80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866

Analysis

max time kernel
150s
max time network
166s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
20/11/2023, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
Size

1.8MB
MD5

3a458d3678f595f6e843019ff5880863
SHA1

e1b8f3d767c5f9d2197cce2a421be69822cd58de
SHA256

80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866
SHA512

d86485068f4b0c43a15bb64d1c309ecb8052c6688c88a4b67d5cb119f0ef9194dd6bd8180983eb2e45d32bd049cec1dbb2987a336be3e6afc31a9d0aab8847e4
SSDEEP

49152:ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAIgwsZY8/kd6WI7yZr:avbjVkjjCAzJrOCI7ur

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2684	alg.exe
476	aspnet_state.exe
2812	mscorsvw.exe
904	mscorsvw.exe
1972	mscorsvw.exe
636	mscorsvw.exe
2248	dllhost.exe
2144	ehRecvr.exe
2484	ehsched.exe
1480	elevation_service.exe
2860	GROOVE.EXE
2424	maintenanceservice.exe
2864	mscorsvw.exe
624	OSE.EXE
1280	OSPPSVC.EXE
2640	mscorsvw.exe
2220	mscorsvw.exe
2732	mscorsvw.exe
544	mscorsvw.exe
2188	mscorsvw.exe
2096	mscorsvw.exe
1476	mscorsvw.exe
776	mscorsvw.exe
1484	mscorsvw.exe
1608	mscorsvw.exe
2744	mscorsvw.exe
1760	mscorsvw.exe
1796	mscorsvw.exe
3016	mscorsvw.exe
1960	mscorsvw.exe
2480	mscorsvw.exe
2536	mscorsvw.exe
2592	mscorsvw.exe
1940	mscorsvw.exe
860	mscorsvw.exe
2104	mscorsvw.exe
1220	mscorsvw.exe
1976	mscorsvw.exe
892	mscorsvw.exe
1932	mscorsvw.exe
2952	mscorsvw.exe
2380	mscorsvw.exe
2396	mscorsvw.exe
2428	mscorsvw.exe
1780	mscorsvw.exe
1092	mscorsvw.exe
1720	mscorsvw.exe
3028	mscorsvw.exe
2604	mscorsvw.exe
2440	mscorsvw.exe
904	mscorsvw.exe
2812	mscorsvw.exe
2796	mscorsvw.exe
900	mscorsvw.exe
2888	mscorsvw.exe
1508	mscorsvw.exe
2132	mscorsvw.exe
2164	mscorsvw.exe
1600	mscorsvw.exe
2136	mscorsvw.exe
2168	mscorsvw.exe
1076	mscorsvw.exe
1128	mscorsvw.exe

