4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f

Analysis

max time kernel
125s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
Size

1.8MB
MD5

4dfe3940008c9f6e2094db61799626fa
SHA1

b4489816a5a942b62f842156bb30394e20abffdb
SHA256

4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f
SHA512

ac5710357c65501cd0b6fd56f127dc50baa1cfd1a67dc63b20ee633c0fc886a8f2fff74d676246c21bcc5f7856a14c888840dc7c2ba2c1175c025b5e3a3fb98f
SSDEEP

49152:Gx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAi/rAfTcZVWUXkfn/V:GvbjVkjjCAzJN/rAfTKVWUUfnN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 41 IoCs

pid	Process
464	Process not Found
3060	alg.exe
2556	aspnet_state.exe
2356	mscorsvw.exe
2676	mscorsvw.exe
1960	mscorsvw.exe
2332	mscorsvw.exe
2044	ehRecvr.exe
2040	ehsched.exe
1104	elevation_service.exe
2908	IEEtwCollector.exe
2420	mscorsvw.exe
572	mscorsvw.exe
2804	mscorsvw.exe
752	mscorsvw.exe
1576	mscorsvw.exe
3052	mscorsvw.exe
1080	mscorsvw.exe
1592	mscorsvw.exe
2600	mscorsvw.exe
556	mscorsvw.exe
2300	mscorsvw.exe
1340	mscorsvw.exe
2220	dllhost.exe
1064	mscorsvw.exe
2976	maintenanceservice.exe
1740	mscorsvw.exe
1732	msdtc.exe
1828	mscorsvw.exe
1168	msiexec.exe
1364	OSE.EXE
2204	OSPPSVC.EXE
240	perfhost.exe
1628	locator.exe
2084	snmptrap.exe
2804	vds.exe
936	vssvc.exe
2132	wbengine.exe
2688	WmiApSrv.exe
2916	wmpnetwk.exe
2912	SearchIndexer.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1168	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
728	Process not Found

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3edca53ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_uk.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_fr.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_en.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\GoogleUpdateComRegisterShell64.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_el.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_gu.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_pt-PT.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_ar.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_sr.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\GoogleUpdate.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_is.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_ca.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_ru.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT9696.tmp	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_hr.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_sl.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_ja.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_ro.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_es-419.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_th.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9695.tmp\goopdateres_nl.dll	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{03DC0D78-2381-4275-97D8-31AB7AB5952D}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{03DC0D78-2381-4275-97D8-31AB7AB5952D}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1F256F08-AB06-4B51-94F3-035FAB6C5622}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1F256F08-AB06-4B51-94F3-035FAB6C5622}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
620	ehRec.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2888	4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: 33	1544	EhTray.exe
Token: SeIncBasePriorityPrivilege	1544	EhTray.exe
Token: SeDebugPrivilege	620	ehRec.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: 33	1544	EhTray.exe
Token: SeIncBasePriorityPrivilege	1544	EhTray.exe
Token: SeTakeOwnershipPrivilege	2556	aspnet_state.exe
Token: SeRestorePrivilege	1168	msiexec.exe
Token: SeTakeOwnershipPrivilege	1168	msiexec.exe
Token: SeSecurityPrivilege	1168	msiexec.exe
Token: SeBackupPrivilege	936	vssvc.exe
Token: SeRestorePrivilege	936	vssvc.exe
Token: SeAuditPrivilege	936	vssvc.exe
Token: SeBackupPrivilege	2132	wbengine.exe
Token: SeRestorePrivilege	2132	wbengine.exe
Token: SeSecurityPrivilege	2132	wbengine.exe
Token: 33	2916	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2916	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1544	EhTray.exe
1544	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1544	EhTray.exe
1544	EhTray.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2420	1960	mscorsvw.exe	40
PID 1960 wrote to memory of 2420	1960	mscorsvw.exe	40
PID 1960 wrote to memory of 2420	1960	mscorsvw.exe	40
PID 1960 wrote to memory of 2420	1960	mscorsvw.exe	40
PID 1960 wrote to memory of 572	1960	mscorsvw.exe	41
PID 1960 wrote to memory of 572	1960	mscorsvw.exe	41
PID 1960 wrote to memory of 572	1960	mscorsvw.exe	41
PID 1960 wrote to memory of 572	1960	mscorsvw.exe	41
PID 1960 wrote to memory of 2804	1960	mscorsvw.exe	42
PID 1960 wrote to memory of 2804	1960	mscorsvw.exe	42
PID 1960 wrote to memory of 2804	1960	mscorsvw.exe	42
PID 1960 wrote to memory of 2804	1960	mscorsvw.exe	42
PID 1960 wrote to memory of 752	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 752	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 752	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 752	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 1576	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 1576	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 1576	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 1576	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 3052	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 3052	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 3052	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 3052	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 1080	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 1080	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 1080	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 1080	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 1592	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 1592	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 1592	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 1592	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 2600	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 2600	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 2600	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 2600	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 556	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 556	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 556	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 556	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 2300	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 2300	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 2300	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 2300	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 1340	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 1340	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 1340	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 1340	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 1064	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 1064	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 1064	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 1064	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 1740	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 1740	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 1740	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 1740	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 1828	1960	mscorsvw.exe	59
PID 1960 wrote to memory of 1828	1960	mscorsvw.exe	59
PID 1960 wrote to memory of 1828	1960	mscorsvw.exe	59
PID 1960 wrote to memory of 1828	1960	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe
"C:\Users\Admin\AppData\Local\Temp\4b8f228bb879f35ee342e149ddea3fba7d8ab2910b6d57db66a837ec7da6b55f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2356

