6af513561a80089bd5d863be42d99d36afd5350d7f11012ec3fe782a09df7361

Analysis

max time kernel
97s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
Size

1.3MB
MD5

b4f11a1e22043cb737f94480b0c240ba
SHA1

c11f380e2c6314d41add5aaaaa4d00361e103598
SHA256

6af513561a80089bd5d863be42d99d36afd5350d7f11012ec3fe782a09df7361
SHA512

989780da68db3049750c3732c0d4983fa3023494e1166e80cd298ee1391419f6a61c566608c349b875e5b7a96e7b45ac7e4e8a1b8d3ea2a9c458580711ee3d46
SSDEEP

24576:N/0JmbJwh0nXkrjE9qLKjDNxHT3cxLU4ki3s34ORrExEWqifuJXVRzzAV2J:N/0Jmn2jE9qLKfNxHT3cxLjkicoOxYET

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 47 IoCs

pid	Process
2508	GPY712A.tmp
464	Process not Found
2568	aspnet_state.exe
2960	mscorsvw.exe
2380	mscorsvw.exe
292	mscorsvw.exe
2700	mscorsvw.exe
1524	dllhost.exe
2028	ehRecvr.exe
2008	ehsched.exe
2760	mscorsvw.exe
1680	elevation_service.exe
1716	IEEtwCollector.exe
2992	GROOVE.EXE
2552	mscorsvw.exe
2424	maintenanceservice.exe
2244	msdtc.exe
1080	msiexec.exe
2204	mscorsvw.exe
436	OSE.EXE
1976	OSPPSVC.EXE
2868	mscorsvw.exe
2640	mscorsvw.exe
2400	perfhost.exe
2788	locator.exe
2636	snmptrap.exe
572	vds.exe
2872	vssvc.exe
2212	wbengine.exe
1916	WmiApSrv.exe
768	wmpnetwk.exe
2288	SearchIndexer.exe
2908	mscorsvw.exe
1788	mscorsvw.exe
2236	mscorsvw.exe
2840	mscorsvw.exe
2640	mscorsvw.exe
2128	mscorsvw.exe
2920	mscorsvw.exe
556	mscorsvw.exe
1444	mscorsvw.exe
3016	mscorsvw.exe
1740	mscorsvw.exe
1068	mscorsvw.exe
2280	mscorsvw.exe
1560	mscorsvw.exe
2132	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
2180	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1080	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3e515f179b392089.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	GPY712A.tmp
File opened for modification	C:\Windows\System32\alg.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	GPY712A.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	GPY712A.tmp
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	GPY712A.tmp
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6244E719-C463-4205-B8D4-D8A9117F7C2C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	GPY712A.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	GPY712A.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6244E719-C463-4205-B8D4-D8A9117F7C2C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D8B58942-CCC1-417A-9DF6-4E63EF14315F}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{D8B58942-CCC1-417A-9DF6-4E63EF14315F}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2772	ehRec.exe
2568	aspnet_state.exe
2568	aspnet_state.exe
2568	aspnet_state.exe
2568	aspnet_state.exe
2568	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2180	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
Token: SeTakeOwnershipPrivilege	2568	aspnet_state.exe
Token: SeShutdownPrivilege	292	mscorsvw.exe
Token: SeShutdownPrivilege	2700	mscorsvw.exe
Token: SeShutdownPrivilege	292	mscorsvw.exe
Token: SeShutdownPrivilege	2700	mscorsvw.exe
Token: SeShutdownPrivilege	2700	mscorsvw.exe
Token: SeShutdownPrivilege	292	mscorsvw.exe
Token: SeShutdownPrivilege	2700	mscorsvw.exe
Token: SeShutdownPrivilege	292	mscorsvw.exe
Token: 33	328	EhTray.exe
Token: SeIncBasePriorityPrivilege	328	EhTray.exe
Token: SeDebugPrivilege	2772	ehRec.exe
Token: SeShutdownPrivilege	2700	mscorsvw.exe
Token: SeRestorePrivilege	1080	msiexec.exe
Token: SeTakeOwnershipPrivilege	1080	msiexec.exe
Token: SeSecurityPrivilege	1080	msiexec.exe
Token: 33	328	EhTray.exe
Token: SeIncBasePriorityPrivilege	328	EhTray.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe
Token: SeBackupPrivilege	2212	wbengine.exe
Token: SeRestorePrivilege	2212	wbengine.exe
Token: SeSecurityPrivilege	2212	wbengine.exe
Token: 33	768	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	768	wmpnetwk.exe
Token: SeManageVolumePrivilege	2288	SearchIndexer.exe
Token: 33	2288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2288	SearchIndexer.exe
Token: SeDebugPrivilege	2568	aspnet_state.exe
Token: SeShutdownPrivilege	2700	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
328	EhTray.exe
