b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838

Analysis

max time kernel
141s
max time network
153s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
Size

1.8MB
MD5

068991af80abc1480a79b94f450a636f
SHA1

6c127d05230210bfac1aa1764bc1ab95e1fd01fc
SHA256

b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838
SHA512

b6adee6a147503bb93a3566781be19a8005d4b6d9b87c2e6aaf42f05922e61fa6c4b1e2298bb8a2a9d01edb0a6d09def8dd4d48a355a3af7c63bb88be646776f
SSDEEP

49152:/x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WALaCtFd603n2kBl/9u:/vbjVkjjCAzJWasFdPm21u

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 41 IoCs

pid	Process
464	Process not Found
2832	alg.exe
1820	aspnet_state.exe
1732	mscorsvw.exe
768	mscorsvw.exe
524	mscorsvw.exe
1412	mscorsvw.exe
2640	ehRecvr.exe
2008	ehsched.exe
2248	elevation_service.exe
2148	dllhost.exe
2856	GROOVE.EXE
3024	maintenanceservice.exe
1564	mscorsvw.exe
692	OSE.EXE
1280	OSPPSVC.EXE
2396	mscorsvw.exe
1552	mscorsvw.exe
1696	mscorsvw.exe
2768	mscorsvw.exe
3016	mscorsvw.exe
1140	mscorsvw.exe
1596	mscorsvw.exe
2204	mscorsvw.exe
876	mscorsvw.exe
2852	mscorsvw.exe
2024	mscorsvw.exe
2016	mscorsvw.exe
2820	mscorsvw.exe
2620	mscorsvw.exe
1652	mscorsvw.exe
2668	mscorsvw.exe
2164	mscorsvw.exe
2376	mscorsvw.exe
1072	mscorsvw.exe
1828	mscorsvw.exe
3024	mscorsvw.exe
1744	mscorsvw.exe
2540	mscorsvw.exe
944	mscorsvw.exe
2820	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4a6c27ce51113ee7.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_zh-TW.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_pt-BR.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\psuser.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_fr.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\GoogleUpdateSetup.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_ro.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\GoogleCrashHandler.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_fil.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_de.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_gu.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_ja.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_mr.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_vi.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\psmachine_64.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_et.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM427C.tmp\goopdateres_it.dll	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{530CD994-60B8-4DAD-961B-555A4CBB6594}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{530CD994-60B8-4DAD-961B-555A4CBB6594}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1596	ehRec.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2376	b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
Token: SeShutdownPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	1412	mscorsvw.exe
Token: 33	1480	EhTray.exe
Token: SeIncBasePriorityPrivilege	1480	EhTray.exe
Token: SeDebugPrivilege	1596	ehRec.exe
Token: SeShutdownPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	1412	mscorsvw.exe
Token: SeShutdownPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	1412	mscorsvw.exe
Token: SeShutdownPrivilege	1412	mscorsvw.exe
Token: 33	1480	EhTray.exe
Token: SeIncBasePriorityPrivilege	1480	EhTray.exe
Token: SeDebugPrivilege	2832	alg.exe
Token: SeShutdownPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	1412	mscorsvw.exe
Token: SeDebugPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	524	mscorsvw.exe
Token: SeShutdownPrivilege	1412	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1480	EhTray.exe
1480	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1480	EhTray.exe
1480	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 1564	524	mscorsvw.exe	42
PID 524 wrote to memory of 1564	524	mscorsvw.exe	42
PID 524 wrote to memory of 1564	524	mscorsvw.exe	42
PID 524 wrote to memory of 1564	524	mscorsvw.exe	42
PID 524 wrote to memory of 2396	524	mscorsvw.exe	45
PID 524 wrote to memory of 2396	524	mscorsvw.exe	45
