3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac

Analysis

max time kernel
134s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
21/11/2023, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
Size

1.8MB
MD5

27354fde325efb882a843b7c6c567b84
SHA1

d0e160a570a80ce2e9b01b51bdd8b9def1c64df8
SHA256

3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac
SHA512

213151ddd39ae32cef4739acf94c959c7b0e8df60008444fad4a103ca455c5de7784cc3433319f3bd824c8165d2119645b7d30c0fb8037a7f61892e69fa0831d
SSDEEP

49152:wx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAKHq7y1DvrPmCJT:wvbjVkjjCAzJDHqGvrHV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2372	alg.exe
2988	aspnet_state.exe
1124	mscorsvw.exe
1180	mscorsvw.exe
1764	mscorsvw.exe
328	mscorsvw.exe
2928	dllhost.exe
1816	ehRecvr.exe
2412	elevation_service.exe
2664	mscorsvw.exe
2712	GROOVE.EXE
2572	maintenanceservice.exe
3028	mscorsvw.exe
2156	OSE.EXE
2348	OSPPSVC.EXE
1324	mscorsvw.exe
1988	mscorsvw.exe
2384	mscorsvw.exe
2328	mscorsvw.exe
1136	mscorsvw.exe
2724	mscorsvw.exe
976	mscorsvw.exe
2288	mscorsvw.exe
1584	mscorsvw.exe
872	mscorsvw.exe
564	mscorsvw.exe
2688	mscorsvw.exe
2196	mscorsvw.exe
2504	mscorsvw.exe
2780	mscorsvw.exe
2308	mscorsvw.exe
1976	mscorsvw.exe
1148	mscorsvw.exe
2264	mscorsvw.exe
560	mscorsvw.exe
2964	mscorsvw.exe
2980	mscorsvw.exe
1284	mscorsvw.exe
2868	mscorsvw.exe
1548	ehsched.exe
484	IEEtwCollector.exe
2608	msdtc.exe
2144	msiexec.exe
2588	perfhost.exe
2944	locator.exe
1104	snmptrap.exe
2648	vds.exe
2656	vssvc.exe
2044	wbengine.exe
992	WmiApSrv.exe
2764	wmpnetwk.exe
2240	SearchIndexer.exe
932	mscorsvw.exe
1916	mscorsvw.exe
2480	mscorsvw.exe
2840	mscorsvw.exe
1496	mscorsvw.exe
900	mscorsvw.exe
3040	mscorsvw.exe
1436	mscorsvw.exe
2996	mscorsvw.exe
1968	mscorsvw.exe
2916	mscorsvw.exe

Loads dropped DLL 23 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2144	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
752	Process not Found
1496	mscorsvw.exe
1496	mscorsvw.exe
3040	mscorsvw.exe
3040	mscorsvw.exe
2996	mscorsvw.exe
2996	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7821466d2abf0469.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_lv.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_ur.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_sr.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_cs.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_da.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_sk.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\GoogleUpdate.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_es-419.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_sv.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{FA7B63D2-2274-4C52-A340-C4DCE8981726}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_bn.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_ta.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3478.tmp\goopdateres_mr.dll	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe

Drops file in Windows directory 63 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{94EFA7F4-5DB3-494A-B43D-1363A4C6B741}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP227E.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{94EFA7F4-5DB3-494A-B43D-1363A4C6B741}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1999.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2D19.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP343A.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{2D82C84C-29CB-4CB6-A100-DFD8293A56DE}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{2D82C84C-29CB-4CB6-A100-DFD8293A56DE}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
288	ehRec.exe
2988	aspnet_state.exe
2988	aspnet_state.exe
2988	aspnet_state.exe
2988	aspnet_state.exe
2988	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2116	3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeDebugPrivilege	2372	alg.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2988	aspnet_state.exe
Token: 33	2580	EhTray.exe
Token: SeIncBasePriorityPrivilege	2580	EhTray.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeRestorePrivilege	2144	msiexec.exe
Token: SeTakeOwnershipPrivilege	2144	msiexec.exe
Token: SeSecurityPrivilege	2144	msiexec.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeDebugPrivilege	288	ehRec.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeBackupPrivilege	2656	vssvc.exe
Token: SeRestorePrivilege	2656	vssvc.exe
Token: SeAuditPrivilege	2656	vssvc.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeBackupPrivilege	2044	wbengine.exe
Token: SeRestorePrivilege	2044	wbengine.exe
Token: SeSecurityPrivilege	2044	wbengine.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeDebugPrivilege	2988	aspnet_state.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: 33	2580	EhTray.exe
Token: SeIncBasePriorityPrivilege	2580	EhTray.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: 33	2764	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2764	wmpnetwk.exe
Token: SeManageVolumePrivilege	2240	SearchIndexer.exe
Token: 33	2240	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2240	SearchIndexer.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe
Token: SeShutdownPrivilege	328	mscorsvw.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
460	SearchProtocolHost.exe
460	SearchProtocolHost.exe
460	SearchProtocolHost.exe
460	SearchProtocolHost.exe
460	SearchProtocolHost.exe
1980	SearchProtocolHost.exe
1980	SearchProtocolHost.exe
1980	SearchProtocolHost.exe
1980	SearchProtocolHost.exe
1980	SearchProtocolHost.exe
1980	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2664	328	mscorsvw.exe	37
PID 328 wrote to memory of 2664	328	mscorsvw.exe	37
PID 328 wrote to memory of 2664	328	mscorsvw.exe	37
PID 328 wrote to memory of 3028	328	mscorsvw.exe	40
PID 328 wrote to memory of 3028	328	mscorsvw.exe	40
PID 328 wrote to memory of 3028	328	mscorsvw.exe	40
PID 1764 wrote to memory of 1324	1764	mscorsvw.exe	43
PID 1764 wrote to memory of 1324	1764	mscorsvw.exe	43
PID 1764 wrote to memory of 1324	1764	mscorsvw.exe	43
PID 1764 wrote to memory of 1324	1764	mscorsvw.exe	43
PID 1764 wrote to memory of 1988	1764	mscorsvw.exe	44
PID 1764 wrote to memory of 1988	1764	mscorsvw.exe	44
PID 1764 wrote to memory of 1988	1764	mscorsvw.exe	44
PID 1764 wrote to memory of 1988	1764	mscorsvw.exe	44
PID 1764 wrote to memory of 2384	1764	mscorsvw.exe	45
PID 1764 wrote to memory of 2384	1764	mscorsvw.exe	45
PID 1764 wrote to memory of 2384	1764	mscorsvw.exe	45
PID 1764 wrote to memory of 2384	1764	mscorsvw.exe	45
PID 1764 wrote to memory of 2328	1764	mscorsvw.exe	48
PID 1764 wrote to memory of 2328	1764	mscorsvw.exe	48
PID 1764 wrote to memory of 2328	1764	mscorsvw.exe	48
PID 1764 wrote to memory of 2328	1764	mscorsvw.exe	48
PID 1764 wrote to memory of 1136	1764	mscorsvw.exe	49
PID 1764 wrote to memory of 1136	1764	mscorsvw.exe	49
PID 1764 wrote to memory of 1136	1764	mscorsvw.exe	49
PID 1764 wrote to memory of 1136	1764	mscorsvw.exe	49
PID 1764 wrote to memory of 2724	1764	mscorsvw.exe	50
PID 1764 wrote to memory of 2724	1764	mscorsvw.exe	50
PID 1764 wrote to memory of 2724	1764	mscorsvw.exe	50
PID 1764 wrote to memory of 2724	1764	mscorsvw.exe	50
PID 1764 wrote to memory of 976	1764	mscorsvw.exe	51
PID 1764 wrote to memory of 976	1764	mscorsvw.exe	51
PID 1764 wrote to memory of 976	1764	mscorsvw.exe	51
PID 1764 wrote to memory of 976	1764	mscorsvw.exe	51
PID 1764 wrote to memory of 2288	1764	mscorsvw.exe	52
PID 1764 wrote to memory of 2288	1764	mscorsvw.exe	52
PID 1764 wrote to memory of 2288	1764	mscorsvw.exe	52
PID 1764 wrote to memory of 2288	1764	mscorsvw.exe	52
PID 1764 wrote to memory of 1584	1764	mscorsvw.exe	53
PID 1764 wrote to memory of 1584	1764	mscorsvw.exe	53
PID 1764 wrote to memory of 1584	1764	mscorsvw.exe	53
PID 1764 wrote to memory of 1584	1764	mscorsvw.exe	53
PID 1764 wrote to memory of 872	1764	mscorsvw.exe	54
PID 1764 wrote to memory of 872	1764	mscorsvw.exe	54
PID 1764 wrote to memory of 872	1764	mscorsvw.exe	54
PID 1764 wrote to memory of 872	1764	mscorsvw.exe	54
PID 1764 wrote to memory of 564	1764	mscorsvw.exe	55
PID 1764 wrote to memory of 564	1764	mscorsvw.exe	55
PID 1764 wrote to memory of 564	1764	mscorsvw.exe	55
PID 1764 wrote to memory of 564	1764	mscorsvw.exe	55
PID 1764 wrote to memory of 2688	1764	mscorsvw.exe	56
PID 1764 wrote to memory of 2688	1764	mscorsvw.exe	56
PID 1764 wrote to memory of 2688	1764	mscorsvw.exe	56
PID 1764 wrote to memory of 2688	1764	mscorsvw.exe	56
PID 1764 wrote to memory of 2196	1764	mscorsvw.exe	57
PID 1764 wrote to memory of 2196	1764	mscorsvw.exe	57
PID 1764 wrote to memory of 2196	1764	mscorsvw.exe	57
PID 1764 wrote to memory of 2196	1764	mscorsvw.exe	57
PID 1764 wrote to memory of 2504	1764	mscorsvw.exe	58
PID 1764 wrote to memory of 2504	1764	mscorsvw.exe	58
PID 1764 wrote to memory of 2504	1764	mscorsvw.exe	58
PID 1764 wrote to memory of 2504	1764	mscorsvw.exe	58
PID 1764 wrote to memory of 2780	1764	mscorsvw.exe	59
PID 1764 wrote to memory of 2780	1764	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe
"C:\Users\Admin\AppData\Local\Temp\3aba2cd312f97fa707c054732d99aa90f62d1a7755d9bcb30a4a0333e93a84ac.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1124

