4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1

Analysis

max time kernel
136s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
Size

1.8MB
MD5

fbdd4b8a4e609d97cc2751f115a0ee28
SHA1

4d731a40314568fdc52a9b3dbfb55d5eec3b5ba5
SHA256

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1
SHA512

eb5ea30cbf0e6681cf243ad8bd49951f949d0476ed9a4927b658cc2c73a2fb8e2f738564709cafffb398d2863dd7012e00d78e6ef3f1c7db5112d465329082db
SSDEEP

49152:pKJ0WR7AFPyyiSruXKpk3WFDL9zxnSzJE3jM2ce:pKlBAFPydSS6W6X9lnUE3Xc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exedllhost.exemaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exewmpnetwk.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
2544	alg.exe
2532	aspnet_state.exe
1632	mscorsvw.exe
2116	mscorsvw.exe
1920	mscorsvw.exe
876	mscorsvw.exe
2724	ehRecvr.exe
1060	ehsched.exe
1168	elevation_service.exe
596	IEEtwCollector.exe
2592	dllhost.exe
2412	maintenanceservice.exe
2464	OSE.EXE
1776	OSPPSVC.EXE
2172	mscorsvw.exe
2264	mscorsvw.exe
2560	mscorsvw.exe
3060	mscorsvw.exe
844	mscorsvw.exe
1636	mscorsvw.exe
2216	mscorsvw.exe
2252	mscorsvw.exe
1140	mscorsvw.exe
1372	mscorsvw.exe
2624	mscorsvw.exe
1028	mscorsvw.exe
1652	mscorsvw.exe
1764	mscorsvw.exe
1068	mscorsvw.exe
708	mscorsvw.exe
2192	mscorsvw.exe
2852	mscorsvw.exe
2252	mscorsvw.exe
2528	mscorsvw.exe
1276	mscorsvw.exe
2548	mscorsvw.exe
1944	mscorsvw.exe
764	mscorsvw.exe
2244	mscorsvw.exe
1740	msdtc.exe
1704	msiexec.exe
2356	perfhost.exe
2088	locator.exe
592	snmptrap.exe
2316	vds.exe
896	vssvc.exe
2736	wbengine.exe
2144	wmpnetwk.exe
3044	mscorsvw.exe
1872	mscorsvw.exe
436	mscorsvw.exe
2556	mscorsvw.exe
1628	mscorsvw.exe
932	mscorsvw.exe
2720	mscorsvw.exe
1164	mscorsvw.exe
2164	mscorsvw.exe
1816	mscorsvw.exe
1632	mscorsvw.exe
1788	mscorsvw.exe
1212	mscorsvw.exe
3012	mscorsvw.exe
2360	mscorsvw.exe

Loads dropped DLL 50 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
464
464
464
464
464
464
464
1704	msiexec.exe
464
464
464
464
744
1628	mscorsvw.exe
1628	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
1632	mscorsvw.exe
1632	mscorsvw.exe
1212	mscorsvw.exe
1212	mscorsvw.exe
2360	mscorsvw.exe
2360	mscorsvw.exe
1756	mscorsvw.exe
1756	mscorsvw.exe
2200	mscorsvw.exe
2200	mscorsvw.exe
1568	mscorsvw.exe
1568	mscorsvw.exe
3052	mscorsvw.exe
3052	mscorsvw.exe
1916	mscorsvw.exe
1916	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
2216	mscorsvw.exe
2216	mscorsvw.exe
2784	mscorsvw.exe
2784	mscorsvw.exe
1744	mscorsvw.exe
1744	mscorsvw.exe
1068	mscorsvw.exe
1068	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exeaspnet_state.exemsdtc.exealg.exeSearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b00983e7ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exe4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_tr.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_hr.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\psuser_64.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_cs.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_vi.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_ko.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_zh-CN.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_da.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9C8D.tmp\goopdateres_ar.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exealg.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4099.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F5F.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP872A.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6ECA.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP535E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP647D.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B9AED31A-B471-4DE8-AA0D-59A4CBE74C7E}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4F58.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exemscorsvw.exeehRec.exemscorsvw.exemscorsvw.exeSearchFilterHost.exewmpnetwk.exeSearchIndexer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c090f6da11aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2548 ehRec.exe
2532 aspnet_state.exe
2532 aspnet_state.exe
2532 aspnet_state.exe
2532 aspnet_state.exe
2532 aspnet_state.exe

