bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Size

2.0MB
MD5

d11bb9a351b16eb4613df4b8fa07d2ab
SHA1

571a6baacb8a76c605737a1f71088e6ecf4d8f83
SHA256

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624
SHA512

074c6e15377823356fcf60f9476b3a37d683a6879a8565be2de67e42b522d90b9923b792cf40690c4c36209a335965f5fc5a17df4160f6531914267e09799c22
SSDEEP

49152:pRq/irm17kZf9bkl36XT5XT1EZzjv1ZL3ft0f149:TqqSdO9bkh6D5D1mzjv19Vk14

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2052	alg.exe
2016	aspnet_state.exe
2036	mscorsvw.exe
2832	mscorsvw.exe
2464	mscorsvw.exe
1960	mscorsvw.exe
780	ehRecvr.exe
1900	ehsched.exe
1312	elevation_service.exe
3040	IEEtwCollector.exe
2184	GROOVE.EXE
2848	maintenanceservice.exe
1608	msdtc.exe
1088	mscorsvw.exe
2868	msiexec.exe
3048	OSE.EXE
1356	OSPPSVC.EXE
2836	perfhost.exe
2648	locator.exe
2536	snmptrap.exe
2512	vds.exe
1944	mscorsvw.exe
2748	vssvc.exe
2320	wbengine.exe
1508	WmiApSrv.exe
1996	wmpnetwk.exe
1076	SearchIndexer.exe
2620	mscorsvw.exe
1928	mscorsvw.exe
876	mscorsvw.exe
2564	mscorsvw.exe
2732	mscorsvw.exe
1800	mscorsvw.exe
784	mscorsvw.exe
2608	mscorsvw.exe
2420	mscorsvw.exe
2668	mscorsvw.exe
1744	mscorsvw.exe
2012	mscorsvw.exe
2204	mscorsvw.exe
1592	mscorsvw.exe
1728	mscorsvw.exe
996	mscorsvw.exe
1340	mscorsvw.exe
348	mscorsvw.exe
784	mscorsvw.exe
1380	mscorsvw.exe
2248	mscorsvw.exe
2740	mscorsvw.exe
3000	mscorsvw.exe
1316	mscorsvw.exe
1532	mscorsvw.exe
2352	mscorsvw.exe
2896	mscorsvw.exe
1700	mscorsvw.exe
2152	mscorsvw.exe
348	mscorsvw.exe
2080	mscorsvw.exe
1620	mscorsvw.exe
1744	mscorsvw.exe
1928	mscorsvw.exe
1632	mscorsvw.exe
2712	mscorsvw.exe

