1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160

Analysis

max time kernel
63s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
Size

1.4MB
MD5

a5e01566b9fb454a593305e9bc3e5491
SHA1

a68b50693be8d5a503f87ccfe51905fb3f1c588c
SHA256

1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160
SHA512

e597f742ed88ffddb188471993d9ddcb89f94a828237a538013374de4b903963bbfbd9348d7d750e20310a93b0f70f7b01e7d548f2d9969b970a7d9d4fbba782
SSDEEP

24576:tde0eaphnw5BdAAVf8j69zBTduSZpUR0GHrVQ1aW4mSOgv3isi:tDeaQ5b/f8jwpAHrVQ1/fSNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
480	Process not Found
2192	alg.exe
2600	aspnet_state.exe
2768	mscorsvw.exe
2700	mscorsvw.exe
2792	mscorsvw.exe
1664	mscorsvw.exe
1712	ehRecvr.exe
1632	ehsched.exe
2288	elevation_service.exe
1000	IEEtwCollector.exe
412	GROOVE.EXE
896	maintenanceservice.exe
2868	msdtc.exe
2936	msiexec.exe
1724	OSE.EXE
2500	mscorsvw.exe
2332	dllhost.exe
2456	OSPPSVC.EXE
768	mscorsvw.exe
2052	perfhost.exe
2020	locator.exe
1060	snmptrap.exe
884	vds.exe
2864	mscorsvw.exe
1600	vssvc.exe
320	wbengine.exe
2656	WmiApSrv.exe
2652	wmpnetwk.exe
2620	SearchIndexer.exe
1560	mscorsvw.exe
1384	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2936	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd15795d78a61a12.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8A34DFF8-19E0-48A3-82FD-854F5733666D}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8A34DFF8-19E0-48A3-82FD-854F5733666D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{40254016-4DA3-495D-B6FC-C29CA442E685}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{40254016-4DA3-495D-B6FC-C29CA442E685}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1480	ehRec.exe
2600	aspnet_state.exe
2600	aspnet_state.exe
2600	aspnet_state.exe
2600	aspnet_state.exe
2600	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2308	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: 33	2960	EhTray.exe
Token: SeIncBasePriorityPrivilege	2960	EhTray.exe
Token: SeDebugPrivilege	1480	ehRec.exe
Token: 33	2960	EhTray.exe
Token: SeIncBasePriorityPrivilege	2960	EhTray.exe
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe
Token: SeSecurityPrivilege	2936	msiexec.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	2792	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2600	aspnet_state.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeBackupPrivilege	1600	vssvc.exe
Token: SeRestorePrivilege	1600	vssvc.exe
Token: SeAuditPrivilege	1600	vssvc.exe
Token: SeBackupPrivilege	320	wbengine.exe
Token: SeRestorePrivilege	320	wbengine.exe
Token: SeSecurityPrivilege	320	wbengine.exe
Token: 33	2652	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2652	wmpnetwk.exe
Token: SeDebugPrivilege	2600	aspnet_state.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2960	EhTray.exe
2960	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2960	EhTray.exe
2960	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2308	1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2500	1664	mscorsvw.exe	45
PID 1664 wrote to memory of 2500	1664	mscorsvw.exe	45
PID 1664 wrote to memory of 2500	1664	mscorsvw.exe	45
PID 1664 wrote to memory of 768	1664	mscorsvw.exe	48
PID 1664 wrote to memory of 768	1664	mscorsvw.exe	48
PID 1664 wrote to memory of 768	1664	mscorsvw.exe	48
PID 2792 wrote to memory of 2864	2792	mscorsvw.exe	53
PID 2792 wrote to memory of 2864	2792	mscorsvw.exe	53
PID 2792 wrote to memory of 2864	2792	mscorsvw.exe	53
PID 2792 wrote to memory of 2864	2792	mscorsvw.exe	53
PID 2792 wrote to memory of 1560	2792	mscorsvw.exe	60
PID 2792 wrote to memory of 1560	2792	mscorsvw.exe	60
PID 2792 wrote to memory of 1560	2792	mscorsvw.exe	60
PID 2792 wrote to memory of 1560	2792	mscorsvw.exe	60
PID 2792 wrote to memory of 1384	2792	mscorsvw.exe	62
PID 2792 wrote to memory of 1384	2792	mscorsvw.exe	62
PID 2792 wrote to memory of 1384	2792	mscorsvw.exe	62
PID 2792 wrote to memory of 1384	2792	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe
"C:\Users\Admin\AppData\Local\Temp\1dff1d2257681dc9f550d4609ff96152e50fc8d58b8a6be1da4e8ab0d9b70160.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2768