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d4 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 260 -NGENProcess 1f0 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 234 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 184 -NGENProcess 234 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 23c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 234 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 25c -NGENProcess 264 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 184 -NGENProcess 274 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 288 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 290 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 23c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 23c -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 234 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 1e4 -NGENProcess 200 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 230 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1b8 -NGENProcess 258 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 228 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 224 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 224 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 230 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1b0 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 264 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2896

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2928

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1816

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2412

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2712

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2156

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2348

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:484

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:992

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3618187007-3650799920-3290345941-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3618187007-3650799920-3290345941-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:460
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:880
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
98e11197c93c0ee5293ec371449e530e

SHA1
a02b0951af552adc9625d6e072078b919e1d8248

SHA256
0fde2092925c73627d1e544464e41743597e845f3fd194454f7afe2151d49a63

SHA512
2dd8ad4a280a3d5cb63a69a07ccda3d7cafca43e07a04eb7e77f9951910af55849020b307fd2fdc024fba6ff2c1ac597ef9a2eebf26b8888ced3be60e9368e46

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7e9128576f453adcd01918a20ea82dbc

SHA1
c487c9e6349e070187da1f27b8a0025cc453605b

SHA256
e2c244028b56044a49cf99c559f473a6ce4d7d834f3017054fe12f282a37bf77

SHA512
105e559f3865dc963f875cf66119c8a6d6d769a53badbacea23e209be54e1c319c0aad462d0cda586f8e00d5b0826b570e06ea528102f7c1b9c381fa2f2af061

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8f20938039ee927427d0cb1eeeecf433