328	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
328	EhTray.exe
328	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2032	SearchProtocolHost.exe
2032	SearchProtocolHost.exe
2032	SearchProtocolHost.exe
2032	SearchProtocolHost.exe
2032	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe
1480	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2508	2180	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe	28
PID 2180 wrote to memory of 2508	2180	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe	28
PID 2180 wrote to memory of 2508	2180	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe	28
PID 2180 wrote to memory of 2508	2180	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe	28
PID 2700 wrote to memory of 2760	2700	mscorsvw.exe	38
PID 2700 wrote to memory of 2760	2700	mscorsvw.exe	38
PID 2700 wrote to memory of 2760	2700	mscorsvw.exe	38
PID 2700 wrote to memory of 2552	2700	mscorsvw.exe	44
PID 2700 wrote to memory of 2552	2700	mscorsvw.exe	44
PID 2700 wrote to memory of 2552	2700	mscorsvw.exe	44
PID 292 wrote to memory of 2204	292	mscorsvw.exe	49
PID 292 wrote to memory of 2204	292	mscorsvw.exe	49
PID 292 wrote to memory of 2204	292	mscorsvw.exe	49
PID 292 wrote to memory of 2204	292	mscorsvw.exe	49
PID 292 wrote to memory of 2868	292	mscorsvw.exe	52
PID 292 wrote to memory of 2868	292	mscorsvw.exe	52
PID 292 wrote to memory of 2868	292	mscorsvw.exe	52
PID 292 wrote to memory of 2868	292	mscorsvw.exe	52
PID 292 wrote to memory of 2640	292	mscorsvw.exe	53
PID 292 wrote to memory of 2640	292	mscorsvw.exe	53
PID 292 wrote to memory of 2640	292	mscorsvw.exe	53
PID 292 wrote to memory of 2640	292	mscorsvw.exe	53
PID 292 wrote to memory of 2908	292	mscorsvw.exe	63
PID 292 wrote to memory of 2908	292	mscorsvw.exe	63
PID 292 wrote to memory of 2908	292	mscorsvw.exe	63
PID 292 wrote to memory of 2908	292	mscorsvw.exe	63
PID 2288 wrote to memory of 2032	2288	SearchIndexer.exe	64
PID 2288 wrote to memory of 2032	2288	SearchIndexer.exe	64
PID 2288 wrote to memory of 2032	2288	SearchIndexer.exe	64
PID 292 wrote to memory of 1788	292	mscorsvw.exe	65
PID 292 wrote to memory of 1788	292	mscorsvw.exe	65
PID 292 wrote to memory of 1788	292	mscorsvw.exe	65
PID 292 wrote to memory of 1788	292	mscorsvw.exe	65
PID 2288 wrote to memory of 2960	2288	SearchIndexer.exe	66
PID 2288 wrote to memory of 2960	2288	SearchIndexer.exe	66
PID 2288 wrote to memory of 2960	2288	SearchIndexer.exe	66
PID 292 wrote to memory of 2236	292	mscorsvw.exe	67
PID 292 wrote to memory of 2236	292	mscorsvw.exe	67
PID 292 wrote to memory of 2236	292	mscorsvw.exe	67
PID 292 wrote to memory of 2236	292	mscorsvw.exe	67
PID 292 wrote to memory of 2840	292	mscorsvw.exe	68
PID 292 wrote to memory of 2840	292	mscorsvw.exe	68
PID 292 wrote to memory of 2840	292	mscorsvw.exe	68
PID 292 wrote to memory of 2840	292	mscorsvw.exe	68
PID 292 wrote to memory of 2640	292	mscorsvw.exe	69
PID 292 wrote to memory of 2640	292	mscorsvw.exe	69
PID 292 wrote to memory of 2640	292	mscorsvw.exe	69
PID 292 wrote to memory of 2640	292	mscorsvw.exe	69
PID 292 wrote to memory of 2128	292	mscorsvw.exe	70
PID 292 wrote to memory of 2128	292	mscorsvw.exe	70
PID 292 wrote to memory of 2128	292	mscorsvw.exe	70
PID 292 wrote to memory of 2128	292	mscorsvw.exe	70
PID 2288 wrote to memory of 1480	2288	SearchIndexer.exe	71
PID 2288 wrote to memory of 1480	2288	SearchIndexer.exe	71
PID 2288 wrote to memory of 1480	2288	SearchIndexer.exe	71
PID 292 wrote to memory of 2920	292	mscorsvw.exe	72
PID 292 wrote to memory of 2920	292	mscorsvw.exe	72
PID 292 wrote to memory of 2920	292	mscorsvw.exe	72
PID 292 wrote to memory of 2920	292	mscorsvw.exe	72
PID 292 wrote to memory of 556	292	mscorsvw.exe	73
PID 292 wrote to memory of 556	292	mscorsvw.exe	73
PID 292 wrote to memory of 556	292	mscorsvw.exe	73
PID 292 wrote to memory of 556	292	mscorsvw.exe	73
PID 292 wrote to memory of 1444	292	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\GPY712A.tmp
  "C:\Users\Admin\AppData\Local\Temp\GPY712A.tmp" --wait_pid=2180
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2960