PID 524 wrote to memory of 2396	524	mscorsvw.exe	45
PID 524 wrote to memory of 2396	524	mscorsvw.exe	45
PID 524 wrote to memory of 1552	524	mscorsvw.exe	46
PID 524 wrote to memory of 1552	524	mscorsvw.exe	46
PID 524 wrote to memory of 1552	524	mscorsvw.exe	46
PID 524 wrote to memory of 1552	524	mscorsvw.exe	46
PID 524 wrote to memory of 1696	524	mscorsvw.exe	47
PID 524 wrote to memory of 1696	524	mscorsvw.exe	47
PID 524 wrote to memory of 1696	524	mscorsvw.exe	47
PID 524 wrote to memory of 1696	524	mscorsvw.exe	47
PID 524 wrote to memory of 2768	524	mscorsvw.exe	48
PID 524 wrote to memory of 2768	524	mscorsvw.exe	48
PID 524 wrote to memory of 2768	524	mscorsvw.exe	48
PID 524 wrote to memory of 2768	524	mscorsvw.exe	48
PID 524 wrote to memory of 3016	524	mscorsvw.exe	49
PID 524 wrote to memory of 3016	524	mscorsvw.exe	49
PID 524 wrote to memory of 3016	524	mscorsvw.exe	49
PID 524 wrote to memory of 3016	524	mscorsvw.exe	49
PID 524 wrote to memory of 1140	524	mscorsvw.exe	50
PID 524 wrote to memory of 1140	524	mscorsvw.exe	50
PID 524 wrote to memory of 1140	524	mscorsvw.exe	50
PID 524 wrote to memory of 1140	524	mscorsvw.exe	50
PID 524 wrote to memory of 1596	524	mscorsvw.exe	51
PID 524 wrote to memory of 1596	524	mscorsvw.exe	51
PID 524 wrote to memory of 1596	524	mscorsvw.exe	51
PID 524 wrote to memory of 1596	524	mscorsvw.exe	51
PID 524 wrote to memory of 2204	524	mscorsvw.exe	52
PID 524 wrote to memory of 2204	524	mscorsvw.exe	52
PID 524 wrote to memory of 2204	524	mscorsvw.exe	52
PID 524 wrote to memory of 2204	524	mscorsvw.exe	52
PID 524 wrote to memory of 876	524	mscorsvw.exe	53
PID 524 wrote to memory of 876	524	mscorsvw.exe	53
PID 524 wrote to memory of 876	524	mscorsvw.exe	53
PID 524 wrote to memory of 876	524	mscorsvw.exe	53
PID 524 wrote to memory of 2852	524	mscorsvw.exe	54
PID 524 wrote to memory of 2852	524	mscorsvw.exe	54
PID 524 wrote to memory of 2852	524	mscorsvw.exe	54
PID 524 wrote to memory of 2852	524	mscorsvw.exe	54
PID 524 wrote to memory of 2024	524	mscorsvw.exe	55
PID 524 wrote to memory of 2024	524	mscorsvw.exe	55
PID 524 wrote to memory of 2024	524	mscorsvw.exe	55
PID 524 wrote to memory of 2024	524	mscorsvw.exe	55
PID 524 wrote to memory of 2016	524	mscorsvw.exe	56
PID 524 wrote to memory of 2016	524	mscorsvw.exe	56
PID 524 wrote to memory of 2016	524	mscorsvw.exe	56
PID 524 wrote to memory of 2016	524	mscorsvw.exe	56
PID 524 wrote to memory of 2820	524	mscorsvw.exe	57
PID 524 wrote to memory of 2820	524	mscorsvw.exe	57
PID 524 wrote to memory of 2820	524	mscorsvw.exe	57
PID 524 wrote to memory of 2820	524	mscorsvw.exe	57
PID 524 wrote to memory of 2620	524	mscorsvw.exe	60
PID 524 wrote to memory of 2620	524	mscorsvw.exe	60
PID 524 wrote to memory of 2620	524	mscorsvw.exe	60
PID 524 wrote to memory of 2620	524	mscorsvw.exe	60
PID 524 wrote to memory of 1652	524	mscorsvw.exe	61
PID 524 wrote to memory of 1652	524	mscorsvw.exe	61
PID 524 wrote to memory of 1652	524	mscorsvw.exe	61
PID 524 wrote to memory of 1652	524	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe
"C:\Users\Admin\AppData\Local\Temp\b635f6e01349f1f5652b5aac2d881e77a3d2fcdacc2d88bc41c89c512026e838.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 244 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 268 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 240 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 258 -NGENProcess 1ac -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 258 -NGENProcess 1d4 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1ac -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1e0 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 294 -NGENProcess 280 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 258 -NGENProcess 284 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a4 -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 258 -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 154 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 1d8 -NGENProcess 1e0 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2640