SHA1
0daf99e34b225c8038b9d07d995a37b769128ae3

SHA256
a04aae7c66f8f7680f36c544bb311cda6cbd99db8f569215e51c51109829e2ec

SHA512
e449e7722c9f585ca09f2fbed046689f216c24e7ab4bccebf0f3754ef560c4f26f34d72253769e45999e0fa8004b26e02b29b11d07afc725248c2c35249b2123

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8f20938039ee927427d0cb1eeeecf433

SHA1
0daf99e34b225c8038b9d07d995a37b769128ae3

SHA256
a04aae7c66f8f7680f36c544bb311cda6cbd99db8f569215e51c51109829e2ec

SHA512
e449e7722c9f585ca09f2fbed046689f216c24e7ab4bccebf0f3754ef560c4f26f34d72253769e45999e0fa8004b26e02b29b11d07afc725248c2c35249b2123

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
3684878d963350c4efe704964b083aab

SHA1
96b7bdf39286d49f51f1b511e035c0ab7ec3b217

SHA256
df91cf6a81de4fa8e4ef0360250940f2734ef8d3cb6425e89da633bc06d80859

SHA512
9578ea735037ab00e3bbf815efd60c03d7fc2a5f5727c4bfbddbd27f6c87952ad2afe4b4c9ce3b957651f2bf25cfaf35df404ce743c57f2a06e330d34b7c2e98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d2eff417b61c29c17af017362bebaf07

SHA1
c4318542ad5da7eefe208bc06fbb3f03db2e856b

SHA256
8988ec71a7829cc9ff3b29fd56b20bf7a54cf40b583ec3cb471872feebbe49ba

SHA512
f03c814514c98283df055b64d7f86992978549b8db56104a1ad13a98cb845f47d2a046b09f1574fdc0b5a9ab570bae2ce07a4fcc3cf7ee0cb918b59680e090f9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
1db916940271f23ec35b3b5cf3a35f2e

SHA1
ff6a4e490e59707716de26fbb8db44f82e279405

SHA256
b7aadeda32d1798a567c4372caadca92a947c07c611d5a1ff419103c259525fb

SHA512
d9dc838b7afd88c8a91c7b5cf021e6ae80b2868345141e7f0fdd31f636925525b5076d2c0f7b2cb733a9344a7913396c509348b72333d60f2aabad60e730d6a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
4d6861e0693471eef081dfffa4332fe3

SHA1
f0f62c06521ecebb38166e932930e7eb5a862462

SHA256
6234c78bdc59759b2be9c071e0702cc5ef3a782a09c9811e2bfaa0f1bad91c0e

SHA512
2fbab6e4b8d2f2f1d9ce80bd3ad792aad522b37f32dab4a492aba0f3d249476c6883db91f481b195fc7654dc7960d8370a0ad527bf0d2e703d5c24fd53c4732f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
4d6861e0693471eef081dfffa4332fe3

SHA1
f0f62c06521ecebb38166e932930e7eb5a862462

SHA256
6234c78bdc59759b2be9c071e0702cc5ef3a782a09c9811e2bfaa0f1bad91c0e

SHA512
2fbab6e4b8d2f2f1d9ce80bd3ad792aad522b37f32dab4a492aba0f3d249476c6883db91f481b195fc7654dc7960d8370a0ad527bf0d2e703d5c24fd53c4732f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a8acd87d783d87b683f1244e34b82bc8

SHA1
b88df06b9e94e009bb16fadea7dcb15abadade76

SHA256
e1546b5bb2275fc764f872080cf73b6f7f641f294781d38bbd7d3a248181600d

SHA512
3f9625fd903be385574d7633dfd91ab45bf11c67293f9067a845f3796dea5973b4ae8f4dcf25401b086b03314c0a9a11f18166a833918c075d7dd9503ae14b8d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
6b31c08b176729e2b9ad7f103cd8fa36

SHA1
1fd75c40535ebee849cc3167aaff28566d621c37

SHA256
399e1f8c96ca10911bd9f6ed0afe4e9de07e889cd40f71bf8ff726020ff834ee

SHA512
c9c844271541915981aaa53296d1f7fa6b9c4edb6ab95a796f20c605274e58f091225f52c505e2eaa49cbaa3b740c44d104eaf992ac776b91a275980ec79dce3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e2cd239e9cf0f9bd70775215a65fc5e4

