022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
Size

1.2MB
MD5

373765e3fcdf4ce254d91c713a450e0a
SHA1

32b053dd57c90703aab39d76a89e636ece1974d2
SHA256

022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d
SHA512

279445b461f14f998d1b01b010ce6ce5a2d6de5d084f02151e5cf10b305cf3b504f7032e7da42dbaa52dad006d5227c65f279b782db153b6fbd0d48a1ac3a836
SSDEEP

24576:LyhYW6oivxbvbVSLKCdFB2YuEWB/3wgQZlbX7bHsMQ4/O6yMLprOInyT/Swl8Mi9:L8YlbvbaNFwYG93wgwXvYMLprznyDSgo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 33 IoCs

pid	Process
480	Process not Found
2608	alg.exe
2536	aspnet_state.exe
2432	mscorsvw.exe
2940	mscorsvw.exe
2820	mscorsvw.exe
1488	mscorsvw.exe
652	dllhost.exe
1260	ehRecvr.exe
1652	ehsched.exe
2256	mscorsvw.exe
952	elevation_service.exe
2052	IEEtwCollector.exe
564	GROOVE.EXE
1640	maintenanceservice.exe
2504	mscorsvw.exe
2584	msdtc.exe
2900	msiexec.exe
1672	mscorsvw.exe
2480	OSE.EXE
1176	OSPPSVC.EXE
1540	perfhost.exe
1696	locator.exe
2540	mscorsvw.exe
2700	snmptrap.exe
1556	vds.exe
2460	vssvc.exe
676	wbengine.exe
1548	mscorsvw.exe
2256	WmiApSrv.exe
1768	wmpnetwk.exe
1500	SearchIndexer.exe
1476	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2900	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
764	Process not Found

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4f19684aad3ae89.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06565D63-9E23-447A-AB48-72B6D451BCA6}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06565D63-9E23-447A-AB48-72B6D451BCA6}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{7BFE1DE8-670A-4F2C-8DE3-47978822B995}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{7BFE1DE8-670A-4F2C-8DE3-47978822B995}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2296	ehRec.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1888	022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
Token: SeTakeOwnershipPrivilege	2536	aspnet_state.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	2820	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: 33	1068	EhTray.exe
Token: SeIncBasePriorityPrivilege	1068	EhTray.exe
Token: SeDebugPrivilege	2296	ehRec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeSecurityPrivilege	2900	msiexec.exe
Token: 33	1068	EhTray.exe
Token: SeIncBasePriorityPrivilege	1068	EhTray.exe
Token: SeBackupPrivilege	676	wbengine.exe
Token: SeRestorePrivilege	676	wbengine.exe
Token: SeSecurityPrivilege	676	wbengine.exe
Token: SeBackupPrivilege	2460	vssvc.exe
Token: SeRestorePrivilege	2460	vssvc.exe
Token: SeAuditPrivilege	2460	vssvc.exe
Token: SeManageVolumePrivilege	1500	SearchIndexer.exe
Token: 33	1500	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1500	SearchIndexer.exe
Token: 33	1768	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1768	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1068	EhTray.exe
1068	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1068	EhTray.exe
1068	EhTray.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2256	2820	mscorsvw.exe	37
PID 2820 wrote to memory of 2256	2820	mscorsvw.exe	37
PID 2820 wrote to memory of 2256	2820	mscorsvw.exe	37
PID 2820 wrote to memory of 2256	2820	mscorsvw.exe	37
PID 2820 wrote to memory of 2504	2820	mscorsvw.exe	45
PID 2820 wrote to memory of 2504	2820	mscorsvw.exe	45
PID 2820 wrote to memory of 2504	2820	mscorsvw.exe	45
PID 2820 wrote to memory of 2504	2820	mscorsvw.exe	45
PID 2820 wrote to memory of 1672	2820	mscorsvw.exe	47
PID 2820 wrote to memory of 1672	2820	mscorsvw.exe	47
PID 2820 wrote to memory of 1672	2820	mscorsvw.exe	47
PID 2820 wrote to memory of 1672	2820	mscorsvw.exe	47
PID 2820 wrote to memory of 2540	2820	mscorsvw.exe	54
PID 2820 wrote to memory of 2540	2820	mscorsvw.exe	54
PID 2820 wrote to memory of 2540	2820	mscorsvw.exe	54
PID 2820 wrote to memory of 2540	2820	mscorsvw.exe	54
PID 2820 wrote to memory of 1548	2820	mscorsvw.exe	60
PID 2820 wrote to memory of 1548	2820	mscorsvw.exe	60
PID 2820 wrote to memory of 1548	2820	mscorsvw.exe	60
PID 2820 wrote to memory of 1548	2820	mscorsvw.exe	60
PID 2820 wrote to memory of 1476	2820	mscorsvw.exe	63
PID 2820 wrote to memory of 1476	2820	mscorsvw.exe	63
PID 2820 wrote to memory of 1476	2820	mscorsvw.exe	63
PID 2820 wrote to memory of 1476	2820	mscorsvw.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe
"C:\Users\Admin\AppData\Local\Temp\022b2cdfc6f3069ec4f0a0d390cb93d8255aba191afcfe7caa9a4d29fe7d760d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2432

