9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
21/11/2023, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
Size

1.8MB
MD5

6c4900d52218ef10fa5900c33bd8bf69
SHA1

9c833d2a80a7cd1cf9d4a1ca5c7b36e00b6c3cad
SHA256

9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea
SHA512

c4f86e0a96829a41a10868586a4a66059f26da20eae184d35e6d819d45d735390b6e5da04bac555d538408c352f4ce5faa95ea4ee2cb8bc5da3272ba0d577149
SSDEEP

49152:YKJ0WR7AFPyyiSruXKpk3WFDL9zxnSRgwsZY8/kd6WI7yZr:YKlBAFPydSS6W6X9lnaOCI7ur

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
472	Process not Found
3000	alg.exe
2696	aspnet_state.exe
2668	mscorsvw.exe
2156	mscorsvw.exe
2012	mscorsvw.exe
2408	mscorsvw.exe
372	ehRecvr.exe
2868	ehsched.exe
1572	elevation_service.exe
596	IEEtwCollector.exe
2404	GROOVE.EXE
2728	maintenanceservice.exe
2708	dllhost.exe
2624	OSE.EXE
2156	mscorsvw.exe
2876	mscorsvw.exe
2324	mscorsvw.exe
3024	mscorsvw.exe
2464	mscorsvw.exe
3028	mscorsvw.exe
2912	mscorsvw.exe
1968	mscorsvw.exe
2044	mscorsvw.exe
1396	mscorsvw.exe
2200	mscorsvw.exe
1616	mscorsvw.exe
2888	mscorsvw.exe
2128	mscorsvw.exe
1296	mscorsvw.exe
2700	mscorsvw.exe
2704	mscorsvw.exe
1468	mscorsvw.exe
1552	mscorsvw.exe
2068	mscorsvw.exe
2816	mscorsvw.exe
1704	mscorsvw.exe
2948	mscorsvw.exe
3024	mscorsvw.exe
1772	mscorsvw.exe
2684	OSPPSVC.EXE
2536	mscorsvw.exe
1308	mscorsvw.exe
772	mscorsvw.exe
584	mscorsvw.exe
1564	mscorsvw.exe
2052	mscorsvw.exe
2284	mscorsvw.exe
1744	mscorsvw.exe
2892	mscorsvw.exe
824	mscorsvw.exe
2168	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
1564	mscorsvw.exe
1564	mscorsvw.exe
2284	mscorsvw.exe
2284	mscorsvw.exe
2892	mscorsvw.exe
2892	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52d4dd9ea1ae02.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_fil.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_fi.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_fa.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\GoogleCrashHandler64.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_ca.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_no.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_es-419.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_bg.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_cs.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_el.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_pt-BR.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\GoogleUpdateCore.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA1BB.tmp\goopdateres_tr.dll	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE86C.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7A7D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7188.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B3D6D8B5-56E2-4345-8AFB-584CE8D1DBBA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP99A1.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B3D6D8B5-56E2-4345-8AFB-584CE8D1DBBA}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1100	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1612	9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: 33	344	EhTray.exe
Token: SeIncBasePriorityPrivilege	344	EhTray.exe
Token: SeDebugPrivilege	1100	ehRec.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: 33	344	EhTray.exe
Token: SeIncBasePriorityPrivilege	344	EhTray.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeDebugPrivilege	3000	alg.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeDebugPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe
Token: SeShutdownPrivilege	2408	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
344	EhTray.exe
344	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
344	EhTray.exe