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 280 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 1d8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 264 -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 284 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b0 -NGENProcess 278 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2e8 -NGENProcess 318 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1524

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2028

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1716

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:436

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2461186416-2307104501-1787948496-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2461186416-2307104501-1787948496-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
3f77ae8a3d83d4ecb955bd7dcbdb20dd

SHA1
66c80d21cb35ce7405cd8b0496db5129f081469f

SHA256
3f57d303eb5fd3f4951aec8f2b9305238f9a2fdcbd491f504c9e94fdfe7321a2

SHA512
75da26b499d882586be7be10a068af049357ff217ff51b54d1937de29cdefaf4546ac6f5dfca74f7036bc36818e0544a6ff5d1cb28e9d36d556b4beac7c92ade

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.8MB

MD5
e30f170cf2203eb29515bb835054e814

SHA1
39b7a8814984f499b40fbfb3dea505b058603691

SHA256
f56eb8a63455ace41491fc06e49ee8eecfd8b96ea71cf77840d08add4bca555f

SHA512
34f3b9ba0bf5566dea9d2cb8e652c0bb6608c60a46303f611f3755887e1f65d6c6103dc95ea8cd46354a2a3927f52c044aff9a00c15da1144e492e53e04a625f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
affe9164a19bf2e39592a24225fd112e

SHA1
5d7fc8e2be9c1d1a62527d799c400e243e33e5e4

SHA256
85f607d8c9717ae2b084244b0e6d3d0ad87c8a3b7bd5b84631db947d162f4a6f

SHA512
7e821a006b63fa481d325142d4a7504ce78df5e193abe4750f15c8e7d5e43780b53abc39fcc101690340e8f2248b4caf010e838f91387007e8eaf89365f75867

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9fb612d27e82da74ef3ff1e921742288

SHA1
d1d073c2f522bf2a8e698831f70a1bedb4d35970

SHA256
e188f9a036ae966c2d9b657ad5fc972a35c432a6146b615a96d6fa0438dffdcf

SHA512
7cd04d6816fc709c9cd5010a609515ef719f75b351731cdae30956ca5450b587248d4013d606357c1375cf49b4c8a2c2e5ce788c2610fc9347751eb0c2662399

