e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
Size

1.8MB
MD5

990ad1e10e32eb29e04f4a0ca157c7cb
SHA1

d2c109c438e17ace526caac4aed7761ec9b92e8b
SHA256

e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514
SHA512

b44a4911fb174d9a1d91a6346ebf08b81582ee4d7fc7219ff576fe861c59bd4774e28acb2c25573593c28fdb2c1423f2f19bd1f4f54786ff937c5bdb64389e25
SSDEEP

49152:ix5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAGxlMPdlR8v4UC0Eg6ET7M/I:ivbjVkjjCAzJ1l2/V0cETQ/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 30 IoCs

pid	Process
468	Process not Found
2624	alg.exe
2876	aspnet_state.exe
1888	mscorsvw.exe
2464	mscorsvw.exe
1700	mscorsvw.exe
1644	mscorsvw.exe
2280	ehRecvr.exe
2968	ehsched.exe
1212	mscorsvw.exe
2500	dllhost.exe
2420	elevation_service.exe
2840	IEEtwCollector.exe
556	GROOVE.EXE
760	maintenanceservice.exe
2320	msdtc.exe
1640	msiexec.exe
2740	OSE.EXE
756	OSPPSVC.EXE
1320	perfhost.exe
1252	locator.exe
1624	snmptrap.exe
2824	vds.exe
2136	vssvc.exe
2952	wbengine.exe
1344	WmiApSrv.exe
2812	wmpnetwk.exe
2748	SearchIndexer.exe
2564	mscorsvw.exe
1828	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1640	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4b21b9c8ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_es-419.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_pl.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_ro.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_am.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_ko.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_pt-PT.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\GoogleCrashHandler.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_lt.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_sr.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_bg.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_fa.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\psmachine.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_zh-TW.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_kn.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_fr.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_ta.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\goopdateres_is.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\GoogleUpdateBroker.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM866F.tmp\GoogleUpdateSetup.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3C62A79C-014E-4252-9093-E73A6BA23D18}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3C62A79C-014E-4252-9093-E73A6BA23D18}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A1C1ACDF-1BD2-4332-A086-D466094DE9E6}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{A1C1ACDF-1BD2-4332-A086-D466094DE9E6}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2876	aspnet_state.exe
2876	aspnet_state.exe
2876	aspnet_state.exe
2876	aspnet_state.exe
2876	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1368	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1644	mscorsvw.exe
Token: SeShutdownPrivilege	1644	mscorsvw.exe
Token: SeShutdownPrivilege	1644	mscorsvw.exe
Token: SeShutdownPrivilege	1644	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2876	aspnet_state.exe
Token: SeRestorePrivilege	1640	msiexec.exe
Token: SeTakeOwnershipPrivilege	1640	msiexec.exe
Token: SeSecurityPrivilege	1640	msiexec.exe
Token: SeBackupPrivilege	2136	vssvc.exe
Token: SeRestorePrivilege	2136	vssvc.exe
Token: SeAuditPrivilege	2136	vssvc.exe
Token: SeBackupPrivilege	2952	wbengine.exe
Token: SeRestorePrivilege	2952	wbengine.exe
Token: SeSecurityPrivilege	2952	wbengine.exe
Token: SeManageVolumePrivilege	2748	SearchIndexer.exe
Token: 33	2748	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2748	SearchIndexer.exe
Token: 33	2812	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2812	wmpnetwk.exe
Token: SeShutdownPrivilege	1644	mscorsvw.exe
Token: SeDebugPrivilege	2876	aspnet_state.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2184	SearchProtocolHost.exe
2184	SearchProtocolHost.exe
2184	SearchProtocolHost.exe
2184	SearchProtocolHost.exe
2184	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1212	1644	mscorsvw.exe	36
PID 1644 wrote to memory of 1212	1644	mscorsvw.exe	36
PID 1644 wrote to memory of 1212	1644	mscorsvw.exe	36
PID 1644 wrote to memory of 2564	1644	mscorsvw.exe	57
PID 1644 wrote to memory of 2564	1644	mscorsvw.exe	57
PID 1644 wrote to memory of 2564	1644	mscorsvw.exe	57
PID 2748 wrote to memory of 2864	2748	SearchIndexer.exe	58
PID 2748 wrote to memory of 2864	2748	SearchIndexer.exe	58
PID 2748 wrote to memory of 2864	2748	SearchIndexer.exe	58
PID 2748 wrote to memory of 2524	2748	SearchIndexer.exe	59
PID 2748 wrote to memory of 2524	2748	SearchIndexer.exe	59
PID 2748 wrote to memory of 2524	2748	SearchIndexer.exe	59
PID 1700 wrote to memory of 1828	1700	mscorsvw.exe	60
PID 1700 wrote to memory of 1828	1700	mscorsvw.exe	60
PID 1700 wrote to memory of 1828	1700	mscorsvw.exe	60
PID 1700 wrote to memory of 1828	1700	mscorsvw.exe	60
PID 2748 wrote to memory of 2184	2748	SearchIndexer.exe	61
PID 2748 wrote to memory of 2184	2748	SearchIndexer.exe	61
PID 2748 wrote to memory of 2184	2748	SearchIndexer.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
"C:\Users\Admin\AppData\Local\Temp\e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1cc -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2280