SHA1
37b246a6f99c5a80b53ea9cb156b493a52d1bf33

SHA256
f9bb525d30311c50440311ef400992571b307c5d1026851294a6f8957e9d2319

SHA512
ab2197829b0ada51ac35fce3d9f1a4a5163061c75b72235712141ad1f5fbe49329ea406b47a1df6762fb62ff8a44785ff4e0fa1e8b2802cb7d700da22a80e17e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e2cd239e9cf0f9bd70775215a65fc5e4

SHA1
37b246a6f99c5a80b53ea9cb156b493a52d1bf33

SHA256
f9bb525d30311c50440311ef400992571b307c5d1026851294a6f8957e9d2319

SHA512
ab2197829b0ada51ac35fce3d9f1a4a5163061c75b72235712141ad1f5fbe49329ea406b47a1df6762fb62ff8a44785ff4e0fa1e8b2802cb7d700da22a80e17e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e2cd239e9cf0f9bd70775215a65fc5e4

SHA1
37b246a6f99c5a80b53ea9cb156b493a52d1bf33

SHA256
f9bb525d30311c50440311ef400992571b307c5d1026851294a6f8957e9d2319

SHA512
ab2197829b0ada51ac35fce3d9f1a4a5163061c75b72235712141ad1f5fbe49329ea406b47a1df6762fb62ff8a44785ff4e0fa1e8b2802cb7d700da22a80e17e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e2cd239e9cf0f9bd70775215a65fc5e4

SHA1
37b246a6f99c5a80b53ea9cb156b493a52d1bf33

SHA256
f9bb525d30311c50440311ef400992571b307c5d1026851294a6f8957e9d2319

SHA512
ab2197829b0ada51ac35fce3d9f1a4a5163061c75b72235712141ad1f5fbe49329ea406b47a1df6762fb62ff8a44785ff4e0fa1e8b2802cb7d700da22a80e17e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9b273980c0ae96edb65851884481825f

SHA1
ab4d52ecef317d5bb27e521765a42e0476b4763a

SHA256
149ec8a1752051019e99ed3b241ab011476b2a16246822bd4115133ed046cbc1

SHA512
461c1c665f6a5a6143541c8289ddffe54f732a2187781912fec94f67f7ff0044e41232ec598395d810991c4b4e1facf648dca693e63ea023b912167d98465a2e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
608da425f7d7f0e94826648bf0ee0d35

SHA1
efbc3338c8f95fc71de45a39c1bf24f08667cb15

SHA256
990c7a080a767a7d12dc38e2f86d6dbd5b48187293f460f11f659adde39c10f2

SHA512
80ef0559c624caf59ffd961b9f11f9bbc5dc75aea70cab057533c3ad406c7d4ef47b38998442704a9eedc8fc2cfa795104ff20e3c6ab2f37cdaf1fe16c66ac05

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
608da425f7d7f0e94826648bf0ee0d35

SHA1
efbc3338c8f95fc71de45a39c1bf24f08667cb15

SHA256
990c7a080a767a7d12dc38e2f86d6dbd5b48187293f460f11f659adde39c10f2

SHA512
80ef0559c624caf59ffd961b9f11f9bbc5dc75aea70cab057533c3ad406c7d4ef47b38998442704a9eedc8fc2cfa795104ff20e3c6ab2f37cdaf1fe16c66ac05

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1f34c812ea0ab0ffbd460ec8e1d3ed51

SHA1
74e8127d99cd951d92febd7ae9a08f78a2b51bfd

SHA256
2fa8bbc547045e303a9c16c199c21e0126d0aeb91f821af5d110e69e8a943f21

SHA512
6b3477d207e188f7a3229ef18f38944a348a92528474a5267c83a6600e726dbebbf431edaa3abbd70147544b94fe75f1d3f480bb05ac4eb7ad89e91fd96be22c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b4b9690bea0b149d8846af63a44d87c2

