003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
Size

1.8MB
MD5

e9e774c40378d02aa97ac91e949ad718
SHA1

27a82553435647983384208bcae3c57c6e52e665
SHA256

003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2
SHA512

9326fe358da4317957f981c304393630b1334bf9dfe7daf006f576d5a18a6f24fa2b28b3f60fa244e5ddd20ec28eca9d960a6bb729b2dbf921160f791ab606c2
SSDEEP

49152:qKJ0WR7AFPyyiSruXKpk3WFDL9zxnSEksDM2jh3BqS7YtGL/Als:qKlBAFPydSS6W6X9lnk6MMQS7kGLws

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
484	Process not Found
2784	alg.exe
2392	aspnet_state.exe
1688	mscorsvw.exe
1828	mscorsvw.exe
2256	mscorsvw.exe
2216	mscorsvw.exe
588	ehRecvr.exe
1104	ehsched.exe
2092	elevation_service.exe
1044	IEEtwCollector.exe
2040	GROOVE.EXE
292	maintenanceservice.exe
2360	msdtc.exe
2676	msiexec.exe
2564	OSE.EXE
2212	OSPPSVC.EXE
2312	perfhost.exe
2280	dllhost.exe
1808	mscorsvw.exe
1028	locator.exe
2196	snmptrap.exe
1252	vds.exe
2956	vssvc.exe
2556	wbengine.exe
2204	WmiApSrv.exe
2068	wmpnetwk.exe
1984	SearchIndexer.exe
1360	mscorsvw.exe
2304	mscorsvw.exe
1604	mscorsvw.exe
2192	mscorsvw.exe
240	mscorsvw.exe
2952	mscorsvw.exe
2416	mscorsvw.exe
1756	mscorsvw.exe
2192	mscorsvw.exe
832	mscorsvw.exe
1928	mscorsvw.exe
2244	mscorsvw.exe
1576	mscorsvw.exe
1872	mscorsvw.exe
1964	mscorsvw.exe
1780	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
2676	msiexec.exe
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
772	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a1efc0633d2ec148.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\GoogleUpdateOnDemand.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdate.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdateres_th.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdateres_zh-TW.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdateres_bg.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdateres_is.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdateres_mr.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdateres_el.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2397.tmp\goopdateres_uk.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E459F8BB-5085-4001-953D-DDD01E26B22A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E459F8BB-5085-4001-953D-DDD01E26B22A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c053436eaa95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{A5044321-001C-476F-A3B5-4DA1FA733CE6}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e09ce265aa95da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A5044321-001C-476F-A3B5-4DA1FA733CE6}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1164	ehRec.exe
2392	aspnet_state.exe
2392	aspnet_state.exe
2392	aspnet_state.exe
2392	aspnet_state.exe
2392	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: 33	2980	EhTray.exe
Token: SeIncBasePriorityPrivilege	2980	EhTray.exe
Token: SeDebugPrivilege	1164	ehRec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeSecurityPrivilege	2676	msiexec.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2392	aspnet_state.exe
Token: SeBackupPrivilege	2556	wbengine.exe
Token: SeRestorePrivilege	2556	wbengine.exe
Token: SeSecurityPrivilege	2556	wbengine.exe
Token: SeBackupPrivilege	2956	vssvc.exe
Token: SeRestorePrivilege	2956	vssvc.exe
Token: SeAuditPrivilege	2956	vssvc.exe
Token: 33	2980	EhTray.exe
Token: SeIncBasePriorityPrivilege	2980	EhTray.exe
Token: 33	2068	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2068	wmpnetwk.exe
Token: SeManageVolumePrivilege	1984	SearchIndexer.exe
Token: 33	1984	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1984	SearchIndexer.exe
Token: SeDebugPrivilege	2392	aspnet_state.exe
Token: SeDebugPrivilege	2256	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2980	EhTray.exe
2980	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2980	EhTray.exe
2980	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1808	2256	mscorsvw.exe	48
PID 2256 wrote to memory of 1808	2256	mscorsvw.exe	48
PID 2256 wrote to memory of 1808	2256	mscorsvw.exe	48
PID 2256 wrote to memory of 1808	2256	mscorsvw.exe	48