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1e4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1a8 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:652

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1260

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:952

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1068

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2052

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:564

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2480

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
bfcb11d3d46562eef098228e8bc23bda

SHA1
95a436eba21769419187e39d3e6bd27643f66314

SHA256
64a8ca929a48519681c247a5ea778c5eccd28236870d529035b613946bfabad0

SHA512
a0fab223076658f236e5a22286e03f830bd1737f226994d0a184bf3d3895e0e6394bc875fb11549aa54567111031445158f9d0e606e8ff84775dccbeb12d01c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a6f24d0f55e08be637881b4dee309aee

SHA1
c85bd5316e8ead0ca92e5861ac41b3fb4239fbf8

SHA256
51abbe0ad5584ff200ca6396b291eb68daf55399a0215292bae777b40671230a

SHA512
58b6a0a8253298169f32a932dc512eb2b065bfeabed83a409e09d663a45a0b53aa0ef9decc93e360dd06150d07c97f04baccee9cc878b2b424b5c66c87e3e6e2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
3f28d69b1decb5ef5807eb505ce3020a

SHA1
c60a3064609e8e2bbdfbf434a95c46f039652d52

SHA256
10d69a4a2fa4d956740e2915e152371fc7c899015b08e5a9f153e6a2ce600e0f

SHA512
899e30b675e223280d1ba5d47b3e3ee38fc86647c53819bd850c900583653a2265b8a5d05208fdd1f3ca55b462e9be1559fc93a180577edf832052fa95f3a86c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9d48f35f649e79c2ec45cbe8012a3771

SHA1
157c3685e98cafc1fea09a80e98bab6cb107f234

SHA256
14aa6f99bc3ba90668cefb5fab93f3d4308e9ac7572811401aa7831220eac4e3

SHA512
51900f082f1172631af040b83490982a7c9ed06d6428f46314a55c8abf54a7f87b9d56e1e3935b2e911bf7c2f17d55d567be5c7f32833da635f54a4f45328219

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
14f5f2c6d0ef0f184f1176527ce5b523

SHA1
5ac4c1ea35de719c1c54084f3b69868ac948d0d2

SHA256
545ae0c04de18fee2fde3112379c84f85dacb1db9bf73d8bc98f2ae7e40044d1

SHA512
f8049d1447f01b1cec1b07d0a224317cbc6952feea1d4f7c25958e1ba547c229ec9f774c7c9634a7f9b39ccd7420ecf145538b1d456b2a466eb557c5fdc5b047

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
8a9c9de04d44187d973e03429a6ccf55

SHA1
a65fd115e7a2761f5d0b4b2113314b5333991b9b

SHA256
b6dcc07e5013df36c7776fc3e300ad85fd4bf96155e7e59f457cb9b0aa413c98

SHA512
1a6d1577ddb70f5d643382bbe49461fa81864e505800ada8f12ad67622a857d10ea795d83aba6806723cdcdddd2152eda9d728e964048a2c1341e88e246be3f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
c6f515bd428aa962e6f6c3e9b4f4cef9

