e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-10-2023 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
Size

1.8MB
MD5

83fc902787b30eaaca3d40ad12ceba57
SHA1

5912a778c138c119471cd36a750a832603abf6c3
SHA256

e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213
SHA512

bf1c4ed11b6f1a64f2db2f0c25b7ce4c7a8481fe85e894f20953839f2c50c185608cd0770a0dfccfd2524134faca67899850d5764c4b9d3f0ddf3c7928b47cbb
SSDEEP

49152:FKJ0WR7AFPyyiSruXKpk3WFDL9zxnSg/fZUm2I2vmSg:FKlBAFPydSS6W6X9lnBUm2VvmSg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
464	Process not Found
2172	alg.exe
2548	aspnet_state.exe
3004	mscorsvw.exe
2824	mscorsvw.exe
2400	mscorsvw.exe
912	mscorsvw.exe
1268	dllhost.exe
2140	ehRecvr.exe
1020	ehsched.exe
1732	elevation_service.exe
2200	IEEtwCollector.exe
2744	GROOVE.EXE
1060	mscorsvw.exe
2160	msdtc.exe
2864	msiexec.exe
2804	OSE.EXE
1192	perfhost.exe
2448	locator.exe
2072	snmptrap.exe
1148	vds.exe
1416	vssvc.exe
856	wbengine.exe
808	WmiApSrv.exe
1984	wmpnetwk.exe
1900	SearchIndexer.exe
1336	mscorsvw.exe
2420	mscorsvw.exe
1160	mscorsvw.exe
2472	mscorsvw.exe
2920	mscorsvw.exe
2624	mscorsvw.exe
2600	mscorsvw.exe
892	mscorsvw.exe
1580	mscorsvw.exe
1788	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2864	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a860c2b99022096.bin	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_sl.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_hi.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_ur.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_ko.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_sv.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_el.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_fa.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_fr.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_en.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3ACF.tmp\goopdateres_sr.dll	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	aspnet_state.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5FA35C74-0C58-4A68-B367-F525EF885514}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5FA35C74-0C58-4A68-B367-F525EF885514}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{90C78641-922C-4884-A2BC-D1382A6594A1}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{90C78641-922C-4884-A2BC-D1382A6594A1}	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3032	ehRec.exe
2548	aspnet_state.exe
2548	aspnet_state.exe
2548	aspnet_state.exe
2548	aspnet_state.exe
2548	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2228	e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2548	aspnet_state.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: 33	2592	EhTray.exe
Token: SeIncBasePriorityPrivilege	2592	EhTray.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeDebugPrivilege	3032	ehRec.exe
Token: SeRestorePrivilege	2864	msiexec.exe
Token: SeTakeOwnershipPrivilege	2864	msiexec.exe
Token: SeSecurityPrivilege	2864	msiexec.exe
Token: 33	2592	EhTray.exe
Token: SeIncBasePriorityPrivilege	2592	EhTray.exe
Token: SeBackupPrivilege	1416	vssvc.exe
Token: SeRestorePrivilege	1416	vssvc.exe
Token: SeAuditPrivilege	1416	vssvc.exe
Token: SeBackupPrivilege	856	wbengine.exe
Token: SeRestorePrivilege	856	wbengine.exe
Token: SeSecurityPrivilege	856	wbengine.exe
Token: SeManageVolumePrivilege	1900	SearchIndexer.exe
Token: 33	1900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1900	SearchIndexer.exe
Token: 33	1984	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1984	wmpnetwk.exe
Token: SeDebugPrivilege	2548	aspnet_state.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeDebugPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe
Token: SeShutdownPrivilege	912	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2592	EhTray.exe
2592	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2592	EhTray.exe
2592	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2696	SearchProtocolHost.exe
2696	SearchProtocolHost.exe
2696	SearchProtocolHost.exe
2696	SearchProtocolHost.exe
2696	SearchProtocolHost.exe
1540	SearchProtocolHost.exe
1540	SearchProtocolHost.exe
1540	SearchProtocolHost.exe
1540	SearchProtocolHost.exe
1540	SearchProtocolHost.exe
1540	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1060	912	mscorsvw.exe	42
PID 912 wrote to memory of 1060	912	mscorsvw.exe	42
PID 912 wrote to memory of 1060	912	mscorsvw.exe	42
PID 1900 wrote to memory of 2696	1900	SearchIndexer.exe	59
PID 1900 wrote to memory of 2696	1900	SearchIndexer.exe	59
PID 1900 wrote to memory of 2696	1900	SearchIndexer.exe	59
PID 1900 wrote to memory of 2780	1900	SearchIndexer.exe	60
PID 1900 wrote to memory of 2780	1900	SearchIndexer.exe	60
PID 1900 wrote to memory of 2780	1900	SearchIndexer.exe	60
PID 1900 wrote to memory of 1540	1900	SearchIndexer.exe	61
PID 1900 wrote to memory of 1540	1900	SearchIndexer.exe	61
PID 1900 wrote to memory of 1540	1900	SearchIndexer.exe	61
PID 912 wrote to memory of 1336	912	mscorsvw.exe	62
PID 912 wrote to memory of 1336	912	mscorsvw.exe	62
PID 912 wrote to memory of 1336	912	mscorsvw.exe	62
PID 912 wrote to memory of 2420	912	mscorsvw.exe	63
PID 912 wrote to memory of 2420	912	mscorsvw.exe	63
PID 912 wrote to memory of 2420	912	mscorsvw.exe	63
PID 2400 wrote to memory of 1160	2400	mscorsvw.exe	64
PID 2400 wrote to memory of 1160	2400	mscorsvw.exe	64
PID 2400 wrote to memory of 1160	2400	mscorsvw.exe	64
PID 2400 wrote to memory of 1160	2400	mscorsvw.exe	64
PID 2400 wrote to memory of 2472	2400	mscorsvw.exe	65
PID 2400 wrote to memory of 2472	2400	mscorsvw.exe	65
PID 2400 wrote to memory of 2472	2400	mscorsvw.exe	65
PID 2400 wrote to memory of 2472	2400	mscorsvw.exe	65
PID 2400 wrote to memory of 2920	2400	mscorsvw.exe	66
PID 2400 wrote to memory of 2920	2400	mscorsvw.exe	66
PID 2400 wrote to memory of 2920	2400	mscorsvw.exe	66
PID 2400 wrote to memory of 2920	2400	mscorsvw.exe	66
PID 2400 wrote to memory of 2624	2400	mscorsvw.exe	67
PID 2400 wrote to memory of 2624	2400	mscorsvw.exe	67
PID 2400 wrote to memory of 2624	2400	mscorsvw.exe	67
PID 2400 wrote to memory of 2624	2400	mscorsvw.exe	67
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	68
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	68
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	68
PID 2400 wrote to memory of 2600	2400	mscorsvw.exe	68
PID 2400 wrote to memory of 892	2400	mscorsvw.exe	69
PID 2400 wrote to memory of 892	2400	mscorsvw.exe	69
PID 2400 wrote to memory of 892	2400	mscorsvw.exe	69
PID 2400 wrote to memory of 892	2400	mscorsvw.exe	69
PID 2400 wrote to memory of 1580	2400	mscorsvw.exe	70
PID 2400 wrote to memory of 1580	2400	mscorsvw.exe	70
PID 2400 wrote to memory of 1580	2400	mscorsvw.exe	70
PID 2400 wrote to memory of 1580	2400	mscorsvw.exe	70
PID 2400 wrote to memory of 1788	2400	mscorsvw.exe	71
PID 2400 wrote to memory of 1788	2400	mscorsvw.exe	71
PID 2400 wrote to memory of 1788	2400	mscorsvw.exe	71
PID 2400 wrote to memory of 1788	2400	mscorsvw.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe
"C:\Users\Admin\AppData\Local\Temp\e75ce4701b8db9f5bac3f75113bc4e9860c25ab24814adec5201164b77363213.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 1e0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ac -NGENProcess 248 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 240 -NGENProcess 260 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 270 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 270 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1268

