fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
Size

1.8MB
MD5

55dd7caa96c700a762ad3741e6202656
SHA1

5b4b07e2f08dc0549ac1974b52e349f0ab162995
SHA256

fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8
SHA512

454d982e1d9e430b8ebe2d64be0f2bd3c89804ea5a787096d54f713d8575a53e245f1fac18b3e3deb80695b278a0191debb50cde8b630b5f1ce6fe7153c731f1
SSDEEP

49152:Ex5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAyaB0zj0yjoB2:EvbjVkjjCAzJcB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 53 IoCs

pid	Process
472	Process not Found
2792	alg.exe
2992	aspnet_state.exe
308	mscorsvw.exe
2020	mscorsvw.exe
756	mscorsvw.exe
2476	mscorsvw.exe
2360	dllhost.exe
2644	ehRecvr.exe
684	ehsched.exe
2932	elevation_service.exe
2664	IEEtwCollector.exe
2676	GROOVE.EXE
592	maintenanceservice.exe
2816	msdtc.exe
308	mscorsvw.exe
292	msiexec.exe
2484	OSE.EXE
2940	OSPPSVC.EXE
2104	perfhost.exe
1328	locator.exe
1528	snmptrap.exe
2912	vds.exe
2108	vssvc.exe
588	wbengine.exe
2648	WmiApSrv.exe
2168	wmpnetwk.exe
2988	SearchIndexer.exe
1808	mscorsvw.exe
2768	mscorsvw.exe
3032	mscorsvw.exe
2800	mscorsvw.exe
912	mscorsvw.exe
1132	mscorsvw.exe
2400	mscorsvw.exe
812	mscorsvw.exe
2552	mscorsvw.exe
2740	mscorsvw.exe
808	mscorsvw.exe
1604	mscorsvw.exe
2884	mscorsvw.exe
2632	mscorsvw.exe
1688	mscorsvw.exe
2424	mscorsvw.exe
440	mscorsvw.exe
1012	mscorsvw.exe
2408	mscorsvw.exe
2628	mscorsvw.exe
1672	mscorsvw.exe
2384	mscorsvw.exe
2216	mscorsvw.exe
2596	mscorsvw.exe
2472	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
292	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ed44f9e6223c682a.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_fil.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_uk.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_hu.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_sr.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_zh-TW.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_ta.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\GoogleUpdateOnDemand.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_el.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\psuser.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\GoogleUpdateSetup.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_ro.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F2D1DCEA-3974-4AE2-AC88-A893D86175E3}\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_zh-CN.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_id.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_th.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E7068FA0-F933-4F82-9B50-E25B4AD1EB58}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E7068FA0-F933-4F82-9B50-E25B4AD1EB58}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{10146251-8D75-44F0-B92E-6DED3A5EBA3D}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a09465ebed55da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a034eec2ed55da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e00461f4ed55da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2748	ehRec.exe
2992	aspnet_state.exe
2992	aspnet_state.exe
2992	aspnet_state.exe
2992	aspnet_state.exe
2992	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1756	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2992	aspnet_state.exe
Token: 33	2804	EhTray.exe
Token: SeIncBasePriorityPrivilege	2804	EhTray.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeDebugPrivilege	2748	ehRec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeSecurityPrivilege	292	msiexec.exe
Token: SeBackupPrivilege	2108	vssvc.exe
Token: SeRestorePrivilege	2108	vssvc.exe
Token: SeAuditPrivilege	2108	vssvc.exe
Token: SeBackupPrivilege	588	wbengine.exe
Token: SeRestorePrivilege	588	wbengine.exe
Token: SeSecurityPrivilege	588	wbengine.exe
Token: 33	2804	EhTray.exe
Token: SeIncBasePriorityPrivilege	2804	EhTray.exe
Token: 33	2168	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2168	wmpnetwk.exe
