a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
Size

1.8MB
MD5

ed34b680cf2b4103d23428eb4b766855
SHA1

fc86edf6657ac81d58d1612de7088cc0bd60ce87
SHA256

a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466
SHA512

ee70154b74872c3f0c11a59c58def5bd8133e3157ccf39903bb28e35c4c96847678ae489c4e7be174b0ca597ca809b97de6b48eb1189d51b32300b91baeed85c
SSDEEP

24576:jdFIeHFlGYDAnNQu49sfO+sKK/kMyRZybL0oDMXLHFkY07Vr68KZ:jAyXUGu490TR44XrT07Vr0Z

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
476	Process not Found
2556	alg.exe
1656	aspnet_state.exe
1692	mscorsvw.exe
1244	mscorsvw.exe
316	mscorsvw.exe
2868	mscorsvw.exe
2968	ehRecvr.exe
1904	ehsched.exe
1428	elevation_service.exe
2204	IEEtwCollector.exe
2420	GROOVE.EXE
1632	maintenanceservice.exe
2052	msdtc.exe
1676	msiexec.exe
2116	OSE.EXE
2108	OSPPSVC.EXE
2416	mscorsvw.exe
1692	perfhost.exe
2872	locator.exe
3024	mscorsvw.exe
2360	snmptrap.exe
1984	vds.exe
2176	vssvc.exe
2212	mscorsvw.exe
3068	wbengine.exe
1324	WmiApSrv.exe
2964	wmpnetwk.exe
2584	SearchIndexer.exe
2668	mscorsvw.exe
1480	mscorsvw.exe
2888	mscorsvw.exe
3008	mscorsvw.exe
2552	mscorsvw.exe
1088	mscorsvw.exe
2636	mscorsvw.exe
2656	mscorsvw.exe
468	mscorsvw.exe
1316	mscorsvw.exe
2592	mscorsvw.exe
1548	mscorsvw.exe
3064	mscorsvw.exe
2156	mscorsvw.exe
2604	mscorsvw.exe
1632	mscorsvw.exe
3028	mscorsvw.exe
1788	mscorsvw.exe
2292	mscorsvw.exe
2024	mscorsvw.exe
1928	mscorsvw.exe
1536	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1676	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\95e66e1cd03a5d9e.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	AddInProcess32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\locator.exe	AddInProcess32.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\msiexec.exe	AddInProcess32.exe
File opened for modification	C:\Windows\System32\vds.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	AddInProcess32.exe
File opened for modification	C:\Windows\System32\msdtc.exe	AddInProcess32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2768 set thread context of 304	2768	AddInProcess32.exe	39
PID 2768 set thread context of 1960	2768	AddInProcess32.exe	66