SHA1
172197e1bf53921f07a5555d513fa9dc8fe92c2b

SHA256
66d853cd56cafe97df10842165c517cf3c1e7751edf4ba16ad6e9d81ec10b739

SHA512
10fb3acfbaa4c6555806aa20a699c53e94e0c6b6d77d9f8c0d5267c02ebc9bc587d95fe5f5859d5f74c541a06435989ac3bb479d034bcb8b05186d2c0a6d214b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e610b97c0a4e7734faf3fdf35ac927c3

SHA1
8a57dc70f0c70ce6c4bde7be2978ecfac1e10688

SHA256
3b74457e7f5cbeac1184100a00982df9d0bbae71133e00b7c7a60ed95cffbd44

SHA512
7caf5ee6db78dc200e5cbe131bdf2dfb582aa9d70cb22bcf293480806919397cfda09929b410953f8f24ba6b8a1f903c69353724f39c46b621392a0089dc11cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
1b59acea469cc686c52a78960e4d7f49

SHA1
250b98c7b4afa520b81b79339c71c081e38ccd79

SHA256
764b23e1e30bc85b88201878882c4be09d0de497b6d1ba960a8717c4c5a59840

SHA512
9c009bd9dbb0b9ebb9e0c1f4502f1a202a1d9f9dd2c990fe0579f0f754f830222a33524a2a4fbaacb4e7d4432c7fdfdd385e5f127a514d07e2d89fcc6e7fbc91

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
4ea0eed8888e244fe16ffc018c949a65

SHA1
bb555a440792893957938a9f7b92ecdfeb2a990e

SHA256
092db516ed77d9b7e92218500454959c4d6630cb14d06d159673aa99485dfe68

SHA512
309d4a09abe6a44e34bbec64ddf96bd8be78a5a5d2230e38ba879c1a345377a8cf5d592ccb307daa37eab224bec18b4df0d622350b50aec1fed67150b533c008

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
f3d784624c7aa091465e1a5a89fffc55

SHA1
9939d03a003f487640b988239968ff8bf9863635

SHA256
3636e175c057f30b5226746f81e09ec2640747475baca6f92723384979bf9cc5

SHA512
2c35d20f16d0dd0db834a69fcb4b6f41c7cd7cf1a12bc0f3744a4d9f4341e41629f8eccbb43cb7ddd7ea0d84076ffc6e0e9b978a6dde5bcf0be3dfa1527a66a6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d50f8a0e971b71e9ee0c9a7f7735f96e

SHA1
e0946e6502001f2b6a2391703772bd4055050ffe

SHA256
e0a71103865f87604e9b8656135e202bb80a57349f0e8e6715d33c4c41c57a16

SHA512
46a1f60e75bf8a53892619018f031ee61e54dd13fe9ae4fad20ee6ec2b63c8660eaf1b5dab47693e1318bbd26c2ce5f8dda93b9a19151c87d0b867b566ba9f78

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
18525db7535cd55f6f330be207d3eee9

SHA1
7f4129cc154b19cbe55a7ebb22abb32dd6534b29

SHA256
4e0ab71a104da91ef5fa9eb27c888e937505ea1224201250ca002cdfe8936bdc

SHA512
066180c4078fc11c72bb409ab3fb8d4597c8526ddd459a31b08d6c28d591098a01792942c8a13c33968eaf06e46e4883acc6174f9f8e9de3163bfcae1037600d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
e8f9fcaea907b9eaebfe74656a7277b0

SHA1
d3cbac0036efbfe440c9725ae083ba64e4083081

SHA256
0d14472dca3af95d0ca25827f157c3fb1253d6ae9c81108c75e5388ada85ee28

SHA512
fd2475b3118d0ee14fc44b7ce0d42622a107d3d25dbc7611b19057fdd84a1e0ccf222126d4b325b2c97bd7a59291b37ff10bf3d42c2056705f8ca708f3839406

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
65a7a52b936af4cf6ee135dd00d3799f

SHA1
fc78808a6855630ec3a10d75f6fc5430d4643616

SHA256
0a33603bb0492a5b92d815fc319b7f2b50acdb3e4ad32281c5a321eba91e39f9

SHA512
a8bd58622439f54103992b2644e492be89a6b0dc4005ebef719c9e3bc00074582de54f54b58a02717ea98302e1b1bbb618a45a418c720a2c21641e9e67946a58