Token: SeManageVolumePrivilege	2988	SearchIndexer.exe
Token: 33	2988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2988	SearchIndexer.exe
Token: SeDebugPrivilege	2992	aspnet_state.exe
Token: SeDebugPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2804	EhTray.exe
2804	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2804	EhTray.exe
2804	EhTray.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 308	756	mscorsvw.exe	44
PID 756 wrote to memory of 308	756	mscorsvw.exe	44
PID 756 wrote to memory of 308	756	mscorsvw.exe	44
PID 756 wrote to memory of 308	756	mscorsvw.exe	44
PID 2988 wrote to memory of 2348	2988	SearchIndexer.exe	58
PID 2988 wrote to memory of 2348	2988	SearchIndexer.exe	58
PID 2988 wrote to memory of 2348	2988	SearchIndexer.exe	58
PID 2988 wrote to memory of 932	2988	SearchIndexer.exe	59
PID 2988 wrote to memory of 932	2988	SearchIndexer.exe	59
PID 2988 wrote to memory of 932	2988	SearchIndexer.exe	59
PID 2988 wrote to memory of 1592	2988	SearchIndexer.exe	60
PID 2988 wrote to memory of 1592	2988	SearchIndexer.exe	60
PID 2988 wrote to memory of 1592	2988	SearchIndexer.exe	60
PID 756 wrote to memory of 1808	756	mscorsvw.exe	62
PID 756 wrote to memory of 1808	756	mscorsvw.exe	62
PID 756 wrote to memory of 1808	756	mscorsvw.exe	62
PID 756 wrote to memory of 1808	756	mscorsvw.exe	62
PID 756 wrote to memory of 2768	756	mscorsvw.exe	63
PID 756 wrote to memory of 2768	756	mscorsvw.exe	63
PID 756 wrote to memory of 2768	756	mscorsvw.exe	63
PID 756 wrote to memory of 2768	756	mscorsvw.exe	63
PID 756 wrote to memory of 3032	756	mscorsvw.exe	64
PID 756 wrote to memory of 3032	756	mscorsvw.exe	64
PID 756 wrote to memory of 3032	756	mscorsvw.exe	64
PID 756 wrote to memory of 3032	756	mscorsvw.exe	64
PID 756 wrote to memory of 2800	756	mscorsvw.exe	65
PID 756 wrote to memory of 2800	756	mscorsvw.exe	65
PID 756 wrote to memory of 2800	756	mscorsvw.exe	65
PID 756 wrote to memory of 2800	756	mscorsvw.exe	65
PID 756 wrote to memory of 912	756	mscorsvw.exe	66
PID 756 wrote to memory of 912	756	mscorsvw.exe	66
PID 756 wrote to memory of 912	756	mscorsvw.exe	66
PID 756 wrote to memory of 912	756	mscorsvw.exe	66
PID 756 wrote to memory of 1132	756	mscorsvw.exe	67
PID 756 wrote to memory of 1132	756	mscorsvw.exe	67
PID 756 wrote to memory of 1132	756	mscorsvw.exe	67
PID 756 wrote to memory of 1132	756	mscorsvw.exe	67
PID 756 wrote to memory of 2400	756	mscorsvw.exe	68
PID 756 wrote to memory of 2400	756	mscorsvw.exe	68
PID 756 wrote to memory of 2400	756	mscorsvw.exe	68
PID 756 wrote to memory of 2400	756	mscorsvw.exe	68
PID 756 wrote to memory of 812	756	mscorsvw.exe	69
PID 756 wrote to memory of 812	756	mscorsvw.exe	69
PID 756 wrote to memory of 812	756	mscorsvw.exe	69
PID 756 wrote to memory of 812	756	mscorsvw.exe	69
PID 756 wrote to memory of 2552	756	mscorsvw.exe	70
PID 756 wrote to memory of 2552	756	mscorsvw.exe	70
PID 756 wrote to memory of 2552	756	mscorsvw.exe	70
PID 756 wrote to memory of 2552	756	mscorsvw.exe	70
PID 756 wrote to memory of 2740	756	mscorsvw.exe	71
PID 756 wrote to memory of 2740	756	mscorsvw.exe	71
PID 756 wrote to memory of 2740	756	mscorsvw.exe	71
PID 756 wrote to memory of 2740	756	mscorsvw.exe	71
PID 756 wrote to memory of 808	756	mscorsvw.exe	72
PID 756 wrote to memory of 808	756	mscorsvw.exe	72
PID 756 wrote to memory of 808	756	mscorsvw.exe	72
PID 756 wrote to memory of 808	756	mscorsvw.exe	72
PID 756 wrote to memory of 1604	756	mscorsvw.exe	73
PID 756 wrote to memory of 1604	756	mscorsvw.exe	73
PID 756 wrote to memory of 1604	756	mscorsvw.exe	73
PID 756 wrote to memory of 1604	756	mscorsvw.exe	73
PID 756 wrote to memory of 2884	756	mscorsvw.exe	74
PID 756 wrote to memory of 2884	756	mscorsvw.exe	74
PID 756 wrote to memory of 2884	756	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
"C:\Users\Admin\AppData\Local\Temp\fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:308