Loads dropped DLL 41 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2428	mscorsvw.exe
2428	mscorsvw.exe
1092	mscorsvw.exe
1092	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe
2440	mscorsvw.exe
2440	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe
900	mscorsvw.exe
900	mscorsvw.exe
1508	mscorsvw.exe
1508	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe
1076	mscorsvw.exe
1076	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
1808	mscorsvw.exe
1808	mscorsvw.exe
1536	mscorsvw.exe
1536	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
832	mscorsvw.exe
832	mscorsvw.exe
1004	mscorsvw.exe
1004	mscorsvw.exe
2032	mscorsvw.exe
2032	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c9e691d5cb36c99.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{198967AA-917E-4C90-872D-B022E39822F9}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\goopdateres_cs.dll	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\goopdateres_ur.dll	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\goopdateres_hr.dll	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\goopdateres_nl.dll	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\GoogleUpdateCore.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\goopdateres_uk.dll	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\GoogleUpdate.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM932B.tmp\GoogleUpdateComRegisterShell64.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6FF2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPADDC.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP77AF.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9721.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA515.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD52A.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7FAB.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC1AA.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9C7E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1A0FF6E9-C907-42FD-A3FE-EC594AD1FC3E}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2672	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1756	80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: 33	2848	EhTray.exe
Token: SeIncBasePriorityPrivilege	2848	EhTray.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeDebugPrivilege	2672	ehRec.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: 33	2848	EhTray.exe
Token: SeIncBasePriorityPrivilege	2848	EhTray.exe
Token: SeDebugPrivilege	2684	alg.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeDebugPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	636	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2848	EhTray.exe
2848	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2848	EhTray.exe
2848	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	42
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	42
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	42
PID 1972 wrote to memory of 2864	1972	mscorsvw.exe	42
PID 1972 wrote to memory of 2640	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 2640	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 2640	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 2640	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 2220	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 2220	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 2220	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 2220	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 2732	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 2732	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 2732	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 2732	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 544	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 544	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 544	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 544	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 2188	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2188	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2188	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2188	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2096	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 2096	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 2096	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 2096	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 1476	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 1476	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 1476	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 1476	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 776	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 776	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 776	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 776	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 1484	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1484	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1484	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1484	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1608	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 1608	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 1608	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 1608	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 2744	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 2744	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 2744	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 2744	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 1760	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 1760	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 1760	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 1760	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 1796	1972	mscorsvw.exe	59
PID 1972 wrote to memory of 1796	1972	mscorsvw.exe	59
PID 1972 wrote to memory of 1796	1972	mscorsvw.exe	59
PID 1972 wrote to memory of 1796	1972	mscorsvw.exe	59
PID 1972 wrote to memory of 3016	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 3016	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 3016	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 3016	1972	mscorsvw.exe	60
PID 1972 wrote to memory of 1960	1972	mscorsvw.exe	61
PID 1972 wrote to memory of 1960	1972	mscorsvw.exe	61
PID 1972 wrote to memory of 1960	1972	mscorsvw.exe	61
PID 1972 wrote to memory of 1960	1972	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe
"C:\Users\Admin\AppData\Local\Temp\80b3034e488036fa331300d8f89960669a9672323b2a195d341010f4c32af866.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2812

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 1ec -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 26c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1ec -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 254 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e4 -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 280 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 288 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 25c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 280 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 280 -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 280 -NGENProcess 29c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 220 -NGENProcess 1c8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2cc -NGENProcess 280 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 220 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2b8 -NGENProcess 2bc -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2bc -NGENProcess 2d4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d4 -NGENProcess 1c8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2b8 -NGENProcess 1c8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2b8 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 230 -NGENProcess 21c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 230 -NGENProcess 248 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2d0 -NGENProcess 248 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d0 -NGENProcess 21c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2bc -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2f8 -NGENProcess 2d8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 2f4 -NGENProcess 2bc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 304 -NGENProcess 2bc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 250 -NGENProcess 30c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 230 -NGENProcess 30c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 2f8 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2bc -NGENProcess 318 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2bc -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 314 -NGENProcess 308 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2d0 -NGENProcess 328 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 334 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2f4 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 31c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 330 -NGENProcess 338 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 340 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 320 -NGENProcess 32c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 32c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 344 -NGENProcess 340 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 30c -NGENProcess 350 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 32c -NGENProcess 354 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 340 -NGENProcess 358 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 350 -NGENProcess 35c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 308 -NGENProcess 358 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 308 -NGENProcess 35c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2248

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2144

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2848

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2860

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2424

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:624

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.2MB

MD5
7653b14ef1bcabeae59103a6177b557a

SHA1
cc7f38168bcef95cd8d78741c2d9e0f4398d97d4

SHA256
f2e72e710b41a16c1390871de445bf517be4db6b1bc17408a59a933dd91d79fa

SHA512
58ed25e85727368f6c3c085cd945ca9b76627b988f782b3a47a3f45dc869288b89ff6398ffc42173275439b5fdc53ae256235df05aebd19cb396727ce7d6f945

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
c565336c2e66e9f9808d0f74d717fb4c

