920	mscorsvw.exe
680	mscorsvw.exe
1644	mscorsvw.exe
1848	mscorsvw.exe
1096	mscorsvw.exe
880	mscorsvw.exe
2948	mscorsvw.exe
2276	mscorsvw.exe
1616	mscorsvw.exe
2300	mscorsvw.exe
2408	mscorsvw.exe
616	mscorsvw.exe
2632	mscorsvw.exe
936	mscorsvw.exe
844	mscorsvw.exe
2080	IEEtwCollector.exe
2272	msdtc.exe
2424	msiexec.exe
2116	perfhost.exe
2932	locator.exe
1032	snmptrap.exe
1620	vds.exe
2148	vssvc.exe
892	wbengine.exe
2492	WmiApSrv.exe
2884	wmpnetwk.exe
2856	SearchIndexer.exe
2100	mscorsvw.exe
436	mscorsvw.exe
2580	mscorsvw.exe
2556	mscorsvw.exe
2832	mscorsvw.exe
2836	mscorsvw.exe
1352	mscorsvw.exe
2844	mscorsvw.exe
2000	mscorsvw.exe
2404	mscorsvw.exe
2108	mscorsvw.exe
2392	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
2424	msiexec.exe
468
468
468
468
468
732
2832	mscorsvw.exe
2832	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe
2000	mscorsvw.exe
2000	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
2508	mscorsvw.exe
2508	mscorsvw.exe
588	mscorsvw.exe
588	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
588	mscorsvw.exe
588	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
1028	mscorsvw.exe
1028	mscorsvw.exe
824	mscorsvw.exe
824	mscorsvw.exe
1868	mscorsvw.exe
1868	mscorsvw.exe
1864	mscorsvw.exe
1864	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
1164	mscorsvw.exe
1164	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

alg.exeaspnet_state.exe8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exemsdtc.exeSearchProtocolHost.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4435b855ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exeaspnet_state.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E1C.tmp\psuser_64.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E1C.tmp\goopdateres_el.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E1C.tmp\goopdateres_ru.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E1C.tmp\goopdateres_sr.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E1C.tmp\goopdateres_vi.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E1C.tmp\psmachine.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E1C.tmp\GoogleUpdateCore.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exealg.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP55BE.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C89.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A0C854BC-F0D6-42E8-B66F-055EAD47B0E1}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F80.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4A68.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP61A0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A0C854BC-F0D6-42E8-B66F-055EAD47B0E1}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP50DE.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ehRecvr.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRec.exemscorsvw.exewmpnetwk.exeSearchFilterHost.exeOSPPSVC.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{83F781A2-732A-4EC3-996B-8874DA7F3AF4}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060ee5c02f0adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2752 ehRec.exe
800 aspnet_state.exe
800 aspnet_state.exe
800 aspnet_state.exe
800 aspnet_state.exe
800 aspnet_state.exe

pid	process
2752	ehRec.exe
800	aspnet_state.exe
800	aspnet_state.exe
800	aspnet_state.exe
800	aspnet_state.exe
800	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2508	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: 33	2296	EhTray.exe
Token: SeIncBasePriorityPrivilege	2296	EhTray.exe
Token: SeDebugPrivilege	2752	ehRec.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: 33	2296	EhTray.exe
Token: SeIncBasePriorityPrivilege	2296	EhTray.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeDebugPrivilege	2576	alg.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	800	aspnet_state.exe
Token: SeRestorePrivilege	2424	msiexec.exe
Token: SeTakeOwnershipPrivilege	2424	msiexec.exe
Token: SeSecurityPrivilege	2424	msiexec.exe
Token: SeBackupPrivilege	2148	vssvc.exe
Token: SeRestorePrivilege	2148	vssvc.exe
Token: SeAuditPrivilege	2148	vssvc.exe
Token: SeBackupPrivilege	892	wbengine.exe
Token: SeRestorePrivilege	892	wbengine.exe
Token: SeSecurityPrivilege	892	wbengine.exe
Token: SeManageVolumePrivilege	2856	SearchIndexer.exe
Token: SeDebugPrivilege	800	aspnet_state.exe
Token: 33	2856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2856	SearchIndexer.exe
Token: 33	2884	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2884	wmpnetwk.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	1996	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2296 EhTray.exe
2296 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2296 EhTray.exe
2296 EhTray.exe