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 23c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 1e0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 1e0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 23c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1b4 -NGENProcess 188 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 290 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2cc -NGENProcess 2d0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d4 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f4 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 30c -NGENProcess 2ec -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2e0 -NGENProcess 314 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 258 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2cc -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2360

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2644

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2664

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1603059206-2004189698-4139800220-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1603059206-2004189698-4139800220-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2348
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:932
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
815KB

MD5
c2ec7fd2ba6247553bf0818a7406e26c

SHA1
9dae4c39b849bf63388363be86332a4837a28a59

SHA256
b4fdff4364b8f8174875e4c4bbf55f9b71c57d61ae6904ee3c947e606471c72a

SHA512
8f0519eacb33a0e7f639e6c45b953844bc4ac5c2866e482f6129585b4fd486c560d3ae119924749082a486f0a86df2c0dfe32baf2942245bc6159641cc68aa81

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
4.6MB

MD5
8e9eb9feee5a4b5a8d84dd1b4b132df1

SHA1
eb5cf87402eaa3620ce0138ca23f9565aeab4745

SHA256
05bc59c33c783c439ce7b4666f0bd18b6ca6adaf2ad8520048824b24c1f1183d

SHA512
3b8d62219fb4f98ef00b61f5cc6b03da8ecc174d28ebac4b4567e8c9dd2fd77a6c5231370abd6b3289243ee5ba5c30cc43d3c23b41d43059e0b2b45abea427d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7b2908d13059513e03ab16610a7d22b6

SHA1
1ef1e9a9d14b8d90bc0f1775042d227ad47a9499

SHA256
228754f86a00de091fd4c44b507301c3d4cd5054fa3c1d32cdec6c50eccb8b26

SHA512
a8e5209a9dff6151dadf216a8588b9b8461f0fc2e6f7ca42911388a6754a2eebc3303e54cc7a2c3b18cdecc28b170733ce238f8bb5a5f772496cc195889c2e2f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
795KB

MD5
006aafddbd0d3148ad4032e92a7d8a11

SHA1
35bafe5120ae9c6bc54b96c6d0c14265e7154865

SHA256
682aef62a6796a72c635f11d99ade06a159459234e7ee0a5d89f154354b3bd08

SHA512
03d3406515f4e6c458020fa858bfe2b3755f6a44ef32f06f47400d965bc31eceaa562a79ce29843c891fdebc6c82641f14716e439ce4da49fd07607e48ce93a4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.8MB

MD5
e92332fec24be4816ef945cd68d6e3ca

SHA1
09383f6e379ef497293f1044840592879eebfaf3

SHA256
1e20f6744d67dd327b8e445bf9a263b6bd34a3c0f3e6bf0726640025a8862fbb

SHA512
27201f166ca5b2ea25ff05755e1e060ac18d0162e0c57f695c68cdc2b8b26b45b1132affddc12411e839dcb08bfa6d57c376fa6c80f129fe571776f79831df16