344	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2156	2012	mscorsvw.exe	44
PID 2012 wrote to memory of 2156	2012	mscorsvw.exe	44
PID 2012 wrote to memory of 2156	2012	mscorsvw.exe	44
PID 2012 wrote to memory of 2156	2012	mscorsvw.exe	44
PID 2012 wrote to memory of 2876	2012	mscorsvw.exe	45
PID 2012 wrote to memory of 2876	2012	mscorsvw.exe	45
PID 2012 wrote to memory of 2876	2012	mscorsvw.exe	45
PID 2012 wrote to memory of 2876	2012	mscorsvw.exe	45
PID 2012 wrote to memory of 2324	2012	mscorsvw.exe	46
PID 2012 wrote to memory of 2324	2012	mscorsvw.exe	46
PID 2012 wrote to memory of 2324	2012	mscorsvw.exe	46
PID 2012 wrote to memory of 2324	2012	mscorsvw.exe	46
PID 2012 wrote to memory of 3024	2012	mscorsvw.exe	69
PID 2012 wrote to memory of 3024	2012	mscorsvw.exe	69
PID 2012 wrote to memory of 3024	2012	mscorsvw.exe	69
PID 2012 wrote to memory of 3024	2012	mscorsvw.exe	69
PID 2012 wrote to memory of 2464	2012	mscorsvw.exe	50
PID 2012 wrote to memory of 2464	2012	mscorsvw.exe	50
PID 2012 wrote to memory of 2464	2012	mscorsvw.exe	50
PID 2012 wrote to memory of 2464	2012	mscorsvw.exe	50
PID 2012 wrote to memory of 3028	2012	mscorsvw.exe	51
PID 2012 wrote to memory of 3028	2012	mscorsvw.exe	51
PID 2012 wrote to memory of 3028	2012	mscorsvw.exe	51
PID 2012 wrote to memory of 3028	2012	mscorsvw.exe	51
PID 2012 wrote to memory of 2912	2012	mscorsvw.exe	52
PID 2012 wrote to memory of 2912	2012	mscorsvw.exe	52
PID 2012 wrote to memory of 2912	2012	mscorsvw.exe	52
PID 2012 wrote to memory of 2912	2012	mscorsvw.exe	52
PID 2012 wrote to memory of 1968	2012	mscorsvw.exe	53
PID 2012 wrote to memory of 1968	2012	mscorsvw.exe	53
PID 2012 wrote to memory of 1968	2012	mscorsvw.exe	53
PID 2012 wrote to memory of 1968	2012	mscorsvw.exe	53
PID 2012 wrote to memory of 2044	2012	mscorsvw.exe	54
PID 2012 wrote to memory of 2044	2012	mscorsvw.exe	54
PID 2012 wrote to memory of 2044	2012	mscorsvw.exe	54
PID 2012 wrote to memory of 2044	2012	mscorsvw.exe	54
PID 2012 wrote to memory of 1396	2012	mscorsvw.exe	55
PID 2012 wrote to memory of 1396	2012	mscorsvw.exe	55
PID 2012 wrote to memory of 1396	2012	mscorsvw.exe	55
PID 2012 wrote to memory of 1396	2012	mscorsvw.exe	55
PID 2012 wrote to memory of 2200	2012	mscorsvw.exe	56
PID 2012 wrote to memory of 2200	2012	mscorsvw.exe	56
PID 2012 wrote to memory of 2200	2012	mscorsvw.exe	56
PID 2012 wrote to memory of 2200	2012	mscorsvw.exe	56
PID 2012 wrote to memory of 1616	2012	mscorsvw.exe	57
PID 2012 wrote to memory of 1616	2012	mscorsvw.exe	57
PID 2012 wrote to memory of 1616	2012	mscorsvw.exe	57
PID 2012 wrote to memory of 1616	2012	mscorsvw.exe	57
PID 2012 wrote to memory of 2888	2012	mscorsvw.exe	58
PID 2012 wrote to memory of 2888	2012	mscorsvw.exe	58
PID 2012 wrote to memory of 2888	2012	mscorsvw.exe	58
PID 2012 wrote to memory of 2888	2012	mscorsvw.exe	58
PID 2012 wrote to memory of 2128	2012	mscorsvw.exe	59
PID 2012 wrote to memory of 2128	2012	mscorsvw.exe	59
PID 2012 wrote to memory of 2128	2012	mscorsvw.exe	59
PID 2012 wrote to memory of 2128	2012	mscorsvw.exe	59
PID 2012 wrote to memory of 1296	2012	mscorsvw.exe	60
PID 2012 wrote to memory of 1296	2012	mscorsvw.exe	60
PID 2012 wrote to memory of 1296	2012	mscorsvw.exe	60
PID 2012 wrote to memory of 1296	2012	mscorsvw.exe	60
PID 2012 wrote to memory of 2700	2012	mscorsvw.exe	61
PID 2012 wrote to memory of 2700	2012	mscorsvw.exe	61
PID 2012 wrote to memory of 2700	2012	mscorsvw.exe	61
PID 2012 wrote to memory of 2700	2012	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe
"C:\Users\Admin\AppData\Local\Temp\9a76960d9169e80052a2509ee293be5171bfbbb555daa2d7393395c30a7136ea.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2668