Loads dropped DLL 28 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2868	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
772	Process not Found
1700	mscorsvw.exe
1700	mscorsvw.exe
348	mscorsvw.exe
348	mscorsvw.exe
1620	mscorsvw.exe
1620	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe
828	mscorsvw.exe
828	mscorsvw.exe
108	mscorsvw.exe
108	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\vds.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\alg.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\fa48c7a47df8f25a.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DACF1076-23BF-40CD-A7B7-7111819689FE}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP96E3.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP900F.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D0A.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7A00.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8A74.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81AE.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000507e10728b65da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	ehRec.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeDebugPrivilege	1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: 33	2744	EhTray.exe
Token: SeIncBasePriorityPrivilege	2744	EhTray.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeDebugPrivilege	2736	ehRec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe
Token: SeBackupPrivilege	2320	wbengine.exe
Token: SeRestorePrivilege	2320	wbengine.exe
Token: SeSecurityPrivilege	2320	wbengine.exe
Token: 33	2744	EhTray.exe
Token: SeIncBasePriorityPrivilege	2744	EhTray.exe
Token: 33	1996	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1996	wmpnetwk.exe
Token: SeManageVolumePrivilege	1076	SearchIndexer.exe
Token: 33	1076	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1076	SearchIndexer.exe
Token: SeDebugPrivilege	1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeDebugPrivilege	1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeDebugPrivilege	1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeDebugPrivilege	1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeDebugPrivilege	1688	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeDebugPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2744	EhTray.exe
2744	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2744	EhTray.exe
2744	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1668	SearchProtocolHost.exe
1668	SearchProtocolHost.exe
1668	SearchProtocolHost.exe
1668	SearchProtocolHost.exe
1668	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe
2756	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1088	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 1088	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 1088	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 1088	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 1944	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 1944	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 1944	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 1944	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 2620	2464	mscorsvw.exe	58
PID 2464 wrote to memory of 2620	2464	mscorsvw.exe	58
PID 2464 wrote to memory of 2620	2464	mscorsvw.exe	58
PID 2464 wrote to memory of 2620	2464	mscorsvw.exe	58
PID 1076 wrote to memory of 1668	1076	SearchIndexer.exe	62
PID 1076 wrote to memory of 1668	1076	SearchIndexer.exe	62
PID 1076 wrote to memory of 1668	1076	SearchIndexer.exe	62
PID 1076 wrote to memory of 1912	1076	SearchIndexer.exe	63
PID 1076 wrote to memory of 1912	1076	SearchIndexer.exe	63
PID 1076 wrote to memory of 1912	1076	SearchIndexer.exe	63
PID 2464 wrote to memory of 1928	2464	mscorsvw.exe	64
PID 2464 wrote to memory of 1928	2464	mscorsvw.exe	64
PID 2464 wrote to memory of 1928	2464	mscorsvw.exe	64
PID 2464 wrote to memory of 1928	2464	mscorsvw.exe	64
PID 2464 wrote to memory of 876	2464	mscorsvw.exe	65
PID 2464 wrote to memory of 876	2464	mscorsvw.exe	65
PID 2464 wrote to memory of 876	2464	mscorsvw.exe	65
PID 2464 wrote to memory of 876	2464	mscorsvw.exe	65
PID 2464 wrote to memory of 2564	2464	mscorsvw.exe	66
PID 2464 wrote to memory of 2564	2464	mscorsvw.exe	66
PID 2464 wrote to memory of 2564	2464	mscorsvw.exe	66
PID 2464 wrote to memory of 2564	2464	mscorsvw.exe	66
PID 2464 wrote to memory of 2732	2464	mscorsvw.exe	67
PID 2464 wrote to memory of 2732	2464	mscorsvw.exe	67
PID 2464 wrote to memory of 2732	2464	mscorsvw.exe	67
PID 2464 wrote to memory of 2732	2464	mscorsvw.exe	67
PID 2464 wrote to memory of 1800	2464	mscorsvw.exe	68
PID 2464 wrote to memory of 1800	2464	mscorsvw.exe	68
PID 2464 wrote to memory of 1800	2464	mscorsvw.exe	68
PID 2464 wrote to memory of 1800	2464	mscorsvw.exe	68
PID 1076 wrote to memory of 2756	1076	SearchIndexer.exe	69
PID 1076 wrote to memory of 2756	1076	SearchIndexer.exe	69
PID 1076 wrote to memory of 2756	1076	SearchIndexer.exe	69
PID 2464 wrote to memory of 784	2464	mscorsvw.exe	70
PID 2464 wrote to memory of 784	2464	mscorsvw.exe	70
PID 2464 wrote to memory of 784	2464	mscorsvw.exe	70
PID 2464 wrote to memory of 784	2464	mscorsvw.exe	70
PID 2464 wrote to memory of 2608	2464	mscorsvw.exe	71
PID 2464 wrote to memory of 2608	2464	mscorsvw.exe	71
PID 2464 wrote to memory of 2608	2464	mscorsvw.exe	71
PID 2464 wrote to memory of 2608	2464	mscorsvw.exe	71
PID 2464 wrote to memory of 2420	2464	mscorsvw.exe	72
PID 2464 wrote to memory of 2420	2464	mscorsvw.exe	72
PID 2464 wrote to memory of 2420	2464	mscorsvw.exe	72
PID 2464 wrote to memory of 2420	2464	mscorsvw.exe	72
PID 2464 wrote to memory of 2668	2464	mscorsvw.exe	73
PID 2464 wrote to memory of 2668	2464	mscorsvw.exe	73
PID 2464 wrote to memory of 2668	2464	mscorsvw.exe	73
PID 2464 wrote to memory of 2668	2464	mscorsvw.exe	73
PID 2464 wrote to memory of 1744	2464	mscorsvw.exe	74
PID 2464 wrote to memory of 1744	2464	mscorsvw.exe	74
PID 2464 wrote to memory of 1744	2464	mscorsvw.exe	74
PID 2464 wrote to memory of 1744	2464	mscorsvw.exe	74
PID 2464 wrote to memory of 2012	2464	mscorsvw.exe	75
PID 2464 wrote to memory of 2012	2464	mscorsvw.exe	75
PID 2464 wrote to memory of 2012	2464	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
"C:\Users\Admin\AppData\Local\Temp\bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2dc -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e8 -NGENProcess 260 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 260 -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2cc -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2fc -NGENProcess 2c4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 304 -NGENProcess 2cc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 270 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 260 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 310 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 30c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 31c -NGENProcess 308 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 324 -NGENProcess 30c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 320 -NGENProcess 328 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 310 -NGENProcess 2fc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 224 -NGENProcess 2fc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 30c -NGENProcess 338 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 308 -NGENProcess 33c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 340 -NGENProcess 338 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 330 -NGENProcess 344 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 328 -NGENProcess 358 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 440 -NGENProcess 3cc -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 448 -NGENProcess 430 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 40c -NGENProcess 328 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 448 -NGENProcess 440 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 3e4 -NGENProcess 450 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 328 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 220 -NGENProcess 470 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 470 -NGENProcess 450 -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 49c -NGENProcess 490 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 488 -NGENProcess 470 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 460 -NGENProcess 48c -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 328 -NGENProcess 470 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 478 -NGENProcess 470 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 478 -NGENProcess 470 -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 478 -NGENProcess 4b8 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 4a8 -NGENProcess 4bc -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4b8 -NGENProcess 4bc -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4c0 -NGENProcess 4a8 -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:1736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:780