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
294KB

MD5
6dbd3d96dc448fcd4180a2279e778521

SHA1
d34ee0033732958d339c2a35a51a0b121ad3a40d

SHA256
f2597e1e9337a9f7c5dc2789000ec192c5102472ce85924e57face0e971167e6

SHA512
36a537e25bec671ecf837a7c8bedffc266cdd871dc0e4e30a32aaeab2a69ba1076fc78236918e1fa8c11a24a6c49beacbcb1dd0c7b18ff920c069c2b55930cf9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk

Filesize
8KB

MD5
c1f5cb4ea815eaf1863c48339277f22c

SHA1
f61588a1a77e2c91fd89fbcd5a0a8e989345afb1

SHA256
860a105da0925606d57a79b161a34cc6c5334261acb4446e00c815b448a78c30

SHA512
704eb52140b633b2ccdc7d50002385f286c1080cbea2fc458e88cadd05a604bae55e8591ed584f032395338746f9ab77aa62ef94bb32e811b2fb7363f58009ea

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6dd344290eaca3175552a8713f8ea4e7

SHA1
5027123405915bd3e1ec90b6846d0d333406045a

SHA256
92c24e5a452b3364186bce10e0b6e961ec6537aeec15279ed4ceddcb3d93b520

SHA512
3b7405576f2750e6c048fed28940d107ff560edce8c0a258d8eeb0dd3d04b7174a48cb82b91c383f2a9b92826ad807b4e6c45ccf508c33a96434712ddb4f82c0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
832KB

MD5
fd35034e9b7b1ae76cc38adf7a24662e

SHA1
e634e393db77e436f1008cd146fbd51bebe48fab

SHA256
9da3b57d7cf3246aee5ccdd57e49d1f14fc4beded7e8223089dd84b410fb16b3

SHA512
18079e8a9e3d7f7aea5428741627cb66fd225b84f17674d4d731ca6a0ae7fa992f52495b97bfdafab9f87a7a91abf85a163cd3cce843981ca57debf49bc1ac2a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c5c270329cc4e013c48a6ba0fbba0598

SHA1
25dbb9ff529c7472aad13a0f4f6d63682680615a

SHA256
a8c500610240e33ed19082c2983702ffe24f058c07c2f74e6f20eaf4404c5fb3

SHA512
f67409514bce815d1877db5086cffd65350f8658bed08244dc185e0555f9a60758b0ad9d8a5f36c45967decae0be82862a02bc0bd166e8da06195bd351fc57eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
eb2e94bcc93bd84514e7160d0391abf9

SHA1
f91e625071a85163ab3365f723cb4ee6a87c6b41

SHA256
d8aa22131985f1c45d4e3b7868676d31638b53a3f759193b02807b4e68cf01e4

SHA512
3977f1f9c17bb3c1e8068dce536390023c1e4f57840a2b370267af8110864623850c644aa4afd36949195271c94739a8ef439b5d7bf702363cf5d75a9cba24dd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
27961748d951b294eb0fb2b84d899f72

SHA1
52a1f699e7d52654804a02e6ae1ff5eda98bb399

SHA256
a0d2e0d0a2eaaa24ae5291c6727dddc1bbe3fd6249ce5ca6f5cd73d7732e6cd2

SHA512
0290dfee954f96dba139d7dffa8dd6088671ad100b43228e609d0760c5ab2617899c95be17ba55ee573c66ce41749169b8d42dffd3c768130e8d8d198fd7961e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7facb45148cc3c24e4da6aeb33537dfa

SHA1
9cddbdebd328759213c81d089bd2c9629181e734

SHA256
4dee0a1ff85c0cc5ee60b974e28013c15336655ab0c76c026ede8225142bcb41

SHA512
96552e42753d367e05c3382a37a9237fed3d0c0aa6a0e1719f957454a2c00d9753b493ede6078212ce10651d21fa20642f408632b3c05f072ea7616ec8e66135

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b9a4108b2dc48d6221af95971d6a42d8

