b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
Size

1.8MB
MD5

34446803caeef0fddd97afd72ce1f7d3
SHA1

b2a287c2b93389277c6167df74f85df6a4089f45
SHA256

b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a
SHA512

62407b80fe9373802079208bb7b93a92c87ee414b4f670121a04677ec4d4c7458abafcc85127da46fc318a96d75bbec574e413c26787527db5a639ae3bd044bb
SSDEEP

49152:rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAbaB0zj0yjoB2:rvbjVkjjCAzJ/B2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 47 IoCs

pid	Process
480	Process not Found
2716	alg.exe
2684	aspnet_state.exe
3064	mscorsvw.exe
1612	mscorsvw.exe
640	mscorsvw.exe
1648	mscorsvw.exe
596	ehRecvr.exe
1780	ehsched.exe
2184	mscorsvw.exe
1656	mscorsvw.exe
2680	mscorsvw.exe
2176	mscorsvw.exe
2452	mscorsvw.exe
2844	mscorsvw.exe
2036	mscorsvw.exe
2836	mscorsvw.exe
1244	mscorsvw.exe
2348	mscorsvw.exe
492	mscorsvw.exe
2168	mscorsvw.exe
1616	dllhost.exe
2164	elevation_service.exe
2208	IEEtwCollector.exe
2560	GROOVE.EXE
2688	maintenanceservice.exe
2736	msdtc.exe
3016	msiexec.exe
384	OSE.EXE
2260	OSPPSVC.EXE
2272	perfhost.exe
2668	locator.exe
1888	snmptrap.exe
848	vds.exe
2004	vssvc.exe
2492	wbengine.exe
380	WmiApSrv.exe
1500	wmpnetwk.exe
1960	SearchIndexer.exe
1900	mscorsvw.exe
2888	mscorsvw.exe
916	mscorsvw.exe
2800	mscorsvw.exe
2724	mscorsvw.exe
3032	mscorsvw.exe
2348	mscorsvw.exe
2428	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
3016	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eb61488ae738cb9d.bin	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\GoogleCrashHandler64.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_iw.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\psuser_64.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_el.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_uk.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\GroupRestart.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_hu.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\GoogleUpdateSetup.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_sl.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_pt-PT.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_zh-TW.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\psmachine_64.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM141D.tmp\goopdateres_cs.dll	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DD5AF5FA-DD9A-41A7-B57B-FDBC29DFB1F5}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DD5AF5FA-DD9A-41A7-B57B-FDBC29DFB1F5}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{30560FD3-DD42-43C2-8C5B-1CDCA3F99957}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{30560FD3-DD42-43C2-8C5B-1CDCA3F99957}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2684	aspnet_state.exe
2684	aspnet_state.exe
2684	aspnet_state.exe
2684	aspnet_state.exe
2684	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1680	b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	640	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	640	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	640	mscorsvw.exe
Token: SeShutdownPrivilege	640	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2684	aspnet_state.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe
Token: SeBackupPrivilege	2492	wbengine.exe
Token: SeRestorePrivilege	2492	wbengine.exe
Token: SeSecurityPrivilege	2492	wbengine.exe
Token: 33	1500	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1500	wmpnetwk.exe
Token: SeManageVolumePrivilege	1960	SearchIndexer.exe
Token: 33	1960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1960	SearchIndexer.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeDebugPrivilege	2684	aspnet_state.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
932	SearchProtocolHost.exe
932	SearchProtocolHost.exe
932	SearchProtocolHost.exe
932	SearchProtocolHost.exe
932	SearchProtocolHost.exe
932	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2184	1648	mscorsvw.exe	36
PID 1648 wrote to memory of 2184	1648	mscorsvw.exe	36
PID 1648 wrote to memory of 2184	1648	mscorsvw.exe	36
PID 1648 wrote to memory of 1656	1648	mscorsvw.exe	37
PID 1648 wrote to memory of 1656	1648	mscorsvw.exe	37
PID 1648 wrote to memory of 1656	1648	mscorsvw.exe	37
PID 640 wrote to memory of 2680	640	mscorsvw.exe	38
PID 640 wrote to memory of 2680	640	mscorsvw.exe	38
PID 640 wrote to memory of 2680	640	mscorsvw.exe	38
PID 640 wrote to memory of 2680	640	mscorsvw.exe	38
PID 640 wrote to memory of 2176	640	mscorsvw.exe	39
PID 640 wrote to memory of 2176	640	mscorsvw.exe	39
PID 640 wrote to memory of 2176	640	mscorsvw.exe	39
PID 640 wrote to memory of 2176	640	mscorsvw.exe	39
PID 640 wrote to memory of 2452	640	mscorsvw.exe	40
PID 640 wrote to memory of 2452	640	mscorsvw.exe	40
PID 640 wrote to memory of 2452	640	mscorsvw.exe	40
PID 640 wrote to memory of 2452	640	mscorsvw.exe	40
PID 640 wrote to memory of 2844	640	mscorsvw.exe	41
PID 640 wrote to memory of 2844	640	mscorsvw.exe	41
PID 640 wrote to memory of 2844	640	mscorsvw.exe	41
PID 640 wrote to memory of 2844	640	mscorsvw.exe	41
PID 640 wrote to memory of 2036	640	mscorsvw.exe	42
PID 640 wrote to memory of 2036	640	mscorsvw.exe	42
PID 640 wrote to memory of 2036	640	mscorsvw.exe	42
PID 640 wrote to memory of 2036	640	mscorsvw.exe	42
PID 640 wrote to memory of 2836	640	mscorsvw.exe	43
PID 640 wrote to memory of 2836	640	mscorsvw.exe	43
PID 640 wrote to memory of 2836	640	mscorsvw.exe	43
PID 640 wrote to memory of 2836	640	mscorsvw.exe	43
PID 640 wrote to memory of 1244	640	mscorsvw.exe	44
PID 640 wrote to memory of 1244	640	mscorsvw.exe	44
PID 640 wrote to memory of 1244	640	mscorsvw.exe	44
PID 640 wrote to memory of 1244	640	mscorsvw.exe	44
PID 640 wrote to memory of 2348	640	mscorsvw.exe	45
PID 640 wrote to memory of 2348	640	mscorsvw.exe	45
PID 640 wrote to memory of 2348	640	mscorsvw.exe	45
PID 640 wrote to memory of 2348	640	mscorsvw.exe	45
PID 640 wrote to memory of 492	640	mscorsvw.exe	46
PID 640 wrote to memory of 492	640	mscorsvw.exe	46
PID 640 wrote to memory of 492	640	mscorsvw.exe	46
PID 640 wrote to memory of 492	640	mscorsvw.exe	46
PID 640 wrote to memory of 2168	640	mscorsvw.exe	47
PID 640 wrote to memory of 2168	640	mscorsvw.exe	47
PID 640 wrote to memory of 2168	640	mscorsvw.exe	47
PID 640 wrote to memory of 2168	640	mscorsvw.exe	47
PID 640 wrote to memory of 1900	640	mscorsvw.exe	68
PID 640 wrote to memory of 1900	640	mscorsvw.exe	68
PID 640 wrote to memory of 1900	640	mscorsvw.exe	68
PID 640 wrote to memory of 1900	640	mscorsvw.exe	68
PID 1960 wrote to memory of 932	1960	SearchIndexer.exe	69
PID 1960 wrote to memory of 932	1960	SearchIndexer.exe	69
PID 1960 wrote to memory of 932	1960	SearchIndexer.exe	69
PID 1960 wrote to memory of 2632	1960	SearchIndexer.exe	70
PID 1960 wrote to memory of 2632	1960	SearchIndexer.exe	70
PID 1960 wrote to memory of 2632	1960	SearchIndexer.exe	70
PID 640 wrote to memory of 2888	640	mscorsvw.exe	71
PID 640 wrote to memory of 2888	640	mscorsvw.exe	71
PID 640 wrote to memory of 2888	640	mscorsvw.exe	71
PID 640 wrote to memory of 2888	640	mscorsvw.exe	71
PID 640 wrote to memory of 916	640	mscorsvw.exe	72
PID 640 wrote to memory of 916	640	mscorsvw.exe	72
PID 640 wrote to memory of 916	640	mscorsvw.exe	72
PID 640 wrote to memory of 916	640	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
"C:\Users\Admin\AppData\Local\Temp\b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 1f0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 248 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 188 -NGENProcess 278 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1f0 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1f0 -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1ac -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1ac -NGENProcess 294 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 1ac -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1612