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.1MB

MD5
ea218d7d597c5a7d317aee31ebb8dac5

SHA1
fcfbc73447cf91846c60a6d67c848dcc64b087fc

SHA256
43dc319395d2614b727ce34224829cb1ed9692518888bc9d994765052eafde19

SHA512
d5600372e920168894dbe98fe9c49ad1b22a6b2b23955490758eb2db929154299ca7f06c0fbf8587287d73ca0d60eb81b0122fecdd3fd0ad5eeef69b3daf0f38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
8.3MB

MD5
b98af0a88f2c85e804154aaf483646a8

SHA1
b100ab0dc0c3ec0e7869ee0ac0faa61d8a0154d5

SHA256
0d8df47983441a6895585fc96dddf4c1f7f9df747ba80650ebd39ac79f77b53d

SHA512
64cd50bdf743c751d1f21169a1e33d3701b58875116200721adea4c933bd31931d82f19b64b81fecf6f691d8aefeb4022ba267f9732dd61668d0c9dfb1f17d18

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1331d12aec08243b8f58b5a7a78df4a2

SHA1
b796dbde5dd62225b1627b3781397d36b4534a5a

SHA256
196f03b00198af222c6aaa44cc35bda013e3f16b9f3b76eb24422dc7e047b182

SHA512
1897018e634889774c524a7a9687fb359ce25e67ff2c95822a001cdba367352d7ab75226130d9e10d5fb38e8965ff5debbb1f1013107ad215227fe8700b2be8f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
576KB