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	AddInProcess32.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	AddInProcess32.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	AddInProcess32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	AddInProcess32.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	AddInProcess32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	AddInProcess32.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	AddInProcess32.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	AddInProcess32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfrgui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a00f56366de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080a113346de8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060d5a4346de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
1616	ehRec.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
2768	AddInProcess32.exe
1960	dfrgui.exe
1960	dfrgui.exe
1960	dfrgui.exe
1960	dfrgui.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2768	AddInProcess32.exe
304	EhTray.exe
304	EhTray.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
Token: SeTakeOwnershipPrivilege	2768	AddInProcess32.exe
Token: SeShutdownPrivilege	316	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: 33	304	EhTray.exe
Token: SeIncBasePriorityPrivilege	304	EhTray.exe
Token: SeDebugPrivilege	1616	ehRec.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	316	mscorsvw.exe
Token: SeShutdownPrivilege	316	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	316	mscorsvw.exe
Token: SeRestorePrivilege	1676	msiexec.exe
Token: SeTakeOwnershipPrivilege	1676	msiexec.exe
Token: SeSecurityPrivilege	1676	msiexec.exe
Token: 33	304	EhTray.exe
Token: SeIncBasePriorityPrivilege	304	EhTray.exe
Token: SeBackupPrivilege	2176	vssvc.exe
Token: SeRestorePrivilege	2176	vssvc.exe
Token: SeAuditPrivilege	2176	vssvc.exe
Token: SeBackupPrivilege	3068	wbengine.exe
Token: SeRestorePrivilege	3068	wbengine.exe
Token: SeSecurityPrivilege	3068	wbengine.exe
Token: 33	2964	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2964	wmpnetwk.exe
Token: SeManageVolumePrivilege	2584	SearchIndexer.exe
Token: 33	2584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2584	SearchIndexer.exe
Token: SeDebugPrivilege	2768	AddInProcess32.exe
Token: SeDebugPrivilege	2768	AddInProcess32.exe
Token: SeDebugPrivilege	2768	AddInProcess32.exe
Token: SeDebugPrivilege	2768	AddInProcess32.exe
Token: SeDebugPrivilege	2768	AddInProcess32.exe
Token: SeShutdownPrivilege	316	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeDebugPrivilege	2556	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
304	EhTray.exe
304	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
304	EhTray.exe
304	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe
1284	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 2956 wrote to memory of 2768	2956	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	30
PID 316 wrote to memory of 2416	316	mscorsvw.exe	49
PID 316 wrote to memory of 2416	316	mscorsvw.exe	49
PID 316 wrote to memory of 2416	316	mscorsvw.exe	49
PID 316 wrote to memory of 2416	316	mscorsvw.exe	49
PID 316 wrote to memory of 3024	316	mscorsvw.exe	52
PID 316 wrote to memory of 3024	316	mscorsvw.exe	52
PID 316 wrote to memory of 3024	316	mscorsvw.exe	52
PID 316 wrote to memory of 3024	316	mscorsvw.exe	52
PID 316 wrote to memory of 2212	316	mscorsvw.exe	56
PID 316 wrote to memory of 2212	316	mscorsvw.exe	56
PID 316 wrote to memory of 2212	316	mscorsvw.exe	56
PID 316 wrote to memory of 2212	316	mscorsvw.exe	56
PID 316 wrote to memory of 2668	316	mscorsvw.exe	61
PID 316 wrote to memory of 2668	316	mscorsvw.exe	61
PID 316 wrote to memory of 2668	316	mscorsvw.exe	61
PID 316 wrote to memory of 2668	316	mscorsvw.exe	61
PID 316 wrote to memory of 1480	316	mscorsvw.exe	62
PID 316 wrote to memory of 1480	316	mscorsvw.exe	62
PID 316 wrote to memory of 1480	316	mscorsvw.exe	62
PID 316 wrote to memory of 1480	316	mscorsvw.exe	62
PID 2584 wrote to memory of 1284	2584	SearchIndexer.exe	63
PID 2584 wrote to memory of 1284	2584	SearchIndexer.exe	63
PID 2584 wrote to memory of 1284	2584	SearchIndexer.exe	63
PID 316 wrote to memory of 2888	316	mscorsvw.exe	64
PID 316 wrote to memory of 2888	316	mscorsvw.exe	64
PID 316 wrote to memory of 2888	316	mscorsvw.exe	64
PID 316 wrote to memory of 2888	316	mscorsvw.exe	64
PID 2584 wrote to memory of 1340	2584	SearchIndexer.exe	65
PID 2584 wrote to memory of 1340	2584	SearchIndexer.exe	65
PID 2584 wrote to memory of 1340	2584	SearchIndexer.exe	65
PID 304 wrote to memory of 1960	304	EhTray.exe	66
PID 304 wrote to memory of 1960	304	EhTray.exe	66
PID 304 wrote to memory of 1960	304	EhTray.exe	66
PID 304 wrote to memory of 1960	304	EhTray.exe	66
PID 316 wrote to memory of 3008	316	mscorsvw.exe	67
PID 316 wrote to memory of 3008	316	mscorsvw.exe	67
PID 316 wrote to memory of 3008	316	mscorsvw.exe	67
PID 316 wrote to memory of 3008	316	mscorsvw.exe	67
PID 316 wrote to memory of 2552	316	mscorsvw.exe	68
PID 316 wrote to memory of 2552	316	mscorsvw.exe	68
PID 316 wrote to memory of 2552	316	mscorsvw.exe	68
PID 316 wrote to memory of 2552	316	mscorsvw.exe	68
PID 316 wrote to memory of 1088	316	mscorsvw.exe	69
PID 316 wrote to memory of 1088	316	mscorsvw.exe	69
PID 316 wrote to memory of 1088	316	mscorsvw.exe	69
PID 316 wrote to memory of 1088	316	mscorsvw.exe	69
PID 316 wrote to memory of 2636	316	mscorsvw.exe	70
PID 316 wrote to memory of 2636	316	mscorsvw.exe	70
PID 316 wrote to memory of 2636	316	mscorsvw.exe	70
PID 316 wrote to memory of 2636	316	mscorsvw.exe	70
PID 316 wrote to memory of 2656	316	mscorsvw.exe	71
PID 316 wrote to memory of 2656	316	mscorsvw.exe	71
PID 316 wrote to memory of 2656	316	mscorsvw.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
"C:\Users\Admin\AppData\Local\Temp\a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 260 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 258 -NGENProcess 264 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1ec -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 1ec -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 27c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 27c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 25c -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\SysWOW64\dfrgui.exe
  "C:\Windows\SysWOW64\dfrgui.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2204