pid	process
2296	EhTray.exe
2296	EhTray.exe

pid	process
2296	EhTray.exe
2296	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
3000	SearchProtocolHost.exe
3000	SearchProtocolHost.exe
3000	SearchProtocolHost.exe
3000	SearchProtocolHost.exe
3000	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe
1788	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 1996 wrote to memory of 1932	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1932	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1932	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1932	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1752	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1752	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1752	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1752	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1592	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1592	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1592	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1592	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2488	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2488	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2488	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2488	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2368	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2368	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2368	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2368	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1284	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1284	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1284	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1284	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2148	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2148	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2148	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2148	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 656	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 656	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 656	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 656	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2872	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2872	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2872	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2872	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1244	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1244	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1244	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1244	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2920	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2920	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2920	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 2920	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 680	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 680	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 680	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 680	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1644	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1644	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1644	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1644	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1848	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1848	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1848	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1848	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1096	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1096	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1096	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 1096	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 880	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 880	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 880	1996	mscorsvw.exe	mscorsvw.exe
PID 1996 wrote to memory of 880	1996	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
"C:\Users\Admin\AppData\Local\Temp\8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 1d4 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 25c -NGENProcess 284 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 29c -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 25c -NGENProcess 290 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 1d8 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 220 -NGENProcess 274 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 254 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1c4 -NGENProcess 1e8 -Pipe 224 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1e8 -NGENProcess 244 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 29c -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 270 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a8 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 244 -NGENProcess 29c -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 1c4 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1c4 -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1d8 -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 29c -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 25c -NGENProcess 2a8 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a8 -NGENProcess 1d8 -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2bc -NGENProcess 26c -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 26c -NGENProcess 2b4 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2c4 -NGENProcess 264 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 264 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2bc -NGENProcess 26c -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 26c -NGENProcess 2b4 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2d4 -NGENProcess 2c4 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c4 -NGENProcess 2bc -Pipe 25c -Comment "NGen Worker Process"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 26c -NGENProcess 2b4 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2b4 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2bc -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 26c -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 26c -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 220 -Comment "NGen Worker Process"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 26c -Comment "NGen Worker Process"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f4 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f4 -Pipe 334 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f4 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f4 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f4 -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 378 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 364 -NGENProcess 310 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 374 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 38c -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 388 -NGENProcess 30c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 390 -NGENProcess 374 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 37c -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 30c -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 374 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 374 -NGENProcess 394 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3a4 -NGENProcess 30c -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 394 -NGENProcess 30c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:844

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2988

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2296

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1004

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2712

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1480

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
2⤵
- Modifies data under HKEY_USERS
PID:1312

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
1b25eec278edcdb338d86d255d3d3f9a

SHA1
10aec7f59cab204dcb641533ce04e0e7abbc15ae

SHA256
cbaf2620f668b2372acacf5aec4af89f775a2f0918d6c31c737ff6aed0dbd16d

SHA512
a5fef6e64319d2fc53bf8d3e5539a767777df0adbc161c7613429324944e4170d89e920cfc3ec953b243fb2b6d0dcaa84fc9f40e9c7923c01b638cb5dd747c22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
4a20da7a2608e493968304bc55dca18a

SHA1
9e4bc2df8d6dfdc4713912fbe9ca79f9898a76f0

SHA256
d44c39647e84f4796afedadb84887b1ec533f9aafc53b2d11b3ee1faa25e7701

SHA512
512ef1602bc775be9988049b6bdaaa60651df6a49195497709a4218fab55a4c80734528bb30869b8e7845eac5ab4d50c4fc93759d108ae03b321e7783b3f6b2a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
bd2ff405370c70915ad6d2a57bfafca1

SHA1
e9fdff3a0f081725d920b67dd0f55522d0be22f6

SHA256
4ed187054e46716293bb25daff6dab9dd0e2fe1be8a440c1ef9849460154d442

SHA512
406046722f261d489a8a597a179ece029983cb674f5998e3dba5a05d0bd12c30f76650b8ac20cc2a52d2cfd3e84a1902600c4342980f3c7058dae2e4b03e893d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
24b6f8c0840fc0b6755dd465bfd18edb

SHA1
627c5a89c320e3710599c8f2ecc9fcc71c136aad

SHA256
f61c7d66e949f070af88c4fb4dd4ec47c7f364062ffb3914515cf00bbe008513

SHA512
dd8ff26225a359f75fd6509ceae82b915fc316d3e3e760cc01551d926e83c91ee4e49cb9241d7975348817e683a666373b357d259fa6c999c1fd48eb4af097f0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
66fbcc51abb72b666138bcd60ced3f1b

