d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
Size

1.8MB
MD5

471796b4ee15fb7152572a9f4cd69f59
SHA1

45c2cadf4dbd5b718a0d1b25bbecd784c6a08ce3
SHA256

d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514
SHA512

5522ae4f32d69df6a0a701ada4f0156160f6608f0ce5aeabaf3c015d7c2f15d22b404af13ff15594a5f305db5cb5edca00a17577a2d7d0e8bbd27e08b2033ccf
SSDEEP

49152:oKBOf2xGs+kgqlSTTLS5KmlwqaEfLNiXicJFFRGNzj3:oKYwnCuPlwqa27wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 58 IoCs

pid	Process
472	Process not Found
2660	alg.exe
2516	aspnet_state.exe
1768	mscorsvw.exe
1772	mscorsvw.exe
2744	mscorsvw.exe
1608	mscorsvw.exe
2088	dllhost.exe
2300	ehsched.exe
3068	elevation_service.exe
3056	IEEtwCollector.exe
2648	GROOVE.EXE
2544	mscorsvw.exe
2592	maintenanceservice.exe
1200	msdtc.exe
2000	msiexec.exe
1972	OSE.EXE
2248	OSPPSVC.EXE
992	perfhost.exe
576	mscorsvw.exe
1712	locator.exe
2968	snmptrap.exe
1272	vds.exe
1528	vssvc.exe
1612	wbengine.exe
2396	WmiApSrv.exe
560	wmpnetwk.exe
2636	SearchIndexer.exe
1492	mscorsvw.exe
2568	mscorsvw.exe
556	mscorsvw.exe
2780	mscorsvw.exe
288	mscorsvw.exe
2132	mscorsvw.exe
2584	mscorsvw.exe
1084	mscorsvw.exe
2600	mscorsvw.exe
3036	mscorsvw.exe
1880	mscorsvw.exe
1016	mscorsvw.exe
1796	mscorsvw.exe
2792	mscorsvw.exe
3008	mscorsvw.exe
1720	mscorsvw.exe
2748	mscorsvw.exe
2948	mscorsvw.exe
320	mscorsvw.exe
1876	mscorsvw.exe
1820	mscorsvw.exe
1448	mscorsvw.exe
2988	mscorsvw.exe
392	mscorsvw.exe
276	mscorsvw.exe
2848	mscorsvw.exe
2072	mscorsvw.exe
1752	mscorsvw.exe
1756	mscorsvw.exe
2436	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2000	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
752	Process not Found
1752	mscorsvw.exe
1752	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d4166da999022096.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_en-GB.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_pt-PT.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_sv.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\GoogleCrashHandler.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\GoogleUpdateOnDemand.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_cs.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_hi.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_vi.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_mr.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FB9.tmp\goopdateres_sl.dll	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe

