dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
Size

1.8MB
MD5

01a569da489b7b6e9f8754f90f74eaf9
SHA1

22c8bd58abb079c51ea9495e3c2eeba25ca79c56
SHA256

dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d
SHA512

76b4faefb564d7ef69dfd6a604e319b6ae842bee64d83ac29250fd91f07db0082d5cd5eb5497996bc7369b65d90f8ceb2e321a26d9d0c77236692fdb545e8783
SSDEEP

49152:mx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WABaB0zj0yjoB2:mvbjVkjjCAzJxB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
468	Process not Found
2632	alg.exe
2992	aspnet_state.exe
2876	mscorsvw.exe
1268	mscorsvw.exe
2824	mscorsvw.exe
2012	mscorsvw.exe
2456	dllhost.exe
2368	ehRecvr.exe
872	ehsched.exe
2980	mscorsvw.exe
2740	elevation_service.exe
3000	IEEtwCollector.exe
2200	mscorsvw.exe
1092	GROOVE.EXE
2692	maintenanceservice.exe
2052	mscorsvw.exe
528	msdtc.exe
2588	msiexec.exe
920	OSE.EXE
2260	OSPPSVC.EXE
2680	perfhost.exe
564	locator.exe
1960	snmptrap.exe
2380	vds.exe
2232	vssvc.exe
1604	wbengine.exe
2120	WmiApSrv.exe
3044	wmpnetwk.exe
1744	SearchIndexer.exe
2936	mscorsvw.exe
1600	mscorsvw.exe
2692	mscorsvw.exe
2644	mscorsvw.exe
2368	mscorsvw.exe
2500	mscorsvw.exe
2068	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2588	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\89ad205454788660.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\GoogleUpdateComRegisterShell64.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_is.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_lt.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_fa.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\GoogleUpdate.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_vi.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_tr.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_no.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_ur.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_mr.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_cs.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_hi.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_ar.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_sv.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2DF3.tmp\goopdateres_fil.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7AD10BF6-8AEC-4923-89A5-0156A8686253}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7AD10BF6-8AEC-4923-89A5-0156A8686253}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{082EB719-6F96-45AB-B840-28AA7BE9C5B8}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{082EB719-6F96-45AB-B840-28AA7BE9C5B8}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2488	ehRec.exe
2992	aspnet_state.exe
2992	aspnet_state.exe
2992	aspnet_state.exe
2992	aspnet_state.exe
2992	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1056	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
Token: SeShutdownPrivilege	2824	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2992	aspnet_state.exe
Token: SeShutdownPrivilege	2824	mscorsvw.exe
Token: SeShutdownPrivilege	2824	mscorsvw.exe
Token: SeShutdownPrivilege	2824	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: 33	2764	EhTray.exe
Token: SeIncBasePriorityPrivilege	2764	EhTray.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeRestorePrivilege	2588	msiexec.exe
Token: SeTakeOwnershipPrivilege	2588	msiexec.exe
Token: SeSecurityPrivilege	2588	msiexec.exe
Token: SeBackupPrivilege	2232	vssvc.exe
Token: SeRestorePrivilege	2232	vssvc.exe
Token: SeAuditPrivilege	2232	vssvc.exe
Token: SeBackupPrivilege	1604	wbengine.exe
Token: SeRestorePrivilege	1604	wbengine.exe
Token: SeSecurityPrivilege	1604	wbengine.exe
Token: SeDebugPrivilege	2488	ehRec.exe
Token: 33	3044	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3044	wmpnetwk.exe
Token: SeDebugPrivilege	2992	aspnet_state.exe
Token: SeManageVolumePrivilege	1744	SearchIndexer.exe
Token: 33	1744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1744	SearchIndexer.exe
Token: 33	2764	EhTray.exe
Token: SeIncBasePriorityPrivilege	2764	EhTray.exe
Token: SeDebugPrivilege	2824	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2764	EhTray.exe
2764	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2764	EhTray.exe
2764	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2132	SearchProtocolHost.exe
2732	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2980	2824	mscorsvw.exe	37
PID 2824 wrote to memory of 2980	2824	mscorsvw.exe	37
PID 2824 wrote to memory of 2980	2824	mscorsvw.exe	37
PID 2824 wrote to memory of 2980	2824	mscorsvw.exe	37
PID 2824 wrote to memory of 2200	2824	mscorsvw.exe	42
PID 2824 wrote to memory of 2200	2824	mscorsvw.exe	42
PID 2824 wrote to memory of 2200	2824	mscorsvw.exe	42
PID 2824 wrote to memory of 2200	2824	mscorsvw.exe	42
PID 2824 wrote to memory of 2052	2824	mscorsvw.exe	45
PID 2824 wrote to memory of 2052	2824	mscorsvw.exe	45
PID 2824 wrote to memory of 2052	2824	mscorsvw.exe	45
PID 2824 wrote to memory of 2052	2824	mscorsvw.exe	45
PID 1744 wrote to memory of 2132	1744	SearchIndexer.exe	61
PID 1744 wrote to memory of 2132	1744	SearchIndexer.exe	61
PID 1744 wrote to memory of 2132	1744	SearchIndexer.exe	61
PID 2824 wrote to memory of 2936	2824	mscorsvw.exe	62
PID 2824 wrote to memory of 2936	2824	mscorsvw.exe	62
PID 2824 wrote to memory of 2936	2824	mscorsvw.exe	62
PID 2824 wrote to memory of 2936	2824	mscorsvw.exe	62
PID 1744 wrote to memory of 1048	1744	SearchIndexer.exe	63
PID 1744 wrote to memory of 1048	1744	SearchIndexer.exe	63
PID 1744 wrote to memory of 1048	1744	SearchIndexer.exe	63
PID 1744 wrote to memory of 2732	1744	SearchIndexer.exe	64
PID 1744 wrote to memory of 2732	1744	SearchIndexer.exe	64
PID 1744 wrote to memory of 2732	1744	SearchIndexer.exe	64
PID 2824 wrote to memory of 1600	2824	mscorsvw.exe	65
PID 2824 wrote to memory of 1600	2824	mscorsvw.exe	65
PID 2824 wrote to memory of 1600	2824	mscorsvw.exe	65
PID 2824 wrote to memory of 1600	2824	mscorsvw.exe	65
PID 2824 wrote to memory of 2692	2824	mscorsvw.exe	66
PID 2824 wrote to memory of 2692	2824	mscorsvw.exe	66
PID 2824 wrote to memory of 2692	2824	mscorsvw.exe	66
PID 2824 wrote to memory of 2692	2824	mscorsvw.exe	66
PID 2824 wrote to memory of 2644	2824	mscorsvw.exe	67
PID 2824 wrote to memory of 2644	2824	mscorsvw.exe	67
PID 2824 wrote to memory of 2644	2824	mscorsvw.exe	67
PID 2824 wrote to memory of 2644	2824	mscorsvw.exe	67
PID 2824 wrote to memory of 2368	2824	mscorsvw.exe	68
PID 2824 wrote to memory of 2368	2824	mscorsvw.exe	68
PID 2824 wrote to memory of 2368	2824	mscorsvw.exe	68
PID 2824 wrote to memory of 2368	2824	mscorsvw.exe	68
PID 2824 wrote to memory of 2500	2824	mscorsvw.exe	69
PID 2824 wrote to memory of 2500	2824	mscorsvw.exe	69
PID 2824 wrote to memory of 2500	2824	mscorsvw.exe	69
PID 2824 wrote to memory of 2500	2824	mscorsvw.exe	69
PID 2824 wrote to memory of 2068	2824	mscorsvw.exe	70
PID 2824 wrote to memory of 2068	2824	mscorsvw.exe	70
PID 2824 wrote to memory of 2068	2824	mscorsvw.exe	70
PID 2824 wrote to memory of 2068	2824	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
"C:\Users\Admin\AppData\Local\Temp\dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2876