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 1ec -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1dc -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1ec -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 268 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 1ec -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 28c -NGENProcess 1ec -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 298 -NGENProcess 1ec -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2220

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1364

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2204

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:240

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
7ce51278270bc5229d7970486f65f084

SHA1
36e6433ad21cae97ab211c5ec49e4af6a3e57dc1

SHA256
d4d3b75f72a3fbb7feeabe7f05e97e04eb2b9e6628c95c001324fe994e777dc9

SHA512
d1b5be9215b3db5d422fb0c2b72aec0f7053110bdb710f2d0e06d332e39576336045d9e7b79f16508fb4b3222270504e9c91d5413e6fc95a9a4c8a30f73db234

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5ce2a2cf96c65aad388f7795aba77e0a

SHA1
1bfb63230a034b4c97af02bd5113810e19198784

SHA256
6c32ddd2a6b8dd78d506475df9b159f1f518fcebc2ee32d7f9f1aff304186d49

SHA512
16e1b80db890183cf2b101a4f9c18030bc0d33d66542fdf8f58e1fea44e0da554c287c12d0ba9c6d139bbfe2c30f0b1bfe76814cb5e2d4124a31430903cc5eef

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dad073cd7931f30965fe0b9d39a60360

SHA1
6794fc81eb8fe79cfc6dd693877d08ada887662b

SHA256
bf5d2e4c458c71d915e8b828c1d1c1eac19a5be3ba7e5c0f14ba7fa5d91d99cd

SHA512
e608c3d6d0765ccd2d98d419978e34eadd3469dd7c7db7508abdc56b41a289f89a07f302544b27bae36ad48df457c8cd9bc5cf605a39686a56a9918564b2acb9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b8501ee27136b5d15b74f8a087c0c762

SHA1
ae0097b3bbecb2098ae329010425fbf494961505

SHA256
c210381ca580f16624b067926b4537f532d3a50c9d667e838428a8b7ca696044

SHA512
2a88c839ac83e905a5a148877d103cb9f7959b28a26e01e804cc3eace58f850e1ec15c2ee8d7193d1e5a345e4c9eb96fa27e5f4efab9ee2b5eb04f42310ed659

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8f3ee2eaba3f77d04168a18c5a9acc9d

SHA1
34cf2a6ac6f1b689539b3e9caff19258820fa99c

SHA256
304c6a5178c98551e9c720c19b9c30ba2149f6ee9011a6a7efc592b2e81e80bd

SHA512
b575ca2319ad0d5344704c232575498dcaad4202da01034272d5af1efb8adb39f4bee36c67738628a1cd2a5a8b65c849f998f4e3691165c58995881c950e6fdb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
af284acd0814ecfe36488316f292a5b5