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 240 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 23c -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 1dc -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 250 -NGENProcess 240 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 290 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 250 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 240 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 29c -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 250 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2ac -NGENProcess 298 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 218 -NGENProcess 250 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2c8 -NGENProcess 254 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a8 -NGENProcess 250 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 2d0 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2cc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 250 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b4 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2dc -NGENProcess 250 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e8 -NGENProcess 2a8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 300 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:372

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:596

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2728

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2708

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2624

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.2MB

MD5
1bf6e33c7778b49bb65e21b9d2aa9362

SHA1
3adcc9ea6e7495d4fa0c57301016ab758361e8fd

SHA256
05e55fa3043914bb1dbce39bbb3b027731383f11533e12777a607b54a7f954b5

SHA512
d5fd52bbc02b0fae151291aec7dd57ba0b222bfa539dc4d3267697df03fdcc3d4ce0c6ac5a1531f873fe673d48c713349082c92bb03a6ca8d1092f5a94058a34

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
07b2bdac5560acbb3d632e2eb0152d58

SHA1
df82e4b7f3e7617273e4e12e6c5dfdcfbc883289

SHA256
b1adc0a16677cd60831f54e5030019b7a44c810792df97165e487a246f2d8ca9

SHA512
8ac0dec0605d5f36220732d47a09c64e199f60a37a8cf13317aacf6a921f904831a1e3431c75680291264332817703554ed6ea38b6ab62af690ab588abaef77a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
29d1915ea3d066e75dab8eedd7956447

SHA1
8dfbdd12b2a03f0cc292f20cbbf4b48a53b88fbe

SHA256
67f6f10936d55097681db553df2bb86bfdb4a3fd4e4f74718d05bc88b55cac6f

SHA512
c103eb12798ceb2b631730a09141bba97a0c0d592f87847e47b2048c3d2c8683929a97eb025179797896efe027aadb2e8167f5cd26fed4464ea21362b5b9cde6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
37c289b73fb97a8d3223266b78fe7513

SHA1
1e4dfc36620595f7fe0d263875570106bd6c2b7b

SHA256
b7ddb5ab701f62221db6cd63c6c75d7bbecfc12029e5a22685b25640c16bd17e

SHA512
d7757cdf40c020ab229c6682960ef312c5b5bc5ddd5eee98532bb4dcc89c6291a31bf6b4c7ffa92616c7f2eee465f79c8187528ae41fa386438abcc5c249a8c3

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
49f0bf7386ce9799c82d043cf012a0de

SHA1
3d0cfddfc2dd0a4269253fa58442b49d508ecef8

SHA256
f69b65288caced356b6f90a474727beabf7401da83b499e7eb4d9fee869238bb

SHA512
0db25edc3ab739c98ff60149a676af1018d86ffabd84ae85a0317ccf55773d03c39e273cd0c8d625b4af9d89682e394ad106d7faa9058ce53c4c0c20677e8143

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
49f0bf7386ce9799c82d043cf012a0de

SHA1
3d0cfddfc2dd0a4269253fa58442b49d508ecef8

SHA256
f69b65288caced356b6f90a474727beabf7401da83b499e7eb4d9fee869238bb

SHA512
0db25edc3ab739c98ff60149a676af1018d86ffabd84ae85a0317ccf55773d03c39e273cd0c8d625b4af9d89682e394ad106d7faa9058ce53c4c0c20677e8143

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d2b95893578a0dc754a9021764df8f0c