Drops file in Windows directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{53B84F27-2D93-4245-AED7-585DB351290A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{53B84F27-2D93-4245-AED7-585DB351290A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP647D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{089EAB55-53CC-436E-8A32-2A7D94D998C0}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{089EAB55-53CC-436E-8A32-2A7D94D998C0}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2516	aspnet_state.exe
2516	aspnet_state.exe
2516	aspnet_state.exe
2516	aspnet_state.exe
2516	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2600	d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2516	aspnet_state.exe
Token: 33	2284	EhTray.exe
Token: SeIncBasePriorityPrivilege	2284	EhTray.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: 33	2284	EhTray.exe
Token: SeIncBasePriorityPrivilege	2284	EhTray.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeSecurityPrivilege	2000	msiexec.exe
Token: SeBackupPrivilege	1612	wbengine.exe
Token: SeRestorePrivilege	1612	wbengine.exe
Token: SeSecurityPrivilege	1612	wbengine.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe
Token: SeManageVolumePrivilege	2636	SearchIndexer.exe
Token: 33	560	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	560	wmpnetwk.exe
Token: 33	2636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2636	SearchIndexer.exe
Token: SeDebugPrivilege	2516	aspnet_state.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeDebugPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2284	EhTray.exe
2284	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2284	EhTray.exe
2284	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2828	SearchProtocolHost.exe
2828	SearchProtocolHost.exe
2828	SearchProtocolHost.exe
2828	SearchProtocolHost.exe
2828	SearchProtocolHost.exe
2828	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2544	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 2544	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 2544	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 2544	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 576	2744	mscorsvw.exe	48
PID 2744 wrote to memory of 576	2744	mscorsvw.exe	48
PID 2744 wrote to memory of 576	2744	mscorsvw.exe	48
PID 2744 wrote to memory of 576	2744	mscorsvw.exe	48
PID 2636 wrote to memory of 2376	2636	SearchIndexer.exe	58
PID 2636 wrote to memory of 2376	2636	SearchIndexer.exe	58
PID 2636 wrote to memory of 2376	2636	SearchIndexer.exe	58
PID 2744 wrote to memory of 1492	2744	mscorsvw.exe	59
PID 2744 wrote to memory of 1492	2744	mscorsvw.exe	59
PID 2744 wrote to memory of 1492	2744	mscorsvw.exe	59
PID 2744 wrote to memory of 1492	2744	mscorsvw.exe	59
PID 2636 wrote to memory of 2728	2636	SearchIndexer.exe	60
PID 2636 wrote to memory of 2728	2636	SearchIndexer.exe	60
PID 2636 wrote to memory of 2728	2636	SearchIndexer.exe	60
PID 2744 wrote to memory of 2568	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 2568	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 2568	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 2568	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 556	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 556	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 556	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 556	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 2780	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 2780	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 2780	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 2780	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 288	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 288	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 288	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 288	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 2132	2744	mscorsvw.exe	65
PID 2744 wrote to memory of 2132	2744	mscorsvw.exe	65
PID 2744 wrote to memory of 2132	2744	mscorsvw.exe	65
PID 2744 wrote to memory of 2132	2744	mscorsvw.exe	65
PID 2636 wrote to memory of 2828	2636	SearchIndexer.exe	68
PID 2636 wrote to memory of 2828	2636	SearchIndexer.exe	68
PID 2636 wrote to memory of 2828	2636	SearchIndexer.exe	68
PID 2744 wrote to memory of 2584	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 2584	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 2584	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 2584	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 1084	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 1084	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 1084	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 1084	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 2600	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 2600	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 2600	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 2600	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 3036	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 3036	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 3036	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 3036	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 1880	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 1880	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 1880	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 1880	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 1016	2744	mscorsvw.exe	73
PID 2744 wrote to memory of 1016	2744	mscorsvw.exe	73
PID 2744 wrote to memory of 1016	2744	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe
"C:\Users\Admin\AppData\Local\Temp\d77bc398ad1cef71d62ecb4d38b797e52a3fc2dc764719b3e262d497747eb514.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 254 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 278 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 270 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 278 -NGENProcess 284 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 240 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 298 -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 2a8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2b8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 288 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 1c4 -NGENProcess 2b8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2d8 -NGENProcess 280 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c4 -NGENProcess 2c8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2088

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
PID:2236

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3056

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1972

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2248

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3513876443-2771975297-1923446376-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3513876443-2771975297-1923446376-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2728
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
81cd89a5de5e982c727944a6f0374ca9

SHA1
0adf2336001e2f6eba0d6c9e7c4e72d674acf2b5

SHA256
fca521478ff017fa54976f83dc574729e461c67cce6c5f776e5d5d5214d4a1e7

SHA512
d4f9bb29af3c34a619ad8f1442ae5a22d9a737e83ebd5c27b653be346d009597f93bdac8ec1525f7d4d4ea787ce5a69b74323de41b50d1f57cf6680f52ccedf3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
1e21156005ceb51da07d5c9abce33c90

SHA1
39690b7e7648acb44b078f73dc2cd1475241f08f

SHA256
701dea00516838bdb437efca50b6f5304bafc86575008274f1750f8e11eeb374

SHA512
342c3abcb5fb458ce2dcaa94150fe769e6e87980f5ced2f3b7fafb1b2107ff315ebce8501fd5cd6795129123839fbfd4d8bb8230bec6201d0fa8fe954457c29b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
280b260081107540b20498b3ee8e7455