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2840

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2740

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2524
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
3ef169425be215e6737625a817898a28

SHA1
7ff488bb95c163a51f0b2face610d708e8d7daf3

SHA256
5bdbcf81c9e0cf3854923fbbcc98c6f5f61d9e711e998acd26944d7787a5d37d

SHA512
1461d1dd67ba5e4c4994f45bbf32dec9104cbb4601c02343e7d6d3f2952113a0952447313ba40b3e6b20efa2aeae1a503bdb665dd99ab0861a73f34399e8fb7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
512KB

MD5
95678bcc2a568eb370aad9f22adf24a3

SHA1
bfac40032d4b7130865dc3423f01f8f5b0bae07a

SHA256
50d3271bc1ed137af86c4465911f61f9f070f63bc3869079c742ccacdfc89b07

SHA512
2f02c986d5f905062c9cdfbba4132d151107c001946a9e50357fc628977d9d5cc8b53aced680e57e210052e3ef38fc1782d2182d151cdc1da9ddbd0751ac7e27

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
256KB

MD5
122a221e78d84ab452d297d348b93d00

SHA1
c6473fa5397528e88e7ccdb82421f979748cae9a

SHA256
8956272a05a5da5f6ba1379211e51144ca808fcf7836fca1537c01a0f949e0ae

SHA512
1f35c34d2ad08bec9cc0dc105af92a91d3713c193579e7aaee9f727876a5e240a4a04e53f656efb7130549e028adf893de7f50a613175a9d0b1ebf632228a121

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
192KB

MD5
5d2d50816aa24f936856db859a5a82a7

SHA1
69527480c801b0d984506162026c307332fa604b

SHA256
850d3b928e8f77d6e44a0b48ebd5d2dd46c8a91cc9d902575c26f8972a2b269b

SHA512
12a1ae423cb917e0e3e4b0a39364b5e3858728b8ef7d79434a3186654cc28a0f32357d0b946521a49774144d8e977df67829806c70b3a880f51e9609d47422f6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
c5426e48762920d15884a3ffff1f6bdb

SHA1
1532321170e1e8f0152133d2f49305faa50737b2

SHA256
8d45dfdc5b0eb0b34dd7241af10117e30a597a3bfcbe1d8068b3d3e0daebbc67

SHA512
e02b64746680d6cf02ad0b6ccad890196654a93dfc5c55b8c30b6f004d1f581b54610596b1e51e882fcf46cc8999c871d21a0f61508b62286c23df6fbe931bb3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.1MB

MD5
d136931889b84ea8ee0bf3355255addf

SHA1
18b303bd2242f6fad76f52e1a30cd8e799c93fe9

SHA256
e5e61cedf8c93d7f5f2050931b936f73a40d49dbecbe8616dc9ea799f334de2c

SHA512
61819bfadf5ae08fd98129e1f43fdc8613c323c6b42c2cf81d799c0c6d7cd51093a306a466974045d56d5ca447c4009af052840c4264848f5a55550e405ac88d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ec7ac6e686f8d15ef65c32a606407325