SHA1
9cc364c41fff74a1a3389cc2c02c2ec414ae4d5a

SHA256
5a524c99689e37961a5b3f5ffd3a51686782db6459c7e0e702ac2d93e27b5901

SHA512
ef6735ab10d190778fbecfe19ba87d59fcaebbbb275d0bc30fb6ade3129cfc81b7c795140fc56f9d8b0f2d66a6068b6f646e2aafaccb15f7a725dc99a0f31f10

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
fb2589df0987d04d4dfc8ae67863d0f8

SHA1
f2a11260c2a65c215b4622d8879854ebbf370ed3

SHA256
fbf7dba5142ae3520ba2fd6a4746a1655820a171f2bd586c43562a78a6a4fcf7

SHA512
f693240222f2f7be7da2231e9ccdb81360596e64888d6f213fd2d1a12685b2accee546b11a38a2f6f8a14e40f0786cf1da80abd9923e7f0669f669577bbc4553

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
075f03c9e23af1f922058154c98d6db4

SHA1
879f3e9bc1ddfd3fff6b80962b5c2758dfa73dd9

SHA256
9027ec10f0f6412be4a9620477d28bfb2c61072aab8697c9e3e78e5fdb5b4b13

SHA512
e8ed677297effab442862bbd908374d58e0f2fb654bfdccbc103f4ea29d2eff6770d6e03564f2dbf3f39a6fbfd02f4458b307615c3da3238b5c4f8341374b4e2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
a9bd70ebce780937ec44cba390727521

SHA1
88aeb469b86c2ea8084d686e5cdab84cfdf2ebd4

SHA256
45e7758a65cea2ded985f96c2ca13b1b45a0ed1776dec560e3b0f738d51f533b

SHA512
d3491b027b66a776b7652f9516b42c1345d46e9b77ca11e012a0b66bbc54e2e5cbfb976c6025568d470b719eef37cf68b7e279be1cd5eec97f0adf9a86178158

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7c14b8250377f6e436538966f7352c54

SHA1
25773dc6544c01cc1bec2adc3445deec74646850

SHA256
e7ef3f3f6ea0b6cdc53ca1db508d8c0abe1b9bb0aa9630c88daa3a82d9a27e02

SHA512
76f1473a19a6fee6e61f9c4bd03b462e7830642729193c06dfb046665c63187d15a5564c52126548fa7198512284787f3a6e565b10a0c3d356adf198d52d4d21

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
99cce8217f7b6313a6d57e5f1df78561

SHA1
fc56f5f708f37d3e7a909a9ed3b31fec9ec37430

SHA256
c2fd966c2357ac688502641838f9b42b04ccf89ddb7d05bc2ca5603f42f98583

SHA512
3a974fb5afc6c62dacefe4a3cc90c36c22b61f042745551f0fdb6a610858f823c2e03a4c432e4758e602b74251b59152e14131e6454796238762c44a33ab5b0e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
99cce8217f7b6313a6d57e5f1df78561

SHA1
fc56f5f708f37d3e7a909a9ed3b31fec9ec37430

SHA256
c2fd966c2357ac688502641838f9b42b04ccf89ddb7d05bc2ca5603f42f98583

SHA512
3a974fb5afc6c62dacefe4a3cc90c36c22b61f042745551f0fdb6a610858f823c2e03a4c432e4758e602b74251b59152e14131e6454796238762c44a33ab5b0e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
40e51b1339de1957dadd9a2540684480

SHA1
61c7651c81285f720de05876214222e05a3451e7

SHA256
3f66be4dd6523d892136c4643353d44889d1b537473c3718efd7a136c30dd16d

SHA512
c060004e621ab73ac6e09c52c9242e40e7321922a93b4a8a8b815f8290b9253c7e1a16e65b32477a2334dc79b051af372e8d9ad0783e9b3051d793883e723ef1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
2df0807e01f0f59a786e0f140c5cfbe7