SHA1
99649945ff5bace3d86fac0b028df6377acf62f9

SHA256
cf194cbd150a398943ac295dced75c7f100e2313dbf7aae453d26238ef623698

SHA512
2ad6dc9d86ecd527cfb6d37ee02186c7449635d292ec0de91be6d7c32cdbe9dfc0f2096c389f24134c3159633816523cc5748f49d6d34544d7b49202058eb06e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8321670107a0f86600711c5386a2401d

SHA1
11d651e8c1db7a113d9b1af82514154b5cb6df87

SHA256
599b50f9c6cc00a309d2c8f39a5f8e02f8edf275690a4ffd960e376f0e5fd231

SHA512
6e5cd532f553082de79faa30e76ed8b901ce6fdd03266e65fa1eaa0685f1333205c8e13290617bc7d22a14b45a6a2da6be4020611151557cd79178b05b92e91e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
2921f6d5bc30ffe62ed57300fcf3eaf9

SHA1
27a3e8d58878861a63f3deeef2ea8ac550d6f28b

SHA256
25d2d3921e1245893eb3b812673556cbd25c348ff5593bb1b3096acfa47242af

SHA512
eeec70cf71b69f26b85edd17be6b53fa55ea918e6f546b1b826e0e4d2499a266950cd78343b4491f9c0417fc82fb47e773edad96c5db6c0030d8e168c8d2bbb9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f679cc2a29719d1994bcc208716b8ee8

SHA1
cb419a45f0612afd326976034daaddc8b273bc91

SHA256
b484e67863aec24dfd04d876a1d48da81c98c75ed4ff2da5f9982e57869f07d6

SHA512
14cfdb3f1d5fb66400ebb907a02a9de2665ffb8f7d1c62cbecf17ba950203b1cd1e3ae30520de523d11873755662423ec5946270285623502c8130159bacf5ba

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
6a8a6f34834d46ae42f5024edb23ce0a

SHA1
ef10f349046f2a0f98ddfc368365d8caf3af99f8

SHA256
7f9afed0d4671ba87cb06f1a1e8d19f869a1f5d22a363c474ff9306eb6938b8c

SHA512
7b45f3d4145a341299cd4652a4a989085a490030c14c079ddc98344a1918fa2152fe432017110ea1e4a3c3539fdc6522be868c592cf2ed7f4fc27f1b398dc366

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7474aebabf7cd0c0a26e66513ebeece7

SHA1
5cdc2408ff1321da3fbbd32cd28df3be66f9d448

SHA256
7843b2432c6f7e7e259b83eec6c89fddb0d86489adad22a8be9f5c00533e326e

SHA512
cdbaff28d15c2a79f033579da1a34ace03fc29a7627c65c8261533188692f180e0a18f85f38860c8092fa03938039d7bebbcfd797fee4ccad030be4726aea7fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bbaf3f798ca954b4b02d33f37b07fa25

SHA1
35a054c4baee2efcd39329a50d23c3be349b6bc9

SHA256
7802c8f52256bd31589697df26132dab9f7775fae27fa09555bbd211bc00664f

SHA512
9a9af4e3139b42df7d5a06591cf8a89296b42683d6180b9ffc00073e8dc2fa98d6a06ed9f7287a5f32c482ac8714ce93e037e2987a1a07896967280751c4d347

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
05a9ea7c807a7e0cd662b03e5580634b

SHA1
452ae5abab394e282baf9b37967f397088420bc8

SHA256
9f7c3ee9282648b1345ddbdac12d444afaecbff359129c213b6b41e550d37755

SHA512
01a14bae489f7ea0abb09135a923c517147dc35c8895b309fcbb8df2790b7e1ccbb4c43e51b8496b53175428d57d834ae3f859ada521ebc020e473dc21f539b8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
52040ef0005e8cf74d9fdaa12f4bf022

