Analysis
- max time kernel: 152s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 07/12/2021, 21:34
Static task: static1
Behavioral task: behavioral1
Sample: f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
Resource: win10-en-20211104
General
- Target: f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
- Size: 341KB
- MD5: 0632c821ea5bbadb6d2103a007ee4689
- SHA1: 8216bc0a376f467bf7b071648a13cbe7003d4569
- SHA256: f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae
- SHA512: 04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c
Malware Config

Extracted
- Family: smokeloader
- Version: 2020
- C2:
  - http://host-data-coin-11.com/
  - http://file-coin-host-12.com/

Extracted
- Family: raccoon
- Version: 1.8.3-hotfix
- f797145799b7b1b77b35d81de942eee0908da519
- url4cnc:
  - http://91.219.236.27/capibar
  - http://94.158.245.167/capibar
  - http://185.163.204.216/capibar
  - http://185.225.19.238/capibar
  - http://185.163.204.218/capibar
  - https://t.me/capibar

Extracted
- Family: amadey
- Version: 2.86
- C2: 185.215.113.35/d2VxjasuwS/index.php

Extracted
- Family: raccoon
- Version: 1.8.3-hotfix
- fd4f23250443a724a3d1548e6ab07c481dfc2814
- url4cnc:
  - http://91.219.236.27/duglassa1
  - http://94.158.245.167/duglassa1
  - http://185.163.204.216/duglassa1
  - http://185.225.19.238/duglassa1
  - http://185.163.204.218/duglassa1
  - https://t.me/duglassa1

Extracted
- Family: arkei
- Botnet: Default
- C2: http://195.133.18.126/ZIaKfGwC3P.php
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/816-137-0x0000000000E50000-0x0000000000EB9000-memory.dmp | family_redline
behavioral1/memory/3596-177-0x0000000000300000-0x00000000003B2000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In

Arkei Stealer Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2072-248-0x0000000000BB0000-0x0000000000F7B000-memory.dmp | family_arkei
behavioral1/memory/2072-249-0x0000000000BB0000-0x0000000000F7B000-memory.dmp | family_arkei
behavioral1/memory/2072-253-0x0000000000BB0000-0x0000000000F7B000-memory.dmp | family_arkei

Bazar/Team9 Loader payload (1 IoCs)
resource | yara_rule
behavioral1/memory/2732-238-0x0000000002890000-0x00000000028D0000-memory.dmp | BazarLoaderVar5
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (12 IoCs)
pid | Process
4424 | 143F.exe
4584 | 143F.exe
648 | 8B07.exe
816 | 8DA8.exe
1488 | iitshhh
2460 | iitshhh
3596 | D14A.exe
5112 | E214.exe
720 | tkools.exe
2988 | FC15.exe
2072 | 3F1A.exe
3956 | tkools.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3F1A.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3F1A.exe

Deletes itself (1 IoCs)
pid | Process
2236 | Process not Found

Loads dropped DLL (4 IoCs)
pid | Process
2732 | regsvr32.exe
2072 | 3F1A.exe
2072 | 3F1A.exe
2072 | 3F1A.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3F1A.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
816 | 8DA8.exe
3596 | D14A.exe
2072 | 3F1A.exe
2072 | 3F1A.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 4024 set thread context of 4336 | 4024 | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe | 69
PID 4424 set thread context of 4584 | 4424 | 143F.exe | 71
PID 1488 set thread context of 2460 | 1488 | iitshhh | 76
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 143F.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | iitshhh
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | iitshhh
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 143F.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 143F.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | iitshhh
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3F1A.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3F1A.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
940 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
4336 | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe | 2
2236 | Process not Found | 62

