mylobot | 9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/03/2025, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

1.1MB
MD5

9e894f9f5fb995c45c026405c38cbbfe
SHA1

43814153b994f5fa0f0436f7acde3a4a8767ad7c
SHA256

9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac
SHA512

b8b66da6a85449e4e98c10781fef5b97b672e8543ebe4b1e0873056bf08c4ddfda166b8cf6e93485936a9177516c5d58d0f1d551d941dc41f277ccdb985bf57b
SSDEEP

24576:wQ818EiYTmp7kHizJyhZApJXNkNSvnTVUuJLinlyK5AFiogOj0SC3b:8Tmp7p6yd1vnteFL80Pb

Score

10^/10

mylobot botnet discovery persistence spyware stealer

Malware Config

Extracted

Family

mylobot

pqrqtaz.ru:9879

pickcas.ru:6464

quwkbin.ru:3496

rkbupij.ru:6653

pcqmayq.ru:3629

mmuliwe.ru:3541

stoizji.ru:5189

sfdfrhh.ru:3511

ynciazz.ru:4127

mkglhnw.ru:1946

njeeili.ru:9987

dldzeoo.ru:7525

tkbiqjq.ru:5145

uenosbl.ru:2935

faayshc.ru:9865

nttfazc.ru:6761

nfwsyog.ru:7172

uyfusxm.ru:7372

hxkclwx.ru:1294

zgoysam.ru:2338

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot
Mylobot family
mylobot

Deletes itself 1 IoCs

pid	Process
292	svchost.exe

Executes dropped EXE 50 IoCs

pid	Process
476	Process not Found
2164	alg.exe
2776	aspnet_state.exe
2648	mscorsvw.exe
1324	mscorsvw.exe
2352	mscorsvw.exe
1784	mscorsvw.exe
2064	elevation_service.exe
608	GROOVE.EXE
2412	maintenanceservice.exe
1612	OSE.EXE
3060	mscorsvw.exe
344	mscorsvw.exe
2240	mscorsvw.exe
2564	mscorsvw.exe
1732	mscorsvw.exe
2708	mscorsvw.exe
1148	mscorsvw.exe
864	mscorsvw.exe
2276	mscorsvw.exe
1984	mscorsvw.exe
2968	mscorsvw.exe
2420	mscorsvw.exe
976	mscorsvw.exe
1292	mscorsvw.exe
344	mscorsvw.exe
1624	mscorsvw.exe
952	mscorsvw.exe
2844	mscorsvw.exe
1236	mscorsvw.exe
2372	mscorsvw.exe
1120	mscorsvw.exe
2784	mscorsvw.exe
2360	mscorsvw.exe
2740	mscorsvw.exe
2728	mscorsvw.exe
2756	ehRecvr.exe
1972	ehsched.exe
2876	IEEtwCollector.exe
3000	msdtc.exe
2964	msiexec.exe
2288	perfhost.exe
304	locator.exe
2292	snmptrap.exe
2544	vds.exe
996	vssvc.exe
2904	wbengine.exe
2104	WmiApSrv.exe
2024	wmpnetwk.exe
332	SearchIndexer.exe