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
497a9d69e704855f478c6adf8f75ed57

SHA1
e80abffc212040d021fe5fdfb729f9f855031159

SHA256
746cd51c6f8392c1bc20d48d1d7f99e1a936b50aa905e9254cab907b4a9d0b18

SHA512
f6e2c1f8589b690f8fd87a44e47d27bf3dd3e6f73ce086beb7fec9c7801ee158efa589af084adb2d28325de4f7d20ec333d79e9abb9837cdfb53861978b5b427

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d188724ee0be60e7e60318789d7614a6

SHA1
7c9df52b8f66bc6b4bf22061d3144435fdcf47c1

SHA256
c95534d227f8d5a2e8ed8c8bfeed1ad65c8b696576223a32ce9fb650e5e47f18

SHA512
40b71d542a6eca343bc40ba806f7f6a1ba451f4debaa372e4707fa9efd2944a2b494b58e0b9bb6ca5764144d62c3da0bddb18d3ea60c41a079e8b09f2d49706e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPY712A.tmp

Filesize
896KB

MD5
35baab87ddda2151ff4ecab404de7276

SHA1
3fe73a96f424710b5dec858b8a037a797da5dd96

SHA256
f9ca22996606b12ee36d56567508c132d5adfa30c54b261e290db7b057099398

SHA512
6073371e48008c0449494a717e7a771820051a950bdb9e857d9f97648edce4ff55679d90f4a084b9396c81f959c6edfbc66c680fe041ee890aaa253b319b8c8a

Download Submit
C:\Users\Admin\AppData\Roaming\3e515f179b392089.bin

Filesize
12KB

MD5
3084a86fa4204ad6285158e5a0d39eb0

SHA1
ecfeb8ffc7c96454d60844d57b25b927eee1dfbe

SHA256
1e7ad8900649d92b3b5c645e22840b8d2cc0f4bd62ed53a7a56c773c5fcffee4

SHA512
b36c14ab0a81545c9c2c457464669b75ace9938bd70da2a2d8ce94ccc1556c9c1e78b56f6764de2c3e97dd58cd2942e8b875b316abae6236dff346f82db6e7ae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
1b14b56c4ac08e8ab67d8a17f0c88c11

SHA1
5ec235a554cbd2289585d81a90b85b14702709b5

SHA256
d0c29d88c4de5c3f449b68382a2c93a9e764d96a7d30ec0d35cae877af926960

SHA512
6778193565c484110948a55ebee06dfdcf7e362b795ac6bb65fd609b9fa1461438494ddf68df497e631fc930fbff25a89a7af5733daae16d23dcf56687ea2cdd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f85119157074d079e8fa920aa047c51b

SHA1
fdc4529e958ab6955effe3d4b93b159cb457fd40

SHA256
53b33f7db0089ebe4230a9b05447777611ee44425084a41613f8d927b690cb77

SHA512
47824f4a51a825dbfc3fca8f4f5317ab522b9806830a359b81530d101bcc8bbdfc843319592cbc8cf14b48f297358881ff5f7d048713e3fcd4007880f8b3a6da

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
d03d6e85259198e3021a8615558787d5

SHA1
9c469e8d008b650e4163d7e0c8d762dddaae9544

SHA256
19c95348bee2a4c73969b0072ba5fc792122c7cae81283379d3df760ed30e909

SHA512
995fa195d291943751e9bce64578088ad247be358a38b096b2a371a2ca905816461fd99643406c0e30669f792b8bc28e08c41b14913fad390a6a0b51e172fde5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
695KB

MD5
623d4a7cfdaa2de01abfc43452fdd7df

SHA1
38590deea4dd869457386ca9ff3aef77114877da

SHA256
64ae1df404f2ee345a75acc67a7388896ad2edf3875ea7e22060794f583709f9

SHA512
da484eecd8855b612423f462d6ab89304adb816cc27951252dcb2ec5586fb8c0658038eef7e9f2b77e93911d93bf9e061845fd95e5a6cebba16a78c27ba69a44