SHA1
71cf2b556e3115d7b11af17245898a70574f0f01

SHA256
82c27dd142f9c12757c556474c8ed00ad43f55987b02fd96eaf6fe02fbae3fff

SHA512
cd0a2412c8814acb03fc5799806cf8c95b63c60dbcdb1e6aac48c3ce66411801bb282626b28bcbe0ab101b96cd897689bed76d07011cc3e6d963b626cc1bc31a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3e87a431201d4365ce9dd5554a5fd52a

SHA1
6510d0b5e99f690180bc77f273195f3ae768590a

SHA256
7318ba856c942a7e63820787655846904b109aa06ef3889d69d44b4aa0466dac

SHA512
71f7d4d3a3f8f34c2521c35ea813d8fb65080ede976b00fd0213e939604e40e74ad1c3b8bc68f259aedbb7eb0e5103ea1edd7956b3996b036737c17bd56ed45f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
edaa16aee556e70f41f1dc12fb136d8a

SHA1
6f2964e457a612377acf3551d713f4be09518a40

SHA256
deaa6edd70b465b33f667d2eaf62b8e560f19cb880386382e932cacb4746c425

SHA512
4400ac21e8fef91f1fa1de5b305b73a32a1d6cd6d5ade89909d4bbe93f450ff9d9b9973990c7d98dfe29c5c626403f94690405dec69142784657c0294120baae

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
e4acade67d83016009a3597d75293241

SHA1
50e9527caf3bf60e08579f9d8cc465f219ccfd09

SHA256
26571210b35d23bb4b1399eda4ab5a3168abc93a73255b0c8a6ac80d23d3a214

SHA512
bc365b595bc37483aa98a462fc543cf583e2c2735681531c99490ad928b58fdd316b584e42f9809bbe1c04506dd95ec5db1b10c481ee1d03dd1bb5019c18f954

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
3572b987c8cfe6c77d270a6a9e53180b

SHA1
b95fc8deacd46731e0730eb8201b1015e6dda1ee

SHA256
e8766c48bb9a27062a92b8d350177cd2445d67efabebc319581db1807f79a6eb

SHA512
4fc4d5acc66cdc8353743f44168efe31ce2d58af57cb70b80b8614ae4a6a3dadf590f79c69666de4f77152591d6fe8dfdb7dccd23fe0cfad48e24c76724369c2

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
91b981b10006c8f9479bd6029727ca96

SHA1
ab9270e98a25fb5f54b9e1d559bc6c6243832da2

SHA256
cee51817969467135660609214ae641dc100ee55ff6102cbdb95991de13b3643

SHA512
4a860935503b18afe962c9ea41f86bbe45cd4bfadc6a2e65efaad12cf2534c5e4b85432a53f699b39a1d980dd37b27d482b21d2549f5b4ab6da59f03434ef02d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
981d11cefe8174d08bf89ef0b32e2152

SHA1
77eab12aee2a0a90a6b8ae6f3be432a615b54bf6

SHA256
14f851919cc83ff4d98eb003435039a6af233a34861376eaa0c6f0ad471f4260

SHA512
609292281bc7723092878def8b37865ecbbf821476117da4218421e9efe8c2d52ce16745c14a5f4c5a8b7b306a94120736f2ee936eaf4f648e7926fa63f10243

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
21067f62c055064f943f0af81c604633

SHA1
b2d66575296bbb16c135e64a9bc3789e66eca450

SHA256
33ce9f2f9f6b30a3cf1c85694c826ed1c361ea7dd93e0ee53c78d451a77014c8

SHA512
4fd7c3cfc3ac093283c43ddfe2f0ef571e830afc7fc3bae5e9023c6dfb5d22f6028f3bf983ad2a240c09a0b4245e980d9b811923669208e2da686324bd188923

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6d296b927fb51a77ef8914d2b66329ed

SHA1
9b1c11dd7c96c3aab10e5c32059ec556806d2437

SHA256
4d9155f510639e8da6e64f1fa84243f1011e31db90ab340507cda24507043093

SHA512
336221bc9857239e42191dfbf8c5f95f301ab3eca78acc0bbe8fd684cb069c55302de6782227aeb9ffca7220316d027f9f4da293c38ca676b26584e17fdaa874

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
039ac81315db8c0ecedeeeeb6cb46ee6