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:768

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1712

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1000

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2332

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2456

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:920
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
b1666ef9379648b7d0625a48e45a1979

SHA1
07a89f0b291094c6bf649c7c8b0fd96f4b745ea2

SHA256
6ec7cb05d691ca2f03eb88891a605d1aee16189d7d8ef33af83f1127d91022ca

SHA512
93a9419bfc1b7f3f58dafbad827279999ca691782110450e54d379283944588fb9043435ad1654d4cdf6c1760ad70531891986217b3464be8cf40ee5f9904c84

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
7831c63143cbeec20c7fd5bd924d0eee

SHA1
3487ced3e54bb8bba1cd44b4ea9459c63d542485

SHA256
f4d0f0013157a88e2ceebb8ae89c475554c99bdb628c5dd39e4f9d3754b41fce

SHA512
8528743764e6170d6cb3e87bc008408935471db554f8935a052d4619bdb7bc0477a86b6b893aab2f9ab4744732c1909ecea67c769aefcb4180bdd3d9466693ca

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
e354493503cbbb0bb4ca0673e2a5118b

SHA1
53ea34b68324a9052a4f23dc43e351fa280a1974

SHA256
b71a1f414c9eed09a3361ae2195610af14fedbb8fb84bf08fbde8411d76b0f21

SHA512
58e84a32549af7d06fc8193fb709a637b0529830c07386a4cc071372ca2125bcf1c9894ee724d755f75054984d2c3b3acd3058e960e1f57cb03bce35137e6163

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
ebdb468bd02791fb7fb51ef289baaab8

SHA1
7771604f02d75750dbcc454dfb6f671df2d20efa

SHA256
768faee01f31701b2229fec19e434709f24b6b09bf206a0a1f5c148da95297c2

SHA512
27751e2a89d55c8513912b294a65fbc5e83764095c50929b0d0357ba0f5aa2edc138a1516695712fc44b180081ebbf4bf22911d06e386f645a2800d70000026f

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
9ca4cb71b34fd62100e8279c9d477334

SHA1
d83a9b7fa024c138b3168b925f55c78bc77c5a6f

SHA256
b3ddbc8bd290211be042c969d84952e2b8a7d842eca9f64accf1d29f84bc6d39

SHA512
8ef4c4b03ccc29cd1966920ad5fcc8934845fb51f87f281018b8b31a3a7e8b17e1edbdee2a36396220073752e4713381ad07065407748926067a056b0a880cad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bf15360a4a7eb196b8cb5d1aa770f545

SHA1
517ead13797d43bc92b88c16b89811c5dadafea5

SHA256
5f206fe0f8335c069dc4422637d4d2dae6b160c26cb871b14706230346e0d897

SHA512
615b821b4af7763b15c9bb824651073def703722cc3ce1b94e6cf9333e03a40f6fba43b7b69f60bf12207eba7a0764d57ca20a3bcaf365695653ce836e0c5591

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
036725c0f5a3590d01104e811e3a9d01

SHA1
d73c291522d946a53c92908c9e307a6fcaf8ed7f

SHA256
76cabb8842cf2984e7a9045f1f4e41555f960b4b06471e3d5e52efc61d6dc10f

SHA512
a9b870da7b202c1056a54c68aaa6c77c42f850abd9defad61c9f016ee9cb588fa8e79b32a21afdef7e3a3e19c7841c64d24d8869efde67c16dc28d59e4549115

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
cefa96e800b9bf2e5fafc7a578850b35