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
5fc5f476a9e50b5101ba52ef615628d7

SHA1
0e15171297af0b3aa0573acc36a7f795664a3d4e

SHA256
707031b276663bc96011519bf06c99e2f83671536c8114a11fb74e82ca00f2cc

SHA512
05483493a38135331709d8f6a0a362f2dabd0fe6eae6ed832641c868ff73e9591db17dbf8cc855b470d50350733a72b978d307d50f4d51698677cd39a12307a8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5f109a57dd27b0db1701aae38029fe04

SHA1
0ce9a5894a1951e422b23229fb72ac9f2263c051

SHA256
dd41d94a2c9174ac1d756ecf312ca79504dcde2cbb4ebe5b7f9e2830028a3406

SHA512
77242cbfb360f28436aa5d3824598903da3a78ee551a142972b2eb415fbda7b7d774fcf70c9cbda93156ab1ffe84cae8260f6089bf6681aa7383846a230330e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
0272081ab5bbedec9a9704f2211462c8

SHA1
6495329b45853ba721e07aaa209a767115d789d2

SHA256
d2e000b6cfebfa47f76fb3e12a316ec227269b96dca4a148ab9a86fdd5f7473d

SHA512
f4d5127c18962a7feff0f5de290957f0ad81f23cb6b09e94b4dfb5aa8835e1db520a9e582f2c99f7dd3ef5d79e61e4b285076caa8695486b6574c0446ceddca8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
6c2a7ff3ba05ca27b347a8cb13b27214

SHA1
4beda97f6a593d65f54c02301bc858f1135e1a2d

SHA256
21ede7f0e721edb820f1a30d54e9bf45bed22a37e6e95c4eae9b7a9415fe070f

SHA512
84cf5cfbdc9beb79dc19c5cb11b797f2be8f6e86ddf684769bf2bf60e52a353028f5c02ae89d7fb7154b94c485b735c7d49b4e5c3f9f01cb8026e3bbc99717e2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
192KB

MD5
b75131c52874b7ae31912fa58fefdf49

SHA1
f09a65d0312217e1bcdeb0faf98302d50c299f3e

SHA256
c67ebe03507fe2934696e65c63a458c3d28ffabca6e0296bdb7f8c53ed520836

SHA512
37d3f774d39b420f51d12c77139dd2aae2d30cbace151f8f06a3157374269c6f1d3f954b26516045606dc1b4e6282e71f381dcbb701449465337e408d47675b5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
fb114653cd7752b6208ca28796d5bdf1

SHA1
41339617808e3835fc3c8d776e2d9011efed5a14

SHA256
313c5fa5890395b944b1a709657a135be30e2ad7c7e6e1fc2fe1c348ee2a7272

SHA512
a19f9cf93c23d6d9eed4828b9d63757ddf088c730f308b7d608ce4f24d852d2bc7199c7b6e6de066a59164fc2b157b7e80b6d508c24d53f82fc9811c1f32c2ac

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
64KB

MD5
c004df5d41a16038baeee5b2d71e7cf3

SHA1
049768e975216e228084b8b5bb33fde658f92d61

SHA256
c28ad1bfc0d5ecc26faaaa47cdd5e92cbf0c7830e28e10baa752e3d89b30164d

SHA512
16bd8da0ab734d359c633471ebb28ed45f907b6f011dcdc69e74fc40059ca4cc950ca9f1e47dab070f41087f5410b84438b1b00cc6e00fc36398ffb442085c3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
110ad8bc19049e52d1c07fa97b85b1c0

SHA1
42e3b5990ed16525e6348b2d9fcbae567ceaa080

SHA256
cd353fa9c572fd8204734d96c989135206d331bbc3a8cc29163e0dd778dd997e

SHA512
4004778ff5670575ab33dcf4d105da679a82e54b66b3bfc379a37ac7432271f53789cc107adb3e9ce98cabf88f158bdc93b3a0e34722f66319a80b31a6f420cb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
1b4ce7c7f633bbf23667ecc6857fc6cf