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2148

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:692

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.4MB

MD5
6304c637871bb3cf881c34b0bcc95d5c

SHA1
eb9f13e017695e3f2df1b057ae270ea28718d7c3

SHA256
91058e154a84ed7764ea08efd80dd2549d7ba867c3049ba55f6cb62825292b5e

SHA512
430438fc58247d183e9501423016f198f019120a0743b8fc5398bf57d0d8c10d643969cda1eb8a3457f446d9c1fc3e8371b867386413cb0e25afd8a32ed8e011

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
132a127a59385a5812bea9bed7f50cce

SHA1
e50a854353d6589ba89ac02c764fbadcee826579

SHA256
51ff5e2b59be9a6e92a22ef38266adf25964bbd17800985e4a9b4d6c5a04c83e

SHA512
edd40613d9de3e747dc53ec698c284a8e3d85387783eb852e38d9fd7c5b2c8fe9c01237542a091650919009a794172c566dc9d03d09c0082a70353f9e8a9c067

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
7d6ea5f4210d7d8596bc02409ea9a30b

SHA1
3f19806c3f10bde916f38305d29ae8fb8f19518f

SHA256
b94dd80aaab85d878f935e3a3386c4fe4de9723e170c2e02b9fbd24e33d4011b

SHA512
a1b08e61d4e55f0e918fb4a1700361c080b9d1399431f4ea5cb479fcc549861232a72f849db7172eef9596d7b9c0e6a226027ef8d9cb84f82a9e444a3a92a172

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
d6ae4f6d9cc4c3ad3bca72990f4d3153

SHA1
9a20a0fce9bda39ea468afdd7fedaa8d5dfe3db9

SHA256
ef3a0bc68aa780dba49a97832597d4114c9f4c7413c4341ba7fff4d73ba12413

SHA512
436173b091f27d9caa12525d41851aa7bf3f2ee493fa12618c46617f74759b8011068c8d2198cdae11803c6934bd0791c48dba77762b25f1ed0ab169f5118f78

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d943df676faf1a9a62d5ae49fa22062a

SHA1
c0143c96e636464c7f6c4a48a4b51dd1c65b58d5

SHA256
9c9cc6913897d3a13f830e403ddadfa9cdcf633de4346da76f7d3965acb85813

SHA512
c6f8957ff867035b0f4a34fc9c2d36b0a3213a593bcb0600dfdec2b1bdb3a2d2ae3a3aef929df4a8426d0bf91d872784875e2df5ff7ea36c58c1450e6864bac7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
162ec3b6f9882065f0940301c0d33bbb

SHA1
0139b42999476e3f87c0dc1cc015dbe3e16784a2

SHA256
a1a28b047a06b6ce16c1c6d7a1046127f596b624f7116d8098a5aa8275d9f373

SHA512
5857da4582a7cd09abfff82d1013790755b8e07ea79314908f77f1053e0ed05ca359aa2e04796a3537f80d9eb227f9c4b17cad6c2b3d9f6b516efda9309ced92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f2ecfcf46807e71fe0d28f8cbe254789