SHA1
6dbb7d728599e6ea884d51f646eb264ea1e89828

SHA256
4079b936dfaeb581134c49417a0b562926912f3e151ce5b55226a6dae191bff7

SHA512
f34cebc8b3b4fe840ef4bad84fe7cfc6c5f41fa9dbffd9af84c9e40b355f1733c191db622698f186706ff2b168d55af225f61a243ad1933c190c0e8fc8342fdb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
b92b9e6f9671b5bb8171b90f67aaf8a6

SHA1
e3c19868d498b744669d163790f42bcfb123c93f

SHA256
2eb469cdaeb7b93f38ea8e11db19cefde8179463b17b1be828dd3ca1e34db4c3

SHA512
935c6783c5510e79e80d4daedc6e3bc19ff79cf39235a294122938ff6792e147c85086c82d26af8bd60547f2a87167d982fdbcb8a2df1e6df5d1d31ba3c6b8d9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
0af28d1c145afd8070034f80033ad06f

SHA1
58caee1f4dffc725b1ea23e008c8dde99a44359a

SHA256
7af3d68be5da3bd25b768a4aa58cd2027a2ff017b4d18ac3b0d787df348e2429

SHA512
fb120a518ad15fe8b85d65f120dae3249012364705a095d472eed3aedc60ae34b8008abe707404c76404296982ef5a6d54459a6ba0f3764592e4f4aba822dd6d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
adab0b554881f4cf8445980317c5fbb0

SHA1
a7c257db52f3ab2b63dccb5feaa5645f8a3b54d8

SHA256
557f046dfc1a4564379123e2cfc295985c29b89f63482912d1eccaedbccce3f3

SHA512
58b5eb981326f1ac62afa6d7f83f5ca1c6931e4639482a9601dc5542ebfecdcb12e291d7a83a5e6f75a9af43518cba82429215e14da7340f9205ced9129d06a4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
6e7d26568b5f98aea08c7193908f2f4b

SHA1
78f83dd4cfa844f9d8715b4d8b3860a2736b114d

SHA256
c447b9deeab3fa6e76954fe30fe0d5f49611b5c4f0a3f0c1a77719617c321acd

SHA512
afc1300a5cac99d9f75c3c73d0ed1670c575be807b508c675a519b73c4fbb5573965696877a90a9d3ab38b218427f3a046a7c71d06ac4fe20bc9078a94058a6e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
ec7fe9f735af063e233b3301bd21d0e3

SHA1
55dc5110a8e557204bca01710efc8a7f7b441044

SHA256
26998cfe9575ca239c979de28da5f06fd5994d6481f0fc107d967e83beda7e7c

SHA512
9c8a15b609f77114c54b27d9d9140d0f0b721dba7d3698e3991a4620753adc10cfd93374ac9020c28e60640c4f721bba7ab67267c526687e5b816ae7c78f82dd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
21ea598d22322fa9adf4e6d6b28201ca

SHA1
3ca871ec27844115514a02e991f7f5cace3149a1

SHA256
4dc018a18ba11150e368364f3f7bd108ab8b22b30188dab8c0fd2f51168afb44

SHA512
3fe3615c0a08727e55b0a353a3994c114e3727e892de352d641b113d08971ccc58bd48d5292ac7446d9fc1a09071a563826865dd484f1ee256ca0c1640150373

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4cca06032a003de8f6242a06adec3475

SHA1
d4b577e60b7529071adeacd5efe80d73c445f508

SHA256
bebcb2da197aa6e1e2a98cff57b599fbc83ac2d08c5987717bbb0a7c8233c1fe

SHA512
1b779ea7fc89b9d5b66492e70c95b75e77740b1c06f857c5568a2a78e631c1e6e2133a779ad5231ddaaecfd319160c04c0f3bdacbfe86e0018cb939038874404

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
48495571d9758297333749ac504d7daf

SHA1
fbbe3697f8ab87954e87349060ac7c157cc6111d

SHA256
b5dfb74639980ffb0351f122b4f98fda6c522f082ad9ca8693b012c6d4e652ae

SHA512
b0e29afab3bafae8c2f328503f75772b127abd44c30f9cbf8ccc497a63bf8aa9e4a161a57b5c27b6a76cd16c5e549fa53535f47a01d765f0d115617c23a852fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
f77bd260123867aac2682dcb9d600863