SHA1
49304b9ba335722090a32da80a6709eda11b8bf9

SHA256
27a477a156b1d2a46f168e075d1a41faada4b170c2140235190b80b164c0c384

SHA512
f53e6494f1d9c5e7dd1fb116ba7d9987e3f3f428a951e7dd5f6d66c5bd622c6a8dd1cf95f401312e51e0ea9bd0d22588b750a2a603736da874140ac1a904970f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
773d36cfb61bdcf099969a8ee5c6ad39

SHA1
ee6b9d0c2f75cc8f0c8bb8bbc052c08dc4803f0d

SHA256
055e34112f6d23f7067bd9f33e6954d24158cd29b8527796da5620ba464dffe7

SHA512
1c262aeab2a66bf4d65d15b320ba3c22bdef190d710af5f731c2d8fc4189f4f821834ac75b1747bc66bcc24508b3e6240ba9774f423daa7136080ecedea8ee2c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
ea4558157431f5a40c07181faa3313f9

SHA1
58c758b0f1fa9bef3955e632a8421f18e6c0d8dd

SHA256
48f3e6dfa00d058c85e73dd36478c2ffbd8d7de824a453733c442dfca2d0f31e

SHA512
5e741e90fdad75522d23c79d12c8eae06579a9dd7b45f7735ec380fa2adbaa7636aff73be1397f12170a7a2a50809b5bf488e3e8f3f9eb9c3aa8350c70d69937

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
bc6895ceff9718793f3030e2bf585199

SHA1
614ddfd898b3c546542d89c7792511ad4c9d8aef

SHA256
2ffe5dee285c8975083de116b0773f66139cd394b8b05d741d68492c7f6f4869

SHA512
803390a416001e035f0f1878f7bb3aaf706aba860f86622e0a694793decc9cb67cd2051f9e9096daf93bd0e90f55c6443a2236615e286b07160da1f01e32f62d

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
e4eda5d3b146cd1bef60251ab1574cdb

SHA1
493ae17a561c3ee0ca7c9ff815835b9b7e984d96

SHA256
db736aa4484eb90105b870ec4370e34f748837c2093b300989f0d32f9751e27c

SHA512
294c0ed515fcfff880f7877e59b95d9da68d4156c3d913054bca78cbd37d15c2f355d302db504d6e6fd2850efc9be058d9fa3d60d114522aa040616f751151f7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
930KB

MD5
8f3cf419b11244446283d6117e0879ba

SHA1
fab97a609f84c1db29a1787b5ebe0d707045f612

SHA256
5fc8f9131daccbf9b52c3896a4f23e38542500172c2c90b858656cc400f4f42b

SHA512
94e2bd1ad427c536558df34738fc78329df7a3a985d0dd8e6d861bf6ca508deb557e24b38054896138e92dcc3debfece89e78dafe303a20ff4a822c5f0ec0293

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
e17c5d9be0495ffd24a89fe787bd2fe8

SHA1
b615abcc879f9219864f682aff71696679cfa48d

SHA256
301df46b95aba0ec47bf997e3be39814b303f711a3e33a28ae59cffba031d9f9

SHA512
f43833c46186ee05e132bcd96f2c6e1bade016f08122c075f89cdff864a235a8bea5baea6997b115793ac360b3e6142dd4ab7a447690434ae28b7c911003aeb7

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5af00dfd152e83a7a0fba3b29f586a98

SHA1
8eea282a90dbdff881d33c57a0fe4edb7fc26d24

SHA256
854bd4f9b0445e1e7b291c48082e77bdd8eae64e099ed6e3e09e5d6f6f8d409c

SHA512
3d90bde948f1f3187183b00443321fb843abb686ab50e184156069cd51f6c79231f14109b74ca0ea655a89e5b65c01bab20b2f0408adeb22b4d40bd9550c3dc4