MD5
ed512fc608555d929a5e908da9fd3e25

SHA1
5c50a573d2bad1c16a81e66f2a04db4b6cceca57

SHA256
f21f60090d6dc390211cf25d89719121a20db6877b7248086a0216163beaf40f

SHA512
2a07bd6c14249d4132650c5ddc09438f5f29ef2a013cdc1cb03eff818c5bd4bd089478fc41762391b446fa6545b20930bd66deb0e8ba94cc0e9e7461f688719d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4821f925ed31c62bee9c06fc9b5d47e0

SHA1
a0ab5b26b5f8b30fae6437d159cfe0ddf098b260

SHA256
95c0cf4dcaecd94b575a8d4a159a826bf1e9f6440a9fa351d59346d0a0ca9efb

SHA512
33927beb7aa86544ab1aa217f6ae709064b13469de7628d7144b98e0c73188d37277c4e20e720907a57bb911a734a436a4c4e184892ebb83a8399575ebc08557

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.2MB

MD5
8ffd0b15085deb8c23bbc34f24e1bb10

SHA1
d19e5cb8a777bfb3f3a2299af703059beb17aa70

SHA256
75ce390a7438c0da23f713bb31e11ac8ab8aaa32c517d152f1beb99712d557c3

SHA512
e5670046dd288430041945df2dbae52b95d58a33e2afe93f275d8fef2181f9288d4d4f308ddd676fc37e1fb3a6d55e2831b39581fcd3bab48e2651ef96c909ea

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4e3fa0eaa2495f8996e10a944219b4c

SHA1
d151c5ed3cc450b0167f173db504ca6aa3166312

SHA256
c487a145e19e3065a1a60365f8692ca3002b005aa99850c068f4092ee375b7f0

SHA512
720eefc842bc5cd6001fac37f93ff6379f7f2c129afd0c81a775115d8b07e4505fb7124712c40b88ddde36b1a0f9dfd6f0191cac83fb42f35804cd2c84862409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f2526514deea2a0b7fad03d8f012704

SHA1
76c04e3f5e928f306a748898ea5ccd138b1cbdf6

SHA256
aa3e1e5dc1358c0a5f7c0517087a76993f664fa307307daa3539b16c372b823b

SHA512
234b31d0fd35fa2fd2dbdf742d22b44f23340b781055e47f4687f4b983615ef747b141e781d3ed972bd3ffbbe0ea81bbf7facb8c5e2cdd3e35a7a2fe013cd89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE774.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE813.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
dad589583b08a6672dd9ec3222f0973f

SHA1
fac621d62385cb078f9d376cbf101db004f5bdad

SHA256
79d6b8e78ccae919bc79f1a62a3ce8aa23b93ac1dae51a57dc9b21c80c72cd5f

SHA512
237b9ec2b00c471b976b5a3fe699134394fdb4341bf37cf1045b689a88ec013c7909212778cec004f65a29a27243cf959beb2641e033547e18dc75af833d8566

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dbdc5d8571ae6a1f05c8e1d7ddf81d87

SHA1
c6acfef3a904f3505673bf0dceb5e738b9d0ebad

SHA256
e38ceb06bb32ed75716e579617ecd0559311286ce8991b881ddb67fabd7d59b4

SHA512
b92f4280093fffc34d9fefc6033d981250ad652d062ace6db9230b2499aac8585837ac5de184c3dac53cdef8a117eb2eb8508543cd1f553a804404f3ce2090ad

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
d43e699289ebd6446994d494dfce32f5

SHA1
0e9c442482713fb8ddfeffb220eeae47e0c683e5

SHA256
cbb2b175bda50cc601414c1542f1d18e5cc7b3706d8fa1061ceb1b5720abac8e

SHA512
4b54fc8bb66c55f10276302cf1f3ca99a4259c5f10c908dbfeda27575e6570ca81b498eb516ef67994d7801587b9612060f607a1066b062a03e04ea0e76f8665

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
4c0a355d5ddbfd0db73e189b8e0720c9