SHA1
8ba7ec4e663f49e6e40df6fc73cd3a57c884077f

SHA256
02d6fb1e8da3d3008c012193e1e03e2ea232a607d0b97915d0edba7dab3df1ab

SHA512
88ffa63957cd977aebcdb1d0c7919320eb8bdabc5f60b0220d5612dc86a71420eab75ce206b4642b814d330c77e7d1e889fe5419e9cb00ef17bb9d19ddc81f06

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1024KB

MD5
aa62918f96e08a89f283b89ff0f1dc8d

SHA1
db0e20c71ef1fd90977d9b09f383429af5916d86

SHA256
12b0b5d5cfc5b0bb11766e16a72c6806fa6310629c1d1671a96109481aed6050

SHA512
e8561910787ba51ec875b557b1ec9e6e499c0bd50928a4b6a51a38e585061d9e6bd984bb28cbb92601eec707fcb023863ecb2a39a68cfadadb661e4759d40226

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
512KB

MD5
ca357fa6ee2ccf82482b1c7505f7bb19

SHA1
ac66c9cf1220b858e7c41e82181521e609a79cd1

SHA256
0cf0b8d5989856a5680431647fe6e297d290d74f52bed2724eb6f67e8de03424

SHA512
dc770779a91543c1cb721b08a7c795881a90c82a6d4a9105eb838b1827d15f189acc455fefb6c68c8dd29d3c42ecca696e511b5e68c32514149651e65c879ac2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
186KB

MD5
5e6f3105bc703002c3f94966a9cec7bf

SHA1
414cf2e5810fc544a375ffdc9f9f4f783f8780aa

SHA256
782bcff0c06927398019b4247ed5f93965bf0d2b28d64aefe5505da1e054f83f

SHA512
1a9df4abcd2da5cf5e8e728c4bc9971b2e6d36bd4c27b819feaa5386215a2bbc64b14de701d566a2e9afd4b70896a13c0fbe9ce4d1bfa78bed11a469ef7d95c8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
423KB

MD5
77c9f30c469cb4507a8ffd49aae1d487

SHA1
547452d6caced9d6478ed496383c63316fab10c3

SHA256
80cc55c0c47572338fa948e413cd63d6e15a0bd6a4067221698317901addb48f

SHA512
c251f6646f1418e07e1ef297ed169fdcc93666e632d5454ddab9498b02ea872a8907e1d6d0a1682fc59e1962ff8ab875f9b4fcdea8d80574bae93dfea3965db1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
992KB

MD5
bc1ac7c58942d331ba5b2a63b10945ec

SHA1
a03ee2acff7b6e5d0b96f925a2aa42e55facb4ad

SHA256
0ade882fabfef05afbdb96ed4618cce0f4a58efb9a0de6f71da143702322aa83

SHA512
f449662778da1bba79705acc61ed65b0d49668209c0ca5f4de65a441b8e3c979a1d3a7c7133d4747c9523adfff530ba8ada515d3477c1a61caa2cb568179a0b9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
215KB

MD5
f0eb6b034f437717c5746b3585781b7b

SHA1
7e2cdae27481ed64916f63a3d7dd3024bef681c4

SHA256
9ea79e00acd6958c7c7b296ff5d3d5877e5cc4125ada41b0b80853185085aa70

SHA512
99e99b95f99a820e5c27ecfe72079e53fb9d86e66bd14481ae2185f23c2db5910ffa8df983e177ab3b72ff4cdd7de20e6cd8728c94fb27c836a5594e3b671464

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
326KB

MD5
1ce071cbccd60b3a6abdd5bd013762c5

SHA1
d6a36c8e5e13fa2b55c2c0d9320aeb1ffc66b56d

SHA256
0494847de0629bcf6295bd167edef4290010d74f66bf32f4199a674fcda37b40

SHA512
154368cc87148dc47c6f6007d53e885c031c40c3a0cd0fad327c085fdeec936b89da6e6769411c84f159de1bb9905b15fa63654c451db8f4561f06a15d68ae88