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2208

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2560

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:384

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2260

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:380

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
97KB

MD5
8ceaa168d2b4ac29c1f7866ca210f558

SHA1
a349e9cd9746eb68f561d4d39516204892f1e3e9

SHA256
88ae9dc4f47659270cd77ddf6bf64fa0c5cb8fe1cfb30c762fd9d986cca36261

SHA512
17d3859fc8e2b2bb699e67bcc1e952d01d284e2b09c35ccfee866ad8a671f5c26a03c141b9a220e06b06287752b07e95642dfe2c802fab1b673b33df05ab1912

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
203KB

MD5
ac2170529674fe3d978d169477f817b2

SHA1
0a66446b446973e238cdbfe13bf781b81f3aa649

SHA256
2db6dc96b65f2358d0d1f28dde422408112ae85be3c8e51695c4bea5d59300b1

SHA512
73f69015bba0bbf9ed82bb65b17fc1add4e87c2cbf7e15182c9195c4e4787e551782e799870c3e07bc17d246e4fa32dd40726ecb40ee3d998d7d4f9f0a72da4a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
36KB

MD5
d8477b2b9df609a803b9434a01f73589

SHA1
d0a0427fde972cf0070aa0e6c4ff82be68831991

SHA256
9e4aaaaf5ba7d948a6c605278abc5e346e4d651195a5bfa8bf2ae1f35e28d4cb

SHA512
40f530e02d6791da23ebb25a3ebaa514b9827566e3c9d16253e437299c4aa4268008d386822ce9617eac0fb3b009bf3a1632ec3852ba7bf37a4e38972c0b1d09