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2140

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2592

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2200

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2744

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:808

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3513876443-2771975297-1923446376-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3513876443-2771975297-1923446376-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2780
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.7MB

MD5
1384e14476597a24e2b26baaf0cff92d

SHA1
9c114ac66087273d877859bbebaae15cda2626df

SHA256
d9c02346e08129be2c13792e871740b63ff1472e0fe20d6938051416ce783194

SHA512
e42d4af8f75f75e6963660658c102ecd36baba4e24a52e1c35f7ac5a945fb3864bf9dc520d623560cfd98a0c47b395de8b188fc64f7739fcd17cc7b89b320dd0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
01db0ea5f0cbcb2d957b9bfc7293e350

SHA1
16b7a7132068951c03011c773abe195f8a7f39c4

SHA256
36425c79987164008c83950e41d8764a5b4d394a591d79db45de95f2b69336f0

SHA512
7f8f60a125fbf8867dfa50aec189d25b8f3996b5bab5913aecacca0b2623b99158e69a9bc0007d996f5a30f86529f823f7f9c6b073c7c3144dd683f54d3c8bf9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
3657d15248f2bc5205c7ba8046387368

SHA1
4e46a002f58f446382c08972cba45f200e5c4cfc

SHA256
642f51db22decc9a1a2ad82f959d4754a8cedc051c2b82c98b4b94f91ab043f6

SHA512
8de2af73b4763e70a6b27de436b9f1005bcb60006aef579bb75ec87dd6cbe7dbff2898a98f7ddbb2f5859b48e9b178bfd966a486ace21f022891598c4fc84300

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
2.0MB

MD5
c58d75ded24aca86e0dee20e4ae27673

SHA1
11249b3ede757c2d767d26b7a0e0642875a4f867

SHA256
b87db27226f1d6368594096eed179c010afa4832cb42895750644d86baf6f59f

SHA512
1a7e56c5c176139ce8b1b1146abd99b913b8b4da27712145ea9b8508b480dd9268121ca004c65ef751c29adfef7b892729e163d88265e4b8fd7e7cb879774731

