ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05

Analysis

max time kernel
134s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Size

622KB
MD5

a84d3e42fe54fac3f98c067261573a7c
SHA1

8001b05bd0db379de0ca7b0bb27356179296852d
SHA256

ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05
SHA512

5892caa035475b4ec5fd50bdd996955e6d6b7f8a0a39abb6b6f6621801b10e7444970c7d667ec48f2d758b0c57198062a49889c2feb28534bef43083ffab591f
SSDEEP

12288:EueFqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+yQRi/o:EunSRQ5UOOU62FBnO+E222YJbNEUQKGg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
480	Process not Found
1572	alg.exe
2808	aspnet_state.exe
2508	mscorsvw.exe
2492	mscorsvw.exe
2736	mscorsvw.exe
1800	mscorsvw.exe
2652	ehRecvr.exe
1172	ehsched.exe
2008	elevation_service.exe
1448	IEEtwCollector.exe
2064	GROOVE.EXE
1884	maintenanceservice.exe
2132	mscorsvw.exe
2992	msdtc.exe
2424	mscorsvw.exe
2392	msiexec.exe
1548	mscorsvw.exe
540	OSE.EXE
2356	OSPPSVC.EXE
1964	mscorsvw.exe
1608	mscorsvw.exe
2984	mscorsvw.exe
1884	mscorsvw.exe
1592	mscorsvw.exe
688	mscorsvw.exe
1532	mscorsvw.exe
996	mscorsvw.exe
1112	perfhost.exe
2028	locator.exe
772	mscorsvw.exe
3016	snmptrap.exe
324	vds.exe
2936	mscorsvw.exe
2980	vssvc.exe
608	wbengine.exe
2996	mscorsvw.exe
2284	WmiApSrv.exe
2968	wmpnetwk.exe
1008	SearchIndexer.exe

Loads dropped DLL 14 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2392	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
764	Process not Found

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\alg.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa3cf9cbaad3ae89.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\locator.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
576	ehRec.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2868	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: 33	1612	EhTray.exe
Token: SeIncBasePriorityPrivilege	1612	EhTray.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeDebugPrivilege	576	ehRec.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	2736	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: 33	1612	EhTray.exe
Token: SeIncBasePriorityPrivilege	1612	EhTray.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeBackupPrivilege	2980	vssvc.exe
Token: SeRestorePrivilege	2980	vssvc.exe
Token: SeAuditPrivilege	2980	vssvc.exe
Token: SeBackupPrivilege	608	wbengine.exe
Token: SeRestorePrivilege	608	wbengine.exe
Token: SeSecurityPrivilege	608	wbengine.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1612	EhTray.exe
1612	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1612	EhTray.exe
1612	EhTray.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2132	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 2132	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 2132	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 2132	2736	mscorsvw.exe	42
PID 2736 wrote to memory of 2424	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 2424	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 2424	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 2424	2736	mscorsvw.exe	44
PID 2736 wrote to memory of 1548	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 1548	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 1548	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 1548	2736	mscorsvw.exe	46
PID 2736 wrote to memory of 1964	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 1964	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 1964	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 1964	2736	mscorsvw.exe	49
PID 2736 wrote to memory of 1608	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 1608	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 1608	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 1608	2736	mscorsvw.exe	50
PID 2736 wrote to memory of 2984	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 2984	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 2984	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 2984	2736	mscorsvw.exe	51
PID 2736 wrote to memory of 1884	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 1884	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 1884	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 1884	2736	mscorsvw.exe	54
PID 2736 wrote to memory of 1592	2736	mscorsvw.exe	55
PID 2736 wrote to memory of 1592	2736	mscorsvw.exe	55
PID 2736 wrote to memory of 1592	2736	mscorsvw.exe	55
PID 2736 wrote to memory of 1592	2736	mscorsvw.exe	55
PID 2736 wrote to memory of 688	2736	mscorsvw.exe	56
PID 2736 wrote to memory of 688	2736	mscorsvw.exe	56
PID 2736 wrote to memory of 688	2736	mscorsvw.exe	56
PID 2736 wrote to memory of 688	2736	mscorsvw.exe	56
PID 2736 wrote to memory of 1532	2736	mscorsvw.exe	57
PID 2736 wrote to memory of 1532	2736	mscorsvw.exe	57
PID 2736 wrote to memory of 1532	2736	mscorsvw.exe	57
PID 2736 wrote to memory of 1532	2736	mscorsvw.exe	57
PID 2736 wrote to memory of 996	2736	mscorsvw.exe	58
PID 2736 wrote to memory of 996	2736	mscorsvw.exe	58
PID 2736 wrote to memory of 996	2736	mscorsvw.exe	58
PID 2736 wrote to memory of 996	2736	mscorsvw.exe	58
PID 2736 wrote to memory of 772	2736	mscorsvw.exe	61
PID 2736 wrote to memory of 772	2736	mscorsvw.exe	61
PID 2736 wrote to memory of 772	2736	mscorsvw.exe	61
PID 2736 wrote to memory of 772	2736	mscorsvw.exe	61
PID 2736 wrote to memory of 2936	2736	mscorsvw.exe	64
PID 2736 wrote to memory of 2936	2736	mscorsvw.exe	64
PID 2736 wrote to memory of 2936	2736	mscorsvw.exe	64
PID 2736 wrote to memory of 2936	2736	mscorsvw.exe	64
PID 2736 wrote to memory of 2996	2736	mscorsvw.exe	67
PID 2736 wrote to memory of 2996	2736	mscorsvw.exe	67
PID 2736 wrote to memory of 2996	2736	mscorsvw.exe	67
PID 2736 wrote to memory of 2996	2736	mscorsvw.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
"C:\Users\Admin\AppData\Local\Temp\ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2508