SHA1
6b1cf5c8f29e58389b87a4727bf290997c298a71

SHA256
fdfb0c31917e27d315f04227534b3888d23e49969882ece0c07a48ef5352d845

SHA512
e2a44519510913113eef5b513ea447115d25c3525b393345699e984fe59a812f185ce64074d791abc86fda38872e5e00b86d0c640ff027b8e50038f955508f08

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
f17e8e708d96e068d6e15e1f2486e04e

SHA1
93362cabc8746b0c8a1e8808216867d8242b25ff

SHA256
04d3334593a9cc9ee4d5ace9952173b578c257133a529a1d7578a1d74b56a01a

SHA512
9f4eb8041a581f72045d8ac8ca4edb6d8ce53bfaacd4c17ea36b498e836ac87a812aca3638c05f1465ca060ab4b1fd7ea973629f6d5e5e3be4e3c90feea362c6

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
83ab38f04b4824a606dd293e1b759062

SHA1
3f5f3afe06c1a2bf90ec4801315c0cb0130b2bdb

SHA256
6fd644a24e6c54d41c4753905739f571cc60739e0460f305005e388e0800e5a6

SHA512
718a5357dd05b1398f5e8dc1f16f8a3729323cfccc0993249f4cff553b8a61b3eaab6d52f175f4e55758ef647ae0766ce22f978b765d3df5a2682c8c5bb36133

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
70c9d2e3566edc6eb5fe72eb83b4c380

SHA1
4ad551e8bc49fe31a07cc7b2e63d691573e962a8

SHA256
628d30a92fd0a20d8ea6268c56eed1e6d9df96c9af458028315ecae612a82cf3

SHA512
45d8995b92eac56a434488fc0be9003a0b98381cbd5caf50215b8379c7e340179e44611f49858f6e172a1ea1ab9f4433beb1a35207b9cbfd61c3726eb0fca3dc

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5573d82f35a66c47cb594de8ed1f194c

SHA1
8425d3f6e6c156a2c9610ce17b1d17078d25f62e

SHA256
a71f71a2519421b399aa4e7e1f0041b76611ea7c6352e1e40fda018f391cc0ca

SHA512
10bf8b681f449e979ec3a0e8d29671587699da8c6f422d34902325ccc1f9bdec66ecc44a489e00f89edd6eb8c998af5949d9b6ca957d7199ecf664722faefabc

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fc6a0ff1327b5f0f8ea1057112ecfd5b

SHA1
10bd9c6eb2fd1057ca2199335ad629addd5ef914

SHA256
84e32e27561b78289139cd6c3a1ba10d77b78e30ce66cf13fbeb743f93e164da

SHA512
2475bdd606ea6cd2ebef4702edb418047e0c43803c58aabb9c8416f59fa4a7ecefc42fcf797ab46895ad99231ef434a7b774368b0082573ea3c22edb5fd25e68

Download Submit
memory/572-323-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/572-343-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/572-335-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/572-320-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/572-344-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/620-292-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/620-379-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/620-294-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/620-332-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/620-356-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/620-345-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/620-290-0x000007FEF4120000-0x000007FEF4ABD000-memory.dmp

Filesize
9.6MB

Download
memory/620-216-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/752-350-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/752-362-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/752-357-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/752-376-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/752-375-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-322-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1104-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1104-211-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1576-371-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1576-365-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1576-377-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-141-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/1960-136-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/1960-135-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1960-209-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2040-196-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2040-299-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2040-315-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2040-188-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2040-187-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2044-310-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2044-293-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2044-172-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2044-190-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2044-171-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2044-183-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2044-184-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2044-179-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2332-157-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2332-151-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2332-150-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2332-217-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2356-97-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2356-98-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2356-104-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2356-133-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2420-327-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-311-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-307-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/2420-326-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2420-302-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2556-92-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2556-85-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2556-170-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2556-80-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2676-122-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2676-163-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2676-114-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2676-115-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2804-346-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-360-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-337-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2804-361-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2804-339-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2888-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2888-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2888-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2888-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2908-215-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2908-330-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3052-388-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/3052-383-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3060-159-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/3060-29-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download