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
6e5dee658a9fdedd0394b914b3e55da1

SHA1
a7cb9d883b2f0dc523d88580c2f4dac6f6994690

SHA256
ad8b6936565ff4a0934ae9ef2db68a1024a31af257b5ba95d78224b5473936f7

SHA512
21fa64428a30c8600b9cd9087a1d083cc548e84d6e1bc1c4d4fb4515ff4919737f37adda4467cfc8af836cb518be00c616b0f1637399170a9ced2e7f976bf06e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
26d7a4b3eb8fb50a2b5e53a534f825bd

SHA1
f958b9cf5e9cb0b523541390125c35b3ce096882

SHA256
9a1dd141a67959ae904900727079c0793bb8da84fc69c95c818a6ce794f65238

SHA512
9ef7853a7bb0d52709f7ecda94074b5bbccf67e1a4b394da35c6b4eb4c72f6929c0246d2e7ecf742a11f688f10b31709773252f0513048f9a14e67ecc5358445

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
02a64956e216b75811c65f79f83cad48

SHA1
59210cec151ea5cf9c3202291e22c25616d8779a

SHA256
28b50157190e3e4e517e422c4f7dd2c47b38f9cd9e10f5b3fb7292d796fa9d69

SHA512
15f788f606c2b3c4d670c1e2ac5c7ab1c506d0b1bf1ba61ec40d503f605f5d2b1fd927d791478fce9ceab8e1c2e630920746c902712c2af56b15a5830719f77e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
2988ee34404a2d64baf83a6f339dd856

SHA1
4e1d0bed90c9f00d494656e835e8cd4b293c373f

SHA256
25e927c6f59dfb885a53a8ef527138ea1e3bbd4ed4e8c14ae36e3624ee1b8ba0

SHA512
cb76d7aa6eddb1a9b672c8479373718544593a8a51fcd1dafd3ce88e3baa575b2eb542d31cc1682f4341b01ca8043e935c174e12dbc8f8ed7ecd7344fb58d0a8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bdeb86284e19accb3fbe02398a546853

SHA1
f3250c56f4210cd864f8bc17a51268b043ac6dc1

SHA256
214e19115c8aa9acba65ce7da6acf8a84376ebfe3ed912d204c4d106d1329da6

SHA512
56eeb65e57d9a530af918a641ded20c3f54b7b7b51c8969a89e7d3018a375496dbda417c9c6872f5845ae4d08cd51d00ebf53ea1b956e6d574de37724613939e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
191a10c56befbcb0a67357bd2260ba37

SHA1
21440bbecc08fad6512b986dc66daacc3bd9dca7

SHA256
6d2e2c53cf463b3572c47c8dcacd0947b75db44fca589ea2453b4fa6818f0867

SHA512
9929cf2052d34b5eea5ca45e035dfb9fd91515c1f4a1cae7a0fbed202088cfb10cea537647e675e07633613a2f0624f2eb0711d4ff8f9512ed36e58d2d32a9e0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
bdfab8d50e977c80a0d50a6ab5963188

SHA1
721336367cf334ae38039d0898a794b71690c366

SHA256
1000a4f102d9a11eaf52791eda9e000716624063398772a94e99029cd1c084ef

SHA512
b71e8fdbc799822072753d8693b19ce30df339b008811e48ac3024319a74f7665cf1e9a818cbc50a446a1fc4e44c31d23064118b206a8bf8fe3e6ec3e58a2043

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
f6dca8903c1a9fb636fc387571faa147

SHA1
cb7f451002f2f48a5863bf875bf38cdbf2914f96

SHA256
bc9a251aae4af646c83fe3a040afb6a67ea9cacb769020ebd8300b5c2ed4d078

SHA512
bf3698f32222d562b063c3cae159adfb6d43f4c4d4e86145f101f2ac215b881148237ca6d2aa330d338e8d12cf14a3dda7e91481ea82742a86d3f4e279497777

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
f6dca8903c1a9fb636fc387571faa147

SHA1
cb7f451002f2f48a5863bf875bf38cdbf2914f96

SHA256
bc9a251aae4af646c83fe3a040afb6a67ea9cacb769020ebd8300b5c2ed4d078

SHA512
bf3698f32222d562b063c3cae159adfb6d43f4c4d4e86145f101f2ac215b881148237ca6d2aa330d338e8d12cf14a3dda7e91481ea82742a86d3f4e279497777

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
97394d566f2bc553086503a4c7b5a5e5

SHA1
827dd443fd4c5debe0150901e67f4ff5f9fbcc39

SHA256
c57656e62a4fdd8b634b2b7a57329b5c0e6a345194d6083e28903761b43bb4b8

SHA512
2835073521ca24433dc799543aeec8f23047a170b41d445129bdf87cb7c2c90b99ddcf3f0cfe566e123dfe78949afd7588999503270f64273f36a08f9218847c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.6MB

