4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 12:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
Size

5.1MB
MD5

8317b4e82510946e1916a38601e41b62
SHA1

018d134e03c0119ffbfaeac19eb6afbd9490f618
SHA256

4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e
SHA512

0a5942ba0cf82e65cd4469000149d5e33123cbbdbee6057575f666e5c31d006a2e13afd0c6cbd7f5227c166643724aad0f2908c2c8ca39a61a767c8095024b35
SSDEEP

98304:BqriwhBIJwF42EGaQEnKv0GdTRl8XVtZVnU0:mzBxMxKv0UTRqnJ

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
472	Process not Found
240	alg.exe
568	aspnet_state.exe
2672	mscorsvw.exe
2780	mscorsvw.exe
2552	mscorsvw.exe
1040	mscorsvw.exe
2000	dllhost.exe
1800	ehRecvr.exe
1680	ehsched.exe
2396	elevation_service.exe
2456	IEEtwCollector.exe
3036	GROOVE.EXE
2300	maintenanceservice.exe
3012	msdtc.exe
1216	mscorsvw.exe
2620	msiexec.exe
2536	OSE.EXE
1932	OSPPSVC.EXE
1968	perfhost.exe
1956	mscorsvw.exe
828	locator.exe
944	snmptrap.exe
2592	vds.exe
2716	mscorsvw.exe
664	vssvc.exe
2196	wbengine.exe
2336	WmiApSrv.exe
2172	wmpnetwk.exe
1820	SearchIndexer.exe
2696	mscorsvw.exe
936	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
472	Process not Found
2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2620	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae2dc043cbc56ce8.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4BCBB1B0-7F12-48C2-B575-28DFFCA1AD38}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4BCBB1B0-7F12-48C2-B575-28DFFCA1AD38}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{420B9B8C-8D52-44F3-985F-76611959C004}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{420B9B8C-8D52-44F3-985F-76611959C004}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
2228	ehRec.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
Token: SeBackupPrivilege	2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
Token: SeRestorePrivilege	2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: 33	2120	EhTray.exe
Token: SeIncBasePriorityPrivilege	2120	EhTray.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeDebugPrivilege	2228	ehRec.exe
Token: SeTakeOwnershipPrivilege	568	aspnet_state.exe
Token: SeRestorePrivilege	2620	msiexec.exe
Token: SeTakeOwnershipPrivilege	2620	msiexec.exe
Token: SeSecurityPrivilege	2620	msiexec.exe
Token: 33	2120	EhTray.exe
Token: SeIncBasePriorityPrivilege	2120	EhTray.exe
Token: SeBackupPrivilege	664	vssvc.exe
Token: SeRestorePrivilege	664	vssvc.exe
Token: SeAuditPrivilege	664	vssvc.exe
Token: SeBackupPrivilege	2196	wbengine.exe
Token: SeRestorePrivilege	2196	wbengine.exe
Token: SeSecurityPrivilege	2196	wbengine.exe
Token: SeManageVolumePrivilege	1820	SearchIndexer.exe
Token: 33	1820	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1820	SearchIndexer.exe
Token: 33	2172	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2172	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2120	EhTray.exe
2120	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2120	EhTray.exe
2120	EhTray.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2344	4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
2600	SearchProtocolHost.exe
2600	SearchProtocolHost.exe
2600	SearchProtocolHost.exe
2600	SearchProtocolHost.exe
2600	SearchProtocolHost.exe
2600	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1216	2552	mscorsvw.exe	46
PID 2552 wrote to memory of 1216	2552	mscorsvw.exe	46
PID 2552 wrote to memory of 1216	2552	mscorsvw.exe	46
PID 2552 wrote to memory of 1216	2552	mscorsvw.exe	46
PID 2552 wrote to memory of 1956	2552	mscorsvw.exe	51
PID 2552 wrote to memory of 1956	2552	mscorsvw.exe	51
PID 2552 wrote to memory of 1956	2552	mscorsvw.exe	51
PID 2552 wrote to memory of 1956	2552	mscorsvw.exe	51
PID 2552 wrote to memory of 2716	2552	mscorsvw.exe	55
PID 2552 wrote to memory of 2716	2552	mscorsvw.exe	55
PID 2552 wrote to memory of 2716	2552	mscorsvw.exe	55
PID 2552 wrote to memory of 2716	2552	mscorsvw.exe	55
PID 1820 wrote to memory of 2600	1820	SearchIndexer.exe	61
PID 1820 wrote to memory of 2600	1820	SearchIndexer.exe	61
PID 1820 wrote to memory of 2600	1820	SearchIndexer.exe	61
PID 1820 wrote to memory of 848	1820	SearchIndexer.exe	62
PID 1820 wrote to memory of 848	1820	SearchIndexer.exe	62
PID 1820 wrote to memory of 848	1820	SearchIndexer.exe	62
PID 1820 wrote to memory of 2548	1820	SearchIndexer.exe	63
PID 1820 wrote to memory of 2548	1820	SearchIndexer.exe	63
PID 1820 wrote to memory of 2548	1820	SearchIndexer.exe	63
PID 2552 wrote to memory of 2696	2552	mscorsvw.exe	64
PID 2552 wrote to memory of 2696	2552	mscorsvw.exe	64
PID 2552 wrote to memory of 2696	2552	mscorsvw.exe	64
PID 2552 wrote to memory of 2696	2552	mscorsvw.exe	64
PID 2552 wrote to memory of 936	2552	mscorsvw.exe	65
PID 2552 wrote to memory of 936	2552	mscorsvw.exe	65
PID 2552 wrote to memory of 936	2552	mscorsvw.exe	65
PID 2552 wrote to memory of 936	2552	mscorsvw.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe
"C:\Users\Admin\AppData\Local\Temp\4fd5bbce5b6bf8c660ae44d88c1b430ad40e0da3a6a656d4f3501ea200ea410e.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1dc -NGENProcess 1e8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 264 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2000