pid	process
2548	ehRec.exe
2532	aspnet_state.exe
2532	aspnet_state.exe
2532	aspnet_state.exe
2532	aspnet_state.exe
2532	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2648	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: 33	1252	EhTray.exe
Token: SeIncBasePriorityPrivilege	1252	EhTray.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeDebugPrivilege	2548	ehRec.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: 33	1252	EhTray.exe
Token: SeIncBasePriorityPrivilege	1252	EhTray.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeDebugPrivilege	2544	alg.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2532	aspnet_state.exe
Token: SeRestorePrivilege	1704	msiexec.exe
Token: SeTakeOwnershipPrivilege	1704	msiexec.exe
Token: SeSecurityPrivilege	1704	msiexec.exe
Token: SeBackupPrivilege	896	vssvc.exe
Token: SeRestorePrivilege	896	vssvc.exe
Token: SeAuditPrivilege	896	vssvc.exe
Token: SeBackupPrivilege	2736	wbengine.exe
Token: SeRestorePrivilege	2736	wbengine.exe
Token: SeSecurityPrivilege	2736	wbengine.exe
Token: SeDebugPrivilege	2532	aspnet_state.exe
Token: SeManageVolumePrivilege	2488	SearchIndexer.exe
Token: 33	2488	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2488	SearchIndexer.exe
Token: 33	2144	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2144	wmpnetwk.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	876	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1252 EhTray.exe
1252 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1252 EhTray.exe
1252 EhTray.exe

pid	process
1252	EhTray.exe
1252	EhTray.exe

pid	process
1252	EhTray.exe
1252	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 1920 wrote to memory of 2172	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2172	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2172	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2172	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2264	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2264	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2264	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2264	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2560	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2560	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2560	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2560	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 3060	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 3060	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 3060	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 3060	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 844	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 844	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 844	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 844	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1636	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1636	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1636	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1636	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2216	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2216	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2216	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2216	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2252	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2252	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2252	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2252	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1140	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1140	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1140	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1140	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1372	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1372	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1372	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1372	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2624	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2624	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2624	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 2624	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1028	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1028	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1028	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1028	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1652	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1652	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1652	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1652	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1764	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1764	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1764	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1764	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1068	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1068	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1068	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 1068	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 708	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 708	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 708	1920	mscorsvw.exe	mscorsvw.exe
PID 1920 wrote to memory of 708	1920	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
"C:\Users\Admin\AppData\Local\Temp\4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1632

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 250 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 1e8 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1e0 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 250 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 25c -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 28c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1d8 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 28c -NGENProcess 274 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 284 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 284 -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 22c -NGENProcess 280 -Pipe 214 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 260 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 22c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f0 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 1f8 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 1f8 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1c4 -NGENProcess 24c -Pipe 224 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 24c -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 1f8 -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f8 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 2a8 -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 244 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 284 -NGENProcess 1c4 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1c4 -NGENProcess 2a8 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 278 -NGENProcess 274 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d8 -NGENProcess 2a8 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2a8 -NGENProcess 250 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1d8 -NGENProcess 1c4 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2c0 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 274 -NGENProcess 1d8 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2c8 -NGENProcess 2a8 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2a8 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d0 -NGENProcess 1d8 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1d8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2b8 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2b8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f8 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f8 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f8 -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f8 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2c0 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2f8 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 310 -NGENProcess 360 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 358 -NGENProcess 370 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 370 -NGENProcess 364 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 314 -NGENProcess 378 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 378 -NGENProcess 314 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 384 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 1b4 -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 358 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 38c -NGENProcess 384 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 388 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 364 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 384 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2244

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1168

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:596

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2592

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2412

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2464

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604
2⤵
- Modifies data under HKEY_USERS
PID:1204

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
2c94ee700a65a6eb8a4f52e6f89b35ac

SHA1
166152a23f9a083b10e6c1857769a2cf17fe861e

SHA256
38330251ac005f88c9057b74bc5dd3a4df5ba68565faadc41ba1df440f638e40

SHA512
08714a4f561584dd0bee939a2094dd602c3263876bd2d8ca3f1f4fecf118c61ff0ceb46bd991c836f9a9e3f9c905382b510f90e4f96fec4f6c6ec43fca89edad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
cb9e55e1c08e9cd17f23c9c9b8e7be15

SHA1
e860cfa95eb6a562265271ccf9ad74505a34d08c

SHA256
cb8647ca84442765d4b00444579cac0ab101d4f40427e414c35d12332db1f6c8

SHA512
0970900a07e372462c64c04f0df87c4fcfc6afe5cd85aa6834e3d4c55bae8b289eff2965d6fd86583487b6e45afaf83f2c3025c06cb3bc9fe753e7596b45b6a9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
406e465bd3dcc9c262d119721f0103d2