MD5
91e2ab8737df2dd087e9e56ecfb25075

SHA1
2413cbbdf2440bf8fc1e3d505ae93ed58dc86b52

SHA256
8f02a58f191a6735a75b6629ae4b81eb6e235692de2461fd146554b4b646dd7c

SHA512
a6dfca1b13859c7c025140eaf7278d2bf11d9103eaa425b6c02fda1d8cc01f5eb31339d0c44ab283b72009c710405a6a5cc8a6dd680cd284be040189eba2956e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.7MB

MD5
1fa09348c9c9ea4d8c96e09ba1dac22f

SHA1
ceff133d7738f939431b0534510442fa872a8ad3

SHA256
5fd379ce29ac48ac9121275d51297ef4c2f2521274be5cf61299e995d726faf0

SHA512
21bd0ceae4771cab2dded09635f4ffba898008b11869c5d42f3773e8998907f33d86a18ddce2bc1d13b43e3c358210c7a4531ed6d0a1b68c41b7eda8eb356bb8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.7MB

MD5
1fa09348c9c9ea4d8c96e09ba1dac22f

SHA1
ceff133d7738f939431b0534510442fa872a8ad3

SHA256
5fd379ce29ac48ac9121275d51297ef4c2f2521274be5cf61299e995d726faf0

SHA512
21bd0ceae4771cab2dded09635f4ffba898008b11869c5d42f3773e8998907f33d86a18ddce2bc1d13b43e3c358210c7a4531ed6d0a1b68c41b7eda8eb356bb8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.7MB

MD5
1fa09348c9c9ea4d8c96e09ba1dac22f

SHA1
ceff133d7738f939431b0534510442fa872a8ad3

SHA256
5fd379ce29ac48ac9121275d51297ef4c2f2521274be5cf61299e995d726faf0

SHA512
21bd0ceae4771cab2dded09635f4ffba898008b11869c5d42f3773e8998907f33d86a18ddce2bc1d13b43e3c358210c7a4531ed6d0a1b68c41b7eda8eb356bb8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.7MB

MD5
1fa09348c9c9ea4d8c96e09ba1dac22f

SHA1
ceff133d7738f939431b0534510442fa872a8ad3

SHA256
5fd379ce29ac48ac9121275d51297ef4c2f2521274be5cf61299e995d726faf0

SHA512
21bd0ceae4771cab2dded09635f4ffba898008b11869c5d42f3773e8998907f33d86a18ddce2bc1d13b43e3c358210c7a4531ed6d0a1b68c41b7eda8eb356bb8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.7MB

MD5
1fa09348c9c9ea4d8c96e09ba1dac22f

SHA1
ceff133d7738f939431b0534510442fa872a8ad3

SHA256
5fd379ce29ac48ac9121275d51297ef4c2f2521274be5cf61299e995d726faf0

SHA512
21bd0ceae4771cab2dded09635f4ffba898008b11869c5d42f3773e8998907f33d86a18ddce2bc1d13b43e3c358210c7a4531ed6d0a1b68c41b7eda8eb356bb8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
4ba359a63c50f04f2eea83784cc86ee5

SHA1
3f590e1a445e58177b5b715f006e29e7b2fbb1ce

SHA256
81f0dc4dfe039283aa5653c93983bbd7e77fb73487c71f1af598bffd0fa94569

SHA512
aba884128df77833d98ef06610f4f9b30b209fa7a3e5a270005e357b3bf9be638133a13888205f6784fa3cee37c028a91236b5b399db110a90fe3d97e94c3717

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
4ba359a63c50f04f2eea83784cc86ee5

SHA1
3f590e1a445e58177b5b715f006e29e7b2fbb1ce

SHA256
81f0dc4dfe039283aa5653c93983bbd7e77fb73487c71f1af598bffd0fa94569

SHA512
aba884128df77833d98ef06610f4f9b30b209fa7a3e5a270005e357b3bf9be638133a13888205f6784fa3cee37c028a91236b5b399db110a90fe3d97e94c3717

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2d4afa1a86ae63084a3785f2168fa6e2

SHA1
d0fdcc6d999d3d54e44bc7db8e5fae147422523b

SHA256
06c3862d5bd06258f8801bfda1cc42c7f649fdaf0e2b6f5e759f8a68f233522d

SHA512
744aedcc4f56ef344304f798d02ab2f88d96b7407e5fbb086e7210f5accaaac422abe423172bd2176416f357ecbdf3ef1203b7096c641e7e80ad71f5bdce52a1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08a6bdd31394544360b4d70088c99cff

SHA1
3b82ce657b17887d2fc2236616e19916907d6d49

SHA256
fa3776520b2a6871eb9f3f9cfebcf4eeb82fa444637fa891bbb53e35f5c29fd0

SHA512
e32d41b51ac78e1f24ce77cacf3b35e2faa090a1f7126d258c2cde2bc847a82b4dfee88c8970d5fc97e6f17820c611d006618b29dda3c5f1b022729d25482da0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.6MB