SHA1
986a508d479a22cf1f24b12ccb5fd1d36f641b94

SHA256
9e472293ca7647289f96d070fa9f8321ede9aa3b71d737e2fc46dc8446cf516c

SHA512
b64845da04487424f642ec89384635018951d8057a23542f2f8b884f017429c455b3de3b56fe6930a357c1ee7d9c32373fde1c8040e42aae573a23d19597d83a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
f77bd260123867aac2682dcb9d600863

SHA1
986a508d479a22cf1f24b12ccb5fd1d36f641b94

SHA256
9e472293ca7647289f96d070fa9f8321ede9aa3b71d737e2fc46dc8446cf516c

SHA512
b64845da04487424f642ec89384635018951d8057a23542f2f8b884f017429c455b3de3b56fe6930a357c1ee7d9c32373fde1c8040e42aae573a23d19597d83a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3b1a455d823ceed8aba3fcaa8b7807ed

SHA1
a4c6824d80a1a554683efa44a145eed8b0ba39f0

SHA256
71fad5b01a3b3c5e5afd89e955f30d789aff63ee29a6997bb34781e887706c50

SHA512
c74ffad2401eae94d73c7d7b5caa3afac92f8af34d040b86bca52e35c0faa01543a9743f2d4fd0397a810238a16e92b6a5b4c8f84b081976c61140acf00f3620

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
c1499cdb4db880595b775cd75eac76c4

SHA1
f7d2345e1b96ccc45cf17a730e92ecb3ca74d400

SHA256
256b0d755384690745eaf5bc06c0d5e1c051252cef810f8f65b45c58e9c68519

SHA512
6e1eb05fd8fb8091e4e87155175db0115195ddb05fac26a06e2b4ad56e6ebbc7ad10c33e5445482a3bba63ef19dc0853660106f786d140080766a557060f161c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
d07d80a5a2200fb7e2a819492a27a316

SHA1
88572a1159c6de3df88e9f89716c71a60aa3d39a

SHA256
50e04b52fb16f058206584c6fa25d398848258cc5d3bae81d70806ecbc7d420c

SHA512
9d2eb79619910cb95b3f2c3e511c3c7c33aff444fd3b98a4ed157e2e754d8b955cfc0636353c42ad49382a391a0c5788fb514f4f56942f63bb160ab57d373c65

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
d07d80a5a2200fb7e2a819492a27a316

SHA1
88572a1159c6de3df88e9f89716c71a60aa3d39a

SHA256
50e04b52fb16f058206584c6fa25d398848258cc5d3bae81d70806ecbc7d420c

SHA512
9d2eb79619910cb95b3f2c3e511c3c7c33aff444fd3b98a4ed157e2e754d8b955cfc0636353c42ad49382a391a0c5788fb514f4f56942f63bb160ab57d373c65

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
d07d80a5a2200fb7e2a819492a27a316

SHA1
88572a1159c6de3df88e9f89716c71a60aa3d39a

SHA256
50e04b52fb16f058206584c6fa25d398848258cc5d3bae81d70806ecbc7d420c

SHA512
9d2eb79619910cb95b3f2c3e511c3c7c33aff444fd3b98a4ed157e2e754d8b955cfc0636353c42ad49382a391a0c5788fb514f4f56942f63bb160ab57d373c65

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
d07d80a5a2200fb7e2a819492a27a316

SHA1
88572a1159c6de3df88e9f89716c71a60aa3d39a

SHA256
50e04b52fb16f058206584c6fa25d398848258cc5d3bae81d70806ecbc7d420c

SHA512
9d2eb79619910cb95b3f2c3e511c3c7c33aff444fd3b98a4ed157e2e754d8b955cfc0636353c42ad49382a391a0c5788fb514f4f56942f63bb160ab57d373c65

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
b1202dbb59aabd54f0173f192c789c61