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
113KB

MD5
6c639b8d8ffad1171a0a16b364ae8a75

SHA1
9cc13d051f6ca7ec634c7ac8d5870ec88d814f4e

SHA256
fb83d56840001e084c3e09343f2bab6fa31a7be7ea1f1069191dc51f08a5d5dd

SHA512
81eb7366c1140c3d8195c278c0d129c3c4531bba437d519047884b124718fe763fef686d4722fe4c5070238c7759c0a37df2525017cc669f581611fab49599eb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
95KB

MD5
70f86b659adc142e65350db7727bca95

SHA1
fe134f4e88738d81f2a8e713ed4ca779e6309494

SHA256
044bc6f6c2f7246640c1cce80efbadedc81d9f07d2ac4003e8ff3ddd29f4e72b

SHA512
d1448a5de5b51898ec56a48aea42f743bb91ccfdc5e3bce8c36c9bf712b03797db1136bdf28577945f1d65f64f5008991d0df082635e2428b0372d4094ed04d6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
119KB

MD5
2669291f09b1e2c24ce94e8cea21e089

SHA1
56841aada5453dffaedc55899ac2f6490625b109

SHA256
4b05afd88f2a07480b2b8629df8a80de326aeca233c3d654999806abe66044ad

SHA512
a7e884a4f268a3824e2b64d5d31c3ef7295fadff30e59581c608b4519d9085ac14f287b737829cd489211a05b84173e26510665a50a74aec2fed9b22fae501d4

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
46KB

MD5
430551ad29fd27e7128391e28972b2d3

SHA1
92f8d99d611a9522d0b074c0006a9d0049a74709

SHA256
37c0be736fb38ed1ab521fe8f2933a6768030893348418be9e06617de9ac358b

SHA512
24b2defc8e9d294715d7d56140c0e35de343e14a37e0f2363f0df7980bdae4a871db695b19bede07b7945d6103ddd83f8258a50aa14b37548d8f194a5eac078c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
160KB

MD5
683df748c79e29067dd88607cd7cf5ef

SHA1
25278563873893e7d9c64c85d2df3ecfb984db08

SHA256
0f3d16b12999b8a0a783302b96b1e69ce57319690079c9129d49cf2eeb0d33b5

SHA512
224e1e60bb8fb5bad5d1cadfcf4899bcdf06ceef5b938cca531d2a1f0b5709c7f1d821d75090c8461815018c402d858c7d42481907bddf69846431afe2d589fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
126KB

MD5
e756144128b212c2bc67a611c1ac250b

SHA1
b33273289ebf068f6e10225a0885f7ff91935eca

SHA256
eca4ee10bd2d3bceb6f833c339c2dbff1dbafd6cb5eed977e5ede03f650f564b

SHA512
899b94064d47e7a537fe0e9f04321ac4f7cc61e78421127f3fdd9bbe681c644479878949f377ffd8e0200a248cbdbd893f0948652a6fc2c254d2700dcb3af03e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
102KB

MD5
8222f1ece632cb7ab7bf2ed0b32c07b4

SHA1
92f7b50e0512e493a04d0f57a2443bee6a6d0aaa

SHA256
003ace1a709f33c1334165666bb52fb5ea7b57488941d3164c94d815ef7eb04d

SHA512
2b30fa4c7edd7c763d60fd6faf595e74ad0e05d9b3517ec7983da424cff65b665956c2ecbf7c0b6bef7181d6c10a45c313d7fe876db27dd5ef09a10dd8342467

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
163KB

MD5
e225f718ad064e3d200cb50f1d6c17d0

SHA1
9c78dfbe9fd0b0246254b1de578e8a1cd14f5dc6

SHA256
58809a43deb2bab088d86186a2c8544c674f08466865cd0f9a529b2cc07ab83b

SHA512
f09a748170296472fd95ed4542a4f607c7f02d73669fcd198d8a3dbb5424b7862c5bada3aeb83fcdb303bdfd8ab44c46b2b6713ba275aa57295498e1dd0a80de

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
114KB

MD5
259af2bb909f465f02bef262dba78d3c

SHA1
33a019c00ef73d8e0a66df1b1a66c527eb4d9534

SHA256
8741f21ac13f681713dc076d925cc74a725ffa8cda2a475b40b49ddef9512d3e

SHA512
2f1561ddce9095f9f26c505b5ef839c7cc829a9e5e167a02ffbaab048747213c02024ee7519bda1d4644bbb130bddc07f6dcf6dace1707d384780cc5f9412e26

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
56KB

MD5
1512d694b2eac1033d6b2b140c3a2de7

SHA1
ed51c75df6a2e9caa0e7cff945766a45b6eb80ab

SHA256
eea3322e18b7edbbe7ee602a054ae4e20987a2e82eecceb9b058bf2e536f18e2

SHA512
46fda221bffea0211a4ed5903323de3315ddbba7da0b80a74487ed745f2bb8e73c3f94334a6a13cfe8e030f03f354c8505a1907fcf6d560be2f96e57214077eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
140KB