SHA1
b657168931db795cd93419e62bb323cb5fa46b66

SHA256
851a3c23601da99e17dbdd2f3ca99614ddd516617b736b06fd2677334cb1a560

SHA512
c3d90f5e3b24d593ec0d9e7a364e779dc65338924815226e554af346d006f99720c4afbee675fb5ad24b8e5ca9e3d73d03218cb0331211b51bfc4fb2b2459fd3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
408KB

MD5
ae8c6af2f93c8bed686055ef26d1ef9c

SHA1
b07849d303bb09c34d71eb5097a8bf10f1aac7ec

SHA256
6e81c21079489de2515e9960fdd17d0c3f038e988f4323d0ddcf18cfa162b782

SHA512
6e2178b30ff5f8a6c615496f5634fbf78329394ff2f27a5d7c4115ff4a241bc64e815c9d80f3a1e8dc619cec30c7aba1035275d78e0bc38a0ac1c0d8a01abc72

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8e0aceab5c24c4bd7346f8c93d8a4771

SHA1
5e1521f4a2fc1514efca8684036329d8544ef75f

SHA256
f932736cbb8f847ad30c914205bab408e0d508deda5f441d95a7d5657d9b693e

SHA512
2a33abdb7d56d019072f051c22514883070b8edafaab3bba8a0da10d9ccf496a4c4f21b052607f0bd51fe53a15b2dd5b17c720bef770327a83309b070dd7196d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
576KB

MD5
d9285515539fe10b1ed5dca4cde9d7e3

SHA1
5ab22477a3aaf5f2c00c63bd89d26a9fb6e49535

SHA256
4c2a099389e5a89739395358035f90f8c42b92ac488f375ad2ff6e7c4d04dcc3

SHA512
129756b06cd7dadc7995c33cf7333cb9a308aa085bbeea4f97ff000eae2a8967e59e2780312282b372795dcc659faf9b4078bb7eb072a366d4b6b081f97b0a4e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
73775f9dfef37c74df1cab01dc6e4961

SHA1
4062c4ad35972b9f9cb34d4e97a2641431c7b779

SHA256
cf47934323253f8e6361ac2a397203b99074e9ed6dea54b13c788c160e5d1d01

SHA512
8920cb17d22e0d2aaed44370aaf0355fc23600b7e787aca0e59503a953cb63bd8f9bda77de86955cb1f825e8a528500d2923a379d662e7dddef60ab12c2b6a41

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
44c7269ce13a9539bca3891e5e39ad87

SHA1
b35baab58164269aa1aacfdce8de9175c796bad0

SHA256
e12bcd7c9a16b99b83648a5373f96a8375e91710195325ea425184250262fe67

SHA512
cc2ee0bb2c165a3a323ac20afd62660d2ab877ae20f7535e267d76feb46ad2f80992b249cfff56101709f7186e918dd4d7d79bf7f1c8e63e2676868962f5e833

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
3bc41dc9ddfbb0eaa27c7071456b0ecf

SHA1
d24ac4665a4f8c05fa66a2304f25929a1631c2f9

SHA256
eede6b36191d2fb88178fc2815cfa6a52f8c327ce9e448f14eee508169f343de

SHA512
f8003b985e6f8090e451bb0dc654aa8f125df03645b7ddcd5054bf0d9634025c8fb0935a2066add2e837da4738ab2046118237ec9aff4bde5828a538f62fee70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
384KB

MD5
ab2f320771b1aee071dcf87b61b22b29

SHA1
ced9450978ec04ed040eda5a55139482859a151b

SHA256
596f13d78ef77ec9f1ead2a66256e1a20caa9f0e7b033e4a18fe534818abf2c5

SHA512
1a30590995c6ea0b050404a44b851b65eda5d3bc68c92a25c996186e2a187874de675053c1768dd63bae141144816efd5774dcab4461b548c7ed2889641339f7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
e85e6216ef66224f4ec8cb4611cc0c4f