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
704KB

MD5
ba5b80e9820696d855ca4a113941bee6

SHA1
dd36025a8cd3128244e2a6cce6f2f9da7343d2f1

SHA256
83a3a552d652c390b899d8503716c11eb62caccdd0c89f34e4efbc9e8ed799dc

SHA512
535cac6449b00d142f7f05182fe098e18ba8b3a3d17b8293993edd9ede94f4fe0c6f834c126b42bfccb19365df0612d3b545d161161829cb4de7ad780f41d412

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
502KB

MD5
b824594d837e7f2b898f96c2f43f7ad2

SHA1
c32aa81e6e079e498b84c68943f34534f7dc40d7

SHA256
dc103a1cd6aa2db386b40b900b62450d8112e7e39f2525e24eb11eb6be6a8d26

SHA512
df111cc90c0ef19f245c4f8390bc07ddc19d66b651baa411e9a4a2681ab62b8f4de4e4c1953aac1fc48ad86220ccb08086787f1332c136db6b79e07ee905fe50

Download Submit
C:\Windows\System32\vds.exe

Filesize
403KB

MD5
e268b323e318cfefc569d93a71f9ead1

SHA1
008ff098945f01c412f30e86f2142ba7578bb0a9

SHA256
addb07eb2cfeb9ffdde493e3e2c55885e0ba93863f02d922c178496508308789

SHA512
fe8f99c1457afc583d5184d76cbea1f0189ce1d861190a25152e93e14b36c92ecf433db7c7d3943ff9ce4ee1de74ab539cba9148d7412ff0761d1b02141c892f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
652KB

MD5
f3765a023756d7fe4cef2a8e45ba0cc0

SHA1
93e802fb99232184171927c6893a743656c93c3b

SHA256
edf7923f256d8510ee680a9ecef5a2f163c2097488b257f91be65f7a29247729

SHA512
6bf32b964f14ef78eee7d1163f9fbb4550049fb3b1e0a601988bfbd961a19a4978fd249b593f2fc8de5bc1cb8c236b5a7a306f838fee2e4cd83be03d3df64526

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
608KB

MD5
28b75086e3c5d4dff2b15cd96bbe1c4b

SHA1
8fb58dbb227d2f65edff213814cc2d99eb330ebc

SHA256
18d6693c82d829a90cd83ba36447de4e5ab276047fb021f81312618409963d9c

SHA512
7e92004b50ce48a0c92821682494800c78b767fa11ea26649d6819898ad71031c6177ad4640679f81aa507249a9a81648d6cc24f25848a8a7c5e42d24bf49e1b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
cce8d8609b6bad6f104d9ffc79aee7ad

SHA1
7224cad7fb2aeabb1177884a38a7d72a55299332

SHA256
3f05d3eef25da66d4873651298ab2862ee5f43e28563140db35e20898c750d40

SHA512
651b39cf6f942d4189dad61f1c4ede6663985316e6301542058d57964d0936921f60c2c8c46ab8b9a5a2571284cc353be86485c138cea28ccf5cc5e603f15262

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
340KB

MD5
271ee41db24bf6be461fa60f18c4dd88

SHA1
54a7b95dcb9b46e33541901b9b0666f1a92b0b06

SHA256
80bd28732d6ab9ac3bac694ff455ae2e6aa5197a998969f84fc15c0282f1e389

SHA512
6e4e09986fbca84e739b495e348090e29222d682d44c8da845c712fd7c1530792fe3699cae81c008beed5e1836c59a29d3379fbc48cb51d6a8b7757e02ace40a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
267KB

MD5
231e889ef39f6f616194373ce5fc07d3

SHA1
5fa02d414d90ab475bf448f66407c388ee4b7aaa

SHA256
f7028e5df0d882c89758735a25bc2f8f9c82fdb3de9f68698002059c49ed1d68

SHA512
17424482c6bd16989819dc7753fe7f053fcccadb5ed0acc6ec6ed34e5d9d15132a20aa96313deb00c9994be278b97ec5f1dd77e45c627abc28ebf251c37bccb2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
5cd898fb81d80157c4a748bc95d1cd5d