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1800

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2120

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2300

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2536

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3185155662-718608226-894467740-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3185155662-718608226-894467740-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:848
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
618375577b6ab79b575ef5c5ab8f40cf

SHA1
b6c3cfc4073a19d6d490ef2cf454316716dab705

SHA256
7b0b7e48ef98ca2a952dd6b6c4ac6996485f3ccab92fadce273c73206fd8aa4e

SHA512
4e903593a3bf8f843d40e259cf633f67e837b2f733a3dccef737d79a6a9bd75f6d51d0ca58703a4ba493d7e3bfd9741e28d0cee2d1626ed26f5e6daa2b2f7dbb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bf2dce11e89e02ea486128b382afc6f9

SHA1
71ac3d50c2cd4a9354d85d4035130b30a4e3eaa7

SHA256
318c2fb82eec34c5cd66932a5f3f3f5c6351c167f81c1d6f203a7eb4eaf80c94

SHA512
09d07e973796dcb0a32e77364b2ef56194dac8b8dbfaba9e4bae6a096053aad5e6d0743ea84e9670427160ebd705051d29172b99b1da822607aad46facc87ee3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f79a1978bfdde0200c318e40adcb8c2d

SHA1
adaca28dfc3b7e305a9472eb7dda43cfdbf7ece2

SHA256
8bab68a1ccbf229be55ce57c4e0c878ce24af83564f6f00c1fcb35db58d2267e

SHA512
7dd79b477155583270a5afe661344d23ae4324209419aa2037e901008a55f88897db1df0f6c65fb1d6e6560e46e8d20cb245e4e6ee0e9d2a3bd45005462e8d84

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f79a1978bfdde0200c318e40adcb8c2d

SHA1
adaca28dfc3b7e305a9472eb7dda43cfdbf7ece2

SHA256
8bab68a1ccbf229be55ce57c4e0c878ce24af83564f6f00c1fcb35db58d2267e

SHA512
7dd79b477155583270a5afe661344d23ae4324209419aa2037e901008a55f88897db1df0f6c65fb1d6e6560e46e8d20cb245e4e6ee0e9d2a3bd45005462e8d84

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
7b73c8398e1ee351c770f143690f6390

SHA1
22c30a22a70d42bbd212417f7db705da89e4f8eb

SHA256
0a45aa7e9829527baac228f9249f2ff436a05cf88936193218d7d949b2270cd6

SHA512
bccf4f28840df78d724868310b2d3dd49a8ec73fc2b92681e34635e4042de3c87ae12e1563d83c89a4ed0de97387888c4eab6d7c9d4968e9d50e52d83151524a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
71cdf5a4d0489f1062d3aa4d6c548297

SHA1
3a038693599657eafe97dad993259afdf2544a9c

SHA256
afb6c868d22f526768a65f409f1f00328296a643fcc766c166590cd8291b21d3

SHA512
e71e1670ae35b9b28521841e7104150a6dfd3f816407db1c448516436f1fa32c933d642ddfb824a1f905e29fa268ea6db2cff513783bd5469a7e7cfccade8ad7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ece4c76ba3b89b0aba78484c01f8b138