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2420

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2052

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1284
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
34240f5a53084b7e38ce0650167c2e42

SHA1
bbd190753913c028a5b498c495fd4c48e59470c3

SHA256
1b90f1c0d1d62f5992fefaa8ec57801149be6eb5a06c9aded45ce1903ac2358a

SHA512
62ea1bbb200654b16dea66fdfeb00a9d4501ae2ec4546e704745bbaf148e7bc7aabb8f1c4130322cfe59644e116ce43b8a4082b50a81de552ca393f4e9f42e2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
922e8e81eeeb47beb42c09fcae658bd6

SHA1
787e327bf16b1480b183631b780f9e0efbbb9994

SHA256
99901346163be7d7f052ad56d7a50714f852e5c878c53caf85a5d18e22da8ce5

SHA512
167baf8954f8398f98357677c9cf47c29e4ff6ed162e3c4afe8065224e774ea41adf95952be48650d3c57ef4a0f62d3160465e1e98db05b7ad5c2e421bb12b16

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
69810a1dcb07234be9f72ed0e1b8745b

SHA1
5e9de9d96ff770116ccf29164db8b8852a97bad0

SHA256
1370c43a44fcba4f11948286d8d865bf4040d8f31ea34f0a2c3ad6e56e23df3c

SHA512
561b23ee75f6b6f690780c9b11ec075bd0c8746576299ce19e4dd71fe92dc2f7dfe352a1d18c74ea94772afe5cf150e4b0f69030ec390eb0e8b0375ed631dd99

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
65d12184918422f82f9edcafbe0c875c

SHA1
9744b1e60b04339e06befdb454eaafac693c64d2

SHA256
3d0941f62515443f3b285b3b6fe3782148b61937c9713432c3220b75fd4f8fb9

SHA512
a2658827960e6ce9f0b1c732a49a8222c97d3f0e9b7a831d933817c2365e88e47626b08b475896aa4221dd16f87ad13a9b2e9e67e82cc615dc3bdb8f570bed3f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2cc2ce3d0a09897c784ca4afe1e7b208

SHA1
baa508743c577c6b85245b0c0956e89abe6dccd8

SHA256
4063bcf9b15ddf4fbf41fcfd7d89584ea446c4247d489b26e254ecdadf230525

SHA512
e227697040f41ea58379d5bb5f62838e7282d089a49ddaf658a8628182f19e5d0eae202a8885433cb50236a5badd8b8dc3f201aeeafbb232c9ccf333c69d786f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a67b918178592db4cdf944747cd50070

SHA1
a1e78225281a6d329b1607a70389ca96053d3089

SHA256
90354ac5db94dd9ec6237ce94823263c72cedea82677e7c64fa20b21a8ccd46d

SHA512
0f485e947f629dd7bbac6a1152966a75d8ff44a6522c66a36930d28a529eaf74982deae4862c24866828222f6b2e6a9f0a61e9b22a01b1b4d49f93865cabd1c9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
84ca72efbf79e289bcc90292b8a5580b

SHA1
e1246a230739351a44850d75a27bc8052a9462bd

SHA256
9c7bc0480510edd003dc9ee6c8b9cbd42301900b8dfcafc18698c896db1aea1e

SHA512
4d037f7fea337a3343456a7c5a7253f38e479faeeb260a189877c752941f81dc6ff55a1087a78f53251428c49979f4f5fd57580cecb4ce146323b4060df0f877

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b4edbf0b6369d67007be9a1a8346092c

SHA1
a27965fbefc348050645c89edbb1ae535fe32dad

SHA256
e28baaaa53c582c337dae39c20a9b27bd13a58285c9893b26a5c82bb634c7ede

SHA512
1cde7e45eb2614ea9e003136dd980999c1633e06385c39a8ec41db14792dec63b75457aba36db40d178f7cbab56a8d220293955676e4571485490ff62b3a1b35

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
1513220218a664a9f22ab9d0732fb544