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 274 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 1ac -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1448

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:540

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
58e14bf48afb510be4cd15e0891827bc

SHA1
5c8ec29e6c7ee998d78b269b93ff8e68e71e42b2

SHA256
299791fed005d620ecd8b2c63491f530cc21f7040d72ece0987d9ecd0a0fb917

SHA512
0cbcf1ce7ccbe7ec8d1702c2fdfc1a303e7ea924ae015af097e6cc4734958333220b882af98a4906d671368a2854b70340ea4c743db1b7e04d2e5fc2e1925c03

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
8b92149fadbe00aff1fed416126a987f

SHA1
ed311b03e63368aa5d308e7febfc466eefe69ba2

SHA256
6537d022168dc5fb2766f27fb47b95fecb1edd2642ebfbe72929eed2fdb8962a

SHA512
c751979e6752f06dfd12550532a5a3c9a7695243d1c1d39e7c03b12f0d0ca7d5c8d09b7574a88885fcffbb76e9d2662d51b191f340d267179efc099506e45c49

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
fb2a29480df90b0102041e8cb02056c3

SHA1
8ee9abcaa7e96cf15cac0885a5efdc570a309fe3

SHA256
6a622879bc8f784b2a25fca50f11a43bfdb9a6f9dd8df7a1e6d3c0d4306cb668

SHA512
a58a84285d30268eebae217b785162e42583ce0b8df7f49dff6283ea4027f508580f51f3fd5c51ec3038a553b2c24c30ee0c7f82b0fa946a7760014a2c23ce4e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f597c42d1b6f5b4b6b7d5f263a8c9fe9

SHA1
986ec12b68c4ac7d1e614ccb898b74e0fbb5b295

SHA256
4e7c3319ef9dd6ca5be097aba01688472f477d7a3bbcdb2f42f71c38fd473555

SHA512
463ca24987ce05a1ecdf5d52cb0f500c93ba7a008ccb4ef7a2c4a8b07ed65f5d72c17e28606f26259fc4ccc02b834fb7943acb4c36ae600065e439044d3a22a3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d44f27e8fafaffd72d19159cb8660faf

SHA1
bbbcf84f4556d6346f90194c3ecfdcef0072d99a

SHA256
2d612f5667a2693b5b15a46468843dda3059c091f249bf5599735f08492d2e5c

SHA512
2c2da4272fb3fffa5a7e161db39daba1209c54a6fb1b624f21ecd1a8c3a0e3806edd7770433bdcd7e2819de611e0f8c58241f78f864874c072ce5bea53ec95d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c7d6309a3c44671f2702e0907ca27c8f