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 184 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 268 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ac -NGENProcess 2b0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e0 -NGENProcess 2cc -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2ac -NGENProcess 2e8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2456

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2368

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:920

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2260

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1861898231-3446828954-4278112889-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1861898231-3446828954-4278112889-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
76c76d0cbfbd8a457597b47212a93a8f

SHA1
6341daf2f7185030f51b7f8074386aeed1229a1d

SHA256
e2f1d2ffe3114b848d6ce34a2b27bc3bff9a3db2450ddb26e10b3e1cf80dac77

SHA512
c747142c5347ec8b5165bd2401fa2fc277539b2fb480dffd0f113a89a20bb7ef97bdf9e9ceeb796cbb800bff0e862ea0f8bbca469fcca63422bec5274a31ba62

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
28833b962c9fb16761c865aa99bb7f3c

SHA1
81684ea478bf0ce83e3ac6e3beb80211f33b157d

SHA256
4a979858f8dc71b01f2269d608d6a37fbee3077249ea3f6da41353b7ee1ce091

SHA512
afeb5868ec9851a6b956cb8c96397330121204133c8ca4d02cb62582672e6380a671d6c3ab99e09d3611d8abbe54a0bb3cbb9ac241cff3b53b3f9dbeaf47e469

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
1bebdfe1456ba0f080355ab3dbdfd663

SHA1
1ed2ad1d9c04cffdd2b5274ec0eece7fa31040d6

SHA256
804f58b3c6f486195d29ac06d78696485a52494391f4166fba6f63854030a9a9

SHA512
588ae614595ab3852602f2580437012527faa446b05bf4510d51f9c8285bf5bd1d6c8c939fc025e233d619739a0a637b87a2602444e4e9511c9d087396d8fa5f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
a7d85f51d5a45b8aae37a545c8a81fae