SHA1
5aad60eecd24453f06c64499a0f0c0c3cfb71a54

SHA256
dc88843b828fad31041844d8caf532dbcec1d1ed526b1e76a9ac3c8c12dbceb5

SHA512
50f7713858a097fbe5da5429f637cb7f5274dca4d1cc16b6876d8310119029bfaaff36320eb6694fe0660fa7b032f3acce8d9ce9a7449893e617ff554b4f3a81

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5b5bbb346c197ac2bc2a946decf2173d

SHA1
990f4c651092fd0b8334214273bad5550c9aa32b

SHA256
a8ab04b57db76f132d632964628bd3c4f14ccca760b2d1bbbe7aef3265d7c2e9

SHA512
4041c77b8d982b316be217659530b83e5de9676b8ab61c1b39db7912a9f77b9785cd506e329e70d6f1e1de4be4d3a7c83453499039d772755e108c3483db4239

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7a1542fdeba1b01c0296a54e7c0c5469

SHA1
bb77c357a4f038ef7e7ffccd230826ddc11c1a0c

SHA256
664a5d79e650cad468f0c7a06c338dd0697c22f33512e63fe1b03368396f834c

SHA512
fe15b86a117053f185fd348a8dc9a8d94df14b743223603b6f351dba094247cfb71c40c516082f3f04089013924b38d7227b950e030464d87d4fd23b28b2108d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
203bf3ff2f2d61c6fa79d743cf5b687b

SHA1
408f98f1f9b409e0ae2fd9660ba6860cebd817b3

SHA256
e25a429dcaea8d7dbccdef96e0d984e381d226b73caaba52d2200b9fcf35c563

SHA512
7e74fc412abffa6fdba0b01490c619a01e275e13cee6b79b86b11cfc38bf5ff73c24fdef6e022d5b67e17940c0370484ef7880561dce3432ee3751451920be57

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
8b14d7e1edba4d318956dcbbe01fc867

SHA1
8b02381a2738565cd43c0471ddcb0e5b2b5f0c4a

SHA256
1d54c5150e1cbbe2f186d2077db1281f15a5e61b8fa54691fca792713dd57cae

SHA512
f587700e9c84e6cd2097154f621b0bd4b1c701bc6fa8b5e72b70ccc2a9412bf4d824c7012d5e2b91ab60b621a0adddf2106e4c2f1d4d8526f6f1a918b03f44d6

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
adae5fefe39f9b34fc69c2d5680884ba

SHA1
cc49aa3c786b3d40593049b5b65d8330c11d4959

SHA256
ecba32d5ce8574fd4b952e6090a5908d32abeb3ef8a3d064675041b3cf8c454c

SHA512
a4be5edd4a577759bfbfb2acbf883fb26325cfa751e7c434fd614573c45110cf08822a67051b9f255d0735ca520fab8e610bbb0a117ceb0a5fb2c13d024b72e6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
49ff82c39bebe119e5cf07025be28f96

SHA1
578d10307f413e1b49d0c7348943e9fae8998dbf

SHA256
8173b5432dd91cd1b35d8435aa09867ac5e62c528811a573bcc37d3c157ac99c

SHA512
7b76558c1f15ef40a60d30fb03887434368ce174b6faf4b57e306fc7d8b3da237714cad7d8fc60a0380f0683af6abd1794f9760e2177752a3b2984df6533f048

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
b59681797425392e5469f0d2975eb9cf

SHA1
28919c7a4b3f571581c1db219ad78a4b62b407b1

SHA256
2405778033465af1a7488554be13ea17c9c4e32433a851b15ca0a86f8c60b160

SHA512
f0360934d553e5d09bde7fce993a0a5e3e5490b6370a5ede7b076d07942677ee67d161a3a397f60baea6da637f71760a2af050172a55bd23a3feccf6ef344eb2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
6dbcb1e70ea073f1b6e01dd616b511d5

SHA1
d7881829ee6d6eef47543e59027954a686576e49

SHA256
60f4d508e47d80b4749b217f06a7339c8b4fb6efd50e27ef78f922b6dd99f51e

SHA512
1058a7e0c81a5d9474e76cdc5716576884a283a33d4549b9772c3d63ff99c29863208b1393fdf78a4869cde1674cf2d8461681d822c88705b19041b337c9b529