SHA1
62df5b5c1083cf7278e85ee7af41d6a5e0238805

SHA256
5f2fabf500997ad457c4b7212d6c2deb676ab89b1b430d2344efb445da28cede

SHA512
88503efe465cb511567c7d6e3c6f874a12959ce1f0e81fd7af541b1291e89d55eef3900117361bf138604cd001d8adde00bcd9ac5e7c8c4850fe9fd25ba5e33d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
2b9d1fef4bf70fa51249be8bb488c8ef

SHA1
439a5f9a4bae48f3486a189ee51fbd66ea103d6e

SHA256
f6ee1fa38dc0e79d3baa08e3da78aa5fda9de8eb7df7b62f1f86439ee400f8ad

SHA512
352b354f848afcfbc49b40d18dc64c46b721cf789461b9ba765e08c3967bd71ca0346b83bb6621927c634616950e48ad01fb4d6b4ae149f1a7229b5d45a81a3e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
476b72e0cb6609797617a761a8c8cb9e

SHA1
ae56bc4b116b15c6722830333b5149e4b5b7341d

SHA256
c654f60ac1a49a8b5859460b2db51bca6e83292439d26822b50f8d9925feb1a6

SHA512
6454a11f3c18c45c72158cbaa0dfdf838f48b9fc76a1a6f7b69b54ded7b809ae563a57831fb8f92d99e97e3bd04a2d7b467d572b9a7028ebbec929c0c00ef926

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d7e80f3dd92017f2e0f6991952b133d4

SHA1
ad9e66af669749d76f4850e42fbf9d3c8859182d

SHA256
847497704de071f52c270f5651ceb8a7f8b04a4c13dff1103351848c680d114a

SHA512
77228670301570ba5eb0c3f6f2513c3a8d528661d7cb06b189284de38afcd4859d8587a997d441cd69aa4e8370ff521d283cbdcb1ac13458537b269db47eed96

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
3e494840ad2404ad3ec759b7b09159a1

SHA1
bb4e15120b38a96d6e4dbec6bbae66df5604258d

SHA256
7c60b379d031d105b5fedb1652c351a4fdc7523b4048b805a6ed6e842a22b06d

SHA512
8bbbe3e62585276d0071ebe632327d310b2b91381fc6b714d4ff10645e861c9bc683d8310ba302c80dd444dbb81b36b4f4285e4919b6dbbcce169898fdf6882b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
1960ba53165157f42549afd0fd90e11a

SHA1
94b8853c876efed6c36b15931fe4d994bba1a88e

SHA256
969db6c8ff8505cd76a8ca2bfa41daffb6d8f52c12c52d22b04e3a5050ed23a5

SHA512
ab54f4e45ae4786af6327639ab9c0ac3d525679ea9507a52aa1329d297a1519b9b4c1e023f0e19df287296f6bb42088221066fea9071e17fa4ad3c1197fcd954

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
93b1b81b87cd93e25565d906bc6bdeeb

SHA1
575a6138af0499a2418599156b87b27c25c55580

SHA256
0e75607a0544428ebfe5eea7f419f2cac49ad1d32eadbc0af76378a969899c63

SHA512
93d6597af8c4dbeab174d2cf9c66a37e861c417e7fe7ccb2e8d9a21de766b0ad7ff4311fe6ac60af9f1862f083c90f9222f64331e609d2747eb5c79b6245b78b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
d6e1c878e5c97944429b5fd20d79ce3f

SHA1
06ed674e685398ccf8b5b7f3bf3aad01cd38afb6

SHA256
1c9e3f2d2af67e598f928fdaddf0f91cfb3431dbf062ed24644ef51909cca71c

SHA512
45d0396e85be62cce1d288515cec94381794ee57a5085f14d6c3481076e3969fe46f09db41c6a78ff989ea95d6e80e0088226842c906c83b2c25361765be2aa2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
7e4b25512c9ade4b71cf1f1531a580a8

SHA1
7ba79d7a43c2f6b9fb846362cd59e644e6f50d1b

SHA256
92f051963b4a1cf4ebac6a99c67421cbab4dcad2cdb617d448dffed8f841204e

SHA512
fa7072c77353c3855bca42aa95ed980ef1199eeb26225326d58dac693f9d9b8e78cf333bc30b40dc957aa54d3d3963ae1cb64eb5a3f24c1644e5fdb0a6a34721