MD5
a4574a39fc55b114ff993fb3e806896d

SHA1
c9a1444fc5940b95ca2f5e09499286a7d9a60960

SHA256
4d1a8dffce6d24d9f3634c4c5ab808bd7e47620c3e263b00ae2651d7de1bbad0

SHA512
b0d6a0c320781714ba909b7f258422cc312fef103a5466da611a5d1a65aa46db4b22069ff05bf9f67343c83dc9ac9117f0ca9f87eff90191e1ea77431b74d016

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.6MB

MD5
eede64ca061eb6f6c217fdad6e6531f2

SHA1
e27a60321bfe48bb39513f5bfafe8d09b7118bc6

SHA256
2a1663a344374dc7c5b4c704af2b8e3f8ce26cceb5f10fe255b7a0b52fdd0ab8

SHA512
274ebb2609e2a532ebc2a868d2d00232f9bf8aa3e3f2c4eb4e6dfee178500c748238df6ae7bb4cd0c4a78bc114ace048b1d4b2780bcdf17ba7df957a2e1b2d6e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
9f33c227e793416a89e952e643f57852

SHA1
2be045483ae895fb066dd52ce79dc8afc1ad9937

SHA256
fffcfc3a5d9ce2c663ff11b30ff8954535dcf3aabbab13b4612687328ee589f6

SHA512
632d7142fde946e6444968566b34f48d8c30c53530feecb6303dba7bae22f729a9178998318f0c1f9623765cb4d8c23fa66a947edce6d0eb76dfcf9af0c72b20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
88f00b4915463f2957c8f94b1a4ab06d

SHA1
f7f15423e4de27bb46c02e262d417bc4c866243f

SHA256
7144690e1babc96a95ca609bbb19675042a088163dfeedeba167aae255dc89d3

SHA512
90bab448837c79da163a6ae308b13d1d8c8a72e0023054c726f296cf6ca46df3716e95bd02387a29aa320d655fd1aebb1531598010fcaa56dce66b4d03af8bc9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
8056f13072e5af479f871d52aaee00a9

SHA1
bee4d78103f3b5d07842dcd7a97f926d28b461d1

SHA256
db17f466f5e7b2ac382b38dccfa49ca036955ecf2fab760aa58dcd08d064e44b

SHA512
690e18cbb853affae9af6e763752350c4ad1921f86fd7b5eec66f923e079666046c4e199bd16265019fed89dfcfaef5ee756e160f2ade7d0de026ee09d58c4a6

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.6MB

MD5
40588d40fb33f31005537ddb49dfce64

SHA1
f190ca568cd3213d3591c0d19619424b96ae1c7a

SHA256
a0af6fce9363e79b221a29072c2686191a77e1482e594f0baae3c4004eb106db

SHA512
48f57ecc698f2e2444510fb9a7c039f48d9e5194d514d518e39a4461895bbaf8c0a47c9acc9aced7c80fa13ad61f70cc9f53be7337748c1564a0a52523953ae1

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
6431122f61bae67ecea7e631e8d666b5

SHA1
5204ed1eddfec8800f5b4d5da0b165c718263053

SHA256
ef53b3a280c4b0cde74e8e5e92ae191194a88313f7afcc0410396812ec81617d

SHA512
7dc219e17a01f1c828fbac10054fdaaa66223f98af127145306eea2d18fcad7c2ccee50d8363bc19548940715c2de93b75ec2e7e5a1f48a1963d5cdced14af0a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.7MB

MD5
2753ab43066388f0f011e3857cabb768

SHA1
2dec216224eb03f1fe6e39ee9cef1f26b676fa69

SHA256
d5116766edb8b98d044b12778066970f3452af57c96357655f285d5b5390425a

SHA512
695452c023224205d4a788ba69920955ea4e0095b6c70e75f2d5741daaba75f3ed147b6a9c0bfa58f3670b33a91ece9145e5aebad7447aa255a4ae0876b4dfa2

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.7MB

MD5
d4481b7fa74579e1b5549f1929f03807

SHA1
63aedfe151bc3b87325ef6ce105db92482d9d8a5

SHA256
65f740060615ebb12a63a49964574f46fd5e6fd27ba225db73cc5ede18479fc3

SHA512
05ae73b827ae3e6f8ec2285cb979c2692b73ed2f1b5802330179c9c3c75d04488be9e9db7b1ab8f5e44447e34b05a6614a50abe15d667288176c5d5515ddccc8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.6MB

MD5
910f137a9fcf36f36bc8b4aec0504fbb

SHA1
fcb0949d5c64c951789a50934add4dd99fd299f4

SHA256
7c99c39416bf6410d7cfb76da97f57e367789f8e48f418f478618d1f5a162690

SHA512
008f991c1e4274f4067ea57e61b66d73df9aff5216db0a99bfe472fde87a10e7393df3427ef7c392ddb9966de29de449c04202f5e929ee122e45f2737bbf760a