SHA1
3018bfcc2bdf3aa7440a67575d2f8f65a08ca2e3

SHA256
e7ab08060ae73407c281994e939a11c0932e38847e8c272c289e3a83437b0d5c

SHA512
5610ec83bc23c67799d6b563746d19e41c43989d089611d9ba9b499ee15f2a47634bbef7cd965166a4ac8412ce78dd6b905e85563dd4d741b535f78d09a39c29

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e81b5523e5f72ce1ebf2ffef6e4239ad

SHA1
addd171904a43f180a93bbd7ba9c25188345c8b9

SHA256
d4944d740999c4accebbfb89c67c495c87680c873d95d2785ef9a90b8937c5c6

SHA512
aed082c07a96bbb1210109da5fdb8447e76ea862969b99006a78bc51e773ac5a4467a443e2cbfb324f610af173288ccf58aac829240dd639da9e3064e9c23a97

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
297b6245aa39bc54f6cb91f34729d388

SHA1
61913fc95156a7516745fa0581105eacbb05f671

SHA256
cec2b2c23e6704ca2a49ff1be80b08cb0b9a051e75994784df2828a23a443e2d

SHA512
6aaa684d5fea8b3ae9bef1cc703eed08a6e6787d6001206f2e6c2ce9c2ca2d8602a1f012b604f957fde273332dd2e2b6596ecb04ba63578ef4e8568c1fade442

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
297b6245aa39bc54f6cb91f34729d388

SHA1
61913fc95156a7516745fa0581105eacbb05f671

SHA256
cec2b2c23e6704ca2a49ff1be80b08cb0b9a051e75994784df2828a23a443e2d

SHA512
6aaa684d5fea8b3ae9bef1cc703eed08a6e6787d6001206f2e6c2ce9c2ca2d8602a1f012b604f957fde273332dd2e2b6596ecb04ba63578ef4e8568c1fade442

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a242217fcfbc716aa791f850be100618

SHA1
fb78490b60a943360e98a54f67fa82b8b95b27f7

SHA256
751d3bcfbaefa288fe9736681b44bb9edb59b785f930485cd874ec7d1527a8d5

SHA512
cf485c2ea1cfa197efae7af03660b382a8c02ccc90dbc93d1742f5fd1732495c6d959f0c2e3437d92f6f05eceb15a8f43c864660bed92da49327f485d33ac73c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
574dbf59bb32db03225d109489ffbcc1

SHA1
823ebdab0668284edb64d644178c1062f98be04c

SHA256
681dd061349b87fa6c0149cd388934a7b50118389087610d6dc0e788e0af791f

SHA512
5c7da6a90d0a1bd4dc5a630bda512345f019a80b4d4a97836712c848686fa9e35a0025df16c2c2fcc65e178762f5e5b03f8dc116306c4943ffa0a1382d9e1ba5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8932657e55ea06571b376f0196e74a22

SHA1
1a320d9be24a99886a48639c24ac8c6199d8bb28

SHA256
91b1724f9633537a407d4634f7573f1d4eee0f6bfd665cd6cad22ec6e19e0762

SHA512
e0782f50a12b161cfc4ee4ce11de20e6054b9a36c9585540412820c7f61c50e4a43c0611e84723cd71519f4715cc97c7a4137ddfd81672a1536284c2a024fcc4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8932657e55ea06571b376f0196e74a22

SHA1
1a320d9be24a99886a48639c24ac8c6199d8bb28

SHA256
91b1724f9633537a407d4634f7573f1d4eee0f6bfd665cd6cad22ec6e19e0762

SHA512
e0782f50a12b161cfc4ee4ce11de20e6054b9a36c9585540412820c7f61c50e4a43c0611e84723cd71519f4715cc97c7a4137ddfd81672a1536284c2a024fcc4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
4f32defeff2799cdeca67c0a82fd6f6d

SHA1
d9674c7d8c48c1837644efc439855c3b7db34a03

SHA256
7274660c052a5c384ef8f0bc77370cf6f1f331d6f8cbe71778192b567b532e0d

SHA512
18ef04c01d4793f121fcf4c532c330c9aa2d37676a55580983da625c0c522c7452d28a99d42597e091497fcc4e5fbd070c431d8d3569b38a7cafae27f2cf2f88

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
4f32defeff2799cdeca67c0a82fd6f6d