Loads dropped DLL 14 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2964	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
744	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{470F9403-7AAE-E63C-3EC4-1015D71B7937} = "c:\\programdata\\{DB1FBC33-529E-7A2C-3EC4-1015D71B7937}\\76a06cac.exe"	svchost.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\97bcb22b863d01f.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1560	2004	1.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000505c26dcdb9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\CLSID\{DB1FBC30-529D-7A2C-3EC4-1015D71B7937}\ = "1742834528"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\CLSID\{813A9BCE-7563-2009-3EC4-1015D71B7937}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\CLSID\{DB1FBC30-529D-7A2C-3EC4-1015D71B7937}	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1560	1.exe
1560	1.exe
292	svchost.exe
292	svchost.exe
2480	ehRec.exe
2776	aspnet_state.exe
2776	aspnet_state.exe
2776	aspnet_state.exe
2776	aspnet_state.exe
2776	aspnet_state.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1560	1.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2004	1.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeDebugPrivilege	2164	alg.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2776	aspnet_state.exe
Token: 33	2436	EhTray.exe
Token: SeIncBasePriorityPrivilege	2436	EhTray.exe
Token: SeDebugPrivilege	2480	ehRec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeBackupPrivilege	996	vssvc.exe
Token: SeRestorePrivilege	996	vssvc.exe
Token: SeAuditPrivilege	996	vssvc.exe
Token: SeBackupPrivilege	2904	wbengine.exe
Token: SeRestorePrivilege	2904	wbengine.exe
Token: SeSecurityPrivilege	2904	wbengine.exe
Token: 33	2436	EhTray.exe
Token: SeIncBasePriorityPrivilege	2436	EhTray.exe
Token: SeDebugPrivilege	2776	aspnet_state.exe
Token: 33	2024	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2024	wmpnetwk.exe
Token: SeManageVolumePrivilege	332	SearchIndexer.exe
Token: 33	332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	332	SearchIndexer.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeDebugPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2436	EhTray.exe
2436	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2436	EhTray.exe
2436	EhTray.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe
2708	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 2004 wrote to memory of 1560	2004	1.exe	34
PID 1560 wrote to memory of 292	1560	1.exe	35
PID 1560 wrote to memory of 292	1560	1.exe	35
PID 1560 wrote to memory of 292	1560	1.exe	35
PID 1560 wrote to memory of 292	1560	1.exe	35
PID 1560 wrote to memory of 292	1560	1.exe	35
PID 292 wrote to memory of 2004	292	svchost.exe	29
PID 292 wrote to memory of 2004	292	svchost.exe	29
PID 292 wrote to memory of 2588	292	svchost.exe	37
PID 292 wrote to memory of 2588	292	svchost.exe	37
PID 292 wrote to memory of 2588	292	svchost.exe	37
PID 292 wrote to memory of 2588	292	svchost.exe	37
PID 292 wrote to memory of 2588	292	svchost.exe	37
PID 292 wrote to memory of 2588	292	svchost.exe	37
PID 2352 wrote to memory of 3060	2352	mscorsvw.exe	43
PID 2352 wrote to memory of 3060	2352	mscorsvw.exe	43
PID 2352 wrote to memory of 3060	2352	mscorsvw.exe	43
PID 2352 wrote to memory of 3060	2352	mscorsvw.exe	43
PID 2352 wrote to memory of 344	2352	mscorsvw.exe	44
PID 2352 wrote to memory of 344	2352	mscorsvw.exe	44
PID 2352 wrote to memory of 344	2352	mscorsvw.exe	44
PID 2352 wrote to memory of 344	2352	mscorsvw.exe	44
PID 2352 wrote to memory of 2240	2352	mscorsvw.exe	45
PID 2352 wrote to memory of 2240	2352	mscorsvw.exe	45
PID 2352 wrote to memory of 2240	2352	mscorsvw.exe	45
PID 2352 wrote to memory of 2240	2352	mscorsvw.exe	45
PID 2352 wrote to memory of 2564	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 2564	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 2564	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 2564	2352	mscorsvw.exe	47
PID 2352 wrote to memory of 1732	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 1732	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 1732	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 1732	2352	mscorsvw.exe	48
PID 2352 wrote to memory of 2708	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 2708	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 2708	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 2708	2352	mscorsvw.exe	49
PID 2352 wrote to memory of 1148	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 1148	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 1148	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 1148	2352	mscorsvw.exe	50
PID 2352 wrote to memory of 864	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 864	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 864	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 864	2352	mscorsvw.exe	51
PID 2352 wrote to memory of 2276	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 2276	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 2276	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 2276	2352	mscorsvw.exe	52
PID 2352 wrote to memory of 1984	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 1984	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 1984	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 1984	2352	mscorsvw.exe	53
PID 2352 wrote to memory of 2968	2352	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Deletes itself
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2648