SHA1
ac194dcb235def02452ebb5d658e9187d2a9bee4

SHA256
c4656809c8c37c58e9dd634b061b4acd62bc778b69410f3eeb566ca9039a799c

SHA512
f5e718fb7d0a27f3b93a3527659feb1d4651117fe6522c91568564bf18c0bd962c36596a8643ef8b75841370c5e51ace9cd113f29680ed786567b247c2143f71

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
b28a164f0ee533014ad015c4bbb39c09

SHA1
f718750ad63d7afe9d2b22960b0133638c803151

SHA256
f48f81a2aebe06dd0aea649af90716b7a5b2f5596e689ed07c33c2a7e984fbb7

SHA512
5e54c863f4b52305b2189c3fa6a8a6107a157a207aa65edffd66f8195059dc731d83584467964e8493e96e01dc43f34cfa51cc87d016de88a80b86719a957333

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ed4b178297b616b838afffa209b8d309

SHA1
57e4153984bd8c6d77f25d44868cd119ffe22194

SHA256
df5c592b93e37f9ad06abdbefbebcf85e03567cfe6c98dc4d2b390bce8867cbc

SHA512
52fcb8a20f3368d677e514a39e1d998ddfe6d5f7f67a8e4170a3f9681d459ddf51c34db9b2842549ff199fd224dfbb0f78cf363c9073e5de24a0bff3cc239773

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
eb7f758ecba8f3c0297c163a9fe1defe

SHA1
df23bc4b2237fe53757076294c7be9820bdd063d

SHA256
436ce1f63ea3d7f5b09d337a4153a3eaa1b8ef5d27ddc80da3d3eedc23096c1b

SHA512
7f0711e5a31f5465ed64e4d2bf600f954aaab795d36c9a943a52bd47e1a8df31bae7e004dd9f4cad1ed0e1bf6fb34c737dc4fcd61e7807136c4227f7a447f2ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
eb7f758ecba8f3c0297c163a9fe1defe

SHA1
df23bc4b2237fe53757076294c7be9820bdd063d

SHA256
436ce1f63ea3d7f5b09d337a4153a3eaa1b8ef5d27ddc80da3d3eedc23096c1b

SHA512
7f0711e5a31f5465ed64e4d2bf600f954aaab795d36c9a943a52bd47e1a8df31bae7e004dd9f4cad1ed0e1bf6fb34c737dc4fcd61e7807136c4227f7a447f2ab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
cdf063bb9ccc7133a33464a333bc9f89

SHA1
31e7120aa1cc87baac6b87e64d0dc9f19d78074b

SHA256
50c9a463fdbc1d1c6df49d37f6f02e096dc8f51bdae0b2a830ebc86d1791ac96

SHA512
78e166eb1b9bb6f640bc2359555f1dcffb42f65268279d85f8ded4b250006d908d3de12bb2ddf9256c05e75f2b30e6bd1834d2f3261504c8d82407b9173283ca

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
ec8a7db6c2d5ef34bae5583d56a2689e

SHA1
1bb740b6ce9930a856102b07dc78c8e0acb04a57

SHA256
8e90aa94ab79db783c98d4803a7bf443a88409a146a5a620d971ec8a24c8e47c

SHA512
bfc715be91ec13476a27dafe57eb4d58364399c52de77ccb8691b6f91a6ae95ec95c481251f7d74385b1b852b56f0814a54145afdd385fb381908e5bcf671eb0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
ad979e2b5cb9b901cdc99db40cb560f5

SHA1
516d1b81de7c7482d63951df7d7411d07cb6a311

SHA256
7d3275ead2139602d2fd3ca1ecc538fd5c8ecf0a6fd495551f2ee0e92ef11e4f

SHA512
d2296b88dd77e28f28db402d50b93d8d00cc7195b31506ce43b002a475ff86c3aee6b3232af95c31e0a2f7d619fb75533c6d5a3c18072f5880daca2d4fadb48b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0bdcb8ea833f8e027a8263c95c6a3876

SHA1
c3f81a92dda7ec7bdffcaa3a227f3024689dfe0e

SHA256
2383b563cbeecc64c29a0f1e0b5044161fac7390d77245e50e0fe92bd1321305

SHA512
ff2d787752c26fdc83650f4adb570b0de57bd5a660a358d1dcfef4a013f4d0066a992369d23a7cb38cfa0ba9a321d4b41f7512c4f8592ff39a0048c6dbaf3ccf

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
988fdf4892ce6b14663f16c987d63834

SHA1
261c4ae22374eaf8caa6700a662002600076b59d

SHA256
65df3a7c0c0d067ec5fdcb004a5795f32ba2216cff4283d6460135d5e906629f

SHA512
ba299b3137f93dc6347e7ac069f8376d8c2a33a3224e6dbb66f711bbc49de0a4663a38c5247f29c27be7b8291e1980815ad94f2d85ae5ea2e8aadb421c90f224

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c9837ce57460ce141c41730dffac3d12