SHA1
7b1cf3155a1af9584fcd020beed85d200149abae

SHA256
6a2abf118b2dfff3a1f6ca7dba6661cd19510441c364b60f8b5a71ebdad89d69

SHA512
7ab67550bf0b1f774ac74ef3578eb2bece8e6f36c87cb6d5b6b19f911dddfbbe4744d70025d997e03f1e607c1be4a713cf7117e221fba96fce345e239f3079e9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
13c5b0f10fbbe15aa0463068c5bd18ee

SHA1
eabe1404d6c98a65bb2f1c2c09fdcb6cf79aa9eb

SHA256
202081a58d20485e1e784433f54af365c18367a33dd41ab291fed060cd0102a4

SHA512
5ccc28195fd92ab961b46f5676993d781fd9a248094d7f798ef572ff523103091954d969beaf543b30b542935702d7cf9623be4266972104b46519d9c3e29fd3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c5a8a06a099fa63d3c051177e20e0b34

SHA1
0fc84de2221ffc28ba410687c0108e73e5a5f4bc

SHA256
71154e840675b2706c6bdbbebabc7e450cb5bdba3f2051b15e507fe117b63147

SHA512
31043208993e3e76a1ccd575f069b877d335d7c7a8b29a91ee5a9defa2b3b897f378d6ccd23d0f62941c801d2542404704414b642ab625062700d6eed1171797

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
caeb5583ac303f9aebe49a1cc3131526

SHA1
b51afdfaecd6be22472a70b9dcd8641c381b2e28

SHA256
7690f56882e6644c9f345309c43e99c1c9fba8c9e7395fc3662f6d62163f95ae

SHA512
46e9cbf4587edd53453f70f9491cf92fc532fa79064f3d6d6e73048ebb39882366139f0c9de8d9c2d7a2cf38a8020b109b9f2e3c96cf843d9b9ebeec2649d771

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
bdfab8d50e977c80a0d50a6ab5963188

SHA1
721336367cf334ae38039d0898a794b71690c366

SHA256
1000a4f102d9a11eaf52791eda9e000716624063398772a94e99029cd1c084ef

SHA512
b71e8fdbc799822072753d8693b19ce30df339b008811e48ac3024319a74f7665cf1e9a818cbc50a446a1fc4e44c31d23064118b206a8bf8fe3e6ec3e58a2043

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7a2e7ddd3367adf99b1a0b71498ed345

SHA1
964d7959c5c7c600c63b5d6e170058009a030414

SHA256
eabad23229e53193e40eb15737e603326c0d667d9230189af5d433a6b0887343

SHA512
70d7f7342758b4de46eb961d75f73cca816103b5bc16254f9095043f20bb7b3fe8d87bb9e93b71994bfa7de21cb1c41b9cac69fd66195d8d9da78f8b125e812a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7a2e7ddd3367adf99b1a0b71498ed345

SHA1
964d7959c5c7c600c63b5d6e170058009a030414

SHA256
eabad23229e53193e40eb15737e603326c0d667d9230189af5d433a6b0887343

SHA512
70d7f7342758b4de46eb961d75f73cca816103b5bc16254f9095043f20bb7b3fe8d87bb9e93b71994bfa7de21cb1c41b9cac69fd66195d8d9da78f8b125e812a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
bbb68252e7a00c5e261763e556f53cd2

SHA1
a99a9853ffbdce78225f2c90615f23edb3c13cdd

SHA256
d641ec1bbd22e8acc96b08c8c9e54ea5dc3c255c35b1845eead48a8541426768

SHA512
2aa906f23fa62ef830bc86a54a9bf2bba87ea31fe9181a98d90a18b20e72ab06d49045141d916776e95349edb80ce6f5b1b54cacd138c7072c9b5b7ac16382ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e8470429863a220c0b5ae27984523f9b