SHA1
aaf84d16968223231063e06050980a2a806f7358

SHA256
185ae1458b0399cf26de0968bbddfe8c7c5ce64f97d5a1ae3c8bdc87cd34e719

SHA512
2a8c5d758b14ebca6561549b80f4cdb5a24b959374a097f3300d7b9404cee794eeae082a962fc3a128e639c5f543d2fc4df1eb90ecd9ee95aa9db81b73646fc9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
3608c84be970dda1aff716d31f075945

SHA1
7d23bb659383ace51aab271e269b392dc9996626

SHA256
a75598fd3aa89aa45f3ee2d827fb923261ae0832c50651ca94c501e30c9404d7

SHA512
c5d79603b3873110176a5c88b12f3866624475c3fd578bcee3043f489e02e89fdde9ae6a1642bd7f7d1957bd04c53256834654dcca5b58d9b871e4521c4182a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2f06ead7d467f4504b9413039bc1c010

SHA1
7a288b26c4c7215ebaf01e18a2ac7b972b42c04f

SHA256
13c464b9c9c7b645ef2cc1a455b7fdea3f05dead598f3724656c1703a05411c0

SHA512
116162c817f362cdb5cc8be8adaa7cba5e7d2fb57dee10935e8aa25f7175002b124aadab8108ae360ad353cff8eba76e311fd30944e1d74e7cd269c847a5ec35

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
292ffb5c25850485faae95aefe78ce2f

SHA1
09b9d77035604ad4f50ffb781660365f868a2f05

SHA256
c77646f5d73d5e1c7d8640159e5cc598c0550ed619421b13139acb3ef7a29b6e

SHA512
cab4f870b2265264edb9a7d26863a9ac5e9edf24adf539f259cdc3f7866edadec3be4e807afebfba59ef6958f9ce99723624b093425eb97c8f7c85bd2702a3e7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
06f72048192220ce8ae2a80225fa6e07

SHA1
440bf003622634f67ef1f5b8c76a2ddc13ef9a7d

SHA256
9e89161978a5c1c509fc50b5f8b60da57d10045f4aeeb927a140c2438447bc7f

SHA512
e4f908094d01792286db825a80f0eed56792b6da3540882504ea6892ad61d03e33acb54cf9d9d357a3b526b2520204eb644dbbe974393eb4bcf9adef1030c95c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
ab759e4a7a78d7f872966a2a3f87df90

SHA1
a82b40a832e51b0a36825009bd809963168ca991

SHA256
e5554173378360eb817e8c66debb3de03f15451900a248f870bd870e1037a151

SHA512
17be5458cfe1b3ee90063bcaa704aa457a2d2329dd8f9f43db7dbf5f96614cafd3b9ae3c3d65315a5dfe34e5f8596040a082f5112fd6bcbd511c97b9c54c5a3d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d782f2e3037c91cb100948f4c2a347e9

SHA1
ebc1dac8f616324cc5ef6393c841f429f0e8980f

SHA256
0009d3243dde30d70f3b2f0ee8308e1cf11d97a2c9cacc8aa3f75506e0b54e08

SHA512
b6eaf4dc4ba8cbf070c995c3fd91926b1d4873c5c5263cd85434a3c112b6f94a3461f11eb222688fa7eda8772a9adc730d8966d3df65db866c010cec8324d520

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
0363e05b97d62af3a5251481aea81273

SHA1
c48fe170f8941887400ba299c24780e28f468558

SHA256
4205ceb178eb6256683c39039a6b83a0986dafdf9cf9b03e4b29add59af4dfb1

SHA512
1787e7e3e739781b7cb2a78398d3db061f4938b6eca2650d1e7dcd1d1d871772a23c7f9a292aadfb6033e35eef051b8bab6fd118285b53ae08b7a9679a40e494

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
0a293e49a6468810a28a40d303bdfb84

SHA1
627258583dfaa36924c28e9e346f1cdb56150b1f

SHA256
384b3bc9d7a9ab5fa45b750d8aaad215b1e5d44b3811fffe45aa8274cf2206c2

SHA512
6fea8aa68c25c61ee6eba3258f76548eb3829c6675eaa650da74a6c8206d806724ff5002fe9ffd70708edd2d5968e319bb3912652ec55dc547759c0cac6d1703

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.6MB

MD5
d3011de2139eb0aa7bd025709dba29d8

SHA1
1ca93177ab9028aebd88cad6e60afe91bb088d04

SHA256
3adb6743b8442d078786045bc4bb771d103b59917f3be1f19df1269ec2249c5b

SHA512
3c55a9d62e76d9129863764ba3b0106c4fa8d52b82447c96e88319af28fb65aef2d56cc0a79462148a36e3f33addad219fd17235a8ab3242b5c4976c370b6432