SHA1
6fe593a7aed54a944681945edbf0f08165217c0c

SHA256
4f0df43953e35f5231820f9fbf89d8129a2435ce940b3af52189b0cc4a6d80bc

SHA512
ebb9d91dbbcf5fe8ee4230eb2ac4c71206e2d5d3687a5ee5ce808133a3530e6f35436fea809da108b8d1e305c3fdbb69cc18cdb223260c22e9a634df44f56e1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
3cc6ea65e5496842fdd9113715611750

SHA1
d856d4ea7bcfa4d8bd2e6549670471258d9f7d48

SHA256
4bfea684e229a436a07c7b0379c8bd7e95473486a24315dcd468b6628b02f924

SHA512
2efa668ea55f0c3ee0e56f4f6b5e4221dc6d3e84ff5ef4d4ee75207d364f64bcf9fa0bba220ec9deb02716572db43d658d32bb92321cd4cd49ecc78025c466ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
3cc6ea65e5496842fdd9113715611750

SHA1
d856d4ea7bcfa4d8bd2e6549670471258d9f7d48

SHA256
4bfea684e229a436a07c7b0379c8bd7e95473486a24315dcd468b6628b02f924

SHA512
2efa668ea55f0c3ee0e56f4f6b5e4221dc6d3e84ff5ef4d4ee75207d364f64bcf9fa0bba220ec9deb02716572db43d658d32bb92321cd4cd49ecc78025c466ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
50f13d4c6430d56400119d9030d675af

SHA1
1089a25c485d13dcbd184a0d52ac60e963ed5e3b

SHA256
d13c93b8403cdeb9d01017868357f77dcabd43339b34d3a147c864d6843322f2

SHA512
da6f1b7c0c32bdb91343f36ff50b2c0a676f4869c4e69cf65942776e92d9c5ad206f972e356bf51a930d77863f36148254b75314dbd90a85548cf952f8b8f573

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
be9ee77bc856d6a8e4a2b8ad5df36250

SHA1
6e0905154be4da8f52e83187e85870dade87ab76

SHA256
3753d9ae19febd0849830c39136b958f6be6631aa4606f47cb7eb532885f8fc4

SHA512
b5186f3132d2ed824e2839ca0f44bf043cd2b1e29182882385ad0fce822f4c3f12864058403ba6cee643b919d1ce997211ac45b784aa40feb36507385d6b6b95

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
5718879bba2e0d884ae4f91d205b6648

SHA1
109f3e03655632366b2184851b070bf96497bdf6

SHA256
e33e2e36e38589a5cd0eacd41065c99ae35f6e7d91805290d8ac2609383ff81a

SHA512
ed91cfc81423ed41b8b7927750e8db0d8cd51f269afcb37028b4039ae93d8d555fdb1ba339127d1e9497984a770cf0eaf084fe8b707578aeed00eee7d639e424

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
5718879bba2e0d884ae4f91d205b6648

SHA1
109f3e03655632366b2184851b070bf96497bdf6

SHA256
e33e2e36e38589a5cd0eacd41065c99ae35f6e7d91805290d8ac2609383ff81a

SHA512
ed91cfc81423ed41b8b7927750e8db0d8cd51f269afcb37028b4039ae93d8d555fdb1ba339127d1e9497984a770cf0eaf084fe8b707578aeed00eee7d639e424

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
8b93e9bcb555e109ed22ab7bb1d6ec0a

SHA1
a5cfc25b9c4ab554025c88b3fba64cd2e922f2ee

SHA256
9d2b675d2bd1bd6ba5ee58f3c27543de5ddb7df59780fb9c6571fe50b500b421

SHA512
a9a1310e7450bb959ec62a63b5f30e9d6a9d6563132ce5df747575365cca19803e374da2baf8aa05e8ebd5a5e4ed31dfe7ff6a903f1df265b470d6c14d1af768

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
8b93e9bcb555e109ed22ab7bb1d6ec0a

SHA1
a5cfc25b9c4ab554025c88b3fba64cd2e922f2ee

SHA256
9d2b675d2bd1bd6ba5ee58f3c27543de5ddb7df59780fb9c6571fe50b500b421

SHA512
a9a1310e7450bb959ec62a63b5f30e9d6a9d6563132ce5df747575365cca19803e374da2baf8aa05e8ebd5a5e4ed31dfe7ff6a903f1df265b470d6c14d1af768

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
f068e9b25b0516c7dff49b7a868bc870

SHA1
521cf3b4a670c85409edc0c315d0e4e07bf89729

SHA256
540d68f4be5083ec80d656922d310a0fe39cdd19506fdfe5b41c43247a0580ab

SHA512
b85a5d345e0a820363db552fc0c5d0d94f708ce882c56df756860017adf5b9314fc1a33b1070f48b6b39321a8733735a3dde70bdc6dcd8fecc4ab102b18bdc96