SHA1
a33c4a6b950d0764e4ea7477f08dc76d19d1c7df

SHA256
0087b63655a7109acb5bdaa283e3ef96ea296e84aac122ad2e392e79507f5814

SHA512
be63dca5f77057bdf1e52859720e909a8221564e0cb74672a967c3ff7db6f2109f08a3800fdc16be980a5721a2c9fdd2c3d2647492ef85a2cb5063381c9f0580

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
a4d82cd32a1a4a86634e7fd587cdfcd9

SHA1
87532567a8398a0a787b1312c81b9b4417ad0808

SHA256
e0ae0ef804e501a0381b5dae7279b0f8e5d2ba14aee9702f67dad75170ae391d

SHA512
ba0e45c1828c6f8341fba1f823ba42697aae98bc3e5f9126c926b556ab4015f4cc5bf97e47a05a600aa404275cb09e644f2188e722ace69874ef3a88fb6a520a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
07261139cfbb336d46284bc843665ba2

SHA1
b2709e9cd95b3e590d444ca6b384aca364c315a8

SHA256
0a92a3d734db040464367c3c87291d5e6c751347516c56b2c1dad15f66b8d7b3

SHA512
8fd0ddd1954e801fe85688275fa91e70776e800fe132b432efedec3457abfa6bfe486b771a3e2496987ecd31914baa3f937e139df32a7dd1e72b274b2b3b63b7

Download Submit
C:\Windows\System32\vds.exe

Filesize
384KB

MD5
915632674e6754e11c09f0bed7272a07

SHA1
a9f8cfc0f5a2c5dab1e0883e46494f08370730e4

SHA256
e52c69f903b4a0f659427aa09c6d117b96f768c5d95d8b9554d12efd202e2c71

SHA512
159d9baff26d5ee2d2212f86bf2efae6d34a680e34b649deed5f589bd4f4ee4298c070c7dfd5bd6c963168c8e7afa8279b1cc8c933b4811587ca64c18d02f494

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
88f2f4271f57888caf4814d31c7ab615

SHA1
59ad7ad13e21c97c941bde1d84d1c70af15df05f

SHA256
62d00c09229cc36abfef5dc19c6ac4e6f7e52d74b3159401498b9ef886867f2c

SHA512
dd1e4f09a11c015f4b046b1b9b9b3c41050f773a46c1b30a68304036d04928f2a4367b19f1c8055d63aa22a026b8679aa911c8f335b9f1287e8e79f3f14170ba

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.2MB

MD5
7dda78603595441c44212444d746bc7d

SHA1
0604848ba74d9af33cec7aff2a243e2fa9e1b408

SHA256
025a93902b068cbfb292eecba32b12326e54f670ae82454e78b234390bd29ef7

SHA512
1c9efb60ada356abc4dd6fd45bd466ba5ff2a8f8c5c107d6f9e00c9f59c2d0417216a2c25391c6e2c261ee9815d67f338e6abb4b7b446610301d459e9809dd7d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
99ef09e737ba963613eb40d2d3c9289a

SHA1
6e30cdc00dcc0ead4cf904387bea5ba5c589bc55

SHA256
6016cd9a755a231e8f7a1d42f3495f982f927fb55402068feeda1390d0af37c0

SHA512
3c6dc0dd564ba021e5f62ffcb6c7314c4affe43464fa553d1f576f7c0ce01a948ea833dbf85a03ccaffb4ff2dd62a4258dbd0a1be0f9ec5631feac8801dc8238

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.2MB

MD5
e9b2eff2a959f88786ce2ede8e3a221c

SHA1
3e0b02d149afcefca4d4f5bc345ede2752686c4e

SHA256
de1c0333ea48639b7277632c93005072134244bc56513483c157ab984ee503ef

SHA512
7cadfc0a3f19f6758b93030e97c096eadde3fd1da1f44955c718d27d4fd799dfb3116e8d97f9c1a31b48da2877a06f3577b19619b28fe3f78ab9299aff402e75