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
17ab25c002e4779f6dddfcdf7d6f0e95

SHA1
07486a529084bd79064f47f94ebd89082023d98f

SHA256
f013dab99f9937f744b2cf1bbff131ada897f3326f66d2fabacebda3eb65181f

SHA512
d29963a9d11a32b265074ed6f9ec25f513ae48233ac93771a0d0662ac015a73a2ad25e33d9081ed4d0f17a76c6eb20ab629d5b426d664f6637f2882800e81cec

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5d4c0ca5f5fd388590dac44b6afbaf56

SHA1
29174a5a811393b302c32db528b9cb706fc838f5

SHA256
d88a5d8fa3045dae231309f121fe73814677a827994615486485c338d41cb636

SHA512
8eeb5d75d0ffd2298563e1e0eb742cb32c62606e04066d6d0ab09a2eadce6e86a430ad18a6043ebbfef20cc2ea0cc8e5d8847194c0cf179805a1799eaf6e4146

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
3425d595a093bd3790d33ead8f101ba9

SHA1
436c6c01793230b5cd81eacb4badb944e58e1842

SHA256
7d95f3258ecd1393e1da771fceccb1f06eedf3a98d643fcd84e8bd208a150995

SHA512
875400f03cf8f5c0631c865db71a3c4462389743b9fa83304ccd7994c9a1bc8afa9e6199cd3112291f3dfb133f5e39f1d60b9bd1e3fb02b26e513b7af27799da

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
5d6c2b4b7f1b44ad091bf785a3a0fed2

SHA1
d95c1be937eb02aaa15b8a950af03a2ea4ff67a2

SHA256
25053fd9174be647254324a0a29437bf23b8f8345e912eacfa7440de26369ef3

SHA512
fde48ec04a3f11f2c94bc390369a56ec00d282c8b9bfbeddd0e11f1345e379e539a931f2976a5c2d1dd2f2a655a85f27513ab9e45ce01929581c8059f08d8b52

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
f34f208024efa8296cde6a3df56e0e6a

SHA1
d5e81c0fe2b92951265d64f87768ac683c27064d

SHA256
3abb6eb0fd00572f526ac3503ec261e54a62202c844dc9a0514d88f837f925aa

SHA512
b1fa8120f14886e9c2c369d83df5a58b1e7987d09ec23a92589315b21901456d65cd04e2fbbb6af70c26a6a25785e29c6ddf8ce2684a4fa5d26e93987c66e161

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
afc38a1f140a0c1461c9238d9c919a2a

SHA1
b98fb826bd357289898d18fd7f49d9981bde4443

SHA256
bf932b46a8dd21190d3d84a5a33ba4ba3206e7af824d10b29fb0c9e0e9c6ef2e

SHA512
5e0b1bc45f65c0076b39898528a112c7107e755a00e172766bbfb11911823e6ddae48ad15197d6b8dedba7205a1ebb68c9d9d113ba14d2a3620f621644d7584a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
cd484b7d0230cf43def9792c1294bda7

SHA1
b6de30dfdd77130abfd2dd2e524869f367ea6918

SHA256
a96e44a45a35c9d7d526797e9ac4a90efd9a7c75838063f8c7a3bb0d202868e0

SHA512
faf2e4ecdd2c5256ff2377530c562d74f72164d1dd30009665370586ac3adb83721975993f514646992ba837d49be49b804996d823740b572b94d899d7cc68e6

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
6bf870f299228eefc1707ef64868a420

SHA1
bfcdedf45248de83ac8d8f7fa38b7cea73a9902a

SHA256
443bf986219a41cf1fed7d3e4c20822312e71777c5f3cffaa408da4019c47699

SHA512
374756a6e5533b10fd15d0b14a2cd09cfc79abc0b0cc27328e76abb621b3ad2042cc3a98825ceb10128a5b48bd377dbe98ec0d3de856b4bfb6658aebfccb9e6b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
d3af63ab6d86efa7c3315a2d86d35d3a