SHA1
0d5b530abfdba313174caffe000f64322312a36e

SHA256
45441019b15d2422708ec7d98248c2e62d054fcde668da6268a67eb4c3352cf2

SHA512
1b9f717639b4a751ae0cd236795a65c62c7934a083dd30a3c2a7aa29e8c68efc64feaff1d851660e3ee1caba07a3586f09c4a4b3fc9d43b00a39b6010994dd5c

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
62f3a0346d756577e6d15c0c5589e5ec

SHA1
f98505d78b5533be8475c95c3d359c089c931398

SHA256
a083816601ee4a7eb1938ab94f6e5d7ff8f79374a8c59836b61de45a9a5b307e

SHA512
c600167b57d760555eb22efe289b0763281492be7f7b677a8ff25a0971d34bab915be945dfa851395f7e39c07b40e5adbc807f8f79e98275880b600c683eab14

Download Submit
\Windows\System32\Locator.exe

Filesize
946KB

MD5
42d4e75de97d99d3732bed2cd536a4b1

SHA1
3ac03afb086faf5bb9f15bf4f355cc1120061b56

SHA256
fab4c551abf322ad68ddd282fa72109598678d791b7dd373fa7c827c1e431264

SHA512
b12efa7ee304eaf4653a86c62f259f70237ae4a1ddf0444beb39b8d5aa20eea27f07464b01a761a6649709d767d2782fecd6f789c9106c30f83146b18ba7af4d

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
da2a01912330cca516d8efb9abdebee6

SHA1
9144cd1e99f53dc0d8f3740d4f6e9040bfa92984

SHA256
af6b53034b9a3eb85e35eb1d0473675a61b55a97aedebc925db88ae0f983ae5d

SHA512
509e5e22b6c1885b5876786a29336be3f3761fa66dc2745ae028fb23a9c5138b5eb51c6b39a8dbfaa63b6689505cf380c47e474010875571e7b82027872371ee

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
a6ccc195ce1e90ca5463c6b6765e1a26

SHA1
51196a5255f4a6330f23d150a868bf2f0a491bbf

SHA256
673c6f2882f7dc7e096398e6282fe47143194b7ff41f155f6b62d797732d9a70

SHA512
97ef42f937a3f3d075e35948fb0dc886bc22fce2f4e52af3b07efa9bc5aaa7b973e39d00bd3fdb2c81ccb3042d2a56c0618ffddf1a8456b5934ed0c61a92e93f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
4632019270d242732a787bd62059820b

SHA1
2af3f988510001710fe45f4a8a79530a5b9c7b24

SHA256
2b3d6de06a2cf2c7aae8cccf549b8e01529914203b9aa805e20042c8901943a0

SHA512
1248cd0400b505e3ea72bfd73ddacfd0841279a596724e812a929661e10a22e4bbe17436190eec8d3167a66d7396ec19d33b5a814cc2d277ed710fd0a028e986

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
ab639e2e5599620b01e0ea2cd08c5398

SHA1
07d17e3b6e62594b53bc76f938473d8546749dfc

SHA256
bafeea54c48fe4db293658aa27d768f9c7ca217c56631a2f5f27a656bcc10961

SHA512
fcfcd9367020ecc42d8a619e0fcc0382f5b730f77d074e9cf28ddb965199695abf23d93ee46b68c0948fc58a8e46ca10c446b11bba7b7aed63b5e528e823a021

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
2f1fd85625244e970af1bfc6fa1d7895

SHA1
14021824cda4d1a2138034fe5d09edf04cb03f12

SHA256
50e95fea1e8be29acf2584c01e7466f23adc5453014bf8240c7c529a5c79e7f8

SHA512
ef8c86f238d6f8dd062875f2e7abe3e09289e1c99c9e7b8c8b781a49f759d8cafa803c37787e1567a3d9eecee8a083bd1f4750658c4e91f16c59facebbf857ba