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
08ecc4469e6c4375b31748382d652027

SHA1
94f238810170b3b068b7e9b94cb0334c960de090

SHA256
51e47a394380100f2ac464f4a0e6dfe74b0090dd738d41c561b0eb1359a5786f

SHA512
9c45455063d96a13a262084efd14759809ec8d04e59d37b5cad31be7fc606b376d01594b294d6a510202787aa09c4300ae295862613c14543dda0cd6016bc777

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
5560573dfbb17abe39c2fba4f9b502b2

SHA1
79375749122dea75eb0c5543ac27483d1996b50b

SHA256
3f261754f06a5752b34485d216b4e0782efc218ef3315979b265bf903ac56926

SHA512
8d7065e4f913dd20b1f79ad3ca7db5000a81b7618dae5df2c5f0a93c677b6b086629524e7f1a9d20aca6f782baeede4276a3de454e1e25273ad2edfd9e2f03fb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
adc0456f20f7a24beacd47f0d5fbe161

SHA1
164212a1fa3ec715b95827310b7805c08d756d86

SHA256
0fc5532b006d928cfc9942a589f8fba0db8d598395caaf1f33fac0fdbdbcdf4d

SHA512
87df3f64bb59313ac75093c51eae20ca0998eecad5a022c118bb73c6670dfc5ce63b30ae56483fdf2540e3098fc89e67b15b99747896eb2e21803f34abb3b10f

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
db1f453145e1802071ac27757b167113

SHA1
9a09882d5a7a56664b7239d7365673f4f14dcbaf

SHA256
510a95c02f18abb13712fd1a1b3f145d9572744329623a3ee74871e884428c5e

SHA512
70a0ec0497d18dea089a11fe76d53613cc4e336a353e8b9b48a91f60504ccf9801bf5840a8996b744ffc784d193300b8d105061ea37007ae1341b4027e0f0e44

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
db1f453145e1802071ac27757b167113

SHA1
9a09882d5a7a56664b7239d7365673f4f14dcbaf

SHA256
510a95c02f18abb13712fd1a1b3f145d9572744329623a3ee74871e884428c5e

SHA512
70a0ec0497d18dea089a11fe76d53613cc4e336a353e8b9b48a91f60504ccf9801bf5840a8996b744ffc784d193300b8d105061ea37007ae1341b4027e0f0e44

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.7MB

MD5
06acdd347be190c671d907a643eca3ae

SHA1
7b2cbdc0791d0c1a4c71094bc30eabef036e4407

SHA256
f8afa3bcf3b7213cad6a96ee7a3f1181e0ddb198d1a00baa7e4558e46e9fbafb

SHA512
21d6822aec661f4708b71f34c0ac457ba4c666880a553546d477c83dc215fa54123f205b05575084efdd61f527f02fbbb8585c4f16b8a09a6e0b332504a312ac

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.7MB

MD5
06acdd347be190c671d907a643eca3ae

SHA1
7b2cbdc0791d0c1a4c71094bc30eabef036e4407

SHA256
f8afa3bcf3b7213cad6a96ee7a3f1181e0ddb198d1a00baa7e4558e46e9fbafb

SHA512
21d6822aec661f4708b71f34c0ac457ba4c666880a553546d477c83dc215fa54123f205b05575084efdd61f527f02fbbb8585c4f16b8a09a6e0b332504a312ac

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8d51fe92d1291c691b0a04d780a322a3

SHA1
0bc33322cbef0ec9ef24ef06b32f494c7262e24e

SHA256
5918e1acb46ba07eef85a9adccb49d395a4d0c2196b6cb9888977be2cd97dfb1

SHA512
6d80961c6c48da95ad176f4a0271aeb546a473da585cc043c9c0f30cc4554f99ff40ec2d1d2d05ec8f84d7057bd0a5f6efb440bc0849929dc9c8630fa32f63ec

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
191a10c56befbcb0a67357bd2260ba37

SHA1
21440bbecc08fad6512b986dc66daacc3bd9dca7

SHA256
6d2e2c53cf463b3572c47c8dcacd0947b75db44fca589ea2453b4fa6818f0867

SHA512
9929cf2052d34b5eea5ca45e035dfb9fd91515c1f4a1cae7a0fbed202088cfb10cea537647e675e07633613a2f0624f2eb0711d4ff8f9512ed36e58d2d32a9e0

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
191a10c56befbcb0a67357bd2260ba37

SHA1
21440bbecc08fad6512b986dc66daacc3bd9dca7

SHA256
6d2e2c53cf463b3572c47c8dcacd0947b75db44fca589ea2453b4fa6818f0867

SHA512
9929cf2052d34b5eea5ca45e035dfb9fd91515c1f4a1cae7a0fbed202088cfb10cea537647e675e07633613a2f0624f2eb0711d4ff8f9512ed36e58d2d32a9e0

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
f6dca8903c1a9fb636fc387571faa147