MD5
0588d298ad7a76b5fae02f038680ba95

SHA1
5495609930489c1d8fafd19f91bd35afa8701232

SHA256
691841be10769a6effbc9857a8e53027edfdab5375d1a2e06ba5cd6c12ab863e

SHA512
f04aa7b7ca663d532466b50b4fd4b3450471bb1b903b470914447e954ab3d23372c199369ebf96f3437942b04992c884d4c29cd4d1ed6e91bd2b885283e1017a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
20KB

MD5
32eae428471bb4c37dff7d41d4ada74b

SHA1
d94aa734c8db6d17bdff7a755405386f1a4c1345

SHA256
2ebef31001b61b5e0d3489de0f926d157a0d5bf5b625aecb65e0d1de3e432576

SHA512
42ebd6c0f5e7b5f6e81b7fd44f4aafa6c6c0a1fa0a6e5d6117ab964c2fc0f87857d0b0854be84df8f2dfc92337f672cb4f962247b27426154a02ffd35e051b64

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
128KB

MD5
111835419d204e3537c4766bffb73519

SHA1
a49dcb3ab696a249d4ad03d596bf281b079f0b39

SHA256
b0390a4b70ca450d8eb841a29b64b9bb02611d6a6d8f4652fba560c05f5130a0

SHA512
dded4e96e778a537ebdfbd3c5d6452c2d0d0f5e17f7fbae5edd11b59a092b7e03bc94cd92c1a483f3135193a3e084c4ff234ad963c6222bb8bd7b14dcd7d82b7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
141KB

MD5
5e7911c98433e425dd0e30b10a37c77c

SHA1
5bb26738c1841bb5328c6ea81a4345026753dc4d

SHA256
89c45262d9713ae29c9e6a5993d07b77233feeec4bd5131fa0ff0404260ff470

SHA512
e28a2a192385b2a7b07a0641547bc15a4eb4194c0e248268f020fa0b05eaf9e71565007dde900a8b8b5e1e88f94bff2e912f0a83e4f909a418aa349ec251b979

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
136KB

MD5
2ab20566346a68d9995ba8e5b1f73233

SHA1
90f891a3024cbea9a0f09d7fbdbcb940b98d5d25

SHA256
cad644710968050ade13e216ed705ba1cdff23c90fec28d7d28b84989766eac6

SHA512
3b4f63f40385572bfab1a6952eb4a5ea2176ef8e2b5430821c2db6bcac41f65752f1e8dc2da116b39a35c508e6e7345f66f71d707dddb223203a43c9663a584e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
97KB

MD5
38f70466d7da6f11655e9f8e77756351

SHA1
c7e5cb52312a34256bd9a5b294caadefaa11206d

SHA256
8005f6659288baa536778da508ff4a26d694c69d78576af0efb6366c10bd29dd

SHA512
8b43dd5754b4d4c0789b6a41c43826b1276ff22b8fe608fe4a91f39dfb42ba04323b07436d99f8eb7b7af3761d1ae17e9202472b9544878d0f5002328029ed7f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
69e47589657151677e62d87978bc5516

SHA1
b382cdf1b8612399be78b77b66fec56201380479

SHA256
58d0f601aac66e5ee739ebdec1fb073b9be75719ed363cd1accc776c9926a7a9

SHA512
adf006048df9f0ee253d363c8c87ff114e865faf51858ec48010da2a9888d1a5ae8590936bda7e253bce1e9a038e8ea69ce8b2eaa8438d542bc72f07bf23e22e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
70KB

MD5
abd1fb0154323c52f4320b8d162ea069

SHA1
56991a2b9fa7b23a3ce69042e7cc8730eb359a86

SHA256
df1c8663f415349cc143350af764b241a438bd011ac47455af764bcd7e66cddb

SHA512
3f289ee8eb91005ea9f4e2034e46fcd7b5783a313389cbb19304f861408c6f3577fcf586df9ebb28d15533de1cde9acba61c16ac6ed7abd92e1eaee42e2c1fe2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
57KB

MD5
21f01e31e99736b084323a028be706d6

SHA1
77a8885b143a25c1f02099535c9d75b7ade5c88b

SHA256
73d02f4a4c33c392801d35dd4c6712e0aa666a9e565a126c16a2cebf5cf49141

SHA512
d1cf2e31ed59403daccdc859ac24e8131c73c5e7b7d5399d809fcbc5408c480891306cb6be44e6764c96e4ce045b411850140f351737e195697e4df7215b97d9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
147KB

MD5
3163cdb9e369cb21f241b4967647f65d

SHA1
689dc5d8745473d8bc1ea534bd94f888944ee305

SHA256
11f3c46bd8799874687995c8a27633d08a813511274dfff22a674d5fa2a8a6f1

SHA512
e61851f2aaf02978c72833246118c11e95da662c454305477e503ef1da68e4eb5235608227eca4d282f42282bdeda7a5fa15d4a6767e31b5d2833a33cc5f32eb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
206KB

MD5
ae76bf2fe51243f2d4795eb1ecaf5227

SHA1
f420f0a687e397607b50f6c91d460eadd829585d

SHA256
95ce63ab69293d3492e7d30251e1312b7ea4cf0fca5eec0528ab71616c94cad2

SHA512
66eed8db82bb8df24b51d77ad4b457fbeb6f3eff1787b4392bff4df45d8ade7449a5fa6b32e34334f981ddcd871a5de9d9b3c89c878cf2e01d39575be42b9ac9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
70KB