SHA1
4ab297e39f6c20c0564289281ada0081da122c7a

SHA256
46933444fd4620188cd806dbfe51205dcc53b0631e81002389f267595c627d61

SHA512
9e784e5c00b5f7e892c183c81365ee30d01ac28a3164aa8b98d6a2ca5ce7db6107eafde86bb25f095983724d6e6fb7573c2577e166c44b7f22cefb6b279e4c9a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
b618fde897b27500b6768b49b218d56e

SHA1
87d138adf5f40f2dde9a98f390ccd01c7c651fe8

SHA256
a88ad7559744a924c619c9df82fef317c0329abf3ed82ab46bcdd28a6e9bf456

SHA512
8ee025ff1c73e04406e09f5ecfebfb1bdd505896ce8690e9c5292212ae03830253b86091ac9b53c8cc336fb9e8ded512167ba29ce2649e8a7ae83ad8f224b87e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
b618fde897b27500b6768b49b218d56e

SHA1
87d138adf5f40f2dde9a98f390ccd01c7c651fe8

SHA256
a88ad7559744a924c619c9df82fef317c0329abf3ed82ab46bcdd28a6e9bf456

SHA512
8ee025ff1c73e04406e09f5ecfebfb1bdd505896ce8690e9c5292212ae03830253b86091ac9b53c8cc336fb9e8ded512167ba29ce2649e8a7ae83ad8f224b87e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
1f97a968c415bba5ae24cadf26ab1a02

SHA1
8b038be0118e6049e5255cc01d8be6ace780c8a9

SHA256
a9bf236fbcb25b71fcdc460ce94cac001e9ab43ddf9a309957f6606b55932abd

SHA512
d789bad9cd7f538bb76c75495657295b338f17df89cb28342edf907f7442c0f7689063c270a13cf7252a8f8542b01b71dae78625aabd860f20e9ba738e332a55

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
dcecbfcbe45edf35a5d01913fb56c5dc

SHA1
4951476187d23eb896c24f6f68bd7ffb9270fd21

SHA256
c70f6516f20ff11c9e6113d0d236c32ea76c69639df2a58ae4de26f2472a1b2d

SHA512
ce19fff1dbd191d34ffbfd31ca43318a3b4b660305b0f09a881c57330f914941d7868e5840c84dcfa942136ac41a5c1db4d72127915cd1eb61747ce81ad68342

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
a99702136a81f37b3c1ebd177ae94b8e

SHA1
d76a9e58bc046b3ebe7be74d17d3d2a98baca465

SHA256
7b6467a2033b3b3ea679a13bc6023a4480729400f9e05fb53b7be79d36506449

SHA512
965d7c1e88735ce3b0bc8ac408be6aafbdf8aade4be5aa658dbbe68ffff7f5c740e1d63c1fb76e4f716d2d66725efa78075858f53c67238ea0e072fb56b800a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
fa84d23c38e94d2504c108d364aca63a

SHA1
145f8f004de97f9a6579b0113247ff39ad053ace

SHA256
2715859e14cb53e46e4ce9e8691300cb57aca257777638d90a4d471fdc208eb7

SHA512
5d5413aac4b4775b3f27450efdbc86f0ddc299b5d4a6acac4b408d94f102d558c0f39daea8a66735232d3ad3791f545e3c2d1536d5b6f9a66464f4816d70b94b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7dcc1d58ca4ba3216c6e85fb8abcd988

SHA1
c2676ff5b561a88c253e5dad09df7495206f319a

SHA256
73dc40c90b566b1584a6c418b9c6802b4b33ea8467306c11105198d2680a4628

SHA512
65c0fb0c4357496b5ea747933ffbdb0fada0624ce48f66bdc7ef8cce3cc76c7ccab642e7b0faaf1ce2edb9eac0f12c6dabe5dcb1376365bf070e171e01a9ebe4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
d8481ae0dd75b0d6e8afb0d685904bed