SHA1
0ca447bb4d1178c4263ebf3ce546d26a24e0c8f5

SHA256
9dcd517deb58be6fe91ed9c2702f4737a153d287d5b2bc5b72fec530d9122f0d

SHA512
dd8a1852020d05b95cbc7216a1875ecfd24894e8a7f3a802a713c43141db7c51678d89a8e89256775caa781027512feff317c2de9d1cf22abe5cf5253ec8ae79

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
b1202dbb59aabd54f0173f192c789c61

SHA1
0ca447bb4d1178c4263ebf3ce546d26a24e0c8f5

SHA256
9dcd517deb58be6fe91ed9c2702f4737a153d287d5b2bc5b72fec530d9122f0d

SHA512
dd8a1852020d05b95cbc7216a1875ecfd24894e8a7f3a802a713c43141db7c51678d89a8e89256775caa781027512feff317c2de9d1cf22abe5cf5253ec8ae79

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c70b19f3a868d5990c61ec3a8410b43b

SHA1
6d4c45425956811cadfd8cce2c0a4cd3cc4caad4

SHA256
4955bf18227c6a9091931feffd65ea798947e6e50add6061fc96e485655ff0b9

SHA512
bef0458395457bc160c3e00a719e709efc14e8f90ffba007bd742d1446593a606a0e419e56c2c13f558967c607c9aa805cf9031a91c43471e60e9f3042a5106e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bfdf72bdcd245dd1a30360c1935c9450

SHA1
8270307a7742539d5875f4fac7df2cc65ef57ffe

SHA256
6c3b2530a101547cdb4ab7af3e3031c21085086a4aeb1a9af5ce152a356809dd

SHA512
e7e25484af1e29a6d7c231781516709fd4d7786693f775d91dd472bf11a8bd82ebd7c4a39825b60b3115e680bab061d0602d4ba9edd6422c5857c5ab2e14e709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
6a22f72a0c7b889d1ccd76e47f9345de

SHA1
0ddc928a6e9c7ed899cb948664904a8537ea5735

SHA256
3ac1221ac485e3068ddc10ea28471809d8f74b7b5bd934a8dac4aa41343466d0

SHA512
71c488827a9d5158d352edb2550544fa6fe7cedd4d3703a3142adfce22524bd5928bf03ec47ede35b4c196b39d44ead09713fe6674d3bf89a16012bd37df0f7b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
6e94fe0242cbdd94f2602ed989c106c9

SHA1
bc6bf28706acb646793c532a2bf7a2b03a289035

SHA256
cdc0e5173518a78a0d49db844e7f2d75d11966800cffccaaa6167254b84c5810

SHA512
0c4b951921d52bd521fddb8d90394aabd70e3bc69d7cfc9407a71a3bd12e7744db2d566620e69f849827400eb01eae07b213e39723885580a9270d42e5db1f9c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
138bd619c0f2fde7c2537d4cf518a4f5

SHA1
f4bcf3e95d66312b30d98fadfec5f00cc92102fc

SHA256
8bb310340cc78c4ba6f9c9b1c943dc9bc7890c3e54007cd254886769aae843ba

SHA512
389348cc650088040add009bc0a19337f7b52a0a3d26c6c72b6e4984bf83a13ef16597e0f0f0b1c83c20dffaa2698923bae26aae7bf473780470a703254cba64

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\246cc99c493017d3b60fdfcb481c91d5\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
7f2e84dc99f9f4370a89dd8d5e476ef5

SHA1
fe58754db168b86781c9c96f59f1aa7e25e10e4a

SHA256
ea86b8073b25c97b58a28616392671fd5a2903093193bd27605c08e244af3df7

SHA512
1d2470e593b2a42b592797712938e2ce381df8e59fe078f422409358af13c91dc9e3a4a4d1721b5db23f1192aad4b2cff18740ff8ca13aa69e338053e96bfc0a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\469bc67c2e44c3c0374abc984f056de3\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
768f9cb2e8e32da7ce617154ba2ecdc7