SHA1
dd65d33d8aca54ea7a1a9221d5792b2d708161c1

SHA256
737f8ea513c7e44d06ef944cc8cb03dd938d4c5a26865f086bf40d34e7855700

SHA512
55f75a1cc386d1df4cf2866755fae97ddbeabb6fbd2d6d773a6c7aaff23335e808dc7bffa7160541b0a5a04eb160398f732a932863c65b746fd0bce35b8c17d7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f2ecfcf46807e71fe0d28f8cbe254789

SHA1
dd65d33d8aca54ea7a1a9221d5792b2d708161c1

SHA256
737f8ea513c7e44d06ef944cc8cb03dd938d4c5a26865f086bf40d34e7855700

SHA512
55f75a1cc386d1df4cf2866755fae97ddbeabb6fbd2d6d773a6c7aaff23335e808dc7bffa7160541b0a5a04eb160398f732a932863c65b746fd0bce35b8c17d7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9ed34650fa437ca6c7d6e6d53b938ee9

SHA1
1bd976548d3748e4ed2a4d53edadc5d137f5a818

SHA256
2fe5598ad942703dc6ccad85b73e9bf53650638163a140e0294ff2821222a3e3

SHA512
5ae739688f33602b89b9fbc2792f8235c69a1e42012d3d695bd8978c2eda422eaae04a488f35976c3c0c47039d0ab6981ed763a71ad3d400f05c32eab9fd854f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
13f8fe60e54fa832addb965d0098886d

SHA1
4c3b5b0589eda54902d6131d540b514c5f578449

SHA256
f377d601d2166e28a5b4a109bf2b293a98ccf9b6cf71b66f3f83a0b2d639c1dc

SHA512
ba2a2661af7ac3430b8be7a8a9b2a1fec5c277901fef9ea19cf6c051a5207e58b822fea1b85727a87c5d1df9d8a3312113c4db63f010dde17ff480cdcf37c4f8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
1f71538e73e39b2d2ba41512d8fdbb3a

SHA1
3855f42470d303829fe60a4de6c71eabcc8fb145

SHA256
7cdb8c185bdd685c6f8403174c48ddc7645a07fc1978bf54fd061cd08b54a5ed

SHA512
682639ba6719fa50adefed819619357fcdb4b8bea8d457769d8cc1664da3c4fbcc77d612f461049508a52dde6098710bc40f4f122a699b11c1bd8a5e20111458

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d2219958be6a241fadbd253fcc1f95de

SHA1
a59fe737d5ff886098bb2bf2b917f6da7f7b9acc

SHA256
fac4cb43e8d2df47e289e3015d7d5522b4f7c80e5e823c3ebbd557710a20de93

SHA512
e12cba3b10e49c51cf9d82eba838e0aae3ec7babe37d06984fa8502c1b8e788200d11e56b68ecd342ccaa58a685032e1a0a301d7aeb3278c0ab7daa8aa5e10a1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
2f3336abb9e259ea3b7132f1fe63c248

SHA1
f0382747d0cca9f95ef732d8ae21756407954756

SHA256
ab815365fc280fd2131462d4ae759e1dc99c30ab1589000188875e95c2c2cc46

SHA512
3c4ecce152abf284a943bbc2398a468f595fbf1b6b8e2cb3e1f1e069284bd831dfeb0002f747e4a98aa960af53e370313ef7375bd48567235db5d7cb8c90eb7a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
db43834c456e2b382e608625277ffe92

SHA1
5ad8f7eb7b09b2f0af657d5b7854e35de26f5f0e

SHA256
f5f77d62e2ea12c7c0c22eb9b943e48d9a6d072261b6a6b2103fc4b6b3868f6e

SHA512
f3b8f8c49830e705d74e7020417cb88115bd6cb17b158aaa34692f66edcbd78d537b0e72f0bac5c7705e43a61322384f2fc8532cd5e31b101d28a54c9ec55493

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
dd09607fae2eb5a335604f1cc119e109