SHA1
c5b8657e1ffa62a15cae7b743a412ce78c91ac90

SHA256
ee640f56afccf067678286db8e4fe3c93e47b7cdadb16cbd1dbd5a5681ee513f

SHA512
5c7dace89c10a9eaa7579495564c295ac2f5b598a4f239ac093d12650b2c54a31a4ed07cd1724e6f31ddf8a5fe8d08a6f8577d785fafdc8eab06b37d675745c2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1b973ad0aa0826f093e3516f991f1182

SHA1
975c2e814ab44a4da2f756cd6d67aee131e3d9dd

SHA256
cb4395d05a770431a4e10e1de90cc7875087f1c8bc3f887baed792a2053cd065

SHA512
4748a566b592f645d886dded791559ac04bced366316423e630542415f3c1740156ce35f558524a99edcd6b6ce5589950a559b4e7fe02b6d0d32c81392a0d97c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1b973ad0aa0826f093e3516f991f1182

SHA1
975c2e814ab44a4da2f756cd6d67aee131e3d9dd

SHA256
cb4395d05a770431a4e10e1de90cc7875087f1c8bc3f887baed792a2053cd065

SHA512
4748a566b592f645d886dded791559ac04bced366316423e630542415f3c1740156ce35f558524a99edcd6b6ce5589950a559b4e7fe02b6d0d32c81392a0d97c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
1a1c44b600983ee8ddad0b35126f845e

SHA1
238f53b6a88cde7c63b178e55bcce19c6aa925f0

SHA256
4f4a65a3fd23cc4e3b9b91130c90aa5f7d5a0a08693ade2417209ef3134a7f02

SHA512
31d005c8d3c7fc9d5c1e18b46cc3f7afc1813b554bd5c99456cb921b1f5c0f0fe5558882e1f76761502a221811bce491627520a794301f6e92e079a1d026a3b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
1a1c44b600983ee8ddad0b35126f845e

SHA1
238f53b6a88cde7c63b178e55bcce19c6aa925f0

SHA256
4f4a65a3fd23cc4e3b9b91130c90aa5f7d5a0a08693ade2417209ef3134a7f02

SHA512
31d005c8d3c7fc9d5c1e18b46cc3f7afc1813b554bd5c99456cb921b1f5c0f0fe5558882e1f76761502a221811bce491627520a794301f6e92e079a1d026a3b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b95fc80dac1f2b365c10de0c63cd5408

SHA1
ba7a62be6fa75c06f7c099ff642ebcb95ae20d41

SHA256
8cd2dec6f6c8e9d69749b5aca8ede4d74b952180c46fe3d8a454cbbc408067f6

SHA512
7967698826e3061830c8fee1d6e0a3aa6adc191db1336a1ba18e6c3015880dc18f782a0c4d33346563d127d795ddf8de6da7b97e2e8c5f5a82b0cc6c3cd9758d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
098f2d234dea469e57d69cbb3a4bbbf2

SHA1
5f35b67ab0eb7b8173ca4ba88154d487f4bdf1ae

SHA256
8a1d88c489032a37a2143ea9f2b92db1ca0d4161c55603a48a0bae966c5efea6

SHA512
93956b0d76b88cbb69a5c3698cf5e5a055d52ace1eec2f95c7c443cb713a61892e408628018782a13051f0966319e99a423f5854af73b183bbbe27dc7236dba3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d5cc6d368f8b68b91258f7443e4f1644

SHA1
b23ad03ecc0779dfb637869bc2f08fca74b08b28

SHA256
17334e59b86e98727a0b019a3a8d176e70949766a3fb3a53ddd7b4a5afe8e2a5

SHA512
28e2b70d4d42db56692ffd6e48247685bf254804efccde44be99e73e2fb7a7e620f4f8243cd8c4e247e90d8a6938959adc7b6ae3f253f7a60ee75dafa6ed3977

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4c3757645a4695aba3e4a5260e23767b