Download Submit
\Windows\System32\snmptrap.exe

Filesize
515KB

MD5
037a6ce6cde5903c65b15fe48918cd28

SHA1
fb5f1f5b466f4cfa000e804f8b729c1f6e77d9ca

SHA256
4415c93cf263340a73995caa364c030804411fc99ef44e94278b2e54bd049f81

SHA512
e80a66cea74c0fbc27746b337109fd5940ea08736914dc77779701bdf19646e771568242cd99094d60aa5af381fc693c6643bcbefbb60f94eb32d165a64c25eb

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
773KB

MD5
e0553a75533fac07cfbb3f8ce8d285e7

SHA1
90016953afe51d3099950fb31be56299408d4ae8

SHA256
1e6db9eed849ce7a766f6df708cbd9df75c1b3596b4f531a995856b639df99d2

SHA512
d12ff4ab23606d4b568f31330b7c700ef1c737ab1402bdd81dd5a9a6e3e18015dd90cb06eef07e37256a8d03946135203d31493ca1ea10c2002380e59a7aa8e8

Download Submit
\Windows\System32\wbengine.exe

Filesize
879KB

MD5
1e50656b092a5b7c4b0bdcc80ad2447b

SHA1
0c429ecffa16f68110b0c6a58e7c87723efb9c2a

SHA256
dbf1b635e712b3c291110b47d78c8c1af820bdbafe9bb8055d0772c7d5aca81e

SHA512
5e28882fc55865d909a7651682a4f5a3a474310265e8ca13c1ce62bce1842387128269a3cf19ac50860d10b4465bcad60a4ddd86b0fcaa02f945759faa7653b6

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1d8e0e0a431a84bce74181be18579011

SHA1
fa490da24234bb4843c848b72f1faa4f68980ebf

SHA256
22be637794bdc690b67be7a06f7158e9ab39f54dd728f6dcd9d7bf01a3ef239b

SHA512
d4f7a060243de6d4edc9adb81dc371973bcf7d16fb88a6f6d9da65919d88e06882ae8c529513e5d6636d900b695baf1987f98ec08e716c0da7fcdbf6a5d0216e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
256KB

MD5
b7e4b8f955dcf8820a284ecc1e8d5ab9

SHA1
444bae7c618e5a2c357e962246e5f1bbd65442f7

SHA256
26f1124571cb56b73235c803aa501e459d8ec7a9f9b32a98ebe724a81fced743

SHA512
cda3d60d6584206502ca6a60897053288d081c4b78ea984b8d1b668436b0ea8f868f049955ddcf85167b4e8d1ae7728ea0b2b378de0b492686089d9b4f51588c

Download Submit
memory/292-398-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/292-401-0x00000000005F0000-0x0000000000783000-memory.dmp

Filesize
1.6MB

Download
memory/292-355-0x00000000005F0000-0x0000000000783000-memory.dmp

Filesize
1.6MB

Download
memory/292-352-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/308-114-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/308-103-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/308-97-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/308-96-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/308-341-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/592-349-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/592-350-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/592-329-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/592-326-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/684-338-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/684-283-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/684-196-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/756-281-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/756-134-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/756-135-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/756-140-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/1328-394-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1528-400-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/1756-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1756-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1756-273-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1756-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1756-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2020-151-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2020-125-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2020-117-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2020-118-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2104-389-0x0000000000170000-0x00000000001D7000-memory.dmp

Filesize
412KB

Download
memory/2104-380-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2108-409-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2360-313-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2360-172-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2360-179-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2476-294-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-153-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2476-160-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2476-155-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-402-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2484-374-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/2484-362-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2644-185-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2644-328-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2644-184-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2644-191-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2644-348-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2644-278-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2664-300-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2664-364-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2676-312-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2676-320-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2748-301-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2748-371-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2748-369-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2748-404-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2748-377-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-310-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-315-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-367-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-161-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2792-25-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2816-335-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2816-387-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2912-406-0x0000000100000000-0x00000001001F5000-memory.dmp

Filesize
2.0MB

Download
memory/2932-287-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2932-296-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2932-360-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2940-391-0x00000000741C8000-0x00000000741DD000-memory.dmp

Filesize
84KB

Download
memory/2940-376-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2992-171-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2992-91-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2992-85-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2992-84-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download