SHA1
a1e0e1b475bcd8f1db017df3f4c50aff7ebee744

SHA256
36da434f6a5e67145411e0f1bd8d4095f5fb318843f50b5c0425f5ea8453daf2

SHA512
7d29e70fc0113c5a0ed5f0eae851fecda6a47f6d0b7b24e9fffac37a6ab077ab625b87207cd5e5067bb1366b7e7e29ff15016737970c53b773043867e22083bd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2ac8c5c1f1dc664504d8e408fd7f45db

SHA1
a467d137de6f43ee1400e124aaa109e2f8581c1a

SHA256
34926d9ff0a859fa4c91eea1a1279003a52455e7c5ac20751916ef8660389bf3

SHA512
3d42bf2dd3b04d33a97eabe40323d985a900986d1fe592c6dedb798453afb63fc79de04309fc103649394549af7acfb84fe4cf87914b9c274b3ce4673e68fe53

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bcc2f88175ad31afc115312066545e37

SHA1
007c52ed66508795f978ec43a3ff078db68815aa

SHA256
5f682f5b46d3816b3475d6f42a81da2a3916151cfb31a9f367b2472196edab36

SHA512
2d54cd03670d4ab5f8e853636a5c78721a13ba080e824777d19a25fc44410b47095482d8cc732236f01bf55664e261d29d9b660fef2031974d2fd1d216336d99

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
2da54751f502ba5992c9350435c95cd8

SHA1
4ceacd11398111e67eb007e9448d2b1f06748863

SHA256
7ab1a09f78090bd158e746ff84bb5030fbfabf1f9d19c9a50a129ce88347f34a

SHA512
5b2d0d6b745d221947fb43decb2a9e14c0941531363cfa1adffbc73836920e7665910efe00b465e687855cff391d53f2e614ea9f06883aef8fa77317a7cfcadd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ccdcd4eeba23fb0c91054b8511e83ac0

SHA1
8aa52cc999b867892cda0cf1f8308ad471ca0da1

SHA256
20ef47c542920c907ebbc27559943fca76f748e99b433f038d1d44e08ec919d3

SHA512
d01f184e465cde4269383dc814b247c6e01ce08d8e8e53377fa2ae407bca21461a97f3c62ba54ca557b74a5e0416059db9dac32439b1be76877b2b7038b697e9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
9b624ec17d505ed2d4c235aad5b4f20a

SHA1
07da602db51d7ac0e89b64acf9e7eb498950506d

SHA256
5209d7516d83a8c901f8a829fb092964c00e1f1a888ed935bc9853a644789466

SHA512
0853d3e7000c5f9c4f765490688b83e8b79393ed946bb1b1bdd1830aad044fcf9103fca728a2b6be377d6aa6a6c5a6bd5855829c857bf3b5eee547d865dc6983

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
41ea1ae4d183317b8b63ab7a143737ee

SHA1
b9402f4da098ac80abd0bd2de59362febf1cd653

SHA256
48fe4de2d9fdc4d17dd94116c116f55b685bd26f031523de34fc63ff9f7958a1

SHA512
b01712efcac52c90fbe17abdaf11f8dc38c25cade66dc96cd1a08e5b3a5ddd1e472ae101543eacb43bf6cf3cc636cf31061d75ac28a99273fd9f725fcc1e1bfe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
405b52ec1137eae0505a55fcb8c104ba

SHA1
78558b7cdbf59cf960426c8fb1378838bc788aa3

SHA256
f5f16463ec5f618e90528c394739ff1bf246abcbad0d826f56f402bf40f7064b

SHA512
ab8fc84e7056d497412d39d307eae587b4cf729a7f9a39909fa1d617e06fcac806b27bcc80aea9149207e9e13b303f6037c0f2444abad67b9b7e2d23bcd6574b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
eca7cd2df7a5637bd3966048e7c2d0c3

SHA1
2a9468fc63078c4db90beeed0c8771415d9a9811

SHA256
68976ec5aa1c81528c07feb540c57bc4cc07f9479c118be10d99e3598bd5325c

SHA512
c2d3b34657d578be8ed18a09db77ad86155b1bb7029289465c3b0973a141f028ef131b217a0906e8905b44af97638479cf61c9d7bf54534821a215c614501019

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1414ffc1f8a9cb07e43b58c5130e4937