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef8b6a490156cd6b339dcf8f4ddce2a2

SHA1
9e0bec8f36001e4a66af08ec0354ebaff315f82e

SHA256
df16a6a2784fdf8def161f50a16b033134cd348a2c19ed50c846d3bc4876923f

SHA512
5f086207529ae247ec6acd7931d6a3d795a04d7b97ab16f35209c23436188adfdea424705c5996358b7929398ea5f7d9ae276386c409bbbba93986e17e1af000

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
3ee397f22d8b01e6c0c1c045fa94405d

SHA1
86fe9b189fe955eb6931314bfa02490de5f52b56

SHA256
c4b23fa03aac5023377937479483a871b7efdde013ac0e60214922898a8c25fd

SHA512
f0cf117a0945e5fd644e8a7eaa5e87f12163abb4753549806bbd18e7fc84f22694049b77fbc01dcda894ddcbde2d4f535f3e6e84455d2100c6158999c7c2ac01

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
37ffa51d863e3d8fb806721e67ff891b

SHA1
73dcb40a0e8ec5e10bb9b7e5216430ae4d3bcd4c

SHA256
3fa81a4123f91ddc66ea1dd174562f91dbc88e875355c880e460c0fae13dc3d4

SHA512
36b09c8bfca43bec5d5bf919e0f4a91390f4a7fed40adda7bdf3bf38af23fede01bb4c30a658bfb5a2b63850fe2b08d3415ed2427dae4ae35242a780ae22298d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
e199e6ad6492811ce86d6a936aa42d25

SHA1
cf2236e6c905b59b557ca0cf408460421e1dd550

SHA256
e04ea578826d1730458151b4e2c7dd95c54835c0b9a7154ee3d5d6baef3269fc

SHA512
cdc97836e5e628dd5af4c4a949199c6882c56cbf045bb42514a656f9fb996ca2b05d20385fba368ba9fac6ac373a8d66c0df6bf0b73e5be4563b820148b19a55

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
859a95b3e63a389968456620ffa22fdb

SHA1
7b86c0f812a27ee793a606c1e27c95fea2486024

SHA256
389be217b6566a411df5db8a2bb8a2429ed28bdfb2256e86f1047dc780586b71

SHA512
78e14bdb52344eaeab54101b92408130eeeaba8120ac65de24b6f6581d98f42fc52b98f1281514b8263fc7dc0e4eeaae7baaf9e31bddf8fd643f11aa908c39f2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
58bdda4c92fc14b27c83d43b62281a8a

SHA1
8cde3267a224c2f502acf6a27c5efd370a3db13c

SHA256
65cbc3971b1b1d7e36d8e45c3c42fff6ffa69c136716b164513b50b05209060c

SHA512
dc2700067eca4edfe0c15d2be9edfee1493b8ef65399aabd277f3ca9dddd035b1d81f4efaa2294b6169f0fef6f06a15e6b87ff546505ed7298acb049e8cc7d43

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
dab6bc7844f619299404c757f4d0dbd5

SHA1
99912f3ce5090b835ffc33e545b44142ccac5ec5

SHA256
48cf04c46c1f5f8455163361601a18a6039ccee8faff93ba578f8a4919f1654d

SHA512
7092caa5b123246c491c87436a5fe1413059157294d9c7234ddc36375c19da73b0f1cdf811ab0d8c7728d462b6dcf55a2e1131e9f2f41d3461022023b0ee860e

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
b6ca08a40e79a25418c7f87c28e867ab

SHA1
5104b5ed396c680f6b325b50a0072305fadd3ae8

SHA256
d30af3cce9ed5303a45dbf2f7b67aff9ad8cd664be9d2bc38d3b13b915164b80

SHA512
e91ca508fb9fb731a122590c278574cc5547294bbbd41e2c496c453977694aaf2053a5f284e167790f2c470823de952810cede63f0bce2116a80760d2fb9a125

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
feaeabd3ba88e000aafa1753b01bc5f9

SHA1
def0de6c3c1b1ef40ca77e2f82bedd5b9684a5ea

SHA256
d3b58d7d542e035d7afdf6ba4279d5170a95972b008257cfebbb578d5330a7b2

SHA512
9b56a727f84615dc28725a421edda6d446255f75dd15958927f233dda1ef19b3459ba9613f11ea5d50060ca5834604cb5ceef792efb5abd92caab93fe455db2d

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
fd7cfd93af843b4af5860a16f5084ba2

SHA1
0661989ef155df6d49ba959df3f39339d9d1da7b

SHA256
c7cbc6788025f2f71828ad21011b4132b1569387dea5604e432094b790cb9314

SHA512
943ed235730721ca4f3cd6905a812b7358805d7aee89302f10d8c49f1aa414621878b952baa46a5a9032c10341e3173d0fd4c879d32e32d87818e68207b7c0dc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d9e8454a1a4eb021f762d782b25d2b5c