MD5
687b0631a493f266e47ff31f3c216fa9

SHA1
6b2ea996030f3915df7715bdd0a2a2ee38c51bb6

SHA256
a444312e8c37b02d98bd0a060521c18a513b86a4e34eec0daa74dd0b52c8a9de

SHA512
68895f1450b0a9a3206675d7bf2c8c1ce7a6a288d62228d59040d671f601c4128329d67543e0d0aec7828b898c40c96b1d1a6f305a5196ddc38993df58f4e161

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
3KB

MD5
040bb6b4e26e5a9286130dcc5cf58640

SHA1
7ad0eb31c95930a4ce7dfb015a99cee20bbc9be4

SHA256
cb1d9318fa98d88fcfa3e88ee24782613900b7e23a8ec506b878ec67937b5e3b

SHA512
84f803ca35f5c9745485781d183fb22fddefa5b56f42a2b6497e5d6f6778382a973fbb33c291bb7579043cdd133638cc5c601d068c860918a4cd28d157c84855

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
145KB

MD5
59914bb44e7cc56f852b59141367eb39

SHA1
ba6096b3c603796161c81ccf59931c9e1bd9366a

SHA256
64397d3256926ba19d8b1e49c1415107b85607b16aa587fb1ebec98ab0c9df93

SHA512
d626ce6a5fbd0035e70f52182e8e8f4191dfdd8224758a7446bab203455566449245a1f851d6feb89213f81c5b9a6e8f98232c0756a573181c8ab0be83050ce2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
55KB

MD5
c1337d4f3635a6236039e9091c165d00

SHA1
72e9864c9bd5a137b2eb9c9553e73e49882dea59

SHA256
a3a2280768769fd0eda4719e263cfe75e6428d4c1e5c0a0adcadb809737d20c2

SHA512
7df734d0d4b22078b74867ab9d5d5a4abdea4fb17d25d6ab9e70121896389886ae2e9001b29fab6c890cc9e67ea19e0c7de8b8e5b286597cea9bcda1f0f7fdd5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
136KB

MD5
f09212a7b382b903a59dec7d88c7dedc

SHA1
2ca5c81a3002d061b830c74cc5de7129ebf2becf

SHA256
798d19ebd2869f933332356839634cd40a74735cff508d1f3a979b8722532042

SHA512
64d54c171de761ca6f69cccd2fe0198e2fc19e6e20a15694e9e2abb36f2c18a5b07dfbdf30c00a86dd10874e537e1f1ad1c2f152901f5ad14f7e20d4d4036400

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
25ad6ef8ba51d22ad521c8e9d1658abe

SHA1
d0227239bc447da72b45926805a11e8942e4ce49

SHA256
335a246b5dc467596efd862c8883170c258d354867af73f2ef5f443774f221cf

SHA512
d7968683e57e382bb9269e7049f2f9f7ca530439e170737f2e910eab0bb80c785ca368a992a69bf44475b28120d9c2d1ad95f717c2e8978c76f868e212fe8732

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
39KB

MD5
65cd5b99fabd763f0948fd655f6b18dd

SHA1
f8f8a6961063094fbe835b025f840adfdc0d6807

SHA256
9eee4fa00ab53412ec114fbeda8f6f5be274bbc7cec21131cf82865a69f5bed0

SHA512
f933895ed074d758a44c3f45ac43410a263e60370f62fdb87252d3233567b489457a3aae4c0aec00437ddaa97545f2c28a88786047b07938590242f3f91c9b1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6cdce4c08af86d39b8746a9cff2cadc3

SHA1
afd840753aedcc77d0b7a716fcecedaad403d7d5

SHA256
52e35ffc2d39e767652123d95d8a08e3e255aaf9b9f9b02176f9b00ce94fe683

SHA512
6c77d7d9e0bd8b05627b8ef648d0115b5e0f006535502274e33b4ab9f0826a2cb83c343e8c96f62b9d4ba95fb04744a9e3ecf7a452e6672555e454a83c6a1167

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.0MB

MD5
bd7dce5be37c0f13424c6cc41e065d77

SHA1
2166ab077cfc816e54073b66f3c0d403cc25bc65

SHA256
53e7b85e4cf9d53f225ed852c95825ba96e34cf08422d352771db8c2a7a0bb15

SHA512
eda6ddb2cff7e11d4f0f5ddf05fd55f5c1a1fee6bcb5ab41643bb221511309d982ad7d35d0d40b618af1247b32aee0cfbeeb9b31c37ab1b22ccc90eb9604db95

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
182KB

MD5
501ae0f4f533bb3d17afd9324fd8a643

SHA1
b6925ed486961bda509ec5e4b3485fc184d5feda

SHA256
15cc473d45bc26e081f0958254bee56593a01ce5826992d43f4a7f12bcac4f58

SHA512
632c759c02b83171c49eb44f76af967b0dc05f50ea08572a84154ae3ba626e4e364711c903cda477938be18c2c4c6993eb23512cc057b53774f8e7d9f74253c0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
83KB