SHA1
cb7f451002f2f48a5863bf875bf38cdbf2914f96

SHA256
bc9a251aae4af646c83fe3a040afb6a67ea9cacb769020ebd8300b5c2ed4d078

SHA512
bf3698f32222d562b063c3cae159adfb6d43f4c4d4e86145f101f2ac215b881148237ca6d2aa330d338e8d12cf14a3dda7e91481ea82742a86d3f4e279497777

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.6MB

MD5
91e2ab8737df2dd087e9e56ecfb25075

SHA1
2413cbbdf2440bf8fc1e3d505ae93ed58dc86b52

SHA256
8f02a58f191a6735a75b6629ae4b81eb6e235692de2461fd146554b4b646dd7c

SHA512
a6dfca1b13859c7c025140eaf7278d2bf11d9103eaa425b6c02fda1d8cc01f5eb31339d0c44ab283b72009c710405a6a5cc8a6dd680cd284be040189eba2956e

Download Submit
\Windows\System32\Locator.exe

Filesize
1.6MB

MD5
eede64ca061eb6f6c217fdad6e6531f2

SHA1
e27a60321bfe48bb39513f5bfafe8d09b7118bc6

SHA256
2a1663a344374dc7c5b4c704af2b8e3f8ce26cceb5f10fe255b7a0b52fdd0ab8

SHA512
274ebb2609e2a532ebc2a868d2d00232f9bf8aa3e3f2c4eb4e6dfee178500c748238df6ae7bb4cd0c4a78bc114ace048b1d4b2780bcdf17ba7df957a2e1b2d6e

Download Submit
\Windows\System32\alg.exe

Filesize
1.6MB

MD5
8056f13072e5af479f871d52aaee00a9

SHA1
bee4d78103f3b5d07842dcd7a97f926d28b461d1

SHA256
db17f466f5e7b2ac382b38dccfa49ca036955ecf2fab760aa58dcd08d064e44b

SHA512
690e18cbb853affae9af6e763752350c4ad1921f86fd7b5eec66f923e079666046c4e199bd16265019fed89dfcfaef5ee756e160f2ade7d0de026ee09d58c4a6

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.6MB

MD5
40588d40fb33f31005537ddb49dfce64

SHA1
f190ca568cd3213d3591c0d19619424b96ae1c7a

SHA256
a0af6fce9363e79b221a29072c2686191a77e1482e594f0baae3c4004eb106db

SHA512
48f57ecc698f2e2444510fb9a7c039f48d9e5194d514d518e39a4461895bbaf8c0a47c9acc9aced7c80fa13ad61f70cc9f53be7337748c1564a0a52523953ae1

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
6431122f61bae67ecea7e631e8d666b5

SHA1
5204ed1eddfec8800f5b4d5da0b165c718263053

SHA256
ef53b3a280c4b0cde74e8e5e92ae191194a88313f7afcc0410396812ec81617d

SHA512
7dc219e17a01f1c828fbac10054fdaaa66223f98af127145306eea2d18fcad7c2ccee50d8363bc19548940715c2de93b75ec2e7e5a1f48a1963d5cdced14af0a

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.7MB

MD5
2753ab43066388f0f011e3857cabb768

SHA1
2dec216224eb03f1fe6e39ee9cef1f26b676fa69

SHA256
d5116766edb8b98d044b12778066970f3452af57c96357655f285d5b5390425a

SHA512
695452c023224205d4a788ba69920955ea4e0095b6c70e75f2d5741daaba75f3ed147b6a9c0bfa58f3670b33a91ece9145e5aebad7447aa255a4ae0876b4dfa2

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.7MB

MD5
d4481b7fa74579e1b5549f1929f03807

SHA1
63aedfe151bc3b87325ef6ce105db92482d9d8a5

SHA256
65f740060615ebb12a63a49964574f46fd5e6fd27ba225db73cc5ede18479fc3

SHA512
05ae73b827ae3e6f8ec2285cb979c2692b73ed2f1b5802330179c9c3c75d04488be9e9db7b1ab8f5e44447e34b05a6614a50abe15d667288176c5d5515ddccc8

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.7MB

MD5
d4481b7fa74579e1b5549f1929f03807

SHA1
63aedfe151bc3b87325ef6ce105db92482d9d8a5

SHA256
65f740060615ebb12a63a49964574f46fd5e6fd27ba225db73cc5ede18479fc3

SHA512
05ae73b827ae3e6f8ec2285cb979c2692b73ed2f1b5802330179c9c3c75d04488be9e9db7b1ab8f5e44447e34b05a6614a50abe15d667288176c5d5515ddccc8

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.6MB

MD5
910f137a9fcf36f36bc8b4aec0504fbb

SHA1
fcb0949d5c64c951789a50934add4dd99fd299f4

SHA256
7c99c39416bf6410d7cfb76da97f57e367789f8e48f418f478618d1f5a162690

SHA512
008f991c1e4274f4067ea57e61b66d73df9aff5216db0a99bfe472fde87a10e7393df3427ef7c392ddb9966de29de449c04202f5e929ee122e45f2737bbf760a