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
435490a790b13df386d8816b41bac27f

SHA1
1f932d94c63e9c6541c2c167d16f96394f187c20

SHA256
82c2e4b71db98882d84f537f2154a9f0552fcd0f267a1e84a919d309814f147d

SHA512
179e50b93b9c04e143ca47cb87ca0dae67d9cf000705fca98e2c2f0d48859d7d440f70071d62e878b4c95b2473466b71d40f34b2a3a5571382ea3aea17f7ca7d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
8442b660c7cd1cd3a08848ecea878f17

SHA1
5eef770c79ab9faccabf1a6b9c8648c7b441918b

SHA256
2bf1cc4fbe6af49998d03260dd5e72d04b56f773482c659b09358fea3fe9e9e4

SHA512
a4bae7f02e1fffb6aa8db910b0afc1fd4dcae712abfe96b5beab0b56978eae81717ea711d5becdc4c23d11f4912d630e6dc76685bcb75799a9f0abfe64548d82

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
512KB

MD5
cc13d3620a3fc2e47ea9574c2cbf4ffe

SHA1
b83d9f2e331266fc394e30240d06c6e6eec7e751

SHA256
7edca037343839b244d74b69a8c0d2d50a8d0cab504fc851901d6ed0de795419

SHA512
13ed6b21c3583bf6ab02d73642e9a776bb7e20dd87295f57f06211d4ec6bd01940f7e36c74f27652b0fbfd7b68eb35161f33575c967f756ccfbe9b5a00b02a38

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
3a1d9810259e957149e2744a228a747b

SHA1
308b6b5442950d4d93916e82a1a4c63ac9816b33

SHA256
0c8e1ec591726aaae08092f39704f7dd6c6a61d5b631dc29c411fadfc3d1f86e

SHA512
2da38a29d924652df6bcd83b793485efda5b48867b0cc896424d62cc273c922fc5a7e8e43cd02452b4705e4ad6da5cd1671eaebb35be3d4f9b3a43a8398dc92b

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
16a9d1ed88e4229780e79aee6c175a52

SHA1
d6723556bb3fcaf3556e1d919f6f0abb92cb0b5c

SHA256
d52daa4e23cbf35db21ffd27a89bded4f91f7e2bdfe66483a4f6d41a7d6cde2f

SHA512
ba7ecd2a45106de7d431ea3eba872fa7a273962ef8c3dc8fcd19dd391fa0f4fae4bf4ff277ba640cf1bf1343cc7a887e6cc6aaace7542205b5443964464834b6

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
cd11b7e77f8d123b867474a62d3dab13

SHA1
5bdfd127a2b9b1338a70f52728b78318f5a20e84

SHA256
91662655b73df30e6ea7e5bf7f6b4b7dc3690b0aa7653c11dc607bb2a3bd34a8

SHA512
6c19e69f015acdac6ed3a4323e75e6e628ac25e4645ca47fcac607e61d907ddcbc78f12fc241a5b144343b54aff318b6af4f761ccba8a6c02f982d2f61ac461f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
27a410c31df73f85af04dcd97a13c3ff

SHA1
2e398ef9769b70393315881470f7012e7dba3af8

SHA256
406c6d8d0a0f52285edbad709671807c23505da8c7e92893bc2e9567e1a8f7bd

SHA512
43dfa23ae1f94fde07d291b8ef8ccc19171df1f43aa766335585b8433b9658519d7d76bbfd1595a6671a19f3ac29cd91449d7ee0aa3962aae3d794e69822df1a

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
277b9d60ab5bc5874442873264122a8f

SHA1
2a585b2030828704b1710a6e55469e8d1b12c0e2

SHA256
76e1ede0f94c89531355840512cab5d6b36be65a9a897c10779a61604a1cd5e1

SHA512
25954556e5a4c8b57714ad776a2f632f0c497c889cf63cd2f1434d0d81153664b5dc727e48602eb24420c43acbbad432ee411ecf396504a2c1979ee78ab144c5