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 1e8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1e0 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 268 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1e8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 1f8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 1f8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 278 -NGENProcess 280 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 1e8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 280 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 24c -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a0 -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 280 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2064

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2412

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2756

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2436

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:304

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
a098620cf31cdffddb7b5fc88b6299a9

SHA1
0df8682d296e8211dbd5559e53270aa29ce815dd

SHA256
bba53539c41197403d3b1e6ea9317f6b3837f2aa57539201412f8cf4beec393b

SHA512
93cd97559a0072064c4ec826b414468728b977f80c1f790f7b5ab5e24b77d12145423d26d05e466a79c7215000577c616170c76bdc20cb37f1232ecce587022e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
4d7d67f2d11933961d336ff0f207070b

SHA1
e30a904f469f737f2bda35476d4b9747a2066a75

SHA256
12f1a8ca11114f6a290918026c749ea3e32a8fe334a8962e0eb1469655b60f51

SHA512
321c12065b59a141951b3a92a5f8df794f1019a2dab273e758565f1896aeddfd5126a0b6b6899a05e003998de79441f194765e4bd28ab2d592355b486eb91f44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
90a3670b3b0a49a9ab8cc74eeb8496a1

SHA1
4adad96df0c7376deb56c79640b15b02aa536ebf

SHA256
44bff25b00fbc26780559b44e543905ef740c003e982b16c0c903b619dbbaea8

SHA512
a5e030501153d098ee227477be1608498ddce5771a3580e80dee93011eb3098d6fb1baf94e904625562db489f9c53f0114d8bd93edfe0fec034a0743546e4542

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5c75b88ad507d91d578772477b14b2fc

SHA1
a61c9001c74062ba2f5041576ea7cc5b8f167b12

SHA256
bf0bf59d04e124487bb5167102b1d93ecc6ead244a080c420b3f4cc89838e483

SHA512
e2e7b16e7a1e960b52e658af40132c22b7415cd3b1bd9b34b40e2df526c0a7b2feb85bd35ac7532891f9fbf3d92fc008190f63f3e75a1dec784f30372c6931b8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
63ed9b1a53b30ed7eb7c0a785b53e54e

SHA1
fa9c84aab9d90b519041cb48f4f43d536080ef53

SHA256
acc7a05833674ee9d18dcc085ffdf887231c487f4627eb85fca7506abd184325

SHA512
0176fcf16168c740a2e6b384911a421a68391eaf2cc860dc942be929ac24f17d20a991632a1e906bf75144a5ea6fdce66d4586afe83da8342899adaed946cf7e

Download Submit
C:\ProgramData\{DB1FBC33-529E-7A2C-3EC4-1015D71B7937}\76a06cac.exe

Filesize
1.1MB

MD5
9e894f9f5fb995c45c026405c38cbbfe

SHA1
43814153b994f5fa0f0436f7acde3a4a8767ad7c

SHA256
9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac

SHA512
b8b66da6a85449e4e98c10781fef5b97b672e8543ebe4b1e0873056bf08c4ddfda166b8cf6e93485936a9177516c5d58d0f1d551d941dc41f277ccdb985bf57b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
5914db01210fd0bdc25fc928da028d9a

SHA1
319aa2f31677d59c1ff3a59e4b8fc81d0a9efbf2

SHA256
e30d5ceb97abffde74fff25b171cf75f4139a713649586cd55c1dd8d4b7ba080

SHA512
2db57274eec5422eeec00ac60f38506f7c905db4ff04feb188afd147d9be2e20a8623be0bebc7dd06090c5186f378c4ad1b1a6b35c49fcfb52fe1bf7d247b5f5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9071f8058e1108688b622e1fbc2f3805