PID 1984 wrote to memory of 1332	1984	SearchIndexer.exe	58
PID 1984 wrote to memory of 1332	1984	SearchIndexer.exe	58
PID 1984 wrote to memory of 1332	1984	SearchIndexer.exe	58
PID 2256 wrote to memory of 1360	2256	mscorsvw.exe	59
PID 2256 wrote to memory of 1360	2256	mscorsvw.exe	59
PID 2256 wrote to memory of 1360	2256	mscorsvw.exe	59
PID 2256 wrote to memory of 1360	2256	mscorsvw.exe	59
PID 1984 wrote to memory of 2916	1984	SearchIndexer.exe	60
PID 1984 wrote to memory of 2916	1984	SearchIndexer.exe	60
PID 1984 wrote to memory of 2916	1984	SearchIndexer.exe	60
PID 2256 wrote to memory of 2304	2256	mscorsvw.exe	61
PID 2256 wrote to memory of 2304	2256	mscorsvw.exe	61
PID 2256 wrote to memory of 2304	2256	mscorsvw.exe	61
PID 2256 wrote to memory of 2304	2256	mscorsvw.exe	61
PID 2256 wrote to memory of 1604	2256	mscorsvw.exe	62
PID 2256 wrote to memory of 1604	2256	mscorsvw.exe	62
PID 2256 wrote to memory of 1604	2256	mscorsvw.exe	62
PID 2256 wrote to memory of 1604	2256	mscorsvw.exe	62
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	63
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	63
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	63
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	63
PID 2256 wrote to memory of 240	2256	mscorsvw.exe	64
PID 2256 wrote to memory of 240	2256	mscorsvw.exe	64
PID 2256 wrote to memory of 240	2256	mscorsvw.exe	64
PID 2256 wrote to memory of 240	2256	mscorsvw.exe	64
PID 2256 wrote to memory of 2952	2256	mscorsvw.exe	65
PID 2256 wrote to memory of 2952	2256	mscorsvw.exe	65
PID 2256 wrote to memory of 2952	2256	mscorsvw.exe	65
PID 2256 wrote to memory of 2952	2256	mscorsvw.exe	65
PID 2256 wrote to memory of 2416	2256	mscorsvw.exe	66
PID 2256 wrote to memory of 2416	2256	mscorsvw.exe	66
PID 2256 wrote to memory of 2416	2256	mscorsvw.exe	66
PID 2256 wrote to memory of 2416	2256	mscorsvw.exe	66
PID 2256 wrote to memory of 1756	2256	mscorsvw.exe	67
PID 2256 wrote to memory of 1756	2256	mscorsvw.exe	67
PID 2256 wrote to memory of 1756	2256	mscorsvw.exe	67
PID 2256 wrote to memory of 1756	2256	mscorsvw.exe	67
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	69
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	69
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	69
PID 2256 wrote to memory of 2192	2256	mscorsvw.exe	69
PID 2256 wrote to memory of 832	2256	mscorsvw.exe	70
PID 2256 wrote to memory of 832	2256	mscorsvw.exe	70
PID 2256 wrote to memory of 832	2256	mscorsvw.exe	70
PID 2256 wrote to memory of 832	2256	mscorsvw.exe	70
PID 2256 wrote to memory of 1928	2256	mscorsvw.exe	71
PID 2256 wrote to memory of 1928	2256	mscorsvw.exe	71
PID 2256 wrote to memory of 1928	2256	mscorsvw.exe	71
PID 2256 wrote to memory of 1928	2256	mscorsvw.exe	71
PID 2256 wrote to memory of 2244	2256	mscorsvw.exe	72
PID 2256 wrote to memory of 2244	2256	mscorsvw.exe	72
PID 2256 wrote to memory of 2244	2256	mscorsvw.exe	72
PID 2256 wrote to memory of 2244	2256	mscorsvw.exe	72
PID 2256 wrote to memory of 1576	2256	mscorsvw.exe	73
PID 2256 wrote to memory of 1576	2256	mscorsvw.exe	73
PID 2256 wrote to memory of 1576	2256	mscorsvw.exe	73
PID 2256 wrote to memory of 1576	2256	mscorsvw.exe	73
PID 2256 wrote to memory of 1872	2256	mscorsvw.exe	74
PID 2256 wrote to memory of 1872	2256	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
"C:\Users\Admin\AppData\Local\Temp\003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 1dc -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 1e4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 1e4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e4 -NGENProcess 1dc -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 274 -NGENProcess 1dc -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 258 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1a8 -NGENProcess 254 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2cc -NGENProcess 2d0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 2cc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 23c -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 23c -NGENProcess 2f0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:588