SHA1
18a9b0b790bd6e39444834f0adceb622c945dbbf

SHA256
6f9634b5ae39dc36dff6248806551c5e91863ada0d5abc70f440468660fe1f15

SHA512
3d135bcd77e2397cc8f3ec9bdb20554f82e2e4da822778126ba65ec39ab21537ec928899031581ff21162bc5837021cc3c31a84af5abb91ea0570222c4130936

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
29803ec66c4d8e659d7a7f43fb4ff057

SHA1
f9e0ce31d9e9da21a09456302ca03f75d24e54ed

SHA256
e4075e832e3ca1b7b5f3f250a379eb281fb6092645ac6c64a199c8ebadac4472

SHA512
58e0f227915243b0181738a93334c045de2b7d05dcebb8ed5eecff3cf7172843dc36c41e5aa495e0f9f555d5e8b713b85d55eb73c0988d8bc15343f40d3419e0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
2461dd7e2873e89ee0cf2cd86ba37f12

SHA1
741ad53831aed624c7599ba3ad3b5b210782eb8a

SHA256
4486b2f7f48beb3002c98cd6389647add4fa686289d84a1db7470b9265e6545d

SHA512
46e512e6f1231c1148e07bf05939283db24ee45378fcf92e67838cb9927da3826c7e45fce374453e5cff248adab078f45b97855db59c7bad6e7c7e732ccbdb8c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
8bbcc0f6f4a3420d0493d18cf55fc000

SHA1
5d3c4948d71426f076efcd865440d3343b1b0e6c

SHA256
b2661d7cb3854f43a95499c920710fd8757e7081bf4f65f7bc4c9f062fa27b9e

SHA512
81b7009f71d8873d0c840415c444041296f41fa5b3b19b98cd9fe470f906be4d1e0c5ffb8176a2bab40f168f6367f99fe45d65947ca7f3c55bd2649caae28cef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
59a87e35637c3098f8c50e65e9bbcb4d

SHA1
c62bf47407f3f4750f6990329da1fbea37aa7c28

SHA256
4a33772b4ee38979a43f5db7b421a55730866344104f48113e2065ea40b91e95

SHA512
1a31d9a365e88d85c775a39b8e3a7235cf9e4720494af9621448c91d805438347d52a419a60236ce0328afb8a655a287a7eb724539849fa020034f35b75cb0da

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
dae30572cfb4597118973598b7612817

SHA1
2383de9c2b04dfba7718f071633cab7816913d14

SHA256
59b8dd701640189896d8024c93a4792f42b78331bd66b6a4df2243c7c70733af

SHA512
5cdf4ffb6cef7314550eb626cac179a6b495d342145e64b8af78fe612c4ba49bc6dcd6c58cd4fcfa1885535f09c69cf26705c8b6dbbd441995120b01dee3b91e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
ad455b98ca1ba0091e810cfa09609681

SHA1
c2f57589588e638489f5bc388cadb0aff241016a

SHA256
eded76e7933a6150ddac9c8f29ed83f1a8ac718f34e215d355a763e1f4eb6202

SHA512
5523cb3d6a50285d3010011672a8da7b816183b77b22710b0f0b77c6bb97494aea29107ce81b95e332d56014ece59fa812ea2f1854a81e306398e30cce36f966

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
ca46dd18486fe8b6d2c8f7988c0bcff0

SHA1
89a26cfcbfdb726205a0ab8d3c74c30ea13c37db

SHA256
c1148f47977a2bd9a38e628a57c6fe5278ca860affea274b02d907041a71137c

SHA512
4d527a5185747036ae8c960facfa77096c5dc9a3ebb79d1de1f36fcd13abd647b8c67f29bfe1d5c6471a8a05d8d4eab8be4f715318025ad127241c618757eae9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
c8d5cb2c3e5235f1b41d86623909e7a2

SHA1
99c7664a4f05942fa8c419554aef36bb31fa5322

SHA256
c4bf575fd1a30052d4cd5257a32312397955132175d015b1ca140004258b4835

SHA512
9567f98ec64ced7e87a219b985d86ab8e19aaa65ef024928cf502ec9145f950f592bab22f0b449ddf54918585631a576a0868c50beb7e1fc78594d7e91ed1c03

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
df1c8ed4e3e48ae727b9b8cb6038b4bd