MD5
9551701633bd7e8765f0a0a019642938

SHA1
fe53d82e885dcf7ec956af627051e637e63fa396

SHA256
df60fddcf9301cff9bf51d15c510c37689c6d8d80c11cc8c8fff67065eb71a23

SHA512
8d8ce1827dc18fb7a0a9140583dc193a8dc0e9b819334df14b6debbf00b76d6f9696efd4ed59cbb575c434a35198ee9408a393a05d58021cd019fd97c8553eef

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
148KB

MD5
7646f5a97743d8a200e9a407b6ea55d6

SHA1
445c267fb373ed1864d40c3545be7da4c84a012d

SHA256
a5311b601d70d31bc344fdc70207ff82655cbd2cada5fd6935461eacfa5fa076

SHA512
b5e1cf2b0e6812fdb3251492f15928295720a2c6a3ad8fafab39cd2abf5d846aeece7dd33f4be4c060fb420d9c44a41ae580df7e048acf20b8659aeda1b53d23

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
79KB

MD5
b73945325edb71fc666d6e390e998f94

SHA1
78601b7005bf2fbb133f042b22b81c3c1f66cc64

SHA256
4ab7d22ecdfd3dd63977941350e0ebb71321274506498ead04f163e7a1434a94

SHA512
21c9451207f4451dbc1b36c46a075f5812fb2c70723cbd104740eaef92a30a291a3315754bc8f576376742c427abdd03d1f5bd51e272136e4e22882b54588742

Download Submit
C:\Windows\System32\alg.exe

Filesize
25KB

MD5
adba19cc9368cafba6a2d5e9da5a8644

SHA1
c69f75d92810ef12693cf8faa79a1c7d3d047e8f

SHA256
5cce2259aee219e0f1647bd524ccb1924c083243da6466e4bd950ae2e0827013

SHA512
7310be34af52034a0e4d658e5e90d1fda899b0b8c926a456ba80045d83ccdd024263383ab2e8e9f16afb3b9fb717d98fd17f6fa18bc39ce16ad867b18f2ab849

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
286KB

MD5
1614284c94b62c1c987fc209b7bf5ff1

SHA1
f1de856e3066df91ad2c91162620c0880d56bb12

SHA256
9471187f08f840bc21b6055c989ad8a4c107f6b15ad24f770da38d54a437ac9d

SHA512
9b30cdc81e1cea1216b6bf50759b4368363ae0a495b322de860938ccd1b3c9eca8aa1c8b727eab8e1028a639b165a09b2be4b6754bdbda67ce9f694a8b0e64d2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
129KB

MD5
40abf774b52c7d0974c7206f0889236a

SHA1
5499316c22f7db98617fa5fffe478945116d6e38

SHA256
ae0fbfabaa298eba940958e825bb4753acfab9fe7bda6b78c4b6d7752cd73f53

SHA512
260f4b53f28477bff1143293bf85f1385f86dc7f52dd3a46d5a91b2ccf4b59723ab85d70e7fe059d0f3cd5dc052032cf6b8e8e4918efea8c11d8176cc7944d72

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
30KB

MD5
a3abefd18d3210e33e6d2df7e0a34604

SHA1
d1efbe3aa45e1344c23c35a7458af5243ab6753e

SHA256
08bd1d8fa5cdef3cdb6408f5c8bf2700de7d309d1f893872a88fb3e0a1de0bd7

SHA512
757c1deca949777cbfa4ac054c063d71e25987fa690118ffb02cf501d2db1568751b593835e17acc81f927df4570d0ab19755ee58d9b08b27e4827df2a00ae6a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
15KB

MD5
0e6738309651d322620f6e37c35fc3d2

SHA1
fd195ce40845d6a85b57d7c83b03f778370046e0

SHA256
d7446629258682d87c34e4d1ee09c0e63aeb08c3852ca9c7be238bc72bd17bb9

SHA512
14d016443c5d6a649ba7ecf5b422428e035849c6797e484ec6c097685e3ef2ce03cd4a554a989ca9f8c4a26ef3d59264968bf315b6b30930f7f960d6661b20cd

Download Submit
C:\Windows\System32\vds.exe

Filesize
158KB

MD5
6054b8e488f4ed4f6cf188ea9de76dab

SHA1
29f47de5226d8f5af993b5500ff5b75d4c726156

SHA256
cf6101de72a70cd4484df76805f12d642187e2e953e68b00e8b9737eab5e7aa4

SHA512
6e80ec54d9f0437584b7e1dac8ce707b4b40e9a8ee1a3b73bdb39bded3f4e1e0ef00aa2bfa23ab3438aeba648feefa9c9c870b3dec59ae1852136874c982e812

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
79KB

MD5
c8a53d81d4f6652748ab023fbe3301d6

SHA1
f9864f9cc6978a3ef3fd524524d798914e9426be

SHA256
8dea1383ca9ef234378d6d2839192244c4b3fd7a36be657ca1a0be46b31574de

SHA512
646a020c720c0ad8719807d2989507d8f6664cbdf95662f6432605f8a3ccd14e19dc3d7811b327dd0cf7056b5661653c9120df5c03b970980de27a041a30c0f6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
27KB