SHA1
fc64b87b83382eecac386b1dfb496d47e6350664

SHA256
82666a3543c38e75f7e069aa6ea9ca80a96ec7d5ebab8ab4696da32aa80f286c

SHA512
3129180965812d560a98a2a97c59933f88833ae682239372b3307d27f934370e4c7f5842add5ede053e4f2daf5e14ca1d78e1c36d04ba25b44b8406bcf741097

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
7c281af3c8c942218e199d3ca0db8ffd

SHA1
a00592408cb4564c6765ce8db909cf88b4697cca

SHA256
f7b0002708cdc5b393f0a3204869effe37cc373e3562bc4ac70c5f1fead7124b

SHA512
a551233ac7b32b170fcf265fd62174e6fba842c2851f9ee5df09941fb0808b73826d7fab7800ff27b3c268df09b1e29f8007b6365b103d75a67b2aa590250bed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
8642248c50cf674623433e108703015a

SHA1
086324beb3f11c985301852cc3c69c9409b45dcb

SHA256
179492cb83d493d37ba592a4bf5b78ee6c527982a867f71af1d09a24191bd95a

SHA512
7594cfb4e63934d0b6b1c159c5bea9bb73cc13b6410351902fced2e106b45411048c40a95c96a8ee693533d663e822cb7daf0a5d89e4c616ff31666f96be38c1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
1f65ac02e0edf9560908dab6d9f5ac48

SHA1
22217f2535103bd943c4cb8b2608ff5b69ae17db

SHA256
f4e773c39e675a793e9efbf50c26c626d985711f350212337e50e56ba05681c3

SHA512
d9284d4858495315293230f229d3af0f839e3ba92e2ff687055b1cacae7f87ccf747559767c589fd047f058cab061ff7b84a3d9685fdf31ad4c8de068a5e6942

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
4e26fc0d898d8ce2a6fd39e58a265db6

SHA1
ea282c6aab5e636bde07f3a2e8450a0b2ca18d13

SHA256
e075ee64ef10c6aa56dd59bffb5e356cd3880f906976337bb59a239ccffa105a

SHA512
f355104c4728dced947a1082313b34d180f5e3c80df908b64368f2570aedc37005ce9dee1ca5c358827ec83ef0cc8e5040cd23c4d1178510f260c4df90af4d9e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
1a12c5a2af50e813205fab7c64b52df3

SHA1
c0d8c93d0a845f737147fd2a87fceebc5b13aa28

SHA256
6974d76ea02dd3658f35f6ed5b68a18bc98fd1dfe7c427a085f081026c945462

SHA512
b324f75ade57af459c9f656e7402a81488ba21e7e5e95856bf79e4adae574f164007317d5f25f570d52c5a219fc20633873bb23a8df66519b9ae4bfdb6c2e834

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
6d65a80e616b798e0875975bb4456b02

SHA1
09125824964186ac78d71e34712bd419096ad399

SHA256
60d8beeb1dfb8a122d3a922abdeeae49e281632c49a40a3672cb0fc3bd318c4e

SHA512
6ffcfd58e13f98744a3ff1072c76b48fc81e13dc855f67d6083d0bc288b537c8d258eaf8ce9bb1ace5c2ac25fe44ca52934398e4d676a8701149e4e6f04390ba

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
56b19d548e8b732c8a03efbcc0a922dd

SHA1
e307ee717f171a9ba41ffaa611df722497a693b1

SHA256
781347a6533e0885c3b62dd40227e070858f5b1a70b701418e4e6da3249fcf37

SHA512
3da7f680b3dde7f41e879399531e806349e6c63a8cc346a2b11a85dce6b88e6f2e43fc333b1f3094ebd3d92da5f4d65719fff1d177c7d0111960c3df4d24f84b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
859KB

MD5
b1710075691bed8011e2918aa8376b8e

SHA1
c95d445575773d35b452fb6af338fb5001431013

SHA256
464f3706393bf0df70c1baa97b63bbb539ba915eb1f68df4fc051b63fac13913

SHA512
2c215da5ed0e00a4042a11e7a7ee855b33a347febc9a7f3d474de16f5e4575049382f71c71deb9d50b05e18340e19a900934b1fcf926253ee8961ce88e523e42