SHA1
314afb0bd31676dc09544d0e4ac120a0238387be

SHA256
078786d0366be16148762b90a6ad6e978ac64f544c1d0bc045e368eab603b256

SHA512
fb65d8e9c08961b75b0ade7ff4c9c891b4e8f6a4d4f5f5968160a7d83a68d376c561d50cf18c93d401f2b50970a4e333f3b0c75d055c3351380ce8a124b3f17d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
02512cee1de679adb6ba0073d58702c1

SHA1
b0573ab624ab1cb968612b1dcc4b891e0cb72f7c

SHA256
5b253c6a974c36e1eb40f30bb5fe562096f0adefbeb3ac0eeeb6c17899419c3b

SHA512
436f2cc917eef82888ddd3a8f0a654fc014943ad4b94de59978f13d4c6dd92e6ec50655045709f1c075f76b58c77b4a292702d7ea235cbb401db679fd20d7d71

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2620d7e2c51fd0826c31511453a4f528

SHA1
c7bb661a6139aaec0603ceb9e5504f5afa8219fc

SHA256
36e48d2a9d11179edb58bd5dba9b7810c531b437b09b32d7e2bf35bb21d1680e

SHA512
35ca2d25dccb5cd785274514500612f7679e577009e19e59e4e25b6626c216dbf00ac02376028cdfe80bf8cd29315cd2ac422a49313790d88033d5c29f59c708

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
56d15ea985a851c6bf362cc375066ec0

SHA1
2c8bdbb58a71742744b1564281fcd621b6f1c9cd

SHA256
e349012dd51ef383cf57a7c39b7bdac5de3b79b65aaf60dcfd2a5a4c9e9cb0f5

SHA512
17ccbb923e4a1b48b2735900460c81b8ee707cb917ae83e473f1eb7dafa55cf0db7665a1e0fe929f8e632d5e1260d4510b86ca90b00451a3c59092241a87822b

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
a531bcc862d2e5e73667d8c61e966f00

SHA1
54448826cabfbd91f0cae73fd33fc05fa43c9719

SHA256
7077530009fd12a533b260cfdff1a957c7cc981c150a4b7384ed11b3ef4cd0b6

SHA512
e3281eb850dac23045211fc01b8a0cdbbd3a42d6a0234e7b299b3de8ff788dd3be6f5a4ccbe5f884f6edc50cca33286f30b3665245df1c5b5b3b7155c8dda1f4

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a531bcc862d2e5e73667d8c61e966f00

SHA1
54448826cabfbd91f0cae73fd33fc05fa43c9719

SHA256
7077530009fd12a533b260cfdff1a957c7cc981c150a4b7384ed11b3ef4cd0b6

SHA512
e3281eb850dac23045211fc01b8a0cdbbd3a42d6a0234e7b299b3de8ff788dd3be6f5a4ccbe5f884f6edc50cca33286f30b3665245df1c5b5b3b7155c8dda1f4

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
de163befc6a6b1d8fa150e94a50a3799

SHA1
938334d7418a1db36bd8c8ae512a017aef971b8f

SHA256
537f9e4876c35b0ed6a030e631ff1bc65716e9164d06a6ba48d989e0c74e341f

SHA512
76fb3ec66bb205c21258fff29404591c27afe3561c923d7360291bfaf5e1ebc5edb5c363c6410c145b7a64b0061fadbf12404c82d8abb34fbee0b359d2f7cd45

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
de163befc6a6b1d8fa150e94a50a3799

SHA1
938334d7418a1db36bd8c8ae512a017aef971b8f

SHA256
537f9e4876c35b0ed6a030e631ff1bc65716e9164d06a6ba48d989e0c74e341f

SHA512
76fb3ec66bb205c21258fff29404591c27afe3561c923d7360291bfaf5e1ebc5edb5c363c6410c145b7a64b0061fadbf12404c82d8abb34fbee0b359d2f7cd45

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.5MB

MD5
b6ca08a40e79a25418c7f87c28e867ab

SHA1
5104b5ed396c680f6b325b50a0072305fadd3ae8

SHA256
d30af3cce9ed5303a45dbf2f7b67aff9ad8cd664be9d2bc38d3b13b915164b80

SHA512
e91ca508fb9fb731a122590c278574cc5547294bbbd41e2c496c453977694aaf2053a5f284e167790f2c470823de952810cede63f0bce2116a80760d2fb9a125

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
994d8a4da851ffe80bfaefefa417dea4

SHA1
511e3a9012d0e8c2feba0ab64d553cbe11c1c2c2

SHA256
ffa326bc0c8d7180706c077c4cb1c00a64bc79e720bd788d9ae944350d5d09d6

SHA512
7e1bdbfa2e0f6cabade9591963d25a3f2b1c7cbfaa7c2fd4311399f91e0e3895bad042c3762d42dc76693f3e5c10f8d73dcc067419a41a6ca18b028832e14b12

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
fd7cfd93af843b4af5860a16f5084ba2