SHA1
1efea7fa2bc8a9e2616151a73bb9936b431b0327

SHA256
8506b2303dcbbe1e71b5270e861c6bb9c34c0763e510938c93ec9c59a48d7bcc

SHA512
81c1e1f1496505628b0e79b35232096d0045ddd80204de369e5d9df45efbd91f67f61cfd9e095721344f7baab25af727c8d81a0d1813c437d033a4e1f886144b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e96fda77bac69fbcb66d02ef84e07956

SHA1
13c840ba0f46454675464f01126b422d7f31bb85

SHA256
1cb63700956c66c6c2d73529a1813382003cf72eb608bf0f80a7a71fbc29bcde

SHA512
5e53daeabd75bb326625ca5b8ef74045c1dcec4b438e9ae1d97feebb8f8e96dc48d1592bafd5118eea7bcf3de3f9a822cc230391b0d4bc5a811cc600b4844b3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.0MB

MD5
59ca6e9fbf0af0dbd34f02a0660a7000

SHA1
a53a0825f65d27b6b9de9b103411861b0626a2b2

SHA256
2dace80ac83f32fce60d5a34c1e154b2e0745b967b01b61d49e63a52aefc9541

SHA512
0bd5683f0f4fc660c8547ae8dec50a91f2215ef808f4300016364f0df1452c3407c890155b7fd8cf0c3ca0d17bf2bf9bdd615a18c7b1c2195bafeb41868c2f87

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
31cae6d8349606cbe807766a96da844f

SHA1
cb4f6eb2b7a7a15eccd4f8760b0b99b9b439ccbf

SHA256
de01535b4086580b084974e7ca8e2766d5d810ec9fe83bf1b89a867ca99d64c2

SHA512
caa90f30d404d7d27212be51847e4e8ed70af3b4354a1fa6a1a69157aa66f0aed12b549efcc64d056c424fa2065fe0296545cafad74d789347d13c11055d7dce

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
640KB

MD5
7d6b99831bd1a5f715d2957d438468b0

SHA1
88116237411190030e6bf78fa44c5e246efc8d6d

SHA256
f8f3d5144901cbd69619f52902075eefa8b879617f62875917329563e5b4b675

SHA512
b84f441f4430b188da1af542a251404f56f254913a713263168deff135a086ecfebf219870aeee43cc066091f83e3e4ad5b14f685e9c022125718643e1443035

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
3fa91c79b8469bb37bc0594386ccbaa5

SHA1
00b557a903afc26200faee23e1982ac102ff656a

SHA256
8f010dbf4e33e7f2fb1639361f52efa5db38172048953882974c986cfcd583bf

SHA512
34dbb08102f2d53667587193422e1bdf90bf783b3b5e9483ecd42397216ded910e6e9dc93924b9c64b3992ea3b4760665574e1407f4c9910560ce2febb913ca7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
d3d34a5b9361b66f1cf7e7c001cd9328

SHA1
3d68fc9c982e28b323a144a1975ac43fdff1abe9

SHA256
f09ce2af72853c4ffeb2a937e3de0760d339e391829d637c7be7fde133508fca

SHA512
08af3ae94a20c441a8abfe9fcd1178bd3f1faba4fb146130a436d05f97ed4f96ef489ff1b2ed5bf7fad7b25a035c3ad3b9ac6df79a7528ecabfb73a622c33f21

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
e5d00bbf904c6888f81f0fd659315086

SHA1
5c0a500c5f8b94dd70d0c07bdabcb18c2d0c6a97

SHA256
578370b290036753330d9ff7864e86c2543bb1ec450ed8b8c673ae714abc86dc

SHA512
302a00518d3a8e48eec5fa8ec6a57d10d475c24d52ac966fceb2252c54aac8884615d32d6b382775b245d43467b0c3a9ac2c0b58a46744267b2a04f0da6b5307