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c20d4739d2aa1a2c844646f2e84c8aa6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
b567f81d57593894cc2b64379492704a

SHA1
21b6bab4cbbfd98fb5e23766637423ba97f59cb7

SHA256
ca5116e0d49caea77f1abec750943e6427c48c6cfbca010e392893813e3e18e2

SHA512
d408cd5f36b087e7f81f1d8b02f7746622cedd1ec42c8298f95ab285bbfe395c24850da5ae667819d438057ede36bad0d1ef9bc73b6d0e10aff5a3b6b0b79735

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c56af680a68ef5897f99cfa4f4bed338\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
4d4e643db73677854f5e73a17ab8c145

SHA1
6375c38589e9b57bbc6d5b16c29db301d19b9f1b

SHA256
ee181236e8ce820f08717465e05e8750d9fab02949fe518cc09d1a3c6ed2448d

SHA512
9bfdf5979318c89adbe779eda934dd297f46539af4df9eb0cb81e06378f6a6ee7742240bdf8450bc7c4bebf29589c8ee1cbcb54880f4ee52f93a73ca48f22b7f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP61A0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll
Filesize
180KB

MD5
d4de1bebc223981091bf98c2fe12c3d4

SHA1
68798498f7f595d0b305fbb91c3b57bc69b559cb

SHA256
07cf07f9d4b80c90fee78f5f6cf9711a41e27b6c0caec4c81f624b7eb598e098

SHA512
171fc95b9455d452b257e2dcc2127d3b55c92e46fe8ea0d9cdf35058572a6b5a4be2f54de9b744d9fde9c2e31f853f69d069b3f1bcded098d3eb397317888b71

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
0a2481686e1e0fe2ed831594ac039d41

SHA1
5ff2d34d21c5f5c287a10e2d8b33f4d4653cb9ad

SHA256
41d37856abae19753ab219861a1e7dec474d101f80b9783afdbd71536bc90a44

SHA512
9ece1aa8f2e3ed31ee43a5b2aafdc42e7a583730ba6e7ed2ba6b707036feefbb1c19d7a1b34bf25efca80f874d81516c203e7bd33a88f0cc3e3e7cbe29a60128

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
a940bb0a23c0a99a3ad67f1b43dec015

SHA1
8a031b36fde140611174a5b542ec2523e7213070

SHA256
6e39a2383ab7d78346bf2da54176ee8e72adaf876ef9decb471ef210e97d9e47

SHA512
98347532ebf2861a2af76df06b27fa58f590362561b916314dd379859513e53a6406a25a25dc92633570057bbd72c03a513dc501524648902c8faa1b22e73173

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
218ac99f621d8a961aa712476922c696

SHA1
8dbde94b64ef5d648452758f20cf8b34171181ca

SHA256
97e5058a7fe5886170ca76e47fe55681d06ee1b9fe16e620eb79ddc65a0d6871

SHA512
ae1f94fd89352874580db06616a3663164f46f2d8a9f0a87f5e550b60fc5f756cbccf658bf0a559bb856538cb7c5a79a259db4510a280842ac2aca72f6dc74b5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
a5ac916d9f5a7895691127049a4e607d

SHA1
0e3e8ca89fc87ea92171ec5943505d3bf6df321f

SHA256
0e5f605f9829c607a05c833a2f2ed3b204fb78e12861c191bb215313c290957f

SHA512
7abb2abc90ffe22526c8b4889df3501c8d71d36a8ff008765bea055fd7d4d5d7090d0e24775c86093af5f21c9b0a20e6ade5c155d9c104031e841d9bd1cdbe83

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
e73c4cb730888d417fce1fd13775a1c6

SHA1
1c9a10002cdd10c0b19eaa87dd734ab31223d108

SHA256
0537c7c88f5cc2564cf554ab661433ad39c7987c60cc278a209b84d85dbd78b3

SHA512
c1691d8e9e2a784e3ad0e53f8d408af4f07d9f88ee1178582a289dfd5bfff534f8cc40b1e1a5ca9df689dc558e2ee0f0f1829345bd4a9ec38928ef9e16f59a06

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
f5e0c1730aeade610f1a8cf06e98a3dc