SHA1
54420e31bef08fe6b5425778282f0908a10604e9

SHA256
f4ea3baa6a18d254a04e4e6274cca15acced228d2dc9cc3fbc726d3a36c35353

SHA512
fa0ac0e8d3de91eb0df073cf976fdaec8b35cef26961f4c52a2ebfd1d326478332442e877df538d7548b7295ab59ce455fc5e35c7cf665520c37a2e145def4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
565fa3d6f3382d042ca4626f5b744f09

SHA1
8687ad67ef922a2baab73a5372f7d7e9fad56163

SHA256
6faebf225627f2a45c1502387493f7531a908535d9b1142ae079388bfdfa401f

SHA512
c8f876c68c47680d755d60dd4df6895d98c0eb28ff77b294e8426370bf2d4a128107ab13e5a8c449730d46cf62f2d8ef0cb48bde7a3f66143c6ee84cbb2b6fa6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
565fa3d6f3382d042ca4626f5b744f09

SHA1
8687ad67ef922a2baab73a5372f7d7e9fad56163

SHA256
6faebf225627f2a45c1502387493f7531a908535d9b1142ae079388bfdfa401f

SHA512
c8f876c68c47680d755d60dd4df6895d98c0eb28ff77b294e8426370bf2d4a128107ab13e5a8c449730d46cf62f2d8ef0cb48bde7a3f66143c6ee84cbb2b6fa6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ceb1bb0ea148ad1969ce6cac8c09a9f6

SHA1
b876f7a32ba80f48dd579c80dd2b3b25f61463ff

SHA256
9e456efc6485e62390eb4ca1510eb3fdd87173d290c001e88b08061c2a87e88a

SHA512
ba5efecf350f38e69155d0a01ad303145f929e8b34d166f0984f324ae81dea7b49fb32b1fbd09f84215d2e3d2057dd303c39ef5f54f96b45b21f33091aeabe44

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
67203fac374ef5dd2d53a02f70199453

SHA1
8187b6d84cf0c8339b6959ea27ea748fe7ade46a

SHA256
51942853833a903a096ecec67602c793c9ba7b4bf4145dab8745bca7624d5eac

SHA512
96e2bcdd3c465daa30b3dbb4a60cc1a392afea349e7885ab88786fd1f20ec7aba919164b46c84c89bf7cd819db588fcfb2a29d440def5023437a8ae109b9b98b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc2458f42915eac1ca0192743714fd08

SHA1
dd47774bfdeb974af1c37ad4d207582e785b67a5

SHA256
00219134ad0cd886c6abdf2cc456e46adbaa477724d324370e72517bf39b1b70

SHA512
856989ce089d62c5dad64381cc4969699cb37b9d3ae2fb9284591d8886bf5ab21cbf58f1c5866d87e30517607a756471003f486b7f0d071e42986e615e8d80c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc2458f42915eac1ca0192743714fd08

SHA1
dd47774bfdeb974af1c37ad4d207582e785b67a5

SHA256
00219134ad0cd886c6abdf2cc456e46adbaa477724d324370e72517bf39b1b70

SHA512
856989ce089d62c5dad64381cc4969699cb37b9d3ae2fb9284591d8886bf5ab21cbf58f1c5866d87e30517607a756471003f486b7f0d071e42986e615e8d80c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc2458f42915eac1ca0192743714fd08

SHA1
dd47774bfdeb974af1c37ad4d207582e785b67a5

SHA256
00219134ad0cd886c6abdf2cc456e46adbaa477724d324370e72517bf39b1b70

SHA512
856989ce089d62c5dad64381cc4969699cb37b9d3ae2fb9284591d8886bf5ab21cbf58f1c5866d87e30517607a756471003f486b7f0d071e42986e615e8d80c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc2458f42915eac1ca0192743714fd08

SHA1
dd47774bfdeb974af1c37ad4d207582e785b67a5

SHA256
00219134ad0cd886c6abdf2cc456e46adbaa477724d324370e72517bf39b1b70

SHA512
856989ce089d62c5dad64381cc4969699cb37b9d3ae2fb9284591d8886bf5ab21cbf58f1c5866d87e30517607a756471003f486b7f0d071e42986e615e8d80c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c9b583b3be85e4571893de2220a3641a