SHA1
d9674c7d8c48c1837644efc439855c3b7db34a03

SHA256
7274660c052a5c384ef8f0bc77370cf6f1f331d6f8cbe71778192b567b532e0d

SHA512
18ef04c01d4793f121fcf4c532c330c9aa2d37676a55580983da625c0c522c7452d28a99d42597e091497fcc4e5fbd070c431d8d3569b38a7cafae27f2cf2f88

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9490e4038d23a048955df6b91809402c

SHA1
f5b66ba29f1eef1db119da64d6ff92c37c3587e0

SHA256
6f8a31080fa6e6e5dee81cb92bdf001837e9e3871784d4da78b6174501db7661

SHA512
5aec28ec7856cf113f7deda810ca0a13da473c1f08ee2dd07983397229848b98be8cb8ebcc7a017e0e6ccb6a564949428c6a0421b615c8341b55040ddda542b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2796a6576118a25bd66c2ba8baa48e91

SHA1
229178476fea6d31bf8096ea97bd6ec996c367c9

SHA256
f71591fece015df7b88209eefcd817d5ca83df120da5f6b62770ac07e1f2b90e

SHA512
d9c67934c990f3be36fd263de2f8d7003c6bedc1194eace65bfb9a39f7e2cd1d4e19c25d98e04f14936bcde7b90f69f4055322896b0bafe028a89b84a62e5e1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2796a6576118a25bd66c2ba8baa48e91

SHA1
229178476fea6d31bf8096ea97bd6ec996c367c9

SHA256
f71591fece015df7b88209eefcd817d5ca83df120da5f6b62770ac07e1f2b90e

SHA512
d9c67934c990f3be36fd263de2f8d7003c6bedc1194eace65bfb9a39f7e2cd1d4e19c25d98e04f14936bcde7b90f69f4055322896b0bafe028a89b84a62e5e1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2796a6576118a25bd66c2ba8baa48e91

SHA1
229178476fea6d31bf8096ea97bd6ec996c367c9

SHA256
f71591fece015df7b88209eefcd817d5ca83df120da5f6b62770ac07e1f2b90e

SHA512
d9c67934c990f3be36fd263de2f8d7003c6bedc1194eace65bfb9a39f7e2cd1d4e19c25d98e04f14936bcde7b90f69f4055322896b0bafe028a89b84a62e5e1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2796a6576118a25bd66c2ba8baa48e91

SHA1
229178476fea6d31bf8096ea97bd6ec996c367c9

SHA256
f71591fece015df7b88209eefcd817d5ca83df120da5f6b62770ac07e1f2b90e

SHA512
d9c67934c990f3be36fd263de2f8d7003c6bedc1194eace65bfb9a39f7e2cd1d4e19c25d98e04f14936bcde7b90f69f4055322896b0bafe028a89b84a62e5e1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2796a6576118a25bd66c2ba8baa48e91

SHA1
229178476fea6d31bf8096ea97bd6ec996c367c9

SHA256
f71591fece015df7b88209eefcd817d5ca83df120da5f6b62770ac07e1f2b90e

SHA512
d9c67934c990f3be36fd263de2f8d7003c6bedc1194eace65bfb9a39f7e2cd1d4e19c25d98e04f14936bcde7b90f69f4055322896b0bafe028a89b84a62e5e1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2796a6576118a25bd66c2ba8baa48e91

SHA1
229178476fea6d31bf8096ea97bd6ec996c367c9

SHA256
f71591fece015df7b88209eefcd817d5ca83df120da5f6b62770ac07e1f2b90e

SHA512
d9c67934c990f3be36fd263de2f8d7003c6bedc1194eace65bfb9a39f7e2cd1d4e19c25d98e04f14936bcde7b90f69f4055322896b0bafe028a89b84a62e5e1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2796a6576118a25bd66c2ba8baa48e91

SHA1
229178476fea6d31bf8096ea97bd6ec996c367c9

SHA256
f71591fece015df7b88209eefcd817d5ca83df120da5f6b62770ac07e1f2b90e

SHA512
d9c67934c990f3be36fd263de2f8d7003c6bedc1194eace65bfb9a39f7e2cd1d4e19c25d98e04f14936bcde7b90f69f4055322896b0bafe028a89b84a62e5e1c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
1c56d44564b711fc3f15d6252fa5e71e