SHA1
56b7b514f235915d3f2d61554a485086733ac7c0

SHA256
933c5881863b5e543196264690bb0e5440c7c498ac2f3b3bbebd8e836eef2c15

SHA512
ea4775a32c889c268e1efbc13263195a170a8530f09348d72c7352cfb6c12348bdbab1f9a11c08e7421b1f53fa2015c0de7fa1e5c0bbf94d88493de3a4c1acc5

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
4dbb2de867b1a30f99734ff4a63de090

SHA1
42b3835587fc862111b78458c5189e976e8db35e

SHA256
52d0faab53082f8718ea59c065f27ff4075e218ab13a04db9cb9fe64dc733b91

SHA512
3f870edef6f3bc9d6a32af5b7c30e2902be2b232776630c4d2bd19c34e4d98488563e3402bc8079730a8b7a3e5f2a075669b8aca0d7e3246bcef11d77228791d

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
fcf137e6152e84a82741cdf833a34d11

SHA1
20fbd963f09d025b50a36a9bcb755c96a7386c8b

SHA256
f629d1346bec5132761379a7d5a83964041cd7d997907e37e2952812ed508604

SHA512
01193c4ac1143082626b968818467d0d0b0691a83f9f8b20113b56f32199d6cf485f2f7311f6ddc170485d744a9cbb591cd13d4455219bd3ca51eedf337eee2e

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
19ff527ef0b9961bc6fa13721af8ac8b

SHA1
d3b5411002cbdf329dd3183284908b44a32a347a

SHA256
7b34069687adc6b513f0125ee08b3e26489187a22b4177de67c6b8655b28d6e6

SHA512
5be5b7666ade58d293ce34d10ddbf43bdfd3035ad989b55693d43aef8b3a823bfd0805c60e45832b064f7ed1d29c3f39a1622e6468a4ee3df45d615db4e6f87d

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
92b4f4f2041338fd7dba4ac1c1f12cff

SHA1
aa482410b9e0add39f3ce48e6b225f8f5f773ca2

SHA256
df14c57d2ee59c359c8be958c5a6081648a261242679a922fe5846279d7f1175

SHA512
84b91dbfec7ea7816113ca93e88707e4471130b9c31202f7151f87840ce9206fdc42cda7326e93aa7b314a1734cd0f229da7f0a82783517d4b4e711a41a56b07

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
c478450b4cee50ff40fc5bf6b5f16765

SHA1
d9387af836e845422933c25bb213cfd2441b4769

SHA256
33172bb6d5bd6237c61e727898184bf5d085bbea9c9105def71ab6c409fb0ea3

SHA512
c392a45a7d652bc3865dfb2492c855f1582fcdb49ce20fd9e52b6040b1d04f110184c376e3ac4dba56787f94dd9b1e2b953b782e92a712e3fd94401a6b9489ea

Download Submit
memory/616-786-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/656-572-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/656-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/680-651-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/800-96-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/800-104-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/800-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/800-290-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/844-817-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/880-709-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/892-931-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/936-812-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/940-157-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/940-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/940-114-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/940-108-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/1004-337-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1004-324-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1032-893-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1096-687-0x0000000003C50000-0x0000000003D0A000-memory.dmp

Filesize
744KB

Download
memory/1096-684-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1096-691-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-599-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-624-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1284-542-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1284-562-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1480-594-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1480-346-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1576-289-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1592-475-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1592-503-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1616-733-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1616-743-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-903-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1644-667-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1752-458-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1752-464-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1848-664-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1848-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-460-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-412-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-146-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/1996-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-141-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/1996-410-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2028-465-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2028-193-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2028-738-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2080-941-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2080-831-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2116-872-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2148-577-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2148-559-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2148-913-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2212-162-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2212-169-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2212-437-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2212-163-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2272-944-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2272-844-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2276-718-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2276-727-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-754-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-742-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2368-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2368-534-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2408-773-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2408-762-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2424-955-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2424-857-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2488-497-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2488-519-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2492-942-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2508-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2508-8-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2508-275-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2508-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2508-1-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2544-525-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2544-322-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2576-56-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2576-43-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2576-57-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2576-161-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2576-46-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2628-122-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2628-123-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2628-131-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2628-173-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2632-791-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-785-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2712-336-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2712-567-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2776-302-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2776-510-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2856-956-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2872-605-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2872-595-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-953-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2920-631-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2920-619-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-883-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2948-721-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-180-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2988-181-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2988-187-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2988-450-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2988-823-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download