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
8b85933db8d0b0433054d781e2e52d2e

SHA1
a50b8df0b374d1be13e6ef1607e4e4970cb91193

SHA256
b89de4df13fa242418a1f64ce2925af7f47417e223854e2e49bf255409e09c49

SHA512
dd43beebd7bcfa25c99e0fe8a962ec49b7a297cb18a6fb5fe5843b5cbdf563e909314ff209a31709da87de5d46c773c192beb07639b43ef5a59a08e313cbc5d1

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
ceca81df8be567087dd2cebd65233df3

SHA1
3d0576e3ffd2c56ca78bdeee4c735b3054c0a74d

SHA256
bb5fdac926aed3d561e0c02e48bdaa6542ef4815f549fa20e2372ad85f5ba5b3

SHA512
7ff603c9795384601419098c1dc9ddbcfb341c50692d9a694e0e8ddc0af372b42e7b9d943eb07e339b6bf19240a671981689801c3899f271e3f4696f47865396

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
40198a0cf613a6a917a35e16c82aaeeb

SHA1
cd7067f15cf412a62551ed05e7216f2e167297f4

SHA256
56369888e80b6e0dd1c763a032681a82d4a97b3df10d0521aee5e222a143deef

SHA512
3df8259fbbcc57466a9140f93c8a0b284824a08f01faae0c65bcc770663fd7ecca3e237515f7721f30824c950a50cbc420006232dff0c1937668a71af35023e2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
3d4048df9444e45996aab1c40e1c8a57

SHA1
e5e3f58a491b99f8b300a133cf081e0708b30144

SHA256
065691ba011ad90c26b9d93223e445a7f5fda76ac02e873b7319d2152deb6fac

SHA512
f124c22f18ef3cb82e8fa187cfbb2ef7259cea3dc693c7e64ac1aa75526a16715618ebd6e0682dff40af36fbaed2d088590300312f25e23f8a9458c8ed1c711b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
26a04448022604014effd635b38944a8

SHA1
4a9badf779526e7b1c87d44390f86ff1b5aa35c3

SHA256
a765cdf8331c2befbe2c1dec8995e7c99be174550f5ca104b2088be4a225ac20

SHA512
d369603c5a78b775b50be286d4efc17339ddb27e16e374ea2e26dcae57c1afd79a646f98d5cfe55126c102f03b769017657cd5fcfb7508d9177367c8eaf2ec1b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
e2f37ce1cd3790ad3065b1ab3e3a5047

SHA1
26a6ce96d1b6a4d87ac7240eb38322203291a626

SHA256
a98c7d74a6c10bf5b6211e4f37ba1214a2cae2b3283ce31adb61ed251388c65c

SHA512
4dfe71b7c1fe9c133e51e17e63f714f80bb0137ae5ed4c8fbdde4598e56027b0f8b7fb89e15e402273f56c0f58ae373a7221ba68f2ddad2ff0d807c974e645d1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
e48abd265c1cfe44a1f98bf4ec9fad62

SHA1
88dbc97ea44da3a4166ef383635fd5655d7a1c8e

SHA256
baaa44009c62d82e17dfff74da0c1eabb1852142678dc2e40e4785aee71dd720

SHA512
9ab50e56da9d572a20d09ddb69c695f543d4dd84eabe37c087015f089157a27da8ab2133065dc43fbad41388f7c4f898afb93442bdfc548405fe697e9cc23ea4

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
b0d12679cb863643970ca95818f2b235

SHA1
43293949d68a036bdd48052a52c0ff9cbff9486d

SHA256
13e01578ffcbbc76d37c1f9d4deb27eb9173990b98abd00c33831798562babb1

SHA512
160d992b677864f487670428bf58ec46d8716f32027252e8f69956cafa8aa0b9b63a33c862889956d750243e7b8f944684208b3d0e5fc2d2d2f56fcdd39c48ed

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
69b7c30b9d9a93b95621f11402514dd4