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
640KB

MD5
f29ffddd4adca8187aaa3d7ab4c473fb

SHA1
3a199cf1a36e1c6a7cbbc414496f15ea72a5a5af

SHA256
f42dc633227c63fbcbe17a6e771ff97408f1db222c603026b083cc330bc1ea3f

SHA512
3cc4dfb65fd120f02dda2cb33276cb5d088ab486ba10e259781e7fe6d41bcccf01d2a3dc355840fc7287cf49864f58ebf25b34b743c6a64e5a2cbf61b4ab7b40

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c3f2378df5984ccdac6597484d1e7cea

SHA1
82ec01a29f3d069ee43cebbebf45acbf62286a72

SHA256
06979c0e01dd0acf38c6581268a512d176adab3b7f5c13ed0318abab6df941de

SHA512
ec923696b01e3b7923175735f3d41913e9750764282d0d4847a69f320b9af39e01574bb864965b440d5fe0bca8b288e074a863fad31b159306c5cdca20c26478

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
06e06e046c73650b45c531c5ddaeeb50

SHA1
8bfa593d2a8aeb0aa4ab91a8c553493df15429fc

SHA256
b44ca4e0d3a1c50b8c2f7afd1c2829750447f427d304a867deb7b195f1914a8f

SHA512
585798e2fafe9c12e0f588a941305ada409fc7390612be1e4a0be56a40785fe120236094426db7c2cffe0eb241b1fa2b4e6b024d74a2aa8cfaf77e3cb9adf0a9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
0971b7770d1a556516adb5be9fd0a52e

SHA1
581d959b93fc60c44aac60642bd3eaafdd55b030

SHA256
e87c26580270ec55fc199747390b71e06de65cd19a89a9c786dce1d095507916

SHA512
4ffe6b4008ad483cf95f2c9ec84e5b722d11548caa226ed2d2a4ff48abe10117564278f0d627915b1896471b386b3963ac53a727392793be831ca6ca9f807052

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
192KB

MD5
6e965c646b3dcf6e79406ba08fa64b27

SHA1
dd669d155b458d5f091f5b44f7c41646a79506aa

SHA256
19f2ef1db4099ef2725110aa09a6f0d304df5409bf312b52a2ef00ee014abef1

SHA512
83021717d95b356e0ef018160038ec65f1919879a1042841f7298f15a07cea1f92ff4c791198c5ab31248f6fc1f9f5e3198783e909bb3a14d3482646707c1e01

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
b8f2f2fd833e1c4e96172975e2fe9a4a

SHA1
0b72dcbcf77a30d26cf3338cacda36e7adccf9fb

SHA256
4b896faf5acf4e8acb32af16de6c6ac2bc6c1e85f53fa921a54936f2a685edaa

SHA512
a20fab1a4c972a07dc83d7f0d2730ec38a01571f98c9f9d9f3bdf21f340e1a90d143308ea5f2dda06005cb91b6463cb8e9b91506888b3b1dd6630d1ffc6937a6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
6b9b45959d1921e678cea571107628a3

SHA1
38c840a971f382168351b09c2d2667ae9663ad9a

SHA256
7568db1f63e23ccc1b50c49623d06ed20d3a101cc27ba0a17d73b54e0144f0ab

SHA512
3bf0a6e00049d215e2d9ee775da3e55365f366bea4771446919145ee280554b0dd91a099b36c23529077d788862ad6f4953ac0d4a215084ec0a652a1b0b4a6ae

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
512KB

MD5
77f9465e658f06005328dec64fef4600

SHA1
2d4d1e26536da02e602d7ae4dc5df2d8c39b4dd1

SHA256
3b7a4eefc13ab8bc3736f063c9e12435169f3bd98e5a0dec2f7312b9498c5da7

SHA512
e370c2dafc6ea7415b4ad0577e84ef53ae6e9259677637d78480abb6eb2ff5e6a71453e5eaa175f9cb655ce243460412d01d067238d4d47fc04a01c848739174