SHA1
72a90e5c3da2a161f64fc5a89282191c0c1c0b28

SHA256
264ac4f1d0826a36cf61ab73f5f85a1742f333891bcf5ebf0270e61c8f23d808

SHA512
08c4a20a17016005bce72d9519a4fe8b24c2e7db0fdc34236d8e93f0c3732ebf2844b39bcdc367ac604bc5d7c7897a723476fb152c9256138398bf24fbd84824

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
d8481ae0dd75b0d6e8afb0d685904bed

SHA1
72a90e5c3da2a161f64fc5a89282191c0c1c0b28

SHA256
264ac4f1d0826a36cf61ab73f5f85a1742f333891bcf5ebf0270e61c8f23d808

SHA512
08c4a20a17016005bce72d9519a4fe8b24c2e7db0fdc34236d8e93f0c3732ebf2844b39bcdc367ac604bc5d7c7897a723476fb152c9256138398bf24fbd84824

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c41ce479a2906eedfcd25f3406a7cf8e

SHA1
944d40870695af123cc27b79e269717a543ecb6c

SHA256
8ad055d76de5fc50e423cc3171876cd937a3bab4a8551afcd8d821de5cf5f9b8

SHA512
dbe6ccdf5c1a47f635b7df5f55222acf36331f2ddf692aafe6b27a0b5b0598c29b0877a6f0e040d3bf77173a5afa98769272cc027f9320ec435c6130d61d0883

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
bf516ab8854ae1d830b6433af95f90a4

SHA1
7f1986f0fcacc8caadd973ad21a6f319c66cc1d0

SHA256
80002b66f2ed35b6fc52bf5a04fd3e4976e61207eb869e4d2078997bfa682496

SHA512
f5d040ac45b5e828466ce6eff4e1f9f95b257155ed1fb671c67b96204ffcb2b4962068a4ccde9029be1d7382598c714aca3c62a00e01c692b7cf3dddc2d1dcea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e7a798170f0359ed209540eb9e55ff96

SHA1
a62d6dba91dd3d6ce251bb1ac6d7c4f46981adfd

SHA256
ed9f3077b2304af8d49cc469596364fb81069e80c5de7702c678f08e90e0fa7f

SHA512
6deee1f436c12320b04ca8f2990bdf16277c21847ce66b99d142603efb52ed9a48fb34c636566a14a877753d26f1b5fbcefc4ab6d4f25ca69c618fdd1f4dcbee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e7a798170f0359ed209540eb9e55ff96

SHA1
a62d6dba91dd3d6ce251bb1ac6d7c4f46981adfd

SHA256
ed9f3077b2304af8d49cc469596364fb81069e80c5de7702c678f08e90e0fa7f

SHA512
6deee1f436c12320b04ca8f2990bdf16277c21847ce66b99d142603efb52ed9a48fb34c636566a14a877753d26f1b5fbcefc4ab6d4f25ca69c618fdd1f4dcbee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e7a798170f0359ed209540eb9e55ff96

SHA1
a62d6dba91dd3d6ce251bb1ac6d7c4f46981adfd

SHA256
ed9f3077b2304af8d49cc469596364fb81069e80c5de7702c678f08e90e0fa7f

SHA512
6deee1f436c12320b04ca8f2990bdf16277c21847ce66b99d142603efb52ed9a48fb34c636566a14a877753d26f1b5fbcefc4ab6d4f25ca69c618fdd1f4dcbee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e7a798170f0359ed209540eb9e55ff96

SHA1
a62d6dba91dd3d6ce251bb1ac6d7c4f46981adfd

SHA256
ed9f3077b2304af8d49cc469596364fb81069e80c5de7702c678f08e90e0fa7f

SHA512
6deee1f436c12320b04ca8f2990bdf16277c21847ce66b99d142603efb52ed9a48fb34c636566a14a877753d26f1b5fbcefc4ab6d4f25ca69c618fdd1f4dcbee

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
c08e7a77527d93783188aab1a0b3dec1