SHA1
cfe6d657f4f672b375b2afbf950fe2204a2fad47

SHA256
6713d14ea98024a4293a1ce2022b2bddc4a22271a297a4c2eba47b0ba84709d2

SHA512
c211d1ef0dd8537011b40d5ab679dab9a2da017cde9b5472dfb862eb58f5ef0e33bf65978bf8d42a8421429c365891019432ec829daf09e180b84056f3d000e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
31d3f13b30197f05ddeceba296717230

SHA1
f3ec5f8031bcfe4142e87577ab839d3cbc811c85

SHA256
04f7304f630e183dfe82e87ca60ae64ad5f7b6cd3b732c2bcbc822dcd4b4f20a

SHA512
7cede6dfb855bf749dfe356aaca6a53576e716915e1481eaacbea834f7b8db6d7323a2fbc4b927668c5b6445d6c2f58c22fa41cc81f1ebbdbc22fc8169e5152e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
5a809caa775508f733b8f1c9098a5c08

SHA1
b9b7642bdd478af4cb5859777e0570534b41b7f0

SHA256
3ecf893cf0218f23be765b72041f1c4d722c5e46cc3e858f9633785f8d525b10

SHA512
bc14189d4339331e960aa679c3656bd31a18bac338c3ca0ed30542be4c44673102e0a2b6fe2aa018ad524c7c68febb8bd1afc3a1485d45d28dfee2230d5dc864

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a55b11d91545738947cb2a2467829fa4

SHA1
770334ef7feb20ab3f74448ccc1ea1c5a4bbd430

SHA256
0cbfbd086e3efaa2458a96a4aefee1f945a04fdd540d9cf85e748aedc1457244

SHA512
c6b1d2dfea15d2e44ac09023548d497a25ae018ff09786f0c10c003ba790680d63f5cb38309166ca9868f70494cdb38294cda3447344d7e7e9c27a379c0b3412

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c69ede1999c925517f8a5f485b63982e

SHA1
73638ce59ecaea97c73c2d458bda61f8daa68a58

SHA256
66a8cfa168e760d1e26f203513a09034cac7518bf450135c9403ff15d40f224a

SHA512
dcc7a7b34e1b5b8ba58548dcca9d799948198baae41137ec933ff2991fd5acfbba7609fd06b114aefc60067e936f5577e82bc4c01abb536de176322295e1f970

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
85c37c49dd43d424e59eea89b562cbfa

SHA1
46c89eb41fade78aae898a28f04cd20869fa2927

SHA256
72b5b20e6ab330bb8da5800b40111a50dd51f8f8a5990ac09298a386e154110c

SHA512
ce3716b48ab4e65320bc0826d6169621c262b97c10e7df357d1cc3fb86652df34a9dd701e15f1fcc2d0f3aad28e13c80b8c2b1f988036be3a31436861afc1af2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
cccd9918e89efd370c671b351c836fae

SHA1
026eef8fcdff737dd4854aa7bad58b50691d63c0

SHA256
7873a72557c1334785bbfd48e58f3f9c606f79cddf877409dd849f6c853df6ca

SHA512
e6ad739fd711d7db57b0d598a723393382cb3102b3d6d1a9c924897ea3050ced35dd95d6451837a95a5860ca4f89326f1d60a23425072b9d5bed2244dc1d68a5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b6be367aaf58adc11832fa8068fac6cf

SHA1
44d1b27ac778a8c14c2797a0104453fc3e7bf319

SHA256
a6493f7af34531765606fb30bb3ae2f1486f799da3dfddd72624ea43c790cd42

SHA512
730885b8817d0b918669886ed9d4d3d2bb3cfe189abad99dd84f6ca1673b9d851ac4fe3d41a09555343a7f3f7f84d743d381a88155935bc6d9023349f16b0a8c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3ae9aa7c670ed9cb280f3b2c6aa06c4d

SHA1
29180bc7a2997d9b8902db6a2b0b5aa3eadc5691

SHA256
f98cb2cd430f7e0d9c9326e781014f0f287c6b10d96f3a0c02cdc3a28954a756

SHA512
547c3d55fff4533dab75ba2f8c79d5aca08803325819235b2ed624934099b1e34108d81f9151429a003551def16ce6938a1db949240228d9adf4b4d3406b9429