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1044

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:292

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2564

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1332
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:2916
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:800

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
1c7afb69855b28572f764e4c66aafa99

SHA1
518de79e038133853e3e2774b24b744b68691cf6

SHA256
872c47b811acc23f1c781115fe96609792dd3bbeceba2f3966eee5deb8fe6882

SHA512
5783fa4808db61ef1c266ce7994c41eb83061ca09ca58bc053948bc024b871a75801706126ab73ac3883f6c0836df1c117f92a8cd3cb9ace82dc3224382dabfd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6e0faf5c5f06c7111147a7c47e941da5

SHA1
221a7f1694298341de91e1a20e5cf4dafaed5b66

SHA256
e5a8c27407709db73286f2edd3b3cdf784a3aa53d7b4b4cfce4776ce77b04e3b

SHA512
1649689fac6d813709b407f7d0dca02c91459d626614bf482023871545e2073478391af006c8506258d1b9fbc31121651b15c7b722af177125cec1c848480110

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bd31e90cbb588a06eda7fb32e4a3fe39

SHA1
ad02b2ee1b15580529673a94ce1d4ec7fdbf35fd

SHA256
2b7757d76d92a842221469bd909685389ab8fe7e5ccaddcea4518f1114562480

SHA512
0f17bdd130d7e3a543f53efd43d0d870d1746600560681eb71be12ae51c29223db250897c598db91c506a9929de40b59138a0b72ea6467c5d623ab8918bb951a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f087940a51941fdc94c7f53f9bb604c3

SHA1
ca4f3cfead31e268bf5d7b58bcfa686c926f7adc

SHA256
817ad9ee48cd9713026d7ac8ed33801c37727f4925e590e1073d6c3f37371c90

SHA512
3a141a12b685c97f8ca7a8a760c4c86f5d15d351483e85247cfbd5e779c7208ed7671c4f05242c495354a08d4ae88f39405d2d562276eba367d30510bb807fd5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
187eedf9162644c3451f6c03508404da

SHA1
866f9dbabacdfb714c6134c161b20c7562696e63

SHA256
9e2ef2012db992ceedbddca361b590cd8463e9792f0332a5495eb2f7b4286129

SHA512
c68d7ae16ec6bf3ac8c98820c233928b3144f0c8830b8745d2dcb8ff21d04d6cfa2c4261dd13cc879fc079e9b9546fcce8c69b1b359a7b43132ef1adfe87ce8c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d39409c0042c68b0bd9019e90be192f2

SHA1
28272a57f1975a71d857a521056b402223ae1a38

SHA256
f99dbafbe126bf8f9afa0a52a3fb59762f06af3bdc32af8f19d4232251d80dab

SHA512
70082f524f68549fbc115b02d52f0c37cc19c3ead67991ad9e2a3bc03a83cc74f54690d242715d2724583d5c4fc6f76ff32579420bb7162ce4f1594b85bf1a5a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk

Filesize
8KB

MD5
319700c02695b0a8d0b4e3456ccc1d47

SHA1
4692348d66fff63103a76e0b4845cc65bbe58beb

SHA256
54bb45e060cae19f3116b74cb8b1dc9b083c90281423b82f39f17e9ff16958f3

SHA512
b03565ea31b18803202bc560be6f3e42ca857f3fe8441976c1b08fe9bde50a47d8327b3ab433a7a7b94bd27abebb35117142d4303ae1038c6ce6d66ca1e22b45

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6bdeec76203f6c512fb49d9822365b0e

SHA1
8baaa5be06502de4e7ebddff8c0240a119761ef8

SHA256
6618c0f27d9b98b63bd32070ca65c98fbb5d5501c10551fa0a070c84591af0e6

SHA512
b14909781b277a76c7648a8f517ab0fec400c927f6a0da6aca5c7bd3f71e2920d740bff4e87761a0dffddac855b5737039f43abd9a1d6308a8dc903166bfa4ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
10865012ab1744acbf476f86a4861b22