SHA1
78ff1c32e20c1c84076cdba9d9254db857cd2d39

SHA256
b562dcdd537287696313cfe27feeab57125dc27a7ce44c2486c145729cacda99

SHA512
4c5973fa2cbe0e6454436f60cb1d3b5cb039ac530d7029b99c8a8a8cb14e77e3b4661d6442f5ea43533d85bd59cfefcefee0ab192205c77db033001721720a24

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
c08e7a77527d93783188aab1a0b3dec1

SHA1
78ff1c32e20c1c84076cdba9d9254db857cd2d39

SHA256
b562dcdd537287696313cfe27feeab57125dc27a7ce44c2486c145729cacda99

SHA512
4c5973fa2cbe0e6454436f60cb1d3b5cb039ac530d7029b99c8a8a8cb14e77e3b4661d6442f5ea43533d85bd59cfefcefee0ab192205c77db033001721720a24

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e3b74aa7035deaf298b533af5f79b2d9

SHA1
9661073a43206eb20566aaca780d1aab25cbdf32

SHA256
6821f045de31e340a47ddaf0e901c15a0bef3484147907b219a37bfd22f9da53

SHA512
43cfd36d5c14baf2db21548c12f11ddcce3e5cc59c90256da86c08039e060210ea6b0a1cd7af4783338ab743fbe568bfa73d3b352e0d2b3f299623ed1087b86d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
41cbe3a21fdc09403f5d4097952b9908

SHA1
1717c51fc6066c4f9fddad6958fc95b344c68ac0

SHA256
da3708cdd7c2cc6af608518de4835d2fdd2232a97a26f382d43c2e6c3493b9de

SHA512
1779e81ae329fc69e3ae1755833c29521834f7082750f5e6286e4f5bdd61ba0b0931e83bc7b3fff156c3c4ec6f1b899c84716212c03f8a29527436a7a3ecf9da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4913480f3ea169595548725a326ca602

SHA1
9cf21d2cd4e80dd8fd535f1640898441a55c8ed1

SHA256
9eac8e1b63a299fc1a1a1f15226943809372297cdd97e37ad5d3798106744370

SHA512
bde7fd9fafd86e8341da2385b00d8b7b1270bc08b5caded62ac3da80d2e20845f9564374624e5920e748ccadc1fd22ed9e597d679c44bba1e91c874c59dd24b6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
dd991c62b541a001751d5467b2f26084

SHA1
886e6ee6cc67aefbe6a94271543c6fa2a4ad310c

SHA256
be4c9d5c189a59eb5366eb388bc9464c6a11957a7b97f242e0c0dd54fd0151c6

SHA512
860c312e482c2c0bc79fa10582edd232e93e4ed1a2275870e61a2a3e8e5e13d76f48d128163da7ca3bc996b3f3ec4e498c6f154e7fe23ee1ad3550a75bc67e38

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
8ca4c20278e4df354766e50a6e50abee

SHA1
5350a260867e48c2b1f7d701e8dcaf0d9a3106d9

SHA256
2aca568e774d88f75d2a4cb9fbf8a3f632bfb24efbfb52e7a57390d568cc7b22

SHA512
faf97b370eb5e645c35627e40e33a5d476fe470a42a4224a6315147b70216c804eba38d14dba585e4b2a3c3f3ab5dc400e5a50a2388913073e7163ce9d381513

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
a223138e052533f21f77b4ac3c18554a

SHA1
b6a98f6d74fe7fad3b7017f5dc0e54130a61961f

SHA256
941ee8ad8155294a6375612405a03da084585715a1fceec09999fe20b326e5a6

SHA512
981a81e875b6554018ec7d4de208929fbd468310fe952dd0bfbb992e124298b562ff8f66ad7184a7d09d79ffeabbd2164a7eeb8ee25313661e7daac2be403ba0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
ec72f39e223c71c3c84047dd2fbdb871

SHA1
de8625f82db9555083ab8996193168e355c8420e

SHA256
fde655ec4cf8b3e400e72667e4f74dad9af30924b6910819b46a4e5531008dfc

SHA512
eb20c9ee700e59fe4dfff3b3baecc88e360ff73436c5a7a30ce30c80d7d76faf7e2b335695cd25ef900073b303707e30d95dd284eb186c402ff44521fe01add1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ec72f39e223c71c3c84047dd2fbdb871