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
5560573dfbb17abe39c2fba4f9b502b2

SHA1
79375749122dea75eb0c5543ac27483d1996b50b

SHA256
3f261754f06a5752b34485d216b4e0782efc218ef3315979b265bf903ac56926

SHA512
8d7065e4f913dd20b1f79ad3ca7db5000a81b7618dae5df2c5f0a93c677b6b086629524e7f1a9d20aca6f782baeede4276a3de454e1e25273ad2edfd9e2f03fb

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
adc0456f20f7a24beacd47f0d5fbe161

SHA1
164212a1fa3ec715b95827310b7805c08d756d86

SHA256
0fc5532b006d928cfc9942a589f8fba0db8d598395caaf1f33fac0fdbdbcdf4d

SHA512
87df3f64bb59313ac75093c51eae20ca0998eecad5a022c118bb73c6670dfc5ce63b30ae56483fdf2540e3098fc89e67b15b99747896eb2e21803f34abb3b10f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
db1f453145e1802071ac27757b167113

SHA1
9a09882d5a7a56664b7239d7365673f4f14dcbaf

SHA256
510a95c02f18abb13712fd1a1b3f145d9572744329623a3ee74871e884428c5e

SHA512
70a0ec0497d18dea089a11fe76d53613cc4e336a353e8b9b48a91f60504ccf9801bf5840a8996b744ffc784d193300b8d105061ea37007ae1341b4027e0f0e44

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.7MB

MD5
06acdd347be190c671d907a643eca3ae

SHA1
7b2cbdc0791d0c1a4c71094bc30eabef036e4407

SHA256
f8afa3bcf3b7213cad6a96ee7a3f1181e0ddb198d1a00baa7e4558e46e9fbafb

SHA512
21d6822aec661f4708b71f34c0ac457ba4c666880a553546d477c83dc215fa54123f205b05575084efdd61f527f02fbbb8585c4f16b8a09a6e0b332504a312ac

Download Submit
memory/808-376-0x0000000100000000-0x00000001001C1000-memory.dmp

Filesize
1.8MB

Download
memory/856-372-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/912-134-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/912-135-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/912-273-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/912-141-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1020-260-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1020-253-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1020-311-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1060-294-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1148-365-0x0000000100000000-0x0000000100211000-memory.dmp

Filesize
2.1MB

Download
memory/1192-347-0x0000000001000000-0x0000000001193000-memory.dmp

Filesize
1.6MB

Download
memory/1192-371-0x0000000001000000-0x0000000001193000-memory.dmp

Filesize
1.6MB

Download
memory/1268-286-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1268-152-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1268-151-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1268-158-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1416-368-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1732-267-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1732-268-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1732-329-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2072-360-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2140-323-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2140-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2140-165-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2140-173-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2140-259-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2140-264-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2140-261-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2140-297-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2160-315-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/2172-21-0x0000000100000000-0x00000001001A1000-memory.dmp

Filesize
1.6MB

Download
memory/2172-159-0x0000000100000000-0x00000001001A1000-memory.dmp

Filesize
1.6MB

Download
memory/2200-334-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2200-276-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2228-257-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2228-142-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2228-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2228-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2228-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2228-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2400-123-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2400-263-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2400-117-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2400-116-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2448-355-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2548-164-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2548-93-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2548-86-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2548-85-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2560-299-0x0000000140000000-0x00000001401C7000-memory.dmp

Filesize
1.8MB

Download
memory/2560-306-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2560-317-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2560-316-0x0000000140000000-0x00000001401C7000-memory.dmp

Filesize
1.8MB

Download
memory/2744-283-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2744-289-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2744-338-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2744-278-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2804-332-0x000000002E000000-0x000000002E1B2000-memory.dmp

Filesize
1.7MB

Download
memory/2804-340-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2804-356-0x000000002E000000-0x000000002E1B2000-memory.dmp

Filesize
1.7MB

Download
memory/2824-131-0x0000000010000000-0x00000000101A4000-memory.dmp

Filesize
1.6MB

Download
memory/2824-107-0x0000000010000000-0x00000000101A4000-memory.dmp

Filesize
1.6MB

Download
memory/2864-320-0x0000000100000000-0x00000001001AF000-memory.dmp

Filesize
1.7MB

Download
memory/2864-324-0x0000000000680000-0x000000000082F000-memory.dmp

Filesize
1.7MB

Download
memory/2864-353-0x0000000000680000-0x000000000082F000-memory.dmp

Filesize
1.7MB

Download
memory/2864-349-0x0000000100000000-0x00000001001AF000-memory.dmp

Filesize
1.7MB

Download
memory/3004-98-0x0000000010000000-0x000000001019C000-memory.dmp

Filesize
1.6MB

Download
memory/3004-125-0x0000000010000000-0x000000001019C000-memory.dmp

Filesize
1.6MB

Download
memory/3032-350-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/3032-359-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/3032-346-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-343-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/3032-345-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-295-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-339-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/3032-293-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-291-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download