SHA1
c66de5b88923d0843198cfc70644d7583d66d0b9

SHA256
c7f0270445bcb301e4fb43009c0e027e48b64979df4351d5a0a5d8f29055372d

SHA512
8db4acc5ff5a97324ef575fa2bbadebe17a6b684fde94d2ba7f5b99fdf4271cf29cb8b0993f01232fa9a7e23dbd7b5cd51168cab156c23601e0dd99624a87192

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
9d66d1243e4d859bdeef209b9ed9e19d

SHA1
0130a91927701422c11aef9bd5f5c089298e021a

SHA256
4c0db2b45dcad8c30f16e44719cff65381d5557339f920906c7e7eb0fa3e5db5

SHA512
f8334c179ef8fa513688f2be433f1891c34a53740a53ca9fbd0e4dbdb40f7a132f4ff75b82bd198c2be6e56453f8b427f8ed0fa7c084d93ff6ccacef172ce419

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
6d853b04dd8429d2e451516fd83c35a2

SHA1
394581fd3b754cf5f2f4446f58c6d74bc323bd5a

SHA256
bfe672a150a224a309a73d3e438e9a861e88195f3974ac4fbc2af8be0ec5f3d9

SHA512
bf2263f242eed6bd099d5c7dcaf81ee8287941bc5ac27690b985739c2dca2a61f7223c5ec2489e70cf5f61734954536c55750a4c155d449966bc98587b705ddb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
196b1473fd57611ed95ffc08d559e0c8

SHA1
1f94827dabaf5b0823e643b5907983b32e60002f

SHA256
db724bd8469d77d8ebecbe7c26f651ec51662abdfcb13a4d1765cff8e31f3087

SHA512
d0f867b58fe438947a9c70b17a096a89a4b537e00517f8e29326d90e4a96bbd0cb274424599d4e4327ed30c8be928d09882e736e63d71cfb8b531fc053ffd920

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
875e5e899e9b12d0f0362ce84b7590a9

SHA1
6b855b7fe5dcd8f23bf12e9df86b03ae2ea710f6

SHA256
6d89145d55133181e2eff1868bd4998d2d0939363acef005755141e37893bcee

SHA512
3a90aff60e9f8f2a31ecb734d8c558770eeba2583269ae2973448896e321dbcf13b1d5c91521370dc8356ddc45806e225e7b534c2639a8ddb642aef7aa5cd142

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
9a6e8d280c38c75ad56e2a5ffc0b1f8c

SHA1
663b2da6cf7c432a23ab3fa90d7434a52204ac37

SHA256
c8527a717d0408f0112058c35c8ccf34883fdda4a54b3f035e9c2cde3deea764

SHA512
f60fce94bc008b2e7719db7f2257813abf0ebcf12fe6095c0cdc90ef3c4d96081c621c1b59dd32d02ddd0c59b192d9ba23a1e85d131f6612ab0b9b857caec3f5

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
1231932a9950fd51ef65e3483c4a9b89

SHA1
79b6dfea5125812d16b885d03c3662a99a2e08c6

SHA256
ac107213caedb2a38fd2edeb8ffb67a70ccca3ee581c86a4b56a4d3f9be151c4

SHA512
971b3619675955f1165ca465ff8a7d9ae151c63d4814b0ea69d5e47ac7f5cf2b5004a428d5eefa1ec61736f6c45776046f19c63dbe447c1e740c41e881482cbd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
2056f0ef54ea8f92879cfcd1613a4876

SHA1
bb7830f09411b7e26ddbe5c715626b7200b3eda0

SHA256
9a0f381c0e6a86258ba86c5e313c72f52a5c8d8d2999b3aadce0f13764ef2e82

SHA512
9a171e9b4280e29a5012428a88f7a4cab7489cbcc5ad2e5ab905daf70c1fc55e66a59edc38607d437f8568e050747aeb8f1676a0b50bb37f5b282072b22ef62d

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
691KB

MD5
586c93b3550b5e71430ef7f9b3d14aef

SHA1
220b8c7f3b19f4672e0dbe75ab4dc270e747759e

SHA256
9051de3ed1c499ffd67d00c7724063670579b75bbb2ef61ae908152af9f30cdf

SHA512
9e271cb35674b9cc46a1f1c0a0ad5f619b3fdc25092f7953b8148ee996c5c6e0da6882a64911fbc81e80dc12dc3fc4286a78445484d1301324573b8259c3e4a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
3ebc96a9431c7ffef2570f527cb8df69

SHA1
b15cbe66438846c841114321bb50f9e1bebc5c46

SHA256
1f1fa43926406747c60ebb49418bf971fd8b552163c7a17408682eea427e6d41

SHA512
4f498dc28a8a246a0237ac57045f7961f727de09a62f457b14136f0fac3917d5d50f2a4df2c64cbfcd32933b9e703a8adff5f7f34752a00169397fba72cd6bff