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6dbcb1e70ea073f1b6e01dd616b511d5

SHA1
d7881829ee6d6eef47543e59027954a686576e49

SHA256
60f4d508e47d80b4749b217f06a7339c8b4fb6efd50e27ef78f922b6dd99f51e

SHA512
1058a7e0c81a5d9474e76cdc5716576884a283a33d4549b9772c3d63ff99c29863208b1393fdf78a4869cde1674cf2d8461681d822c88705b19041b337c9b529

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
7d37851719447a0eb8b7ff3f9c549cab

SHA1
21be4f35ee4e924b2ae261215a7c7f6cab5b49a4

SHA256
ac9a985cbde97d5a50792be99b4f5385a2edce262996fb1ae170a2523ac9f25a

SHA512
f8843d5fd71ee0abf143c3fc8fdec9c9b9f05ebcd7978f3d6699ccaa8496fbbc0ea2139f301673951200990ba5e57ca2b270c8397f416cf549eb4adf7c97b27f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
b59681797425392e5469f0d2975eb9cf

SHA1
28919c7a4b3f571581c1db219ad78a4b62b407b1

SHA256
2405778033465af1a7488554be13ea17c9c4e32433a851b15ca0a86f8c60b160

SHA512
f0360934d553e5d09bde7fce993a0a5e3e5490b6370a5ede7b076d07942677ee67d161a3a397f60baea6da637f71760a2af050172a55bd23a3feccf6ef344eb2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
4d6861e0693471eef081dfffa4332fe3

SHA1
f0f62c06521ecebb38166e932930e7eb5a862462

SHA256
6234c78bdc59759b2be9c071e0702cc5ef3a782a09c9811e2bfaa0f1bad91c0e

SHA512
2fbab6e4b8d2f2f1d9ce80bd3ad792aad522b37f32dab4a492aba0f3d249476c6883db91f481b195fc7654dc7960d8370a0ad527bf0d2e703d5c24fd53c4732f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
6b31c08b176729e2b9ad7f103cd8fa36

SHA1
1fd75c40535ebee849cc3167aaff28566d621c37

SHA256
399e1f8c96ca10911bd9f6ed0afe4e9de07e889cd40f71bf8ff726020ff834ee

SHA512
c9c844271541915981aaa53296d1f7fa6b9c4edb6ab95a796f20c605274e58f091225f52c505e2eaa49cbaa3b740c44d104eaf992ac776b91a275980ec79dce3

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7a1542fdeba1b01c0296a54e7c0c5469

SHA1
bb77c357a4f038ef7e7ffccd230826ddc11c1a0c

SHA256
664a5d79e650cad468f0c7a06c338dd0697c22f33512e63fe1b03368396f834c

SHA512
fe15b86a117053f185fd348a8dc9a8d94df14b743223603b6f351dba094247cfb71c40c516082f3f04089013924b38d7227b950e030464d87d4fd23b28b2108d

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
203bf3ff2f2d61c6fa79d743cf5b687b

SHA1
408f98f1f9b409e0ae2fd9660ba6860cebd817b3

SHA256
e25a429dcaea8d7dbccdef96e0d984e381d226b73caaba52d2200b9fcf35c563

SHA512
7e74fc412abffa6fdba0b01490c619a01e275e13cee6b79b86b11cfc38bf5ff73c24fdef6e022d5b67e17940c0370484ef7880561dce3432ee3751451920be57

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
8b14d7e1edba4d318956dcbbe01fc867

SHA1
8b02381a2738565cd43c0471ddcb0e5b2b5f0c4a

SHA256
1d54c5150e1cbbe2f186d2077db1281f15a5e61b8fa54691fca792713dd57cae

SHA512
f587700e9c84e6cd2097154f621b0bd4b1c701bc6fa8b5e72b70ccc2a9412bf4d824c7012d5e2b91ab60b621a0adddf2106e4c2f1d4d8526f6f1a918b03f44d6