SHA1
96b68467aa13a5f7e1e9c229e301d832a4956452

SHA256
e438f50a60c53862b00f28ecb4b1751ccf3fb7d78a99b0e28ce3f54d722ef84c

SHA512
5d10c9023bc0301c0bd9fb9532821542d638741e428dfbfbd96ca7ba653a8fb6877e73cb900b558c51127a88774f3046350aec1b2bc9ea2f0e8af0958856b667

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
f0c840427c73ef3e15092adade916c6a

SHA1
c3dda1829aed8a56ec38c1ef28380b148e02691a

SHA256
ba1c0eaf205feb57bafc1eee0b80aec0375e2a10b8754d77cd923bce41cb47d7

SHA512
bd883f8883054f841626f88022628f7180e80aaaf50ac12c857a3f94f94696959a8313f22548981ee22c3a0ee0a36499dcf3e617445652bb472d2b9f093f6338

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
60c867bebd69df6ea45c42902b3cef9c

SHA1
f40c29d124c4770da00a0a91adbcc0205945c0f9

SHA256
ab504bfba8d1a5b7938e848ff70d433cb1995bf606b533ebe8243e7339c4eb0b

SHA512
5026a0405b7f4d024d9078861693b0d7959602c05289c15a2cac48479a9514ac11bccb820e689c21d704b29376abc2803671f38ed9c63f0c263c0c8ee4ea903a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
de91cb548fadb641cf77823d40c4ef45

SHA1
642c0173f969d1d9de2d9afcfe9e394cad05cd85

SHA256
8624aa1e883e3a895c8e11c089f3f2031e12a3bac6db88fd8b61a5af6935b382

SHA512
fb75427bfb0f822da0d9a67b1d0996127fd8b7393d1a219b52ac28f31fa16e609581090f43b91b8f15e276262d446411c2dfb06ddac7c0adb1fc7106f89db5a2

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
bc72b5161d0352140f90f19801cd7a84

SHA1
e7817ae9a8861315710f1bbc86b97a24766adc76

SHA256
7aef8bea33624a65bed575b7232aa1cf468e824ec140621d0b6f4a1fa87d0881

SHA512
cd29ec70bb0bc9d7b5c443d2cb0862304e3132ad82c15c62b9234f938532e3d11ca338b84d825918dcbc0b7dde9cd2e95a1c2b5175754426d9831de8eadb3f30

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7d21691f323bb978e67945d71b08b6a7

SHA1
bfc4bb824d712e908a9f063fe5ec96a2e614295a

SHA256
777fd83de9c959862cf0145021f748cabb2145dbaeafbe1d1eb4f8e41ea188d6

SHA512
b01b0e3e67270b0199aba6d9bf89544e4752db78fd9c7ac2307cb9ac235217b1efc185cc28e98d4726be0def0518c9879f85034e1cee6bd93be09a697cb31c4f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d6e2c6e49832e4d060f301e5c6073621

SHA1
59627e912afd451935e6ccd50aea28894120dc6c

SHA256
3cbc09c4fe39230228078db2f9fca98f08db6dd97453de3e774f0f6cc4df33ec

SHA512
b4d2ab4a9faaa1534ddbdc8c9390186a8b0f1510c8f1f8d0600ec28748e1f0f92e18ee9b606d5d2fa132bbbc69a1a49a96faceed082392846a3a8d79eb3ca8a8

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
6bd73a2a20d8a03bcf747c2305ed437a

SHA1
dce69cbe9bf41bc5f2ccc0c38534a6f0d55ea707

SHA256
b325528ad94236426388a544a3cdf403c572c28e8c5ce5fb4ba45e60176f8059

SHA512
16e4d908c8a08eec0df265c381d9ad19e3286c408fde74d42f25c84cdb83be1c9358fba42ea65990209fe67c2e391f94cc86af373b2e745aacc5582b64f12c97

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
21f7fe90bfac362942a21d7fbad17f6e

SHA1
fcdbb5912233a2df34f4ea76c7fe3ce895d5f544

SHA256
4e370ac5c9bf961f2cd54d85db0465be1a71c6c4407dde85700ef60b0ce062bc

SHA512
178b40b465a26c6d0b32efa505485651678e748f2b6287c0f09e55799466dfbe00c5e4e8006ee41778d45942e08419299d55d45f4c07bcd3604528781489055c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
1019e892045843185720f5d434c99f42