SHA1
65f48d53300b9e0a5cb579f9f655bd3a0a4b581c

SHA256
0b3aa91e40948402e8edc1ae113d1afcfa51d744cbcd64e40ff0ea3a6cba4724

SHA512
11f0efc01c0a35dac8f9335eb05466a41e6d4c81a9fe84148f46328c03bcf53e6fe6e7c08d1c5f20053e6543cbc46e1c12d1dd0294e10433256f26595e0fe9bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c9b583b3be85e4571893de2220a3641a

SHA1
65f48d53300b9e0a5cb579f9f655bd3a0a4b581c

SHA256
0b3aa91e40948402e8edc1ae113d1afcfa51d744cbcd64e40ff0ea3a6cba4724

SHA512
11f0efc01c0a35dac8f9335eb05466a41e6d4c81a9fe84148f46328c03bcf53e6fe6e7c08d1c5f20053e6543cbc46e1c12d1dd0294e10433256f26595e0fe9bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
998b8dd452081e0c8fcadec18bac4404

SHA1
9441c1b4ac874e19b394f1ad913a72a5a8129baf

SHA256
f6bff25433883675405bd42c63565eacd286952c67f25cb0421ffcb6288343b1

SHA512
e5aeb314454e99a5c8771ea5939c0a7ac845bfcb541704086d24ad43395c865f5080c101b1f6f3a6884733e96003edf99a62f27fce29901ea4318340cd3aa003

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0c64c0c80c9c6b6f853be58cf5356fe3

SHA1
46872840c9fd1227becf7cf7826b696567632bb8

SHA256
d262e062bd9d27e7e4b792fafc316fcba0d968efb3b56275b736ffe2b2979a57

SHA512
6e0af5d8de35adb56a258f9ef780b5a50078aed8cb8ce05ad4dbbd995dae8ed85bb3e7fa532d103b15af44b33720e2d277a92f89cf0a0c51bbbecbfc6693620f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dea8fb094e3e4653ae4c04f7eac5ced0

SHA1
c741351db91b6cba274420f697c1557f1205b44e

SHA256
147db73513759c14e325ed021756f2611dcdd831648f7bc475953be2f85d9b05

SHA512
8c25f84c9b545047d6ad205daf00a2c4a6fb5bbc8a3a628f0f58268565f095405063e261244146b887d96be04f36d251d7eb5d822083e179067d6a66ffe5446e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
56cc41d5ddc7cff819c423525d01480c

SHA1
5efc759ce9b005fd2f72fb15b14da02a9195d73f

SHA256
2e72d1bda7f88f5e3cb3d987de1828c75a5bf7c412bc6df4d18ff6368c47a3ae

SHA512
17f8a843050821c698d5c821f13a0035d2bcf17f2c4cc3d38a49359f0e0950cc85647a284c2502ee8c958353c2c9e92a742458b1f712044a4b0d30a1f7ec4c96

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
fb8ca89136a4376accba7f155932992d

SHA1
0cb31e9140d1c63e0f64b187fd31f2100bec9678

SHA256
f80ecb73a95ee56805120a115e6a9ad35675c5a32087352be6e8f8649e2116c8

SHA512
c634967b2c73373fd24d763e67717105c9daeea8d8213ef7e44bce2699d439ca45d2deefc6d23d0f3a5e055429f060deadb8e9e922c6b11fac0e68d1c1c164e0

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fb8ca89136a4376accba7f155932992d

SHA1
0cb31e9140d1c63e0f64b187fd31f2100bec9678

SHA256
f80ecb73a95ee56805120a115e6a9ad35675c5a32087352be6e8f8649e2116c8

SHA512
c634967b2c73373fd24d763e67717105c9daeea8d8213ef7e44bce2699d439ca45d2deefc6d23d0f3a5e055429f060deadb8e9e922c6b11fac0e68d1c1c164e0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
6ec828a20c90be2f8fb268bbe0e15b67