SHA1
33f41bf17017d19492abc3ff047726880db4ec1b

SHA256
e62752e43de7fbf5ee39c9cd5c5e1d514f21d955a67d16cbef37ef6afc55b11a

SHA512
97ff80a9085a1d80fa35a75978363b78cadf1384971b9410d6a49163b2165118e984b5a52c4bd2695d6a957a8240cf2c5f64712d05b630542e63addd14523330

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
e45d8d80221e04e43cd38410bd14e879

SHA1
85595b2d27e42cd19b2788c591e30c8371282d0e

SHA256
b9a2aefb318dee817f50b09da8ecd178f406d6d37eda696bbaa404667bb52b91

SHA512
7798afd1e29118dcc52b7c4bb04bccc1d591065039aa92dc8fb74b51c037642623adb091c65351d15280aa5c08645e247f5cc5e92689bf10cbf7964d7d654909

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
168cf49983b65c8d526969a695b44526

SHA1
d763264abcf21aee938eee3a26d73bc0531882ad

SHA256
d4733d232c4754f10f88ce3ce09ff4833117b01920b98913c63707eed6cfca21

SHA512
750f82eb7bd75e0a3c4d08c07edc950fcd206f6a9a9a9cbdf4609e592bcec585ad9edd0753c59d7384d09edea7909e7660ce6b7d0a33ec0d0a78e9c0895bfd00

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3dbc16ba6a978e90222bb9dc1f747b58

SHA1
5f9131bf4ea665661f16aac218451173878e3333

SHA256
ce2e42f9f4120e8daca62835de6fcad85058efefbb24550d3a16d96d3a85917c

SHA512
924c83f11a12e2f74cf5a0050dcd6fd602896e9c77c72f8ccdc8c04e542f362a526f0fc2812b3d9ea931d587a739a36b3f58b947a415b90831d6fe6391e433cd

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
eb64f17dae090e7dcc680e814e792b6a

SHA1
397ab8134400fc69d6b600a83071dbe38ba24897

SHA256
e3ac55febf1d521dbb7b7edb9f84c01fe6eb0fd92b0b4899ee563c46abfdca71

SHA512
7d1e953954c043afc75eac36014778a9c64734ad70973acbd826d84c94425933cdcb977b26e1442db59425a489190b8e7c15d3097b73c2c0c268aabacdeb7f00

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
7981714e3e52e35c2a7df61bca2b92e3

SHA1
96a116ba5a525d9d82b82ee24547dd196f8729d9

SHA256
0e38552e165ee9d3d87e0ac4f16f0c2e550c60e1eb1f3dcea8202ac3e96f9b39

SHA512
9cbac2ebd715390b72320f6ac73de0b04904e93e49324ff46a71857cc54e8dc3100de4d65a0774d0f58543ee67d21d0853770e48d6cd76dbfb7f446f5c1f1f0d

Download Submit
memory/564-189-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/564-205-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/652-176-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/652-108-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/652-113-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/652-104-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/952-263-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/952-172-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/952-170-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1260-120-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1260-122-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-128-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1260-133-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1260-210-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-225-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1488-82-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1488-159-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1488-81-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1488-92-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1640-221-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1640-224-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1640-206-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1640-204-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1652-146-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1652-137-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1652-236-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1672-247-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/1672-258-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/1672-244-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1888-0-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/1888-1-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/1888-91-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/1888-71-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/1888-7-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2052-188-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2256-161-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2256-229-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2256-230-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-187-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-151-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2296-271-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/2296-265-0x000007FEF4230000-0x000007FEF4BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-273-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/2296-272-0x000007FEF4230000-0x000007FEF4BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-200-0x000007FEF4230000-0x000007FEF4BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-201-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/2296-203-0x000007FEF4230000-0x000007FEF4BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-30-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2432-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2432-119-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2432-36-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2480-260-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2480-267-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2504-253-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-212-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2504-254-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2504-228-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2504-238-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2536-106-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2536-18-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2536-24-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2584-216-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2608-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2608-94-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2820-70-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/2820-64-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2820-65-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/2820-144-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-242-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2900-251-0x0000000000460000-0x0000000000512000-memory.dmp

Filesize
712KB

Download
memory/2940-46-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2940-47-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2940-54-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2940-99-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download