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
b9d8f2d578676f4ed8fca7bb116bdd37

SHA1
d74f3968a4eb1b85d54130ec64ab932bf42f4d37

SHA256
cb9a26b441139b8ee44fad43a4eda134464d10ec2036f72491a49cbd8b309ce0

SHA512
fffe191139aa7a0d8423ddfefde33d7699d05fde4ad9bcf95f0c5c899fea4217475ab13e6c16fe1214dd98aaf5e0be0e2fc0e394e4d714a47ae062b08687882f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
1743ff3f1a723e06906b337272e95372

SHA1
d263f427f595b2e803adb2566a455675b11dd9eb

SHA256
393eba4d5218764544fd091b07c72f1f1bf17af3a99387b01252b29b161aeb78

SHA512
6b9156c175ccde3cced91aa22a0153a68f18d88c1bc19686ad869b26fd441fed1ee698660da6624f4548833f0fb42e33bbb9044848f64012e5799b79aeae5319

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
33bfeb00c04ba654b7cbe60f7b148f4a

SHA1
a351f1bc9d4342e4abd7e5cc08f50706439186be

SHA256
67731d8cb15c995d1cf8737cceb461dbf6b4fecc7482dccb5e16d07398c53746

SHA512
6d1e4cbf7999ac453ae1af37286e5ab508771880aa37d92538db5e4f8c719244d647cec322b7ec300ee0aad94e221535ccd73f8ce0ef8a28afceba1e69e4483c

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ebaa97b2fd2ab800fa6247c64521030b

SHA1
c3a7a6a5f1e5aefb9b2fcec09b501907d96149b1

SHA256
32cd4bf664af7207c5cea88fa6d2855790fd22846ddc934153d8e002ab7ea741

SHA512
b013a6590dec0c8550f5ea982e42b0132295fc893b17ca26841bf8bcbd28ee131780ab3c51b8c770c83406bc674e2d9a87442e28cea9a46b7b62bded6551e881

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f6d0cfd7408fd331eadc6f50cc1a1ff7

SHA1
9934170d8507345e25571fb261718a5e119f26fd

SHA256
4234c8cd986d81858216c947e89826f238b701c121efd0b178889f94aab55919

SHA512
2e1949784bf5a7ddc29d4664fe64f4e478a5338bb765af736c10b0f49e5dd04092d6ca6e1068eab71afd52560ef32d5e639864c516bd67748f7739146e8a484c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
6995f4b4a52cba992761fc5cfa15d731

SHA1
6c19634bdead25110015aabc6ea11245869191fd

SHA256
86d1337009dc28e99d02d0d69fea1cad542ab9edb46e8ca6eac75dad6a07a0a5

SHA512
21825e073bc5d26a080dacf59c509a5a26b5962e32f56d615fffb0822854d1b7029924b6eecf42bf4d59e62e9999f76452ca5010ff09186f268bb9c0c19bafab

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
361c017527468e81fbc7974fadefeb8d

SHA1
96618bdadca586fdd9173ceb387a11b8af0ac710

SHA256
3f04cf2f10154860a10f9d50aa975356b682bd757cab8f2f7409c6825b1cf806

SHA512
2e78317aafe9680e063b1a059e3186b487a8a5592ccdd505e45bfa7b78fb5efdf0287a2d689238653d118262165237ba44b3f08e08b380cee815782aede63dfb

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d355195f477b23676925c2e331bb5a36

SHA1
188f3eae86a12c0c1a1738d75d19553bd41911f9

SHA256
98fa0dccbfa9933156d9eef9366f5a1d3865257b040337ba225df65b04af97e8

SHA512
720480e66a475d62372f749bd971f3f6b1f2bbbd4a65cf0d0d24ff90d21ceba2087f990c1b410c1c383f80a38a691551e051323435f2ac9c4f04b15ef0fa4df3