SHA1
4b9d2834bbadc12f9f44272ec134e9ba36fce1e2

SHA256
89eecd5a71e99dbdd2d9ee332125a7cd5ac4c131a2e744f74e7d95d7f59a01c5

SHA512
689a7694749b2f7b8f2b526987b879d60536b50e49d09c26a2f403f7c13eafa42b689cfd0d30228489ff6fa3fdbb189c040523697b098a0778593a4017bb9262

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
6ec828a20c90be2f8fb268bbe0e15b67

SHA1
4b9d2834bbadc12f9f44272ec134e9ba36fce1e2

SHA256
89eecd5a71e99dbdd2d9ee332125a7cd5ac4c131a2e744f74e7d95d7f59a01c5

SHA512
689a7694749b2f7b8f2b526987b879d60536b50e49d09c26a2f403f7c13eafa42b689cfd0d30228489ff6fa3fdbb189c040523697b098a0778593a4017bb9262

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.3MB

MD5
8a8bd613198bb3dae593ed7ef4ffb9d5

SHA1
316c83e3b132e9316b63f5e2088a7208a034b1b8

SHA256
5d9def501ae926dc579d0ce648b2858faff2aed478ffa5691813a328f02face6

SHA512
164e30e3161d858274bc6e355c5f71cad23cf23c56df43c9b131d48e3b84b0a9d017d83eab323a4db5d4c3e99414985e139c2179ad24971be7fac3b30efc5818

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
1f8b86ad955905b5a505934081c86e9a

SHA1
f57cd2062aa389fe1fb59332d2ba2e9ad831f0cf

SHA256
c60c889a166bd894b50851568c691c8832804f94df1b0a490de841061fb49d70

SHA512
296809792b4fc447d46e1c0d9fff8379ff56272325eabd272c6a0887b7ea45fcaebacb6aa9c8ed984487a6e963104829377148e475a373a5a5a850086e868567

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
565fa3d6f3382d042ca4626f5b744f09

SHA1
8687ad67ef922a2baab73a5372f7d7e9fad56163

SHA256
6faebf225627f2a45c1502387493f7531a908535d9b1142ae079388bfdfa401f

SHA512
c8f876c68c47680d755d60dd4df6895d98c0eb28ff77b294e8426370bf2d4a128107ab13e5a8c449730d46cf62f2d8ef0cb48bde7a3f66143c6ee84cbb2b6fa6

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
67203fac374ef5dd2d53a02f70199453

SHA1
8187b6d84cf0c8339b6959ea27ea748fe7ade46a

SHA256
51942853833a903a096ecec67602c793c9ba7b4bf4145dab8745bca7624d5eac

SHA512
96e2bcdd3c465daa30b3dbb4a60cc1a392afea349e7885ab88786fd1f20ec7aba919164b46c84c89bf7cd819db588fcfb2a29d440def5023437a8ae109b9b98b

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dea8fb094e3e4653ae4c04f7eac5ced0

SHA1
c741351db91b6cba274420f697c1557f1205b44e

SHA256
147db73513759c14e325ed021756f2611dcdd831648f7bc475953be2f85d9b05

SHA512
8c25f84c9b545047d6ad205daf00a2c4a6fb5bbc8a3a628f0f58268565f095405063e261244146b887d96be04f36d251d7eb5d822083e179067d6a66ffe5446e

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
56cc41d5ddc7cff819c423525d01480c

SHA1
5efc759ce9b005fd2f72fb15b14da02a9195d73f

SHA256
2e72d1bda7f88f5e3cb3d987de1828c75a5bf7c412bc6df4d18ff6368c47a3ae

SHA512
17f8a843050821c698d5c821f13a0035d2bcf17f2c4cc3d38a49359f0e0950cc85647a284c2502ee8c958353c2c9e92a742458b1f712044a4b0d30a1f7ec4c96

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fb8ca89136a4376accba7f155932992d