SHA1
c9dfe70f17cccdc0c4d698165ad19df1427e2911

SHA256
eacdab10bed10c2ab02b7f57ce4e3074b3fce3423a9a98605bc8e71f0f660a94

SHA512
8a97a917d1e8d04e29454ea88a87f7f0783f2b854e0eb5d033851b4df9e937edeba5568b0586df392e0405067a97b5e5e8729e4cbc2e01dc5bca4ed92e685302

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d706b4a5fdb14709743f705a47e53be6\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
701b109b68fd5d458d80ba19804f2863

SHA1
229a627edbd63144b32765f5d836bf9e890aa62b

SHA256
d7323275029dcac22b73c4ae984cf48134bcb1d2d2e75c6b2fd3d9a4ceb1d712

SHA512
140bf7bcfd7d85e3fa5bc418e2f3d79f45caa1f5c69bbbff3e897966efc6793a745a82e08b28b581ff30c775d1ba07c036437dbf83e922ce038e62657e3b68f2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
73d740c6f0d1be4ce6b7300eca5f4e43

SHA1
52e85197249dc2a5af5c987a73aca3b8ff9294ad

SHA256
189a5949d050d25838b7d09e7bfa4563abc57b247a7b325c5e2a3f73eff7e1e5

SHA512
5295f74297fffdd73ea693041cb9064ac280845f7cbbf8d6dcb5ad4af3d5b4cb0562be790e81b81c793726b20426416e8af4ed60ba3eaf9d24166415da31232c

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
73d740c6f0d1be4ce6b7300eca5f4e43

SHA1
52e85197249dc2a5af5c987a73aca3b8ff9294ad

SHA256
189a5949d050d25838b7d09e7bfa4563abc57b247a7b325c5e2a3f73eff7e1e5

SHA512
5295f74297fffdd73ea693041cb9064ac280845f7cbbf8d6dcb5ad4af3d5b4cb0562be790e81b81c793726b20426416e8af4ed60ba3eaf9d24166415da31232c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
faa6d75c7ae4d946147c4bbebafcc1ca

SHA1
9e331800b904715a98fe586d222d843444b148bf

SHA256
51918225c814057ea356ce2eaf03cd7f6475af35538056838f42971a4119633b

SHA512
d0b058f548dfb9237dc2e5dcd5b9e5f63cd12df56165c90b142e3719ebb9c0749eb3285367985fd7756f746f77ccea025cec006c92990cd45cba58e89f799474

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
faa6d75c7ae4d946147c4bbebafcc1ca

SHA1
9e331800b904715a98fe586d222d843444b148bf

SHA256
51918225c814057ea356ce2eaf03cd7f6475af35538056838f42971a4119633b

SHA512
d0b058f548dfb9237dc2e5dcd5b9e5f63cd12df56165c90b142e3719ebb9c0749eb3285367985fd7756f746f77ccea025cec006c92990cd45cba58e89f799474

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
f77bd260123867aac2682dcb9d600863

SHA1
986a508d479a22cf1f24b12ccb5fd1d36f641b94

SHA256
9e472293ca7647289f96d070fa9f8321ede9aa3b71d737e2fc46dc8446cf516c

SHA512
b64845da04487424f642ec89384635018951d8057a23542f2f8b884f017429c455b3de3b56fe6930a357c1ee7d9c32373fde1c8040e42aae573a23d19597d83a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
c1499cdb4db880595b775cd75eac76c4

SHA1
f7d2345e1b96ccc45cf17a730e92ecb3ca74d400

SHA256
256b0d755384690745eaf5bc06c0d5e1c051252cef810f8f65b45c58e9c68519

SHA512
6e1eb05fd8fb8091e4e87155175db0115195ddb05fac26a06e2b4ad56e6ebbc7ad10c33e5445482a3bba63ef19dc0853660106f786d140080766a557060f161c