Download Submit
\Users\Admin\AppData\Local\Temp\GPY712A.tmp

Filesize
1.3MB

MD5
b4f11a1e22043cb737f94480b0c240ba

SHA1
c11f380e2c6314d41add5aaaaa4d00361e103598

SHA256
6af513561a80089bd5d863be42d99d36afd5350d7f11012ec3fe782a09df7361

SHA512
989780da68db3049750c3732c0d4983fa3023494e1166e80cd298ee1391419f6a61c566608c349b875e5b7a96e7b45ac7e4e8a1b8d3ea2a9c458580711ee3d46

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
fa1525cd09f55c780ccaca375d41dc72

SHA1
4c0b6fd26ad70a1bc99d81c972e25e0e0941ccfe

SHA256
9ac5082da3c5424b227193c4676aa2a977194f802f7f2995e77e8cfcb7c779fe

SHA512
08b2c300864ff9ce40e749625e2998cf631adeb768c4c67e60354c19552315e49474915d1959f32d64951a7cbf770c91f661a69aee201d587048603c0871fb5d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
8fbca0ffcd093da6bcc86de4f58ec50b

SHA1
935a77034db93f4eb1c4c172953ce1b49d0a8718

SHA256
d3ba830c53244759bf92845d940d6f0d9313885d06aef84bd6c4436209e838be

SHA512
4621b5056782a5436dfc036439ed881a302943215dfbb9fef602180140b90e9dee47a4dcd9d9ab47bf3b3a7307b6db1c2e05aac45a224bc704beb902d110aaac

Download Submit
\Windows\System32\msiexec.exe

Filesize
384KB

MD5
382458ed80f551a8e8c8b01b4641f3f2

SHA1
031af5149d0816bb8173b0cab963db9bfdbaf1cd

SHA256
eb29f9f24ae7f09893e352c5834a3724e00f5ccbe63e91453ceadccc869ba770

SHA512
c58b8a9d4aab68a7c0eae796a3edd8449749f88920cc3f7047b07f45babd2c771f7ed6b562b6dbdc2d1a54bcbed56c473780c9d1e18f7ab17684fffe1fab60b0

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
8956a1212be2a6f796bc6bd590aa3a7b

SHA1
4b10f8202179098da0fc19195667878fa7ec0170

SHA256
b1adc375ae9ee6f5f089ee615ac15f295247420ed3fc1c1a1942f219c86d5e3a

SHA512
bc16061ccb7627925826d351a667012277ef4e2ecbe54931577dfdde9b2aa320acecb15219f05231c40d5540fe5abf83f3142249e4b52a9af1fcb8b414035d07

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
4e74726a47a256a2b4a8bd2c51df69b7

SHA1
7607f0ebe25265adaf63224aefa24fdf22afd0e4

SHA256
108f7173fa94ff637514b4bbebc221faa0467d513f61d049e65a8b3c49bec53e

SHA512
038a4a4c9874d9b80e31e35772742816f4a2923ef77feb2713a07ac5bb0669681994cd4f7c2d520290b83ca90a954edc1e26c763ecf53d891a6dddbf71d358a5

Download Submit
\Windows\System32\wbengine.exe

Filesize
1.1MB

MD5
c6ab0a46fc00150b6012fd707353dfd6

SHA1
e54de08e6a7b9129833283ca530ffad5541231b4

SHA256
2ae492c5d3605477ff2acbe02bfa85ea2cfd5b9cb1ce2d131352fac822502e5a

SHA512
648f52c1894879b6b20c1b3758d31d88f51a86019d8708911881cb46b0b44d6e4d8867cb1ee59f10b0a800e797396c68d2b11c6a94814e7df2c9f7d46c96cef9

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fd1a9aaedf6fb6b8cd86295fbf7ec299