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
1746b2403932979bb76843a08e3d00e3

SHA1
ec6501656013c3ce2323e92629254b11302e10bc

SHA256
1ccf836f4c9f9b451013888d37c172b6d95bbbe382bc21d2b011c7ba8f51f39a

SHA512
aa45a331a022ddabd674f8559b765ede6c1abf7ef9bdddbc77fe84607f3f0432173c8fe5d5c5a275c4678cbbe6c52738b7b35f6413a5b74b71982f0cbca54088

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
14792cdf99a87d9a12dfe12b74b78ae6

SHA1
f26ad0396b3ef48eae1ca6d8ad57530d38907634

SHA256
5e0f2c28a182a21fdeaa0fa85c661c50bc37c34baae2f5a764d1d2517122ef26

SHA512
84a96a50966c2ab31b969cccf33781e7c556f21f3d53de65482a693ed3b034a326921f71b60b3227a869c61fbea877d2fad53c5b2c44577c00eaca96a9bc7c2e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
f09abc822c651f353856792803087158

SHA1
6576fc5f926dd7190dbad275bb5e39d575ef2339

SHA256
d43fb0d540e4013075666fe7f3e9e0db6872e6068a2cb2102ea65f3a278101f5

SHA512
329c43bb6fb02a4a70ba41b7d88d7c792aa9a4a46050f4fb8d3f78a0966e13d78b550fd73f3220544b47f8823a6d1d3fe3670f9d265e73a63ca14fabdd94df97

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
605f0dd1649ce5576986ac6c3ae0107b

SHA1
a10ebd0c46941a9d540ea2eb6227f57482f3fba6

SHA256
5cf4f49b793992937fc730524c5c075a360d0bc44514d6985570e54bd563ecea

SHA512
e2d9ec98d714a0ed11e7d60649839da5d3dbc57714c51ad5ca16dca74e799bd3c6ab394ead7300e9eb5dfdbb69d2db719276b590c0c75df717b8e1933596fdf0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
85d5426ce72a155b162d19d5294db20b

SHA1
a78b8bd2a0240cae6538240fac99d1ca900c40f6

SHA256
9f596424d477f61dc233d2ebd755918ee13f55c44443f91e38af10c558018cf1

SHA512
9a0ae09a337e151c59e49d3345ab80fa9e94120805ea52ea7a03e9db3ef5315f3f41b3738567ee2a1d65453e631fefda3858b5d1a4bb749c44cbd6c50fc5af85

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
fcfa19ff19ac0027088c626020a6df1e

SHA1
30f6a6114cc5078459662c1d464f44741e0cac2e

SHA256
1b5106080590072f4c8c1895c83840a7952253bfadfa9ca3d026d124766cbb7d

SHA512
5cb59d3664f1d667eae7dbfe6cc4f4a16d2af24aaab4c95c1d9c484365c74cc048947afc631b8cf8171328349cf9ce489d3ca722bb80425d08147aa262f778fd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
586c93b3550b5e71430ef7f9b3d14aef

SHA1
220b8c7f3b19f4672e0dbe75ab4dc270e747759e

SHA256
9051de3ed1c499ffd67d00c7724063670579b75bbb2ef61ae908152af9f30cdf

SHA512
9e271cb35674b9cc46a1f1c0a0ad5f619b3fdc25092f7953b8148ee996c5c6e0da6882a64911fbc81e80dc12dc3fc4286a78445484d1301324573b8259c3e4a2

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ece4c76ba3b89b0aba78484c01f8b138

SHA1
3018bfcc2bdf3aa7440a67575d2f8f65a08ca2e3

SHA256
e7ab08060ae73407c281994e939a11c0932e38847e8c272c289e3a83437b0d5c

SHA512
5610ec83bc23c67799d6b563746d19e41c43989d089611d9ba9b499ee15f2a47634bbef7cd965166a4ac8412ce78dd6b905e85563dd4d741b535f78d09a39c29

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ece4c76ba3b89b0aba78484c01f8b138

SHA1
3018bfcc2bdf3aa7440a67575d2f8f65a08ca2e3

SHA256
e7ab08060ae73407c281994e939a11c0932e38847e8c272c289e3a83437b0d5c

SHA512
5610ec83bc23c67799d6b563746d19e41c43989d089611d9ba9b499ee15f2a47634bbef7cd965166a4ac8412ce78dd6b905e85563dd4d741b535f78d09a39c29