Download Submit
\Windows\System32\alg.exe

Filesize
1.1MB

MD5
6e94fe0242cbdd94f2602ed989c106c9

SHA1
bc6bf28706acb646793c532a2bf7a2b03a289035

SHA256
cdc0e5173518a78a0d49db844e7f2d75d11966800cffccaaa6167254b84c5810

SHA512
0c4b951921d52bd521fddb8d90394aabd70e3bc69d7cfc9407a71a3bd12e7744db2d566620e69f849827400eb01eae07b213e39723885580a9270d42e5db1f9c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
138bd619c0f2fde7c2537d4cf518a4f5

SHA1
f4bcf3e95d66312b30d98fadfec5f00cc92102fc

SHA256
8bb310340cc78c4ba6f9c9b1c943dc9bc7890c3e54007cd254886769aae843ba

SHA512
389348cc650088040add009bc0a19337f7b52a0a3d26c6c72b6e4984bf83a13ef16597e0f0f0b1c83c20dffaa2698923bae26aae7bf473780470a703254cba64

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
73d740c6f0d1be4ce6b7300eca5f4e43

SHA1
52e85197249dc2a5af5c987a73aca3b8ff9294ad

SHA256
189a5949d050d25838b7d09e7bfa4563abc57b247a7b325c5e2a3f73eff7e1e5

SHA512
5295f74297fffdd73ea693041cb9064ac280845f7cbbf8d6dcb5ad4af3d5b4cb0562be790e81b81c793726b20426416e8af4ed60ba3eaf9d24166415da31232c

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
faa6d75c7ae4d946147c4bbebafcc1ca

SHA1
9e331800b904715a98fe586d222d843444b148bf

SHA256
51918225c814057ea356ce2eaf03cd7f6475af35538056838f42971a4119633b

SHA512
d0b058f548dfb9237dc2e5dcd5b9e5f63cd12df56165c90b142e3719ebb9c0749eb3285367985fd7756f746f77ccea025cec006c92990cd45cba58e89f799474

Download Submit
memory/476-175-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/476-95-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/624-344-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/624-337-0x000000002E000000-0x000000002E139000-memory.dmp

Filesize
1.2MB

Download
memory/624-478-0x000000002E000000-0x000000002E139000-memory.dmp

Filesize
1.2MB

Download
memory/636-142-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/636-285-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/636-151-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/636-150-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/636-145-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/904-114-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/904-136-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/1280-460-0x00000000747D8000-0x00000000747ED000-memory.dmp

Filesize
84KB

Download
memory/1280-363-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1280-356-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1280-364-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1480-278-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1480-287-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1480-332-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1756-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1756-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1756-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1756-272-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1756-2-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1972-127-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1972-274-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1972-134-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1972-128-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2144-191-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2144-275-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2144-183-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2144-190-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2144-305-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2144-176-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2144-178-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2220-510-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2248-162-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2248-297-0x0000000100000000-0x0000000100119000-memory.dmp

Filesize
1.1MB

Download
memory/2248-170-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2248-163-0x0000000100000000-0x0000000100119000-memory.dmp

Filesize
1.1MB

Download
memory/2424-311-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2424-319-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2424-348-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2424-347-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2484-188-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2484-316-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2484-271-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2640-519-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2640-473-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2640-479-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-351-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2672-293-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2672-296-0x000007FEF49F0000-0x000007FEF538D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-459-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2672-291-0x000007FEF49F0000-0x000007FEF538D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-327-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2672-477-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2672-343-0x000007FEF49F0000-0x000007FEF538D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-361-0x000007FEF49F0000-0x000007FEF538D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-20-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/2684-161-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/2684-28-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2684-13-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2684-29-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2812-99-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/2812-121-0x0000000010000000-0x0000000010123000-memory.dmp

Filesize
1.1MB

Download
memory/2812-104-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/2812-98-0x0000000010000000-0x0000000010123000-memory.dmp

Filesize
1.1MB

Download
memory/2860-354-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2860-302-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/2860-301-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2864-465-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-469-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-470-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-341-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2864-323-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-458-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download