SHA1
70dbe402a21190bc138329a3a6403d5f5d61edb1

SHA256
9f96834ed06ef94365c2eaae39ec90dc04e31e2d2a5bf456fc419f937777d5bc

SHA512
4f1b6a8f1370779d9e6b6ee3ef01475dec61fe66cab66cd4a10fd884277011f4a2c6d6bb45d17d749322e6d4b6b107543f2c7c981c535ea9fe9a5bd5e5b536b1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
2ea7c86e605531d87be8586e5203de3a

SHA1
674a57d190245479b2969678d6509c3213df4a77

SHA256
361e345f3e673320ec50ed74d85580c99a54862b5f73d88bdfdbad594c2ad8e9

SHA512
5b424af4b499007b9761a2ec20d0902882b11ce86a52b6f179dc30dc7506972bc58ee637f46478799f6cced6c393acb1c01fc3f6c5c2fa0c4bc87edd8bfca9ed

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2863d690a79c9a373d5aba140a029962

SHA1
eff38c26aa3b9f3ad756b07d65f6d04493db4636

SHA256
3444554e177d63e7d73c1441f64d20e78f5a8528156e84bf52bb7d7e370aa099

SHA512
93f63c795ea59085bb7527dddf38c67d37bae9fb82c078e7d32571d6500fe412aa6d0863acb119b44bbc195cae9bbac902f380630fdf9f836ed6e6200a47e6a0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
36dcdb66440d255d1fcb36045b2094e1

SHA1
db8431a621f51031405f87cfb84ea61229845692

SHA256
b3208a90cdb63abc1b37f231a739d415ad55c032814b97c9ee0ac03a18f29167

SHA512
6e158d417b873a0f6038d9099a7f96d744e40304fdc55e4a544ef404a1305f3c444eef661942d1a201af75a267f95bcbd74d057e00a24906a2127f8171236536

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
8ee232fe24feab4ed6aa678b03ce1dda

SHA1
122ab3d9d56961731118656641d3a0673fe3f937

SHA256
ed564faaba296c456ab60003b2da7c2a3a4dbcd6d1e0004292fc68b83d313072

SHA512
a6965f53bcfef057e11fa84ef88f1468d84c490669deb39f0d1b9c36da8da39aee2ede3773d900f2c6ca4bae3ba08c54f08c574edd6bce6486ef4f9f248fc6a2

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
1af7947fbf8fb57a97209cb23f8ab2c7

SHA1
e345bed9a0323c67e1aeb518fbeb5e56b45a4dbb

SHA256
d6cb86e85bb70a2062eb81f3cb52b5a654aaac7cd6b90e17b1f4311201e8b32e

SHA512
c1f31c854f7f1c8df46a179301d221d06f7cd654630d2d90473baafcf2dd2c8ac2b021b873376fe6a085e33b861d291c4dcfff238bdd0cc2de0698c90e6856ce

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
da1ce4e728468eb9f14d352e831bcbde

SHA1
523f98fdcc970cf88950e5f08e624a8719e687fd

SHA256
0f8df18d8a47654a0ae89fc99f4bdc3cc8fe84a47f0cc0a3e5f5b5343f7aeebf

SHA512
05a8b8d74f0214189a891d18d75d50d973d0e2c26c9311bc57b4299268b71d907f038e8e7786bd115691690d912070e7fde0c89e6496602791a5e2b71828e127

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
3877640c726c3a581abff78b97b84c4f

SHA1
301cf7bdd0e73b0c92b7d010cf607cfe3f0783c6

SHA256
6d27dda64bcc3d117bbe15c8121a0f848c47d059ca1731f11c9b69a4ff6db64a

SHA512
f5af686416fe3750731529a166a238dd2a833cefbbadc8a40fa2e0a7f6d2e69255bfd314d95828d9e84130ff8a36ed82f18c5db4f94f536d639a696de39a4e9a

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
73ee7c38a7219a0ab9da348506cc7c73