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
3649b0bc1a621e62b94787ba48faaa41

SHA1
179cbb441093d54434c190fbe2dcee6fa1fdeb86

SHA256
676af97ca528f8e64518469c2e57448a72b497fd00f5f5db753cda21b578ed69

SHA512
130e05ef344d09424eb69bd9b96b64468e6115884f93f0862e73b5856f7c690e05b9ad5ca2aefd7544c98bbefa6c5f88b39dc1d9715af2509a3eb6b26da3c1e8

Download Submit
memory/292-101-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/292-102-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/292-87-0x0000000000110000-0x000000000022E000-memory.dmp

Filesize
1.1MB

Download
memory/304-941-0x0000000100000000-0x0000000100173000-memory.dmp

Filesize
1.4MB

Download
memory/304-758-0x0000000100000000-0x0000000100173000-memory.dmp

Filesize
1.4MB

Download
memory/344-380-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/344-532-0x0000000003CC0000-0x0000000003D7A000-memory.dmp

Filesize
744KB

Download
memory/344-543-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/344-391-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/608-392-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/608-173-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/864-464-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/952-566-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/976-520-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1120-612-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1148-453-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1148-440-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1236-589-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1292-531-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1324-76-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1324-70-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1324-80-0x0000000010000000-0x0000000010185000-memory.dmp

Filesize
1.5MB

Download
memory/1560-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1560-62-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-190-0x000000002E000000-0x000000002E193000-memory.dmp

Filesize
1.6MB

Download
memory/1612-417-0x000000002E000000-0x000000002E193000-memory.dmp

Filesize
1.6MB

Download
memory/1624-554-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1732-418-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1732-430-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1784-141-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1784-359-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1972-927-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1972-955-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1972-693-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1984-486-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2004-44-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2004-6-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2004-8-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2004-5-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2004-68-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2004-0-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2004-78-0x0000000005390000-0x00000000054B2000-memory.dmp

Filesize
1.1MB

Download
memory/2004-121-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2064-379-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2064-160-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2164-142-0x0000000100000000-0x0000000100182000-memory.dmp

Filesize
1.5MB

Download
memory/2164-22-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2164-14-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2164-13-0x0000000100000000-0x0000000100182000-memory.dmp

Filesize
1.5MB

Download
memory/2240-393-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2240-405-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2276-475-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2288-741-0x0000000001000000-0x0000000001174000-memory.dmp

Filesize
1.5MB

Download
memory/2288-933-0x0000000001000000-0x0000000001174000-memory.dmp

Filesize
1.5MB

Download
memory/2292-942-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2292-770-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2352-99-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/2352-94-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/2352-93-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2352-353-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2360-621-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2360-627-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2372-587-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2372-600-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2412-183-0x0000000140000000-0x00000001401A8000-memory.dmp

Filesize
1.7MB

Download
memory/2412-187-0x0000000140000000-0x00000001401A8000-memory.dmp

Filesize
1.7MB

Download
memory/2420-492-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2420-509-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2564-402-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2564-408-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2648-38-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2648-39-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2648-47-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2648-150-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2708-420-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2708-434-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2728-655-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2728-641-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2740-639-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2740-650-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2756-992-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2756-671-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2756-913-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2776-171-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2776-27-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2776-28-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2776-34-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2784-624-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2784-610-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2844-570-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2844-563-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2876-928-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2876-987-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2876-708-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2964-734-0x0000000000580000-0x0000000000710000-memory.dmp

Filesize
1.6MB

Download
memory/2964-930-0x0000000100000000-0x0000000100190000-memory.dmp

Filesize
1.6MB

Download
memory/2964-931-0x0000000000580000-0x0000000000710000-memory.dmp

Filesize
1.6MB

Download
memory/2964-733-0x0000000100000000-0x0000000100190000-memory.dmp

Filesize
1.6MB

Download
memory/2968-498-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/3000-711-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/3000-929-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/3060-367-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/3060-371-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download