MD5
9525a67bb236ffe37ca1d8fd86283f23

SHA1
78b9a58a49f3cd03a022ffdc91dbc28278cb0151

SHA256
634984e5cf213930d09ccb21f9c9dd24909520250bae08fd02eae1c53357a72b

SHA512
53c9505ad2ea81decf75f3cae64666537bd5adfa931760034cdec78a8d35f1af5acfd6d238aec752de8bb413011a6a184056d25bec1447ea006c7b2ddf95cd6e

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
44KB

MD5
1a17e341167876e42ac1bda090b86030

SHA1
9cb342e41dbc0335030a7190e2ef83eb1308a5d1

SHA256
391eab1696cc19162bc24011686b0a1ed97087471ec23883be3fbcf8f65c2438

SHA512
102257506e690f9bf457dafa7a6c41951a181164d935de11f6f474ea13060721a25f27ad4091d7f37dea8c8dd5f65481de5cef010a473ae5dcb7ec01e1b52e4c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
76KB

MD5
d3fc6409a270097ccce7281773ebf931

SHA1
c62a008ded9650b6b362ae0c36d2b8a8ad7ed168

SHA256
9bed86025b00273d2930c75d3b6819b32c9765b449bdba890844582b7323516c

SHA512
ede7a0570b2e5d5f2d7773d10dc004f1015c613a8abe2bd6170dd50748662308015879db43b3bef6ba91d1e913ca9968f10a131f0d289687763e318f40c2f3f1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
35KB

MD5
0f6742e342164eab213e90484a25f21c

SHA1
fea9fbdfe0fd53d6254fd81abc7542b3ba2df482

SHA256
83cb0c61cbb57910ec7c694f4bc2ff458ced0bf8ddcee65670c684c65eb1f3b1

SHA512
59052b512230ffe44ec65c3c846ec76167bff0293685843868106c96720de3baa89b35ec9c16d1fd48d63415bee2dd8fdd50f77efbd26ac63eda966bdcadf536

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
57KB

MD5
01408a9df0349d025bda97dee31759b1

SHA1
87152231d2e238234c58f9243d199553c2c0a377

SHA256
53e0b0c785a5e789c975205d9844d4a6afb68322a16b2b3ca7ca6831ce763ac5

SHA512
c8827142c0c86eca49fe23b70edde6e2a0e4c0788bfd5d87673fc02259a24a0ece1fccaec05f6fa4d2c3901a5e3f030c778caf615fb50699fd4eb2fa5bcc8aa5

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
130KB

MD5
2154d7e7efcc0e196518d6c9343961d8

SHA1
9400b95250c3130222d5e452e7676584cd881a8b

SHA256
29d0048d8b54e72e1148e678f87b505cf7db7ba673cf968802bab2707337e360

SHA512
8229e944924ef4b285b6008cd646fdc1b74d9a765c29d2b8c17c6f9e4fa393aefd393e26090cf40a139ad7d12571c41e6281fc8410f0b35472c0f761881224a2

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
267KB

MD5
de1d47adf5bd15b54d567e0f6230dc08

SHA1
d06175f5a4869b7078fdba5cb71118884b397ae0

SHA256
d3a9c9a910e0fa8e02b3061faea87d7f7358461745d760c85423739e73be4061

SHA512
456a566205831cb46b50780e264ae9ce1fcae143c1ae567c4ad12855aab8d96e62bb1dacfaa8a7845556c79ae203eb7245405fdf2da470286504e497ba2fc9f2

Download Submit
\Windows\System32\Locator.exe

Filesize
123KB

MD5
5b1b25380af2418f4bafaccb0e95c008

SHA1
bd57324381672b81d23477a6f07e88d34a6a2280

SHA256
b9cc5abe969d8f3e922a12026f806a5992fed831ce9acea43d031c4777c0ee5b

SHA512
c0a1665c01e3d2db3225eda1e39a9db7782a1356a731faa54d9afad642e70a25178014e8e0b3f9c8246268a19e47a2ba57bb0ae8582999c5b680b08922eaacf0

Download Submit
\Windows\System32\alg.exe

Filesize
35KB

MD5
f51cc56c4b3ea148e489a0baf2f0dee5

SHA1
db18ca04542c856868d983edc18142ca44076fad

SHA256
81c5490159f4f224e5423ce311e7866c00eefbdc315db14dbb43041188ea55db

SHA512
02ef027593122bd63b5e0b8c139461dfbc9d4b7dab839d489beddf24757f1a5433b7ed01d5f8b79a163442d85aa080c0a9a74960304556882368a4b459a03fb0

Download Submit
\Windows\System32\dllhost.exe

Filesize
50KB

MD5
cd2860ed805cfd272c850386082d92e3

SHA1
a98daa9b0868392d12d48e2a95a363a859baaca1

SHA256
4347db3a1458adfe6434dc62006f6d377afe91c98d004a5ccf7175a59af39ab6

SHA512
58ba625714ea81ef386da1dc5f9647b4089f49a9c4f83d3f108aeec2bedc1a4fe8c2865062c96c8e1f357511baca4d27f09b4a3876710c11a402e2041b7d66e3