SHA1
f6dddb3a74ff70037aa8815c433e8d472b0f3068

SHA256
9ed91788c0d31891c625c4c7d0698a8e65ad6d0bf5c375d66539cd09b44fa66e

SHA512
c29d19a384255e9b0061005aeab070fec3ecdfd904717e57cb806c732e869ec886c2a4584a29ab60bd705356451122bdc07e4ed10098404f14ef97f035f5b3b2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bf59338c8ad8a965b64ff2fa543b07d9

SHA1
2ca0398506fd8eb818d65e6acd76c86edbd3ef77

SHA256
7ee19d94fd2e722c26a86c1dd2e8ced07f38f37e5550d17220b2ed1e696a9272

SHA512
93205d124f13ec39438bd827443f7f950ab9f388ef16e769adb4ab7c80a6909338e317483399cc10b16fe549be4325b99127726a312b26a279e2581e70f77a42

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
7981a9ec9536481ed40fd937ad49efc4

SHA1
7f04d9d1daa97e6c7e565cc3649853ecf6f4834b

SHA256
b295843073ad810523c7419d59969b85e684b75810425c4be3de9193abdfb181

SHA512
376662e7f8fe9e39a69e7dba16c3ea6e6469f1f0d8e3ccf4e5899525b596add57278290ad48a644a0dd5e9d5a6e9d7c6bf51b58130199d4733f9a7afb61a2896

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
7faf6b7122fb3245fc91f8acbcc1ab72

SHA1
fae5fcf97bd2d47ae643c28c197949365a16e97f

SHA256
d3900400f13a10f39fc99eb4a96efd76af13718993cf6dc50f83c7d2026d7e5b

SHA512
7ce89aae9c6f4a64bd51d0193edbab89ee74ff63cbec9e003320a3eed6111f81650501c41cca1c88e69976c440c4276e49df0de5caac22111826db32fb0246ea

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fd5260004acee28585740d09dc30d82a

SHA1
d28e358c4ea110a7a573fe79c1ea843d509a0c48

SHA256
4427218aecefedaed638fa82adc769d65f003dc48b64aae8b61b9e2550fe0d6e

SHA512
47a43322e22319023da0cb56d5c0291cf2623b49b4960d1951d65650ced7bc26b5d55b667eb735643b1da6560055bf02e4af8142734370a193cf70fd7e446e07

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
6bd73a2a20d8a03bcf747c2305ed437a

SHA1
dce69cbe9bf41bc5f2ccc0c38534a6f0d55ea707

SHA256
b325528ad94236426388a544a3cdf403c572c28e8c5ce5fb4ba45e60176f8059

SHA512
16e4d908c8a08eec0df265c381d9ad19e3286c408fde74d42f25c84cdb83be1c9358fba42ea65990209fe67c2e391f94cc86af373b2e745aacc5582b64f12c97

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
caeb5583ac303f9aebe49a1cc3131526

SHA1
b51afdfaecd6be22472a70b9dcd8641c381b2e28

SHA256
7690f56882e6644c9f345309c43e99c1c9fba8c9e7395fc3662f6d62163f95ae

SHA512
46e9cbf4587edd53453f70f9491cf92fc532fa79064f3d6d6e73048ebb39882366139f0c9de8d9c2d7a2cf38a8020b109b9f2e3c96cf843d9b9ebeec2649d771

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
caeb5583ac303f9aebe49a1cc3131526

SHA1
b51afdfaecd6be22472a70b9dcd8641c381b2e28

SHA256
7690f56882e6644c9f345309c43e99c1c9fba8c9e7395fc3662f6d62163f95ae

SHA512
46e9cbf4587edd53453f70f9491cf92fc532fa79064f3d6d6e73048ebb39882366139f0c9de8d9c2d7a2cf38a8020b109b9f2e3c96cf843d9b9ebeec2649d771

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7a2e7ddd3367adf99b1a0b71498ed345