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
31ce2b1d23cbc16e5be748a490a8f490

SHA1
636d6527c655b5f8cb550ddd55b31ee6537c561c

SHA256
b51172214d8b11f722f3d3b34373923c986f21300d52cea608c7d8f6b4ecce11

SHA512
1fb6a8c772bab3ff1b55c41d9cfd662948c141f2b3a7c56a1de0effc6c9d0d9c737606ec921354c179604dfe1ee536c6c87a1277c0dac8c104f119d098abee30

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
a8655b35b665b25818c4df765cabb78f

SHA1
508bfecec14fcb6c70bf246ac79df90b5b221f48

SHA256
6feeb3ee2b188df5466a25f9a022c1b8a3dd192c12f40a8b916ed53c0a3501a1

SHA512
ce6b71c49dce838dd6e66530c9f8add5920d5c5edc54775c89ee2b4fc364af2181b5287c57052304090ad7ba714c05205c24b6a7f3f616c2b3a3d2e83505d6c3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
b55c6d36f8c90210324dc2f58b4cfd3e

SHA1
b57892334349786f88a8f4a5205692cfc5bdee91

SHA256
163dafc7385f7e5111e202b551b468bb0cab001b1ad4d17c78ec421ca89758fc

SHA512
9e161bd8b1265297a1f31a38fce7ed72bf1df1d14fb5f295f64b65e0a6cb2637b54d549e24293612ae51361c237f3746bc544699ecabb6f8c93727c40f912a39

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
bed287fee96ec3cafaa0b4c4c68a999e

SHA1
aee4f96c9724ab1e96d1013f2f306cf390204292

SHA256
ef2a4519c07758f4224d045d1c40aab5896490c7bc1378f94c28bc88d9a3f152

SHA512
c652cfa9d4d58c8fbaadbdbbbf3af34c334d79c53153e1f7753f5b519e2faada79c50eefe3f3234c1f9c12225a4ad46d5b9aaf193f0dd3fadc629e3d074ceee1

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
e5b0f8449f678d608b1d8a2995208a7a

SHA1
9333f3178522d7b2a453ef2c683b1e6f430b0a8e

SHA256
d1257b5884b7c2a86eee1c39a526ea7cc446ba493e5ad29197248f039befc067

SHA512
56244fe2b3075572d6ad324ded8c5af37a977ed00337c08e4a85a23a9d3259195829571e4006c71139f6c907795826ef2d103585a38d6f8462580ce01d83099f

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
5fb7201666f8d928b0a4065dc3097f2b

SHA1
23e67c61cf160e8b802da699d65da7e5dadc3e6f

SHA256
7c76627b4c061dff81717a949a0753ca9c475bf2e9ffcb69a8e45a1841b0ea4d

SHA512
e193b008a4870dab67cbe9853b993c0f2b0ed9c1cb6dbb8d49e007cabc1bb5a4111eb507ee2f97fa2b46ba5a82871ea46ed953059192bcdf8eb1bf2526921c94

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
cda8c2c60b5b22e7da352656ca459e3a

SHA1
6654d27878e7b6457ed8417318306f8ac98b420b

SHA256
5f9c98318ef02d7adae6e705d4f424b522437493197730a338629f45522db132

SHA512
2efa642fd234dcbb1c9e0c96592963fa30d28733c26d2f255c3fd5bc1ce93beaf223af9a3ff54571dc24c61a2db1330f20dbe2d1b4f32423e45168063522e143

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
a04f17670b24ceafedc41d73f93fbd98

SHA1
445c4485424c939379c6c6860713063b5fa3ad87

SHA256
cac0b261393e9303c3179959288186beb23e26205559f64af04a2f9723ee0a9a

SHA512
33551e63c6940764b2221704eacea587cbd1ce9da13baebc55af021319eac0a8616f8ccb28cf31c0310d61ff1c9210ae02ca43a85a701b9c5d0236fdb800ae03

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
900180840d633950ca99b4c8c475387a

SHA1
02fa57df26608a569ca61bc550151bac1d24d72a

SHA256
cf7b4a269775c456a7ddaa50468a4f36cb9e8652b30a7a2c593164fcefdee7cd

SHA512
aa9aa088301ec69b9b6c4e1ac6efc42b17e6dbeed6d22b5ae777753a495d23583964607ce1a07360d2499ecca3352056b8a7703478513b3f3d5791c39c4bef0e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
5c1345a3df9b1bf50f4959970304bca2