SHA1
0661989ef155df6d49ba959df3f39339d9d1da7b

SHA256
c7cbc6788025f2f71828ad21011b4132b1569387dea5604e432094b790cb9314

SHA512
943ed235730721ca4f3cd6905a812b7358805d7aee89302f10d8c49f1aa414621878b952baa46a5a9032c10341e3173d0fd4c879d32e32d87818e68207b7c0dc

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
988fdf4892ce6b14663f16c987d63834

SHA1
261c4ae22374eaf8caa6700a662002600076b59d

SHA256
65df3a7c0c0d067ec5fdcb004a5795f32ba2216cff4283d6460135d5e906629f

SHA512
ba299b3137f93dc6347e7ac069f8376d8c2a33a3224e6dbb66f711bbc49de0a4663a38c5247f29c27be7b8291e1980815ad94f2d85ae5ea2e8aadb421c90f224

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
988fdf4892ce6b14663f16c987d63834

SHA1
261c4ae22374eaf8caa6700a662002600076b59d

SHA256
65df3a7c0c0d067ec5fdcb004a5795f32ba2216cff4283d6460135d5e906629f

SHA512
ba299b3137f93dc6347e7ac069f8376d8c2a33a3224e6dbb66f711bbc49de0a4663a38c5247f29c27be7b8291e1980815ad94f2d85ae5ea2e8aadb421c90f224

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
3cc6ea65e5496842fdd9113715611750

SHA1
d856d4ea7bcfa4d8bd2e6549670471258d9f7d48

SHA256
4bfea684e229a436a07c7b0379c8bd7e95473486a24315dcd468b6628b02f924

SHA512
2efa668ea55f0c3ee0e56f4f6b5e4221dc6d3e84ff5ef4d4ee75207d364f64bcf9fa0bba220ec9deb02716572db43d658d32bb92321cd4cd49ecc78025c466ac

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
be9ee77bc856d6a8e4a2b8ad5df36250

SHA1
6e0905154be4da8f52e83187e85870dade87ab76

SHA256
3753d9ae19febd0849830c39136b958f6be6631aa4606f47cb7eb532885f8fc4

SHA512
b5186f3132d2ed824e2839ca0f44bf043cd2b1e29182882385ad0fce822f4c3f12864058403ba6cee643b919d1ce997211ac45b784aa40feb36507385d6b6b95

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
37ffa51d863e3d8fb806721e67ff891b

SHA1
73dcb40a0e8ec5e10bb9b7e5216430ae4d3bcd4c

SHA256
3fa81a4123f91ddc66ea1dd174562f91dbc88e875355c880e460c0fae13dc3d4

SHA512
36b09c8bfca43bec5d5bf919e0f4a91390f4a7fed40adda7bdf3bf38af23fede01bb4c30a658bfb5a2b63850fe2b08d3415ed2427dae4ae35242a780ae22298d

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
58bdda4c92fc14b27c83d43b62281a8a

SHA1
8cde3267a224c2f502acf6a27c5efd370a3db13c

SHA256
65cbc3971b1b1d7e36d8e45c3c42fff6ffa69c136716b164513b50b05209060c

SHA512
dc2700067eca4edfe0c15d2be9edfee1493b8ef65399aabd277f3ca9dddd035b1d81f4efaa2294b6169f0fef6f06a15e6b87ff546505ed7298acb049e8cc7d43

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
dab6bc7844f619299404c757f4d0dbd5

SHA1
99912f3ce5090b835ffc33e545b44142ccac5ec5

SHA256
48cf04c46c1f5f8455163361601a18a6039ccee8faff93ba578f8a4919f1654d

SHA512
7092caa5b123246c491c87436a5fe1413059157294d9c7234ddc36375c19da73b0f1cdf811ab0d8c7728d462b6dcf55a2e1131e9f2f41d3461022023b0ee860e

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
b6ca08a40e79a25418c7f87c28e867ab

SHA1
5104b5ed396c680f6b325b50a0072305fadd3ae8

SHA256
d30af3cce9ed5303a45dbf2f7b67aff9ad8cd664be9d2bc38d3b13b915164b80

SHA512
e91ca508fb9fb731a122590c278574cc5547294bbbd41e2c496c453977694aaf2053a5f284e167790f2c470823de952810cede63f0bce2116a80760d2fb9a125

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
feaeabd3ba88e000aafa1753b01bc5f9

SHA1
def0de6c3c1b1ef40ca77e2f82bedd5b9684a5ea

SHA256
d3b58d7d542e035d7afdf6ba4279d5170a95972b008257cfebbb578d5330a7b2

SHA512
9b56a727f84615dc28725a421edda6d446255f75dd15958927f233dda1ef19b3459ba9613f11ea5d50060ca5834604cb5ceef792efb5abd92caab93fe455db2d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
fd7cfd93af843b4af5860a16f5084ba2