SHA1
0cb31e9140d1c63e0f64b187fd31f2100bec9678

SHA256
f80ecb73a95ee56805120a115e6a9ad35675c5a32087352be6e8f8649e2116c8

SHA512
c634967b2c73373fd24d763e67717105c9daeea8d8213ef7e44bce2699d439ca45d2deefc6d23d0f3a5e055429f060deadb8e9e922c6b11fac0e68d1c1c164e0

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
6ec828a20c90be2f8fb268bbe0e15b67

SHA1
4b9d2834bbadc12f9f44272ec134e9ba36fce1e2

SHA256
89eecd5a71e99dbdd2d9ee332125a7cd5ac4c131a2e744f74e7d95d7f59a01c5

SHA512
689a7694749b2f7b8f2b526987b879d60536b50e49d09c26a2f403f7c13eafa42b689cfd0d30228489ff6fa3fdbb189c040523697b098a0778593a4017bb9262

Download Submit
memory/524-121-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/524-122-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/524-128-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/524-261-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/692-415-0x000000002E000000-0x000000002E15E000-memory.dmp

Filesize
1.4MB

Download
memory/692-330-0x000000002E000000-0x000000002E15E000-memory.dmp

Filesize
1.4MB

Download
memory/768-114-0x0000000010000000-0x0000000010150000-memory.dmp

Filesize
1.3MB

Download
memory/768-143-0x0000000010000000-0x0000000010150000-memory.dmp

Filesize
1.3MB

Download
memory/1280-441-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1280-365-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1280-341-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1280-361-0x00000000743D8000-0x00000000743ED000-memory.dmp

Filesize
84KB

Download
memory/1280-348-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1412-142-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1552-414-0x0000000072FD0000-0x00000000736BE000-memory.dmp

Filesize
6.9MB

Download
memory/1552-399-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/1552-392-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1564-377-0x0000000072FD0000-0x00000000736BE000-memory.dmp

Filesize
6.9MB

Download
memory/1564-360-0x0000000072FD0000-0x00000000736BE000-memory.dmp

Filesize
6.9MB

Download
memory/1564-321-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1564-373-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1564-324-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1596-362-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1596-385-0x000007FEF4B30000-0x000007FEF54CD000-memory.dmp

Filesize
9.6MB

Download
memory/1596-329-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1596-366-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1596-328-0x000007FEF4B30000-0x000007FEF54CD000-memory.dmp

Filesize
9.6MB

Download
memory/1596-270-0x000007FEF4B30000-0x000007FEF54CD000-memory.dmp

Filesize
9.6MB

Download
memory/1596-271-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1596-295-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1596-277-0x000007FEF4B30000-0x000007FEF54CD000-memory.dmp

Filesize
9.6MB

Download
memory/1696-446-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1732-98-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/1732-97-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1732-104-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/1732-136-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1820-173-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1820-94-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2008-166-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2008-165-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2008-300-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2008-172-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2148-275-0x0000000100000000-0x000000010013E000-memory.dmp

Filesize
1.2MB

Download
memory/2148-279-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2148-268-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2148-338-0x0000000100000000-0x000000010013E000-memory.dmp

Filesize
1.2MB

Download
memory/2248-316-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2248-188-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2248-181-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2248-182-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2376-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2376-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2376-264-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2376-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2376-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2396-400-0x0000000072FD0000-0x00000000736BE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-401-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2396-386-0x0000000072FD0000-0x00000000736BE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-382-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2396-371-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2640-158-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2640-152-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2640-151-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2640-176-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2640-178-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2640-179-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2640-287-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2832-159-0x0000000100000000-0x000000010014D000-memory.dmp

Filesize
1.3MB

Download
memory/2832-58-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2832-43-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2832-48-0x0000000100000000-0x000000010014D000-memory.dmp

Filesize
1.3MB

Download
memory/2856-294-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2856-299-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/2856-347-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3024-303-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/3024-310-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/3024-334-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/3024-335-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download