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.9MB

MD5
7a0bb256a5e8211d88663def60c0e0cd

SHA1
7828e2975eb23d12e8d46253ce0bf705e0694580

SHA256
22080775a5c9be7fe7757395a86e2e9665c1bb9e974a5508a0a0da0328be77cd

SHA512
1195fd5218734f010bddd15f826c5524df82857e2d3d20254f2725f66689f4687ab510f8e589dd7f9eae18cc552a7307dc581aa9b2ccb7cbdff1db2bd44adaf1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c1523e9588f6bbb1b0c49d1a9c66062f

SHA1
3892d9d13a7783d794229009a895b6441587b8ed

SHA256
e8a99f0d86f7d9e8d9616f085b912d909be9eb3c41026b112f4b94164f360056

SHA512
98947c1a4844abb7d63f6c02df5aca682ade0089c198eab4d14e1f5ccb72f7205c6e5af88a0ea096028aca687eef865ee936fb4774e296e3cbc2bcc99ebbb15b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
81146d8ae47de8fcc78f640f276f1d91

SHA1
d5cf6e48a99e338d96f2e26dc5bff50723fdc8fd

SHA256
28ecf0bb6b7d2152fabfaf5a43ecaa0e88549b48e4b0200ec0857bd080370f33

SHA512
a7a009973715ba2bd98cca8f22890fe3778a6040f713081f3189ea02366d3158db183a97146efe57780db4f7d55262e4182a867b1f39444fb0c31279b0292f72

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
f6ba947ed3f50f9817a1d6541741c747

SHA1
5d6bdaca838f32e2533261df67fb253774fb9cb1

SHA256
e9567ceb25c2037456f3f155aee431eca972956a7f193d001affa1232ac13f46

SHA512
e534336b0371d0ca8e049a3406837e1e0b4c4ac88f3044fdf3c4904ad8225e21afdcc260c1cf36b6fc3cd2ab4fff288a1c9c4ccc7278af3a96ef9728b4089bda

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
14466640a0e41b38cb57f5aa15a54a14

SHA1
34e0ba3739750448e5ce06131b1624d4571acabb

SHA256
bd42f58b53eec34aae3babff33e6d84a976ab07acf5acaea449ccf42b792afa6

SHA512
392255cab6eee8bff790361bece7b5993d3ad963322b5e023f76116af0184679974e74001b3f1b6eb33580d7428c223fb471e3c8cdc5f961490302dda9bf4a0b

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
e0595f45822d27b2fdac17ede71bc5d1

SHA1
46a9b0cd6978e050d0e9e4cfbeb7e3efeef3929e

SHA256
17aa25e73c91a5f8318c90f023dae6f20acc85d4e39c7dfc43aea8735a0a4c67

SHA512
e62aef90aab513d5625c17220f230b67efaf97b0b1017582dab6e1f8ca65cf2f66a0502b5fb225a5158ee3253f1b7266dab52203226efc835f9f9e7707aecf47

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
02ef0ead9c311f6a31892bd8f9232614

SHA1
541350c3aeb4ca567867dfeef06959178878d78e

SHA256
4d1ae544cb0aaf26570a3529e8ccd3102f2386672a1d2ba8256110a924eec397

SHA512
3700fac890524911606fa620ab7b1c89271cea21d0b611596b060f030eb32c41ec2b7a7fb420a4b7599ba525fa299ca309be2e6c351c5dbcd8f7189e48f52833

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
11ccd94e301bdc2e26c3191d6e1980e0

SHA1
53006f97c2ba377dcd0b835f87365c253cdfe378

SHA256
a36f4269836073ebcb9c3a34eec0f9487012aca1f769006b800fef2bc8d84816

SHA512
8140c17af6d01e1b867b5ed98c23cbc45b543a964d48ad54b955364dc8e89351f3c50652b97aa147d9793affae8cdce2ab40ff58fa9d18e70e89bcf5831454c6

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
c544f104e291b059b1770e1cedcc7a58