SHA1
0661989ef155df6d49ba959df3f39339d9d1da7b

SHA256
c7cbc6788025f2f71828ad21011b4132b1569387dea5604e432094b790cb9314

SHA512
943ed235730721ca4f3cd6905a812b7358805d7aee89302f10d8c49f1aa414621878b952baa46a5a9032c10341e3173d0fd4c879d32e32d87818e68207b7c0dc

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
fd7cfd93af843b4af5860a16f5084ba2

SHA1
0661989ef155df6d49ba959df3f39339d9d1da7b

SHA256
c7cbc6788025f2f71828ad21011b4132b1569387dea5604e432094b790cb9314

SHA512
943ed235730721ca4f3cd6905a812b7358805d7aee89302f10d8c49f1aa414621878b952baa46a5a9032c10341e3173d0fd4c879d32e32d87818e68207b7c0dc

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d9e8454a1a4eb021f762d782b25d2b5c

SHA1
314afb0bd31676dc09544d0e4ac120a0238387be

SHA256
078786d0366be16148762b90a6ad6e978ac64f544c1d0bc045e368eab603b256

SHA512
fb65d8e9c08961b75b0ade7ff4c9c891b4e8f6a4d4f5f5968160a7d83a68d376c561d50cf18c93d401f2b50970a4e333f3b0c75d055c3351380ce8a124b3f17d

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2620d7e2c51fd0826c31511453a4f528

SHA1
c7bb661a6139aaec0603ceb9e5504f5afa8219fc

SHA256
36e48d2a9d11179edb58bd5dba9b7810c531b437b09b32d7e2bf35bb21d1680e

SHA512
35ca2d25dccb5cd785274514500612f7679e577009e19e59e4e25b6626c216dbf00ac02376028cdfe80bf8cd29315cd2ac422a49313790d88033d5c29f59c708

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
56d15ea985a851c6bf362cc375066ec0

SHA1
2c8bdbb58a71742744b1564281fcd621b6f1c9cd

SHA256
e349012dd51ef383cf57a7c39b7bdac5de3b79b65aaf60dcfd2a5a4c9e9cb0f5

SHA512
17ccbb923e4a1b48b2735900460c81b8ee707cb917ae83e473f1eb7dafa55cf0db7665a1e0fe929f8e632d5e1260d4510b86ca90b00451a3c59092241a87822b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a531bcc862d2e5e73667d8c61e966f00

SHA1
54448826cabfbd91f0cae73fd33fc05fa43c9719

SHA256
7077530009fd12a533b260cfdff1a957c7cc981c150a4b7384ed11b3ef4cd0b6

SHA512
e3281eb850dac23045211fc01b8a0cdbbd3a42d6a0234e7b299b3de8ff788dd3be6f5a4ccbe5f884f6edc50cca33286f30b3665245df1c5b5b3b7155c8dda1f4

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
de163befc6a6b1d8fa150e94a50a3799

SHA1
938334d7418a1db36bd8c8ae512a017aef971b8f

SHA256
537f9e4876c35b0ed6a030e631ff1bc65716e9164d06a6ba48d989e0c74e341f

SHA512
76fb3ec66bb205c21258fff29404591c27afe3561c923d7360291bfaf5e1ebc5edb5c363c6410c145b7a64b0061fadbf12404c82d8abb34fbee0b359d2f7cd45

Download Submit
memory/528-370-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/872-361-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/872-274-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/872-294-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/920-383-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/920-397-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/1056-254-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1056-138-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1056-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1056-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1056-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1092-399-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1092-340-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1092-344-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/1268-113-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1268-114-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1268-120-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1268-180-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2012-155-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2012-149-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2012-148-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2012-297-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2052-368-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2200-395-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2200-357-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-334-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2200-332-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2200-402-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-401-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2368-292-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2368-265-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2368-353-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2368-384-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2368-356-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2368-257-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2368-258-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2456-341-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2456-165-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2456-168-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2456-174-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2488-323-0x000007FEF4050000-0x000007FEF49ED000-memory.dmp

Filesize
9.6MB

Download
memory/2488-328-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2488-330-0x000007FEF4050000-0x000007FEF49ED000-memory.dmp

Filesize
9.6MB

Download
memory/2488-385-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2488-394-0x000007FEF4050000-0x000007FEF49ED000-memory.dmp

Filesize
9.6MB

Download
memory/2588-423-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2588-386-0x00000000005B0000-0x0000000000743000-memory.dmp

Filesize
1.6MB

Download
memory/2588-378-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2632-156-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2632-30-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2680-406-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2680-412-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2692-375-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2692-348-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2692-381-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/2692-355-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/2740-336-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2740-309-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2740-396-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2824-287-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2824-137-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/2824-132-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/2824-131-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2876-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2876-97-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2876-103-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2876-126-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2980-308-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-318-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2980-319-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-285-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2980-289-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2992-166-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2992-92-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2992-85-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2992-84-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3000-338-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download