SHA1
de8625f82db9555083ab8996193168e355c8420e

SHA256
fde655ec4cf8b3e400e72667e4f74dad9af30924b6910819b46a4e5531008dfc

SHA512
eb20c9ee700e59fe4dfff3b3baecc88e360ff73436c5a7a30ce30c80d7d76faf7e2b335695cd25ef900073b303707e30d95dd284eb186c402ff44521fe01add1

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
6ad528561f95b1f8b4eabbff4b7d3fa4

SHA1
e22777eba6d6f2180f957436fdb3ffd7ccf7ee68

SHA256
177b1e1fe2e33f66278e58a69f4e78e72432bfd0549f6594df0dd01323d8ccf6

SHA512
05f1cc35cb49f41dc78278613d9c6a543b6bba43b434ccb4fec528c1b33c886c070b8a1c71fcd0dafb71dbc685f6913691b7d02bfd00d96138f721b8b200c0f7

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
6ad528561f95b1f8b4eabbff4b7d3fa4

SHA1
e22777eba6d6f2180f957436fdb3ffd7ccf7ee68

SHA256
177b1e1fe2e33f66278e58a69f4e78e72432bfd0549f6594df0dd01323d8ccf6

SHA512
05f1cc35cb49f41dc78278613d9c6a543b6bba43b434ccb4fec528c1b33c886c070b8a1c71fcd0dafb71dbc685f6913691b7d02bfd00d96138f721b8b200c0f7

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.2MB

MD5
a223138e052533f21f77b4ac3c18554a

SHA1
b6a98f6d74fe7fad3b7017f5dc0e54130a61961f

SHA256
941ee8ad8155294a6375612405a03da084585715a1fceec09999fe20b326e5a6

SHA512
981a81e875b6554018ec7d4de208929fbd468310fe952dd0bfbb992e124298b562ff8f66ad7184a7d09d79ffeabbd2164a7eeb8ee25313661e7daac2be403ba0

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
41e43b9f4680dad5572a229f07458111

SHA1
0338d4cb37825ced714249a528a9ea2653d3cd5d

SHA256
75c387f7dac2fb1eda7322420eb85619bc58c5298e506d48e99f6e5156747cb3

SHA512
31195d3f1c4c9713fb956e6755e6ccf528414f0409970ce30caa2f685666277c69a1fbc2fa86714393df776052dc51e52acaf29698cd15267de48e78cef2363e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
d8481ae0dd75b0d6e8afb0d685904bed

SHA1
72a90e5c3da2a161f64fc5a89282191c0c1c0b28

SHA256
264ac4f1d0826a36cf61ab73f5f85a1742f333891bcf5ebf0270e61c8f23d808

SHA512
08c4a20a17016005bce72d9519a4fe8b24c2e7db0fdc34236d8e93f0c3732ebf2844b39bcdc367ac604bc5d7c7897a723476fb152c9256138398bf24fbd84824

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
bf516ab8854ae1d830b6433af95f90a4

SHA1
7f1986f0fcacc8caadd973ad21a6f319c66cc1d0

SHA256
80002b66f2ed35b6fc52bf5a04fd3e4976e61207eb869e4d2078997bfa682496

SHA512
f5d040ac45b5e828466ce6eff4e1f9f95b257155ed1fb671c67b96204ffcb2b4962068a4ccde9029be1d7382598c714aca3c62a00e01c692b7cf3dddc2d1dcea

Download Submit
\Windows\System32\alg.exe

Filesize
1.1MB

MD5
dd991c62b541a001751d5467b2f26084

SHA1
886e6ee6cc67aefbe6a94271543c6fa2a4ad310c

SHA256
be4c9d5c189a59eb5366eb388bc9464c6a11957a7b97f242e0c0dd54fd0151c6

SHA512
860c312e482c2c0bc79fa10582edd232e93e4ed1a2275870e61a2a3e8e5e13d76f48d128163da7ca3bc996b3f3ec4e498c6f154e7fe23ee1ad3550a75bc67e38