SHA1
964d7959c5c7c600c63b5d6e170058009a030414

SHA256
eabad23229e53193e40eb15737e603326c0d667d9230189af5d433a6b0887343

SHA512
70d7f7342758b4de46eb961d75f73cca816103b5bc16254f9095043f20bb7b3fe8d87bb9e93b71994bfa7de21cb1c41b9cac69fd66195d8d9da78f8b125e812a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e8470429863a220c0b5ae27984523f9b

SHA1
c5b8657e1ffa62a15cae7b743a412ce78c91ac90

SHA256
ee640f56afccf067678286db8e4fe3c93e47b7cdadb16cbd1dbd5a5681ee513f

SHA512
5c7dace89c10a9eaa7579495564c295ac2f5b598a4f239ac093d12650b2c54a31a4ed07cd1724e6f31ddf8a5fe8d08a6f8577d785fafdc8eab06b37d675745c2

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4c3757645a4695aba3e4a5260e23767b

SHA1
96b68467aa13a5f7e1e9c229e301d832a4956452

SHA256
e438f50a60c53862b00f28ecb4b1751ccf3fb7d78a99b0e28ce3f54d722ef84c

SHA512
5d10c9023bc0301c0bd9fb9532821542d638741e428dfbfbd96ca7ba653a8fb6877e73cb900b558c51127a88774f3046350aec1b2bc9ea2f0e8af0958856b667

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
de91cb548fadb641cf77823d40c4ef45

SHA1
642c0173f969d1d9de2d9afcfe9e394cad05cd85

SHA256
8624aa1e883e3a895c8e11c089f3f2031e12a3bac6db88fd8b61a5af6935b382

SHA512
fb75427bfb0f822da0d9a67b1d0996127fd8b7393d1a219b52ac28f31fa16e609581090f43b91b8f15e276262d446411c2dfb06ddac7c0adb1fc7106f89db5a2

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
bc72b5161d0352140f90f19801cd7a84

SHA1
e7817ae9a8861315710f1bbc86b97a24766adc76

SHA256
7aef8bea33624a65bed575b7232aa1cf468e824ec140621d0b6f4a1fa87d0881

SHA512
cd29ec70bb0bc9d7b5c443d2cb0862304e3132ad82c15c62b9234f938532e3d11ca338b84d825918dcbc0b7dde9cd2e95a1c2b5175754426d9831de8eadb3f30

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7d21691f323bb978e67945d71b08b6a7

SHA1
bfc4bb824d712e908a9f063fe5ec96a2e614295a

SHA256
777fd83de9c959862cf0145021f748cabb2145dbaeafbe1d1eb4f8e41ea188d6

SHA512
b01b0e3e67270b0199aba6d9bf89544e4752db78fd9c7ac2307cb9ac235217b1efc185cc28e98d4726be0def0518c9879f85034e1cee6bd93be09a697cb31c4f

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d6e2c6e49832e4d060f301e5c6073621

SHA1
59627e912afd451935e6ccd50aea28894120dc6c

SHA256
3cbc09c4fe39230228078db2f9fca98f08db6dd97453de3e774f0f6cc4df33ec

SHA512
b4d2ab4a9faaa1534ddbdc8c9390186a8b0f1510c8f1f8d0600ec28748e1f0f92e18ee9b606d5d2fa132bbbc69a1a49a96faceed082392846a3a8d79eb3ca8a8

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
6bd73a2a20d8a03bcf747c2305ed437a

SHA1
dce69cbe9bf41bc5f2ccc0c38534a6f0d55ea707

SHA256
b325528ad94236426388a544a3cdf403c572c28e8c5ce5fb4ba45e60176f8059

SHA512
16e4d908c8a08eec0df265c381d9ad19e3286c408fde74d42f25c84cdb83be1c9358fba42ea65990209fe67c2e391f94cc86af373b2e745aacc5582b64f12c97

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
6bd73a2a20d8a03bcf747c2305ed437a