Download Submit
\Users\Admin\AppData\Local\Temp\dr.dll

Filesize
414KB

MD5
e58c7d21a08f8038f2d69cbbae4e7484

SHA1
3be5356e6a32a52d929b3bd2bc13f234ae82801d

SHA256
7083bba256b59c5e9ba62f700b858e0968169653cec8284e5e0c6e0098e9e191

SHA512
e1429957e7a7c9fd8299d9ba451006351457e4e6b9485ee5ed74d427c8b2807270c101ec1eb57e1f20b62541655c8a615dc07056b62ba944cbc19c314e85d65f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
297b6245aa39bc54f6cb91f34729d388

SHA1
61913fc95156a7516745fa0581105eacbb05f671

SHA256
cec2b2c23e6704ca2a49ff1be80b08cb0b9a051e75994784df2828a23a443e2d

SHA512
6aaa684d5fea8b3ae9bef1cc703eed08a6e6787d6001206f2e6c2ce9c2ca2d8602a1f012b604f957fde273332dd2e2b6596ecb04ba63578ef4e8568c1fade442

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
574dbf59bb32db03225d109489ffbcc1

SHA1
823ebdab0668284edb64d644178c1062f98be04c

SHA256
681dd061349b87fa6c0149cd388934a7b50118389087610d6dc0e788e0af791f

SHA512
5c7da6a90d0a1bd4dc5a630bda512345f019a80b4d4a97836712c848686fa9e35a0025df16c2c2fcc65e178762f5e5b03f8dc116306c4943ffa0a1382d9e1ba5

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
9d66d1243e4d859bdeef209b9ed9e19d

SHA1
0130a91927701422c11aef9bd5f5c089298e021a

SHA256
4c0db2b45dcad8c30f16e44719cff65381d5557339f920906c7e7eb0fa3e5db5

SHA512
f8334c179ef8fa513688f2be433f1891c34a53740a53ca9fbd0e4dbdb40f7a132f4ff75b82bd198c2be6e56453f8b427f8ed0fa7c084d93ff6ccacef172ce419

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
875e5e899e9b12d0f0362ce84b7590a9

SHA1
6b855b7fe5dcd8f23bf12e9df86b03ae2ea710f6

SHA256
6d89145d55133181e2eff1868bd4998d2d0939363acef005755141e37893bcee

SHA512
3a90aff60e9f8f2a31ecb734d8c558770eeba2583269ae2973448896e321dbcf13b1d5c91521370dc8356ddc45806e225e7b534c2639a8ddb642aef7aa5cd142

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
9a6e8d280c38c75ad56e2a5ffc0b1f8c

SHA1
663b2da6cf7c432a23ab3fa90d7434a52204ac37

SHA256
c8527a717d0408f0112058c35c8ccf34883fdda4a54b3f035e9c2cde3deea764

SHA512
f60fce94bc008b2e7719db7f2257813abf0ebcf12fe6095c0cdc90ef3c4d96081c621c1b59dd32d02ddd0c59b192d9ba23a1e85d131f6612ab0b9b857caec3f5

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
1231932a9950fd51ef65e3483c4a9b89

SHA1
79b6dfea5125812d16b885d03c3662a99a2e08c6

SHA256
ac107213caedb2a38fd2edeb8ffb67a70ccca3ee581c86a4b56a4d3f9be151c4

SHA512
971b3619675955f1165ca465ff8a7d9ae151c63d4814b0ea69d5e47ac7f5cf2b5004a428d5eefa1ec61736f6c45776046f19c63dbe447c1e740c41e881482cbd

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
2056f0ef54ea8f92879cfcd1613a4876

SHA1
bb7830f09411b7e26ddbe5c715626b7200b3eda0

SHA256
9a0f381c0e6a86258ba86c5e313c72f52a5c8d8d2999b3aadce0f13764ef2e82

SHA512
9a171e9b4280e29a5012428a88f7a4cab7489cbcc5ad2e5ab905daf70c1fc55e66a59edc38607d437f8568e050747aeb8f1676a0b50bb37f5b282072b22ef62d

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
586c93b3550b5e71430ef7f9b3d14aef

SHA1
220b8c7f3b19f4672e0dbe75ab4dc270e747759e

SHA256
9051de3ed1c499ffd67d00c7724063670579b75bbb2ef61ae908152af9f30cdf

SHA512
9e271cb35674b9cc46a1f1c0a0ad5f619b3fdc25092f7953b8148ee996c5c6e0da6882a64911fbc81e80dc12dc3fc4286a78445484d1301324573b8259c3e4a2