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2236 | Process not Found

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
4336 | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
4584 | 143F.exe
2460 | iitshhh
Suspicious use of AdjustPrivilegeToken (50 IoCs)
description | pid | Process | occurrences
Token: SeShutdownPrivilege | 2236 | Process not Found | 24
Token: SeCreatePagefilePrivilege | 2236 | Process not Found | 24
Token: SeDebugPrivilege | 816 | 8DA8.exe | 1
Token: SeDebugPrivilege | 3596 | D14A.exe | 1
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 4024 wrote to memory of 4336 | 4024 | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe | 69 | 6
PID 2236 wrote to memory of 4424 | 2236 | Process not Found | 70 | 3
PID 4424 wrote to memory of 4584 | 4424 | 143F.exe | 71 | 6
PID 2236 wrote to memory of 648 | 2236 | Process not Found | 72 | 3
PID 2236 wrote to memory of 816 | 2236 | Process not Found | 73 | 3
PID 1488 wrote to memory of 2460 | 1488 | iitshhh | 76 | 6
PID 2236 wrote to memory of 2732 | 2236 | Process not Found | 77 | 2
PID 2236 wrote to memory of 3596 | 2236 | Process not Found | 78 | 3
PID 2236 wrote to memory of 5112 | 2236 | Process not Found | 81 | 3
PID 5112 wrote to memory of 2340 | 5112 | E214.exe | 82 | 3
PID 2340 wrote to memory of 5084 | 2340 | cmd.exe | 84 | 3
PID 2340 wrote to memory of 1492 | 2340 | cmd.exe | 85 | 3
PID 5112 wrote to memory of 2292 | 5112 | E214.exe | 86 | 3
PID 2292 wrote to memory of 4744 | 2292 | cmd.exe | 88 | 3
PID 5112 wrote to memory of 4936 | 5112 | E214.exe | 89 | 3
PID 4936 wrote to memory of 3560 | 4936 | cmd.exe | 91 | 3
PID 4936 wrote to memory of 3540 | 4936 | cmd.exe | 92 | 3
PID 5112 wrote to memory of 396 | 5112 | E214.exe | 93 | 3
PID 5112 wrote to memory of 720 | 5112 | E214.exe | 94 | 2
Processes
(indentation shows the parent/child relationship; the bracketed number is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe  (PID 4024)
    command line: "C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe  (PID 4336)
        command line: "C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\143F.exe  (PID 4424)
    command line: C:\Users\Admin\AppData\Local\Temp\143F.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\143F.exe  (PID 4584)
        command line: C:\Users\Admin\AppData\Local\Temp\143F.exe
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\8B07.exe  (PID 648)
    command line: C:\Users\Admin\AppData\Local\Temp\8B07.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\8DA8.exe  (PID 816)
    command line: C:\Users\Admin\AppData\Local\Temp\8DA8.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Roaming\iitshhh  (PID 1488)
    command line: C:\Users\Admin\AppData\Roaming\iitshhh
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\iitshhh  (PID 2460)
        command line: C:\Users\Admin\AppData\Roaming\iitshhh
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection

[1] C:\Windows\system32\regsvr32.exe  (PID 2732)
    command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CDA0.dll
    - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\D14A.exe  (PID 3596)
    command line: C:\Users\Admin\AppData\Local\Temp\D14A.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\E214.exe  (PID 5112)
    command line: C:\Users\Admin\AppData\Local\Temp\E214.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2340)
        command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 5084)
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] C:\Windows\SysWOW64\cacls.exe  (PID 1492)
            command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2292)
        command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cacls.exe  (PID 4744)
            command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 4936)
        command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 3560)
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] C:\Windows\SysWOW64\cacls.exe  (PID 3540)
            command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 396)
        command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
        [3] C:\Windows\SysWOW64\cacls.exe  (PID 4852)
            command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
    [2] C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe  (PID 720)
        command line: "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1348)
            command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
            [4] C:\Windows\SysWOW64\reg.exe  (PID 1584)
                command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 940)
            command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
            - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\FC15.exe  (PID 2988)
    command line: C:\Users\Admin\AppData\Local\Temp\FC15.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\3F1A.exe  (PID 2072)
    command line: C:\Users\Admin\AppData\Local\Temp\3F1A.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry

[1] C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe  (PID 3956)
    command line: C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
    - Executes dropped EXE