SHA1
211d4aabb091c2daeee23b3cac8a7c1953140b72

SHA256
dda887a4d6b7f085ee73be2b7cf2f083a39d2b95d5a83db4f42c137d2e91a576

SHA512
43c367720d1b0d58adc9f1be5c7c5f66b12c35f68a15c8315f0f93058d2c9eb228c9934e29db0b7fc23b849c7708d7a080e5ae0c767e9290a142c103450a8bb1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
38c33ef0eaedd6b174de69b19877d0ac

SHA1
3e197ac91017c575fbbcb874313477a24486d0e7

SHA256
149566c62d407b2bed137f474bc543c077d304016432123918646283a91ffc21

SHA512
2b4bbcac7fba5e5d6cf8beb3a7e4ad1e29fb9dfec0f7160411a214df6d8cb31737bb334175456d69cf79310066760fc0d6f471d6e5dc584717bd2835b64d40c3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\54ba26779e6f2075f91293f4f81c2fff\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
ad8c0e759df25e0049d44e5aba4f3321

SHA1
4e1e19b1b5602937057170bf390db0091899af69

SHA256
4c31b7d8501b8914425568b1c3a228aeafa35b6cd6bfcd9cf55dfa511a71ede7

SHA512
f23471c6371f3828002e2ff168013cc01d7744299bd14c7d2117bc39261a9d10cf3bbbe87af08874990a2e20998ec7e3208bf16659ef9e895147e854509f88c4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9b03427638acd7fb726b8992a3a11816\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
8bf7ab404550a3cdb40f276c1ab985d1

SHA1
5aa281584e767f277666676acf1029852227b14c

SHA256
339d75a299b0adf32b4bf6550a35011812ffb9eb82813271ae8ed696729528c8

SHA512
6175394b0a8738dce509b392bb0871d1dae2586a524b98bb603a18b130bf64b885a795bc268525937ee0be052b426cded9c80b65a6d7923167cab70c2423a3b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a54b95e06854534eb954caa54fc57408\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
bfef0cfc1aed08bd0993aa08450f9529

SHA1
776e2e295f9f9ce4ad9bfe98d79c217cbce3f56c

SHA256
bdc90448e9d40a52c9d4348ea9cd35150de3a777e459b60be8cd6738bc7b511f

SHA512
885c288796f4c105992b428736251b20c9a906ff67720b8ec9d66a41376720dd7337c5e974381e615b1d0c82412c836fae49d49b9b2c17175e7a979297463ed5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
99afcc945084aabda2954ed1d13946d7

SHA1
1d708d380af902066351c356be3325bd70a5bba8

SHA256
7a59f7ae63e28692ad04af07f108cb6b5a5781eb2593261ed7f95e4d44042aa2

SHA512
908bbe3af61c6d99a2f22c805dec4578757499966e6f05bc0831e247a85ff723acbd8d0394b3da460fd197218a155170915468437301d28d4b8d6a257449dc20

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
1c8d9652f96055414496cb42ce3e68db

SHA1
67f6120e468cc11b42f0c1329285d7d70197893a

SHA256
6ecfd2516ae1cdf15a70428e2810a43e34b5f8cf43620931513e78a9876fe2b3

SHA512
1a3412a05df58281fa1063299e7af2dfdd940ca0693c9ae9bc5e0280f29070a5080cdcc00e61ec60a9db8b840aefcbcbdb6a3492186086c0fcff7010d8c66bbb

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
732f3defe7141beb6b76e55c6aeff066

SHA1
64c612c32eb04d751e943d4f96004929e04f076f

SHA256
45b11d7b91b5f00ff1f0e715780db5795826406d3b8c72ba557baf0218e269d7

SHA512
51018b9e1bd0a2554f71d6a70c0fd003a76db3d4cfb5f8bbe0d7fdb2c296918c69ff49baab354801a0fcf55e51fc68af7a4d59bb3ed79ca0acaddf6f15b9195e

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
7bdf5a7980aba00ddc94a16fc32c8265

SHA1
a93693a04f9232f3d1a1ab82a48659db4832471d

SHA256
c5472b0ee3931b8a25b615b6632a1477118567e389624fef26b20be3b7c41a15

SHA512
04d5aa611010a7e75fb9b5a41bed47a74b7b876b47707d364a50aaf4ab26d67cbd8fe9d39d459b5f047222e186cc0f4db62875a52da20204a59055fbd2291532

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
5eb48dd3dc00916d162f8dd9a4a6f264