SHA1
40b81382f065025101c9370c0231e870a8ec61c9

SHA256
7ec33ed5e10988df69a8799c11a5ed9cae4a7175926deaa45bb66481af9071c4

SHA512
af780ceaacc6fdc6993a50957849183e3998d9ebccfadb8ebc220fc4e3683b028777eacbae4320efcac5ce4a99425a8b7e81e1845f506703af4c7f8f2d1c72b3

Download Submit
memory/316-92-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/316-90-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/316-85-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/468-750-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/468-735-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1088-722-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1244-75-0x0000000010000000-0x000000001012D000-memory.dmp

Filesize
1.2MB

Download
memory/1244-97-0x0000000010000000-0x000000001012D000-memory.dmp

Filesize
1.2MB

Download
memory/1316-760-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1316-751-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1324-736-0x0000000100000000-0x000000010014A000-memory.dmp

Filesize
1.3MB

Download
memory/1324-364-0x0000000100000000-0x000000010014A000-memory.dmp

Filesize
1.3MB

Download
memory/1428-293-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1428-155-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1480-626-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1480-441-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1548-776-0x0000000003C80000-0x0000000003D3A000-memory.dmp

Filesize
744KB

Download
memory/1548-780-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1632-207-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1632-190-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1656-189-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1656-56-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1676-235-0x0000000000590000-0x00000000006C8000-memory.dmp

Filesize
1.2MB

Download
memory/1676-362-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/1676-363-0x0000000000590000-0x00000000006C8000-memory.dmp

Filesize
1.2MB

Download
memory/1676-234-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/1692-95-0x0000000010000000-0x0000000010125000-memory.dmp

Filesize
1.1MB

Download
memory/1692-65-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1692-270-0x0000000001000000-0x000000000111C000-memory.dmp

Filesize
1.1MB

Download
memory/1692-59-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1692-418-0x0000000001000000-0x000000000111C000-memory.dmp

Filesize
1.1MB

Download
memory/1692-64-0x0000000010000000-0x0000000010125000-memory.dmp

Filesize
1.1MB

Download
memory/1904-280-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1904-660-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1904-141-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1984-667-0x0000000100000000-0x000000010019A000-memory.dmp

Filesize
1.6MB

Download
memory/1984-321-0x0000000100000000-0x000000010019A000-memory.dmp

Filesize
1.6MB

Download
memory/2052-348-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2052-204-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2108-382-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2108-246-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2116-349-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/2116-245-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/2176-342-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2176-690-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2204-307-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2204-168-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2212-426-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2212-343-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2360-662-0x0000000100000000-0x000000010011C000-memory.dmp

Filesize
1.1MB

Download
memory/2360-310-0x0000000100000000-0x000000010011C000-memory.dmp

Filesize
1.1MB

Download
memory/2416-257-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2416-309-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2420-320-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2420-178-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2552-703-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2552-691-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2556-50-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2556-43-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2556-167-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2556-42-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2556-49-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2584-761-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2584-389-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2592-762-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2592-775-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2636-737-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2656-738-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2668-451-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2668-419-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2768-37-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-15-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-24-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-11-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-9-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-17-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-26-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-35-0x0000000000140000-0x00000000001A7000-memory.dmp

Filesize
412KB

Download
memory/2768-28-0x0000000000140000-0x00000000001A7000-memory.dmp

Filesize
412KB

Download
memory/2768-154-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-19-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-36-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-153-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-13-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2868-108-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2868-112-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2868-102-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2872-283-0x0000000100000000-0x000000010011B000-memory.dmp

Filesize
1.1MB

Download
memory/2872-440-0x0000000100000000-0x000000010011B000-memory.dmp

Filesize
1.1MB

Download
memory/2888-678-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2888-609-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2956-27-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-8-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-2-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/2956-3-0x00000000049B0000-0x00000000049F4000-memory.dmp

Filesize
272KB

Download
memory/2956-23-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-4-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/2956-1-0x00000000002D0000-0x00000000004AA000-memory.dmp

Filesize
1.9MB

Download
memory/2956-5-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-6-0x0000000000580000-0x000000000059A000-memory.dmp

Filesize
104KB

Download
memory/2956-7-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/2964-383-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2964-749-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2968-269-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2968-118-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2968-124-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2968-126-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3008-682-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3008-668-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3024-294-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3024-345-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3064-788-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3068-702-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3068-350-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download