SHA1
dae50ea20fd75e191a67a1885f34482b16aaa5a0

SHA256
fe41b01bb014bebcf2a57ad09b1b85f155eaa90a868e8a98610f738f5af03c41

SHA512
e997acdf9d4c09a0e494feca55cbaa893b68388a86777b08e4e4785039db383f1c2a55177528c6be85ff58722126424c16c422d15df4fb2a2820a5570b6cebab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
6746cd25a48466955ada64c6a6d03955

SHA1
bd3af51bf5d7be0c502ff8be7132d8f2cd07f81f

SHA256
baf06cb6cfa9cbbfec769047898b371e3bad95d1655281133aa681afc0ef7883

SHA512
9c738b8302bb45920a0612ae136808165938512572dbfad48505175d9721ee21e0b29b08f055f4ba721c5390fd075d85f128513dabc680aa4b2d8ba3903d09b4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
24f42ba8e916a6bbee377850d690db0d

SHA1
460e9fdffa26e862cf6038cf7e33a8e9044ba237

SHA256
babaab5325f0262ddebab3c0262ca21a3cc8e9f706b2ce1ddf25547cadf297cc

SHA512
5ac8ed33b835f2c9b9a67e27d9afeb29250ec2926c8f6e59e32d31a0600a35d7b47671af46d68d84fd6b078215bd50b6d3093ef34212ae20df5ef1dcb5e26962

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bcedaf780d7c8914222ed9d481e6e8e4

SHA1
d25ff32b646c20f5679cc1ca6d3b70aca551b19c

SHA256
c075997f0d4aca693a0a1b11b3befc46e471fed1cfc02e582a67c9c14ff19657

SHA512
c078f875adf5afbe36a2b24cd5a4d187f3592c8131de56921d88b88abb9420aa4896f1f7a02cb2872e36a3fea0b9ab29047f008a3be551680fa07763337d63ef

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
55dff1e90006b80caec6fb63789656d2

SHA1
c0cdbe79ffd5ac5da0d5622152ede4165a655a89

SHA256
5d058569721c06b94cfb4b0309c9ba43efd94fedb4d14c321f9063ce643d2a3d

SHA512
ddbbe593afd99a65d911dd44a8e6bbaa94188a2079c9a4841311f455db726c2a8a0fb90241b9fcb27aa85aeb895c25a94a78cfdbf7f47a3ce749601fd7cf97f6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a8fef6ded33e295b20069d29110ce8c1

SHA1
8b6af55bdbeeb8662d11294a088d6f621534cce7

SHA256
f15371ce74c85d7fc11c23cfd1f8b0bc0cc0aa44f797ba75c22d4dba91694368

SHA512
cbef4559cee74031cb263ab3b890ba1d735e11fe141ac0b1d8172f4a84f75f3929f73e392dce27c53cf2e93bda8c810abf71d6e00472fd2d273fc01f881a5054

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
79c6c3b3765e95e5e353dc965430f68a

SHA1
fbc4012cb4dc3071432323dd0fdaad84ce920a9f

SHA256
facf8e06a46f367c0d11597f7aa46bdeafc6b58c9ab032b36623122ac00f8cd1

SHA512
3878e7592f69e609e786d30a63a8132f00f3868dfd6c4cddef410f3b4f154b0124e201b669cff1c67db968ba7e8f0d3967fe5092bc7414d8aeeedab8926070dc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
22f25b34419fb8ddf836bd1601884445

SHA1
e7954e7b52adcf9454a68f3978ae9b65b7982806

SHA256
0fe2a86b6b6906a10ddc609672aa42cf0216388f27f60daf04aa144812b4351b

SHA512
6eaec9afabd253e4527b4abb3eef2e3929c64f345af0ed7c1a6e62912e5f7ca8fb4698d158b83025b3b8888008a20dc0247e624ffd80b18b86ca5094300aeaf5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
72f2f394964dcae10db857d3eff053a1

SHA1
9d5bfff740bba6b4d15589a57020d95707351834

SHA256
ba02d2fef1c3115a79efd9cd1a94284d2f9dd9a7a6c1071ae2a98b58975fd119

SHA512
460313ac444b62ca5e524fc2a3fa0b3a9c85d0f7ee88291ffa2355526d8cb6f50d3ce43f21779cada3bce651d55b1fe231452cbc773d77aca04aad2129e1c08b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
39a6bc8952054cfa143f5dec5c8aa1da