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
586c93b3550b5e71430ef7f9b3d14aef

SHA1
220b8c7f3b19f4672e0dbe75ab4dc270e747759e

SHA256
9051de3ed1c499ffd67d00c7724063670579b75bbb2ef61ae908152af9f30cdf

SHA512
9e271cb35674b9cc46a1f1c0a0ad5f619b3fdc25092f7953b8148ee996c5c6e0da6882a64911fbc81e80dc12dc3fc4286a78445484d1301324573b8259c3e4a2

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
3ebc96a9431c7ffef2570f527cb8df69

SHA1
b15cbe66438846c841114321bb50f9e1bebc5c46

SHA256
1f1fa43926406747c60ebb49418bf971fd8b552163c7a17408682eea427e6d41

SHA512
4f498dc28a8a246a0237ac57045f7961f727de09a62f457b14136f0fac3917d5d50f2a4df2c64cbfcd32933b9e703a8adff5f7f34752a00169397fba72cd6bff

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
14792cdf99a87d9a12dfe12b74b78ae6

SHA1
f26ad0396b3ef48eae1ca6d8ad57530d38907634

SHA256
5e0f2c28a182a21fdeaa0fa85c661c50bc37c34baae2f5a764d1d2517122ef26

SHA512
84a96a50966c2ab31b969cccf33781e7c556f21f3d53de65482a693ed3b034a326921f71b60b3227a869c61fbea877d2fad53c5b2c44577c00eaca96a9bc7c2e

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
f09abc822c651f353856792803087158

SHA1
6576fc5f926dd7190dbad275bb5e39d575ef2339

SHA256
d43fb0d540e4013075666fe7f3e9e0db6872e6068a2cb2102ea65f3a278101f5

SHA512
329c43bb6fb02a4a70ba41b7d88d7c792aa9a4a46050f4fb8d3f78a0966e13d78b550fd73f3220544b47f8823a6d1d3fe3670f9d265e73a63ca14fabdd94df97

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
605f0dd1649ce5576986ac6c3ae0107b

SHA1
a10ebd0c46941a9d540ea2eb6227f57482f3fba6

SHA256
5cf4f49b793992937fc730524c5c075a360d0bc44514d6985570e54bd563ecea

SHA512
e2d9ec98d714a0ed11e7d60649839da5d3dbc57714c51ad5ca16dca74e799bd3c6ab394ead7300e9eb5dfdbb69d2db719276b590c0c75df717b8e1933596fdf0

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
85d5426ce72a155b162d19d5294db20b

SHA1
a78b8bd2a0240cae6538240fac99d1ca900c40f6

SHA256
9f596424d477f61dc233d2ebd755918ee13f55c44443f91e38af10c558018cf1

SHA512
9a0ae09a337e151c59e49d3345ab80fa9e94120805ea52ea7a03e9db3ef5315f3f41b3738567ee2a1d65453e631fefda3858b5d1a4bb749c44cbd6c50fc5af85

Download Submit
memory/240-15-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/240-59-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/568-20-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/568-67-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/568-27-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/568-19-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/828-267-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1040-75-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1040-76-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1040-83-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1040-133-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1216-258-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/1216-245-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1216-219-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/1216-202-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1216-196-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1680-119-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1680-168-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1680-120-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1680-127-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1800-106-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1800-132-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/1800-107-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1800-113-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1800-185-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1800-157-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1800-131-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/1800-134-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1932-237-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1932-246-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1932-244-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1956-263-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1956-270-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1968-249-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2000-94-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2000-101-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2000-100-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2000-93-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2000-151-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2228-191-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/2228-220-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/2228-145-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-187-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-271-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/2228-146-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/2228-148-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2300-174-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2300-183-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2300-208-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2300-207-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2344-0-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/2344-6-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/2344-7-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/2344-36-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/2344-179-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/2344-1-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/2396-136-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2396-142-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2396-147-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2456-152-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2536-223-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2536-230-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/2552-66-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2552-114-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-60-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-61-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2620-213-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2620-272-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/2620-221-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/2620-265-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2672-55-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2672-37-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2780-69-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2780-47-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3012-192-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/3012-241-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/3036-212-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3036-166-0x0000000000AB0000-0x0000000000B17000-memory.dmp

Filesize
412KB

Download
memory/3036-165-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download