SHA1
e09dcea9c8a5ad84dbd3ee296a91e8afcb4d6a0e

SHA256
2efe71a7a3d99400d2ee6187deee813d01246371074dd5b0782a2f24a14c915b

SHA512
f9533057898a15444693a523ebdcc6180e3fdac688bbb3cdd509c2b13e529edd1c791decf101d926cb863559cdbaca2b51005879101b1edd99effaccf8244723

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
ad09bdfa86a8d5c28ca734fd0dfb06da

SHA1
03b2b9f73f367135226dbbdf69828a61121acd6d

SHA256
ec65b187d664abae4bc30888693604d362090b923f2885ec77a71248fb84840c

SHA512
dcd0f1ec39761cd7a111631cfaa8ee0de3addbc46cb492266d24b669eec1e9b37f79112d7454702082495b8ec95fe90ae15790df7c0c10d3430dd34425c90f3b

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
34dc6e53c55be0cfe4373c54de6da439

SHA1
c3db24f2191075c453e933225e5101cddd37fe07

SHA256
88871010a81f2364970e37439b042a5ccdf56d94392fe0d0600060ee59f8db34

SHA512
2817ea17553d69985a4916cfabb622d4f11ef86d7419ca9e2feb2fe43a1badde0ead25aa15a480592ac2cd283b7dfc2c5f98308df159a3c84efad2e5e460647e

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
17ea36c3132bf950f1f3cad8bab504a5

SHA1
31543e2ce3b4271fd78af1fc7a58e673b72ece00

SHA256
e020801468b9c60ee505354fa0cdf8220031c161fd3e5873755207e163235da8

SHA512
cf73f8d810fcf265a233dacbb0d6d843bb666e8d4d0b0062fb22b77a50beab8904ced1c037bf6859a61c10139cbd3fb7c3504b156747875d7a97c7725d2a755b

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
d9373da38e87325f5dd8b400f83391fd

SHA1
e765b32dcc00a79401f6798cc2e3d91f1dc4add3

SHA256
b854161b678f49986ac81f6525988aca8e2c87f0a80e4a99eed9c83ff772f330

SHA512
8127875b363b8c163cb7650f46b29d729916b99e3750546493372f901f83f0b77ee26e142a848ce0cccd9e0eb56a63103c8d59de633e0548488c855754463cec

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
9a921adc9c2bc35b2809ecd55b6fdeb1

SHA1
9e9c96c966c0171ee208ed72e29fbdc38964faaa

SHA256
e227fdfab11b30e4185bfecdd8eb49b45737bf4402c3f22ce2d93668a753fb8f

SHA512
5a7917f8bc6dba2b1c3df389acb192641047388538933602d89f755c3298358ac775a623019ee348504291d31cfef323f003bd9180418f342688eb4eace063ed

Download Submit
memory/592-894-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/596-227-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/596-831-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/708-718-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/764-818-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/764-805-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/844-534-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/844-511-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/876-397-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/876-166-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/876-161-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/876-159-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/896-908-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1028-631-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1028-659-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-192-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1060-826-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1060-482-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1068-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-680-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-696-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/1140-588-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1140-601-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1168-495-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1168-214-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1276-777-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1276-762-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1372-606-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1632-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1632-114-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1632-108-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1632-152-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1636-528-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1636-564-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1652-648-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1652-674-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1704-860-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1704-1031-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1704-1037-0x0000000000590000-0x0000000000642000-memory.dmp

Filesize
712KB

Download
memory/1704-871-0x0000000000590000-0x0000000000642000-memory.dmp

Filesize
712KB

Download
memory/1740-945-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1740-845-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1764-688-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1776-587-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1776-348-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1920-145-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1920-362-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1920-140-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1920-1040-0x0000000001140000-0x000000000114A000-memory.dmp

Filesize
40KB

Download
memory/1920-139-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1944-792-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1944-779-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2088-884-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2116-131-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2116-126-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2116-123-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2116-171-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2144-946-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2172-446-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2172-403-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2192-729-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2216-563-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2216-573-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2244-807-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2244-821-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2252-577-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-600-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-751-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-481-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-442-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2316-904-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2356-1041-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2356-874-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2412-317-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2412-330-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2464-576-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2464-332-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2488-928-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2528-765-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2532-65-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2532-226-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2532-104-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2532-96-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2544-178-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2544-25-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2544-13-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2544-23-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2548-789-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2548-774-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-483-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-487-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-312-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2592-525-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2624-638-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2648-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2648-8-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2648-301-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2648-158-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2648-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2648-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2724-179-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2724-433-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2724-835-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2724-186-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2724-180-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2736-920-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2852-740-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3060-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3060-496-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download