SHA1
89b464cfb4030b9e07afd46d67202410408472f5

SHA256
072090d8d45cbdd2b48612c68de21d3d954b87ddd9d53dbb2eccafd4fe26e588

SHA512
d5b0f97872f4f40838f2b7d3e471c8a56cd70fc1952fda9dd6ef55c83fa275acf28009ad2b060a38dbab918a178ef0113810b1937b2f5beb22a5cecfe3ae9bbf

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
dd19179f4ee72c6cfc9708d6bd00346c

SHA1
2db1feb2dd9553f8fea888014d20395bec21eca4

SHA256
a4ca6306dfd5ab5b2a7b7cc0e00f59293a8069eb53e3b092090f632d68c2e4fb

SHA512
b32bca63d0df04d6e44f2ebc778e8669ba08d86d6c369ed921fefe9354dfa0a186a84401a9e245bcb555317b9c16068c67d4294a26834b23a4ecce5a8833eb29

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
c214ec1316bbde5e1d4a6a3dd70a6edb

SHA1
5f51384099f0536f1d9496179512b5491b47577a

SHA256
7aba8daef5ab5fe848316cd8f2e5bb637304f26b9af1223e78c93b39ffaf62cd

SHA512
3d1a96e5586aed63b02aa946a14f652c463098ee5f8a65cf56e483bec9d2ec2cacdcef0bd0e9efe90cacdd8254c178b783fad2662949cd7e1ebb5d06a5d92d9f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c01544aa53e170f645b142eed70ba60b

SHA1
39a9d7681ec5ae99485a391aac5d7ebe0d9f55ff

SHA256
2f21de83f7a3bf4697787c764aebada68932eb70c2786026596e93ee6a55b200

SHA512
795d855401fe3cf7f6cd5e6227c1cd6e68fdc57a34106ac2ec92f28a17ef0ca56a974280779ea4107fda060f244b1435ada5b189b435d871f089dbbf8539aae7

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
32f0a697b24d2def3e990fe9b0c5a6a8

SHA1
b40274d3b380186d5865e145949d9f9f51e7fc04

SHA256
9942ada3c2d60c856658e602da88b8560158f7c7e2d676d1233dad95b78f8eff

SHA512
faa7395b25f39e83171252e50224d7951186a8a61fc3c04e7cedee78081387e822cd3a6becbd73b6863415ce684726a86cae4c2e01fc5de499207e1e13ef4a84

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
db8a7edce9b57580d38a50e036a89255

SHA1
dc5e8d04fdaa8fb46b54fdab8d35f5dfd46065df

SHA256
c4d554598e681eebd02911595a391e2fb9f46482064a2888948df3cb9ac1e5e0

SHA512
039878ea1b4bf581fe489532a1027e25ec1071aa0e5a1e614f84492c477bbdd1d18d254adc4457342a766559e5f7bac38619bd74be3064564aaaf158cdda9b75

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d2eb85e45f956dc5eefb5a09ac4839d2

SHA1
906ee0a02305abe765f7505daca7d329ad09c63e

SHA256
a8f15706936873a2f79b30dda0426828bbc3050062c9ad42fe6842b84f10acf4

SHA512
28bf6521452090ddb5212af2562e7283f42b8fd7265d5337ef440bdbba1cb855dc1e6fcd0fbc8bc59a250dcd2c9209e858c5ef88c9884a30cf64273e7fa8be1c

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
7a068cfc36b062359b400505dd53ab0f

SHA1
37b30066c63cc255cc74b1b907e250d2d957d2c5

SHA256
d55badf97cfe8902d89e23e8370f3a5d709e19fe58d4f9497742e7e0c66db99f

SHA512
7de70900c865c83471bf1e2b94eef2a7e6ffbe61626f020272cdfe98484b00e33bdb4b071c8e4acd48027be71087fb7dec539e77261ca433c6cf6668cb032da7

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
99d3d44da3c0861734c75de2af1ffbe3

SHA1
57db6cd6dd564710d71d7f06ec4a53ffb226372c

SHA256
44b4d98390ff6bec7f78813128e32a9c3892b568d4d05be38110016660124a57

SHA512
b06febc4aa9b67e7021fc1778c7bcc12bae6f233f5df73ea29e44cfe51d7f61ed4f920e1b22a4ec1063a2b5bb6aa876bd29da35ec0fff1aa4ecf6cff15e23d03