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
8ca4c20278e4df354766e50a6e50abee

SHA1
5350a260867e48c2b1f7d701e8dcaf0d9a3106d9

SHA256
2aca568e774d88f75d2a4cb9fbf8a3f632bfb24efbfb52e7a57390d568cc7b22

SHA512
faf97b370eb5e645c35627e40e33a5d476fe470a42a4224a6315147b70216c804eba38d14dba585e4b2a3c3f3ab5dc400e5a50a2388913073e7163ce9d381513

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
a223138e052533f21f77b4ac3c18554a

SHA1
b6a98f6d74fe7fad3b7017f5dc0e54130a61961f

SHA256
941ee8ad8155294a6375612405a03da084585715a1fceec09999fe20b326e5a6

SHA512
981a81e875b6554018ec7d4de208929fbd468310fe952dd0bfbb992e124298b562ff8f66ad7184a7d09d79ffeabbd2164a7eeb8ee25313661e7daac2be403ba0

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ec72f39e223c71c3c84047dd2fbdb871

SHA1
de8625f82db9555083ab8996193168e355c8420e

SHA256
fde655ec4cf8b3e400e72667e4f74dad9af30924b6910819b46a4e5531008dfc

SHA512
eb20c9ee700e59fe4dfff3b3baecc88e360ff73436c5a7a30ce30c80d7d76faf7e2b335695cd25ef900073b303707e30d95dd284eb186c402ff44521fe01add1

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
6ad528561f95b1f8b4eabbff4b7d3fa4

SHA1
e22777eba6d6f2180f957436fdb3ffd7ccf7ee68

SHA256
177b1e1fe2e33f66278e58a69f4e78e72432bfd0549f6594df0dd01323d8ccf6

SHA512
05f1cc35cb49f41dc78278613d9c6a543b6bba43b434ccb4fec528c1b33c886c070b8a1c71fcd0dafb71dbc685f6913691b7d02bfd00d96138f721b8b200c0f7

Download Submit
memory/372-169-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/372-180-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/372-173-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/372-322-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/372-172-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/372-302-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/372-161-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/372-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/596-216-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/596-214-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1100-343-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-213-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-211-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-212-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/1100-383-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/1100-348-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-351-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/1100-327-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/1100-364-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/1572-197-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1572-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1572-190-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1572-330-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1612-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1612-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1612-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1612-144-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1612-301-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2012-127-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2012-133-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2012-198-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2012-128-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2156-355-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2156-381-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2156-115-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/2156-367-0x0000000072ED0000-0x00000000735BE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-141-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/2156-363-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2156-382-0x0000000072ED0000-0x00000000735BE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-399-0x0000000072ED0000-0x00000000735BE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-394-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2404-226-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2404-303-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2404-362-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2408-143-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2408-146-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2408-215-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2408-152-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2624-345-0x000000002E000000-0x000000002E139000-memory.dmp

Filesize
1.2MB

Download
memory/2624-352-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2624-392-0x000000002E000000-0x000000002E139000-memory.dmp

Filesize
1.2MB

Download
memory/2668-125-0x0000000010000000-0x0000000010123000-memory.dmp

Filesize
1.1MB

Download
memory/2668-98-0x0000000010000000-0x0000000010123000-memory.dmp

Filesize
1.1MB

Download
memory/2668-99-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2668-105-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2696-95-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/2696-176-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/2708-376-0x0000000100000000-0x0000000100119000-memory.dmp

Filesize
1.1MB

Download
memory/2708-332-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2708-325-0x0000000100000000-0x0000000100119000-memory.dmp

Filesize
1.1MB

Download
memory/2728-338-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/2728-316-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/2728-336-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2728-307-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2868-314-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2868-179-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2868-177-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2868-185-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2876-370-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2876-397-0x0000000072ED0000-0x00000000735BE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-398-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2876-384-0x0000000072ED0000-0x00000000735BE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-378-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/3000-162-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/3000-39-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3000-38-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3000-13-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3000-14-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/3024-407-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download