SHA1
101d446491f02c708433a64f2c25fc753bb8d7ed

SHA256
aca13bb12e2da81ea5c237c02eb9bbc91fd230a5bd538e9e3965f94df7e2abbb

SHA512
04081cec411fa9d8a0d7b5f0efce0f55f0c09f3fa549049b75902cf4814aa6f699d03e97c650166c1b85f8831ebcd27ae3600911b458401c7e348094b057afaf

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5f451087d73ecdc7741ea4e2c53e058b

SHA1
aed625d8cfbb2ac2fd688126c3ef408db20bb179

SHA256
2bbcac4cab51990c2b0c0feca6851c2e4774576d6019593d105ad1c981a890b7

SHA512
d11fec162aac2dc9074bc3c2fd519900db4c3f2fa8dbc43cd7a4c8c4d763fb7a31ac5a36073ed3d896d66529b2972b0d6afdecc02f068310f051f11fddad00cc

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
11667cb7ef87aa3d6bc255b3b29dfc5e

SHA1
deb4b0c73331315a21fc0e7f7462b508aff3d1b6

SHA256
7772a4e2f20c7c2f99d494aacce8754b595099d6f74354cc9c97d7dbf023533a

SHA512
993baafc1fb833879e2e3d6faa70d9e7854f4d9b19bdacf627b020f089805c7275236e7e5f8db8026495359b316929205adabbd84a204d103c218a458f8aba5d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f377319e892fddca2116adfc89cf205a

SHA1
7d8e44eeb0b730bb81e92e09ff95675bf7c9fe9e

SHA256
6f24f644ec58e19aed25774696c5d0dd746fb7a710458b18155a1157b5a9fb67

SHA512
f61e9abc8737db51a6e25dfc6782f6e1462419162f089c747d8d73bc53558b1815f721018470ee7c6535fd3a978ebbf5c248635435a273321237b548db5c731e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
ef9322890e4d44660f3cf66c1b9765ff

SHA1
b00008e73f6a1d8e9d1d3185451eee72bafe22c3

SHA256
e09b6bac125ff66cad1723325042eabbcafadc0cdbf472ae2c260a9645b0b925

SHA512
ac7ffc8f7255783fa21316987a7d326d4c720e40ce1c6158cd6adb15289315add1346cec760b63ffc4a04cffc56afc452168fb7cd011350c103cac4875e8d64e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
36faf78e9dd538b3a70f03d2df2c3f11

SHA1
722a831c378d6e508e02afb0a8817a8e00ba41ed

SHA256
c6325c4f0eb736d229c840094a2ba67f02d0f5d34a3a925073e68b8f0bd1a6da

SHA512
4f25e0fefbc648d4364a831799eda2eb473c384e1cd9f22c5ac32f9c5931447f30965cd5bc995ed28f9b3ec44129f8218bf67f5b27ee0b9f4182d74c421013ff

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
7347c893c3e4c8fd40ec3259d874745f

SHA1
d793675e8b9c49cad84b1524e5ed9124f75cd13a

SHA256
492115122a31baabcdb6dae06c0e6af0235a38161bd063cc9825a06362c0e94f

SHA512
8cb4e7d041182cd808340076f80b530420b7f3aaeb92c1a8fcf0f57c47bb07e82290b9fb598d3c90e802fc75caf6606780ccfa5871ab5652f8d87894236b2406

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
6f8946b39d1ba1b6081d8e51b5265823

SHA1
da480cfbaf10c5d06eddba947093a897c505bcb9

SHA256
7512812cac35723d224632efeb35071378fa23ba1de1dca1293a9a2c7443a847

SHA512
71783a1d723dd146f556dfec3e48730b4ce06a58ca58c6fc4a9d8a2a46c68b41838bd75f150bf828a28cc328a6af99bdeab81d91761702d4bd63868b20bc65df

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7fdaeaa7fa74de21bb2104e4dd95a73b

SHA1
6c3e87fc2eac8377f22d877babfe05878ca0dd3c

SHA256
85e429bd7565a863c4999d0c5e6ba152e69faa266eb32d2f8dea038585f205d4

SHA512
69f7f5dcc32b79f072baa2348f10e63a3ba28447ce234bb3faf6d7f5bbca7852fb8a80388170b36cd1a24e55f1b7cb4316f4903da081549b03eb9e9c9eb95bce