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0b79e8ed588e63e11cdb6d5cebb841f1

SHA1
3dcbf60c4563b46c8daf517c83daf2c268c68529

SHA256
619e1144e18be20304e3168ef058f2ae292105104bbfadb24911cff21ff6ab76

SHA512
ee0f3725e35dbc9c7d606cc5ca05349467689513d7ae549c3a335d8fe54444a0fc193ad3a74d639f4a8ed1b84b57e3f662a7d6a305bc98150a4bc9e80993697b

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
dc774e4f31199994a747574208510534

SHA1
288c8d6bb47c74a93740d0645360392c7a60c474

SHA256
838d68aafce952cbbb1b732054ff3add5377d0cd10a968266ca86dcabd298ca6

SHA512
b86e0dbd71b372a7a3483e8d638c6d902d8c20223396fcdfe36acb3a9282d6949a24099deb21b30cd99876d434796e09eb5de8f70a876705165a34a646194a3d

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4551774a663a28db8c34f70dfec3486b

SHA1
16a58552bf419fd62bc54844db1860e6f55f3a11

SHA256
6538167d0d3c64b1f53ab19df3e4d75f33deb7669fba08b1eb853fc27ca5eb60

SHA512
aadc7431fe8c71006a28443623ab14985ed239238161098e94a24d226168530cdfbf7461842c553c9817f1607df4fae98a8f5947f1b488e3e4b21a9288dccd86

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
f50900b5ef1ab5d74fcf27a5d655a2c4

SHA1
c6eef2c7a3918e07ca6a73d51034d4b0e9374a4b

SHA256
8ff2ef9f0b7970e6dad5dd157bb0f90f66034281bbc49e5d1aa020993f2ee512

SHA512
988432406d6095ae984bc62690ab9f513490a7c1ce4d59e598772f64fa47ae918c466963a76ac50c54a5731d4093eff6aefac5e768f89a637714e32eb0dfbc6e

Download Submit
memory/412-161-0x0000000000AB0000-0x0000000000B17000-memory.dmp

Filesize
412KB

Download
memory/412-159-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/412-209-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/768-285-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/768-298-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/768-287-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/896-191-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/896-189-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/896-169-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/896-178-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/1000-149-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/1480-199-0x000007FEF4570000-0x000007FEF4F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1480-146-0x000007FEF4570000-0x000007FEF4F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1480-148-0x000007FEF4570000-0x000007FEF4F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1480-203-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/1480-173-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/1480-210-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/1480-244-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/1480-147-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/1632-123-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/1632-177-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/1632-119-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/1632-128-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/1664-85-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1664-86-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/1664-153-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/1664-92-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1712-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1712-175-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1712-111-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1712-118-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1712-106-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1712-114-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1712-103-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1712-115-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1724-229-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/1724-205-0x000000002E000000-0x000000002E274000-memory.dmp

Filesize
2.5MB

Download
memory/2052-293-0x0000000001000000-0x0000000001255000-memory.dmp

Filesize
2.3MB

Download
memory/2192-94-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2192-13-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2288-135-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-194-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-141-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2308-222-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2308-6-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2308-7-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2308-1-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2308-0-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2308-77-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2332-300-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2332-248-0x0000000100000000-0x0000000100254000-memory.dmp

Filesize
2.3MB

Download
memory/2456-289-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2456-283-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2456-291-0x0000000074D38000-0x0000000074D4D000-memory.dmp

Filesize
84KB

Download
memory/2500-277-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2500-280-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-232-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2500-276-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2500-239-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2600-17-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/2600-18-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2600-24-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2600-104-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/2600-25-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2700-54-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2700-47-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/2700-83-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/2700-48-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2768-30-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/2768-37-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/2768-31-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/2768-66-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/2792-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2792-74-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2792-143-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2792-69-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2868-295-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/2868-183-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/2936-198-0x00000000005E0000-0x0000000000851000-memory.dmp

Filesize
2.4MB

Download
memory/2936-197-0x0000000100000000-0x0000000100271000-memory.dmp

Filesize
2.4MB

Download