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
14KB

MD5
84839b493b99f7d096e1c3cead093556

SHA1
cdfbed773355d1753553d58ebb8eca78fa8695bc

SHA256
530d1581dbdb69efb3f7c9f198e62eeb93034fe0109cfdea581c15f3952490f3

SHA512
07eefad136c73f0b7132ce947688112573582cad8445cb2cd37959f4209343a66ec541fefd1bd3d18071c96f6ef365987384e2d6489a6a938b0c4dd178771fa8

Download Submit
\Windows\System32\msdtc.exe

Filesize
166KB

MD5
38265bc57ffe5a83a1113aa195440d87

SHA1
3b2a2839ea9cad6dd2038adaa3fbec1bf31496a3

SHA256
76b074692fb5365d103ec12649fe73a2c6b80065794cf5bf08e1df50fb7b3626

SHA512
c8e7d76112148f12fd7c68f9f025b227354d06cf338b8ffa72dd72972cfdc12d9fcc5b1fd5190e8adff4c3e6ca6ce41f97254239f27df2bbf5f408e756f41503

Download Submit
\Windows\System32\msiexec.exe

Filesize
1KB

MD5
1ecd34f0fe358333d1cc273c8563676d

SHA1
7ac1dba82378f0df99162fff6d0a49540a9e1548

SHA256
957228d14104a0baca4ebc3dd57a5ac4ef27b03a9d895901cc0a506d923bcd5a

SHA512
ef3f2e6dc963f5559022da1687cff0cc6afb57e634d8333b2a0aecf2506ed322918c01f8d75d010acfd12242a5a43f624bca60d76e63a182dd4eb1353ffaf789

Download Submit
\Windows\System32\msiexec.exe

Filesize
8KB

MD5
baae4bab1a24bcbb1ccfb65de23290b7

SHA1
84eb97da9a68844ae298cb8c511ab9da9d39ac08

SHA256
c671dfec83cad1c940fe4b65f4c50ae9ab85947e12b917e8cf2e7d3beae4ee7d

SHA512
ecd4db2b92f59abbbb98f9347a28d05e3fedec1e74480aac5d6189cf199d869377e9679b2631efb32658aa209de896c0b27d783428f00f3aa05148a711b36f4e

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
58KB

MD5
93ecd5683208ca3e5dbb4b3aaed44d54

SHA1
6ebbaf876855304f222dcdbfe0f9ed60bc7d72d2

SHA256
bb1821c206f639734f224baaf5bc2529d55ed4f5eafd27191a71202cac99fcc6

SHA512
4aa9aee3b4a640d9d90814ec793c86198df00874fbd42c9aba1998defbd7028d12d1229dc5267de12f7904f05cf82614b5415e213ca6a793774608180d265315

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
85KB

MD5
86e1f5c1348c26b09872624373c1ba38

SHA1
b68c29217cfb262ae7c8548e6c8e4fb9c40badff

SHA256
6cc862cc0b115e31d37030ebd325428fe805f03d925bd9ad88c9718946e2487a

SHA512
6c66efe34b41d743a412c4c0d86041ddbe6d12ca89e7e8604075c275c20e114cd2ddc545ad4b4a3939fc7e5e52b7365413b8bf727b105d5822f568bf905032c9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
80KB

MD5
e556dc6e71dadff1a98cf7fb5bd47077

SHA1
16d153314102a6617592284408f051ec1c0b894c

SHA256
b06eb33788e360e9f65048f554c421ceecfcb6f23dc58da5a443609bfbe58a48

SHA512
ec97d92efb802039c945deb30dcac604f01e1dfa61f782d893395a36aa4f9fa727f5708e98545708312e45fa9c068c2760435cd3eccaf031a216238030561b21

Download Submit
memory/596-292-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/596-296-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/596-171-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/596-174-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/596-184-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/596-189-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/596-186-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/596-179-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/640-268-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/640-137-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/640-142-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/640-136-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1244-393-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1244-400-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1612-114-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1612-148-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1612-115-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1612-122-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1648-154-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1648-277-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1648-160-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1656-302-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1656-304-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/1656-290-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1656-291-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1656-293-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/1656-303-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1680-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1680-263-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1680-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1680-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1680-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1780-185-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1780-188-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/2036-389-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-375-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-365-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2036-369-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2036-390-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2176-343-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2176-344-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-319-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2176-324-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2176-326-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-289-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-267-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2184-301-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-300-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2184-299-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2184-275-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2452-339-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2452-358-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2452-359-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-345-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-333-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2680-315-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-329-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2680-313-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2680-330-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-307-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2684-172-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2684-71-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2684-53-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2684-92-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2684-93-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2716-161-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2716-14-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2836-378-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2836-384-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2836-388-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-363-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-348-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2844-354-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2844-374-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2844-373-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-99-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/3064-98-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/3064-134-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/3064-104-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download