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
5c7a7bc4660d0d5860e940e83e47d8ab

SHA1
dde2414461fa6f7c7a2e1bc1418ea133852ce049

SHA256
0c61cb61fdfc64d400550c1a5163b6d48341477801e5345f9fc751cdab487191

SHA512
3dc1bcf6fba104e2acc291f9bb37522eb96f2dc0f29a2fd8f1b95571e97799c9c395381a1e6216768a1fc97df2ccca861ab5d79c36c2a18d7dd568a19e9ca086

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
493ec59cc3e4b19c3fc3194abd0dcc76

SHA1
8fea2f2b314bec7248f411c34726a5d9f2831800

SHA256
26abcc1d348a318365f487ffe2595688d923336bb8b667a43eecab52584cf862

SHA512
b0c6b1ce2eb889111820c754cc88c347272007a17dd81fc3dbe90e12748d8a8c8f162c345e14a3439257d6c42a362a4420ed70fb16abf0b8199bb880bf4484ee

Download Submit
\Windows\System32\wbengine.exe

Filesize
1.2MB

MD5
e122d3699f8e582bb379ab03f1c4e90c

SHA1
b9adccd20151ba313de41bea3924a9256c38cd4d

SHA256
2b1f4deaa6910fbb07a0ad0869ff7c89f6525723b47d0cd8e3dc57ccab981659

SHA512
3750e99b2afbf7ff315734d5499bb55d4957373848a965af6b6351dc4ae92414d68e23a954681ded0747ce310b4050eea919cc7a9ebc762f9bbea89f5b5e30c5

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5d8e45dda9bb6b010618db8f52d70de5

SHA1
0f28122ca20c255e65ab7ebf1f0d7553fc2759e1

SHA256
a4479ebe28912fe2300ad18a30a188c9ca6c4c1efd0284a0c366d0d82747caec

SHA512
485325764c82e31736e5a038c271e2f005de40b1bd6e32850146112757a864bcfa8b8d7110940b714d01b901261ea301bcc76632bfd5f3752c7faa90c199ed91

Download Submit
memory/556-320-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/556-319-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/756-581-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/756-600-0x0000000074878000-0x000000007488D000-memory.dmp

Filesize
84KB

Download
memory/760-343-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/760-326-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/760-333-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/760-349-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1212-266-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/1212-324-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1212-274-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/1212-579-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1212-267-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1252-584-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1320-582-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1320-583-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/1344-589-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1368-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1368-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1368-7-0x0000000001EB0000-0x0000000001F17000-memory.dmp

Filesize
412KB

Download
memory/1368-6-0x0000000001EB0000-0x0000000001F17000-memory.dmp

Filesize
412KB

Download
memory/1368-1-0x0000000001EB0000-0x0000000001F17000-memory.dmp

Filesize
412KB

Download
memory/1624-585-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1640-351-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1640-352-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/1644-152-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1644-158-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1644-151-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1644-289-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1700-139-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1700-134-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1700-133-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1700-277-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1888-104-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1888-98-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1888-99-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1888-131-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2136-587-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2280-179-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2280-189-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2280-278-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2280-172-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2280-338-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2280-171-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2280-303-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2320-339-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2420-296-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2420-305-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2464-122-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2464-115-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2464-164-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2464-114-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2500-291-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2500-348-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2500-282-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2564-601-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-595-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2564-596-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2624-38-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2624-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2740-580-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2748-592-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2748-594-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2812-591-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2812-597-0x000007FEF35A0000-0x000007FEF363E000-memory.dmp

Filesize
632KB

Download
memory/2812-590-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2812-599-0x000007FEF3390000-0x000007FEF3461000-memory.dmp

Filesize
836KB

Download
memory/2812-598-0x000007FEF3470000-0x000007FEF3598000-memory.dmp

Filesize
1.2MB

Download
memory/2824-586-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2840-593-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2840-309-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2876-86-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2876-170-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2876-93-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2876-85-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2952-588-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2968-186-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2968-185-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download