SHA1
6ba63f8ce254f312560e92532c5419bffecc50c9

SHA256
e989cd272b77962d90a3c4bc876f2b5d568ceb8d653f855f35bea9afad72ca11

SHA512
3267272f0caabf285c5bff9252cafdbb1c8d16a5e2b29672da71f12195fcc9e3d196fc0ae20b6104463e24577e0f4b32ee1de544a08379eb62905fe11e5f1bb2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
832KB

MD5
8eedceb23335c628582a84326fe60dc4

SHA1
8b2200cd05f022c586718588df99963dcb9e2fdd

SHA256
b61ad8310fcc1e6bcbdbf1c20bc82a09f3f2a722c07778afa76f0fdf5c7478c2

SHA512
647b110d05199e829beccea9c3eb2c7d233e2a1469b2efbe027dd5c828603666b868e75beb7a166448ca549674a3bbea44b4e1ad511cc3120faca9a58831d58c

Download Submit
memory/292-108-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/292-113-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/292-187-0x0000000000400000-0x000000000067F000-memory.dmp

Filesize
2.5MB

Download
memory/292-107-0x0000000000400000-0x000000000067F000-memory.dmp

Filesize
2.5MB

Download
memory/1080-298-0x0000000100000000-0x0000000100289000-memory.dmp

Filesize
2.5MB

Download
memory/1080-311-0x00000000005C0000-0x0000000000849000-memory.dmp

Filesize
2.5MB

Download
memory/1080-320-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1524-153-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1524-152-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1524-146-0x0000000100000000-0x000000010026C000-memory.dmp

Filesize
2.4MB

Download
memory/1524-145-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1524-212-0x0000000100000000-0x000000010026C000-memory.dmp

Filesize
2.4MB

Download
memory/1680-296-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1680-213-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1680-206-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1716-230-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/1716-229-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2008-177-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2008-263-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2008-185-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2008-173-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2028-176-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2028-168-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2028-188-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2028-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2028-174-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/2028-167-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2028-160-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2028-231-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2180-42-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2180-0-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2180-6-0x0000000001DB0000-0x0000000001E16000-memory.dmp

Filesize
408KB

Download
memory/2180-1-0x0000000001DB0000-0x0000000001E16000-memory.dmp

Filesize
408KB

Download
memory/2180-40-0x0000000002C90000-0x0000000002DE5000-memory.dmp

Filesize
1.3MB

Download
memory/2180-7-0x0000000001DB0000-0x0000000001E16000-memory.dmp

Filesize
408KB

Download
memory/2204-328-0x0000000000400000-0x000000000067F000-memory.dmp

Filesize
2.5MB

Download
memory/2244-282-0x0000000140000000-0x000000014028D000-memory.dmp

Filesize
2.6MB

Download
memory/2244-290-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2380-100-0x0000000010000000-0x000000001027E000-memory.dmp

Filesize
2.5MB

Download
memory/2380-139-0x0000000010000000-0x000000001027E000-memory.dmp

Filesize
2.5MB

Download
memory/2424-276-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2424-271-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2424-278-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2424-267-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2508-43-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2508-130-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2552-305-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2552-277-0x000007FEF6210000-0x000007FEF6BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-258-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2552-256-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2552-306-0x000007FEF6210000-0x000007FEF6BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-304-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2568-77-0x0000000140000000-0x0000000140274000-memory.dmp

Filesize
2.5MB

Download
memory/2568-159-0x0000000140000000-0x0000000140274000-memory.dmp

Filesize
2.5MB

Download
memory/2568-78-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2568-85-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2700-135-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2700-124-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2700-123-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2700-201-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2700-136-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2760-193-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2760-246-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2760-226-0x000007FEF6210000-0x000007FEF6BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-252-0x000007FEF6210000-0x000007FEF6BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-248-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2760-204-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2772-299-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-227-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/2772-318-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-309-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/2772-297-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/2772-254-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/2960-90-0x0000000010000000-0x0000000010276000-memory.dmp

Filesize
2.5MB

Download
memory/2960-103-0x0000000010000000-0x0000000010276000-memory.dmp

Filesize
2.5MB

Download
memory/2992-259-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2992-319-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2992-255-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download