SHA1
ca646fcd89690183341199c9bddd895af0a043bb

SHA256
188ffed08f46429f1f49343fbef488fb718254aded38dfc42438dc242f24f3f3

SHA512
4477f0ee1b8977c11aa365a038c541a18a73325cd58e5e6e48b85014afe2e51189bae504fd8274a8968baec00fbe274b44ef8772632a70628854f2d107a58ab9

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
48587464a2704d78785e5c138145a6d6

SHA1
23dfd2f7612ad475fdc9de6f573826ddbe430eb4

SHA256
dc69167cb6d9cfb4c2982cf6294f7a94833ba240a579847e5bfd88f6fbc2944a

SHA512
027b0432a61cba5b4c03533807ef4041e638b71edbfc1c735f550ab5de36b48aad2dfa98e98718cfbcf85a1895f06ed08859e2f90353e4b277358da3348f0e1f

Download Submit
\Windows\ehome\ehsched.exe

Filesize
739KB

MD5
4b96b45d1a5a8a5075d6c83fe1f4e7b3

SHA1
9dc169344e40cdbc622b946eced74c91d5cede72

SHA256
ed35b5c8aa2da8b10d22cd2a9fe8bdecf6e6fcbcf86c141090e957984ce7dcae

SHA512
380270cbeef0dae4099c7f11bdf1eefe7b688d3c8e6cd64cceeb229dab97a7a56097b57fa58b84c0898c9d15be097f89391b6d80360735c1dee385ed60b98651

Download Submit
memory/780-94-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/780-78-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/780-70-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/780-99-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/780-139-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/780-164-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/780-71-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/780-95-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/1088-162-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/1088-211-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1088-154-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1088-157-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/1088-200-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-102-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/1312-103-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1312-167-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1312-109-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/1356-201-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1356-202-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1356-208-0x00000000745F8000-0x000000007460D000-memory.dmp

Filesize
84KB

Download
memory/1608-152-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1608-206-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1688-21-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-0-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1688-22-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/1688-28-0x000000001B360000-0x000000001B392000-memory.dmp

Filesize
200KB

Download
memory/1688-214-0x0000000002B20000-0x0000000002B2A000-memory.dmp

Filesize
40KB

Download
memory/1688-8-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/1688-7-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/1688-98-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/1688-77-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1688-165-0x0000000002B20000-0x0000000002B2A000-memory.dmp

Filesize
40KB

Download
memory/1688-219-0x0000000002B20000-0x0000000002B2A000-memory.dmp

Filesize
40KB

Download
memory/1688-166-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/1688-168-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/1688-1-0x0000000001D40000-0x0000000001DA0000-memory.dmp

Filesize
384KB

Download
memory/1688-93-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-222-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/1900-92-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1900-151-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1900-86-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1944-226-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1944-233-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/1960-127-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1960-62-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2016-29-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2036-25-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2052-15-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2052-91-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2184-118-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/2184-123-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/2184-136-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2184-176-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2464-51-0x0000000000870000-0x00000000008D6000-memory.dmp

Filesize
408KB

Download
memory/2464-46-0x0000000000870000-0x00000000008D6000-memory.dmp

Filesize
408KB

Download
memory/2464-44-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2464-110-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2512-215-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2536-212-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2648-205-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2736-130-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-203-0x0000000000800000-0x0000000000880000-memory.dmp

Filesize
512KB

Download
memory/2736-172-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-239-0x0000000000800000-0x0000000000880000-memory.dmp

Filesize
512KB

Download
memory/2736-124-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-126-0x0000000000800000-0x0000000000880000-memory.dmp

Filesize
512KB

Download
memory/2748-229-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2832-35-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2832-57-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2836-204-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2848-145-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2848-148-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2848-141-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2848-142-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2848-133-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2868-174-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2868-237-0x00000000005C0000-0x00000000007C9000-memory.dmp

Filesize
2.0MB

Download
memory/2868-232-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2868-178-0x00000000005C0000-0x00000000007C9000-memory.dmp

Filesize
2.0MB

Download
memory/3040-115-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3040-177-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3048-180-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download