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a4614997d740969caf9f84f236afe3d3

SHA1
6997e8e848207fccd4b3f644dbbdc30284e2f5bb

SHA256
e35e8410c22176aad97afe0d1a799b6652e1874c332d8a6b0d95e5dcbd0f0aca

SHA512
510d82e044d10bd7c3976f7d6ca8584050d2ffe6285f67ca4480345f002090ed26c3cb4e110f13a4eb0264cd6b445427fb922da1e85d1d488489b22202cf3395

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
80834e04e32070f1003bc4d33093028a

SHA1
431175ff41150189afa2887b57b1ddfe7ebd9448

SHA256
3f0e88ed612520fad9327ad9374cfb39595ede8bc9b0d7cfa404b0789687e451

SHA512
52f4ca123aae2e728014dcd9c1e499eadfeff4e9f2ecc90c47501c0b13366af73a8c310756c9b7cca796e6580621814fe4ccbba5852b2530e5032b64953f2e3f

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
4bedc880299bccdf8146f57775bf9e8b

SHA1
dcd4c4eff653ef8475e069f54532a3b3538238c7

SHA256
bd90b7fab9aa5a686094ad712b92be623b11a4b4897c0ed27bb397503bb11fc9

SHA512
0db97984ce89dc1e435ac691c287ee89db1e9887453fe51253c2ad940397c635f890558c623cbee188a0368be84fe45c84e587eb7cb65e9e98ad78eb67395cb5

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e82d1bf911bac9b8be0d2198ae0f7785

SHA1
2837119e15b4cf5f1d45afdd8df92de9fe577db2

SHA256
ef58a265dfe785ff1b5bac78129892a0c3ae36040769a5d6edb3495270beefd3

SHA512
4e082870f32aa66afaea5a55ff1fde36613bb17e257d676ffd16cc1ba1d7c67dd519514d51ffd9ad09df27cc7147ed68b927c6bff1965fa63f2f8c5b7e52f6dc

Download Submit
memory/292-237-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/292-378-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/292-383-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/292-244-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/588-172-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/588-179-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/588-183-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/588-182-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/588-232-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/588-185-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/588-171-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1028-403-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/1044-216-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1104-196-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1104-249-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1104-188-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1104-187-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1164-275-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1164-214-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1164-217-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1164-215-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1164-265-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1164-289-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1164-272-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1164-293-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1164-233-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1252-415-0x0000000100000000-0x00000001001AE000-memory.dmp

Filesize
1.7MB

Download
memory/1688-99-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1688-98-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/1688-128-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/1688-104-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1740-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1740-369-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1740-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1740-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1740-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1808-389-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1808-418-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1828-115-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/1828-116-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/1828-122-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/1828-151-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/2040-225-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2040-287-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2040-229-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2092-209-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2092-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2092-260-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2196-409-0x0000000100000000-0x000000010012F000-memory.dmp

Filesize
1.2MB

Download
memory/2212-281-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2212-279-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2216-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2216-160-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2216-153-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2216-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2256-132-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/2256-133-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2256-138-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/2256-208-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2280-387-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2280-376-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2312-295-0x0000000000170000-0x00000000001D7000-memory.dmp

Filesize
412KB

Download
memory/2312-291-0x0000000001000000-0x000000000112F000-memory.dmp

Filesize
1.2MB

Download
memory/2360-391-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2360-250-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2392-56-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2392-93-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2392-170-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2392-86-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2556-416-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2564-276-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2564-267-0x000000002E000000-0x000000002E14F000-memory.dmp

Filesize
1.3MB

Download
memory/2676-259-0x0000000100000000-0x000000010014C000-memory.dmp

Filesize
1.3MB

Download
memory/2676-417-0x0000000000580000-0x00000000006CC000-memory.dmp

Filesize
1.3MB

Download
memory/2676-407-0x0000000100000000-0x000000010014C000-memory.dmp

Filesize
1.3MB

Download
memory/2676-261-0x0000000000580000-0x00000000006CC000-memory.dmp

Filesize
1.3MB

Download
memory/2784-162-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/2784-13-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download