SHA1
dce69cbe9bf41bc5f2ccc0c38534a6f0d55ea707

SHA256
b325528ad94236426388a544a3cdf403c572c28e8c5ce5fb4ba45e60176f8059

SHA512
16e4d908c8a08eec0df265c381d9ad19e3286c408fde74d42f25c84cdb83be1c9358fba42ea65990209fe67c2e391f94cc86af373b2e745aacc5582b64f12c97

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
21f7fe90bfac362942a21d7fbad17f6e

SHA1
fcdbb5912233a2df34f4ea76c7fe3ce895d5f544

SHA256
4e370ac5c9bf961f2cd54d85db0465be1a71c6c4407dde85700ef60b0ce062bc

SHA512
178b40b465a26c6d0b32efa505485651678e748f2b6287c0f09e55799466dfbe00c5e4e8006ee41778d45942e08419299d55d45f4c07bcd3604528781489055c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bf59338c8ad8a965b64ff2fa543b07d9

SHA1
2ca0398506fd8eb818d65e6acd76c86edbd3ef77

SHA256
7ee19d94fd2e722c26a86c1dd2e8ced07f38f37e5550d17220b2ed1e696a9272

SHA512
93205d124f13ec39438bd827443f7f950ab9f388ef16e769adb4ab7c80a6909338e317483399cc10b16fe549be4325b99127726a312b26a279e2581e70f77a42

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
7981a9ec9536481ed40fd937ad49efc4

SHA1
7f04d9d1daa97e6c7e565cc3649853ecf6f4834b

SHA256
b295843073ad810523c7419d59969b85e684b75810425c4be3de9193abdfb181

SHA512
376662e7f8fe9e39a69e7dba16c3ea6e6469f1f0d8e3ccf4e5899525b596add57278290ad48a644a0dd5e9d5a6e9d7c6bf51b58130199d4733f9a7afb61a2896

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fd5260004acee28585740d09dc30d82a

SHA1
d28e358c4ea110a7a573fe79c1ea843d509a0c48

SHA256
4427218aecefedaed638fa82adc769d65f003dc48b64aae8b61b9e2550fe0d6e

SHA512
47a43322e22319023da0cb56d5c0291cf2623b49b4960d1951d65650ced7bc26b5d55b667eb735643b1da6560055bf02e4af8142734370a193cf70fd7e446e07

Download Submit
memory/560-445-0x000007FEEEE70000-0x000007FEEEF98000-memory.dmp

Filesize
1.2MB

Download
memory/560-444-0x000007FEEEFC0000-0x000007FEEF091000-memory.dmp

Filesize
836KB

Download
memory/560-439-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/560-440-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/560-443-0x000007FEEF0A0000-0x000007FEEF13E000-memory.dmp

Filesize
632KB

Download
memory/576-405-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/576-398-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/576-414-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download
memory/992-396-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1200-313-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1272-408-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1528-418-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1608-134-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1608-270-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1608-136-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1608-142-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1612-421-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1712-404-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1768-112-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1768-97-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1772-106-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1772-131-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1972-333-0x00000000003B0000-0x0000000000416000-memory.dmp

Filesize
408KB

Download
memory/1972-330-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2000-329-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2000-331-0x0000000000530000-0x0000000000739000-memory.dmp

Filesize
2.0MB

Download
memory/2000-592-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2088-151-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2088-155-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2088-159-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2088-285-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2248-391-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2248-389-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2248-425-0x0000000071F48000-0x0000000071F5D000-memory.dmp

Filesize
84KB

Download
memory/2300-295-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2300-241-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2300-240-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2300-248-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2396-424-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2516-92-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2516-160-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2516-86-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2516-63-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2544-292-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2544-287-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2544-283-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2544-497-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2544-380-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download
memory/2592-315-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2592-298-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2592-303-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2592-320-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2600-7-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2600-1-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2600-0-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2600-133-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2600-6-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2600-236-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2636-441-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2636-442-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2648-271-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2648-273-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2648-438-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2648-277-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2660-152-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2660-16-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2744-123-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2744-117-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2744-116-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2744-266-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2968-407-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/3056-267-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3056-332-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3068-253-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3068-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3068-261-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3068-309-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download