SHA1
1725717ca4c306838ea98e3ea76723dd4f90966e

SHA256
e9aa022bf17ee7494e9967620538ab98b055e19a2c034a7637f8b6db217ac011

SHA512
58c090bbe227c5900bdc3bcf739f29922c746ecfd538b2175a7161d1c5065b831cb7471429aa5d46954b8531c9d5cf076fdaa1e2007f7b5d5a8d137468ea67e9

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
6921ca26740c2f798b5ad87915313744

SHA1
5a56b0d2c2cdfe311205df3f509546796531516e

SHA256
87ffb495d96d690059d7d825715145bd1d1b95fbd57651729ca5f8b29c3ab88e

SHA512
f35355c515491f96c9b14edf2e9e0ef94fd5183a8762d9cf763231947fc4d668b00ca90efff0d565117c445662cd9e90e56f2982fbaa422ac62e728e698f923d

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d000bc165daa9dbfcbecae9c4b43db58

SHA1
e33c4b81f8aaef4f31511c308ade916ac13cd530

SHA256
7cabf53dfe29fe270787d6b9a585acb5401a3e85cdb6d7c6946d1f0307783c7e

SHA512
48c6bbe0913098dee28fdbc17ab50ad5326c6e4ee8db09943e84d00794ab7c51d71bf64faf595a73f5b28199897c47e474c42f7b69bb6112bc48b7e5d6b0fbc8

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d64b8797cfc0a03f9f2a8779389ed590

SHA1
f42b7051c64add241d1dcc35247cd09df5a8743c

SHA256
ac2c8deafaa5936eaa6fe9dd293f51664d044416686a7be2d32db277b1c2b5f6

SHA512
77bc2ab7e0c7cd50373399a8cb5dd2066e4a383ad6f94c6d12ab4e7b9cf7ebb3ba199dd328592466e17f4747ac286ae3a61c981cd432021d6069c69b8bda04a2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
699076704baabc0336bd8f3b0ee86ff1

SHA1
a274919f6f4b7320721dcf3e6ec1ced256ff0a3b

SHA256
944eeddd17a97e5f5b4aa543415438499fba279a4a88534f479be624dadf9f96

SHA512
69539a906e8af9650e595e56e0dbf07f00833a1d68a1ed114ea1aa1587a1e7d487810c8bca91877b052d25ecdf43f28ba5405d8c10b6f119171adcbd590f78a3

Download Submit
memory/540-298-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/540-301-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/576-159-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/576-214-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/576-221-0x0000000000DC0000-0x0000000000E40000-memory.dmp

Filesize
512KB

Download
memory/576-170-0x0000000000DC0000-0x0000000000E40000-memory.dmp

Filesize
512KB

Download
memory/576-283-0x0000000000DC0000-0x0000000000E40000-memory.dmp

Filesize
512KB

Download
memory/576-155-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/576-150-0x0000000000DC0000-0x0000000000E40000-memory.dmp

Filesize
512KB

Download
memory/576-240-0x0000000000DC0000-0x0000000000E40000-memory.dmp

Filesize
512KB

Download
memory/576-245-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/1172-193-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1172-135-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1172-127-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1448-165-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1448-265-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1448-161-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1548-293-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/1548-280-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1548-285-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/1572-88-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1572-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1572-20-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1572-13-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1800-92-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1800-169-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1800-97-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1800-89-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1884-202-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1884-242-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1884-185-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1884-239-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2008-148-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2008-140-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2008-210-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2064-173-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2064-296-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2064-181-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/2132-216-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2132-196-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2132-261-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-254-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-269-0x00000000005C0000-0x0000000000672000-memory.dmp

Filesize
712KB

Download
memory/2392-272-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2392-277-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2424-243-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2424-288-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2424-289-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-275-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2424-267-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-61-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/2492-54-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/2492-55-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2492-102-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2508-44-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2508-90-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2508-38-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2508-39-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2652-110-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2652-129-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2652-179-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2652-111-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2652-118-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2652-117-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2736-78-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2736-72-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2736-73-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2736-157-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-34-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2808-109-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2808-27-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2808-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2868-1-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2868-71-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2868-6-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2868-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2992-219-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2992-225-0x00000000013D0000-0x0000000001430000-memory.dmp

Filesize
384KB

Download