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
adae5fefe39f9b34fc69c2d5680884ba

SHA1
cc49aa3c786b3d40593049b5b65d8330c11d4959

SHA256
ecba32d5ce8574fd4b952e6090a5908d32abeb3ef8a3d064675041b3cf8c454c

SHA512
a4be5edd4a577759bfbfb2acbf883fb26325cfa751e7c434fd614573c45110cf08822a67051b9f255d0735ca520fab8e610bbb0a117ceb0a5fb2c13d024b72e6

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
49ff82c39bebe119e5cf07025be28f96

SHA1
578d10307f413e1b49d0c7348943e9fae8998dbf

SHA256
8173b5432dd91cd1b35d8435aa09867ac5e62c528811a573bcc37d3c157ac99c

SHA512
7b76558c1f15ef40a60d30fb03887434368ce174b6faf4b57e306fc7d8b3da237714cad7d8fc60a0380f0683af6abd1794f9760e2177752a3b2984df6533f048

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
b59681797425392e5469f0d2975eb9cf

SHA1
28919c7a4b3f571581c1db219ad78a4b62b407b1

SHA256
2405778033465af1a7488554be13ea17c9c4e32433a851b15ca0a86f8c60b160

SHA512
f0360934d553e5d09bde7fce993a0a5e3e5490b6370a5ede7b076d07942677ee67d161a3a397f60baea6da637f71760a2af050172a55bd23a3feccf6ef344eb2

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
b59681797425392e5469f0d2975eb9cf

SHA1
28919c7a4b3f571581c1db219ad78a4b62b407b1

SHA256
2405778033465af1a7488554be13ea17c9c4e32433a851b15ca0a86f8c60b160

SHA512
f0360934d553e5d09bde7fce993a0a5e3e5490b6370a5ede7b076d07942677ee67d161a3a397f60baea6da637f71760a2af050172a55bd23a3feccf6ef344eb2

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c409dbabf21d73e8c509ef0a9a48219c

SHA1
fe5b9200b93cfe8dd5ea216f95a21db1ecfa5a44

SHA256
35772a3dfb2e6311c741a775cabe4751c3bebdc978e63e7e501900299dd65370

SHA512
bead52c7596f6566fa919edd935466b8cd875ca1f84031a1c3b009c88629b6916f96be37c6f8784c4c272053cf422283b7f1e47d0fb6a2c7382ffae1ad33f166

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6dbcb1e70ea073f1b6e01dd616b511d5

SHA1
d7881829ee6d6eef47543e59027954a686576e49

SHA256
60f4d508e47d80b4749b217f06a7339c8b4fb6efd50e27ef78f922b6dd99f51e

SHA512
1058a7e0c81a5d9474e76cdc5716576884a283a33d4549b9772c3d63ff99c29863208b1393fdf78a4869cde1674cf2d8461681d822c88705b19041b337c9b529

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
7d37851719447a0eb8b7ff3f9c549cab

SHA1
21be4f35ee4e924b2ae261215a7c7f6cab5b49a4

SHA256
ac9a985cbde97d5a50792be99b4f5385a2edce262996fb1ae170a2523ac9f25a

SHA512
f8843d5fd71ee0abf143c3fc8fdec9c9b9f05ebcd7978f3d6699ccaa8496fbbc0ea2139f301673951200990ba5e57ca2b270c8397f416cf549eb4adf7c97b27f

Download Submit
memory/328-166-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/328-165-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/328-296-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/328-173-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/328-172-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1124-107-0x0000000010000000-0x000000001016F000-memory.dmp

Filesize
1.4MB

Download
memory/1124-108-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1124-114-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1124-145-0x0000000010000000-0x000000001016F000-memory.dmp

Filesize
1.4MB

Download
memory/1180-123-0x0000000010000000-0x0000000010177000-memory.dmp

Filesize
1.5MB

Download
memory/1180-159-0x0000000010000000-0x0000000010177000-memory.dmp

Filesize
1.5MB

Download
memory/1180-132-0x0000000000570000-0x00000000005D0000-memory.dmp

Filesize
384KB

Download
memory/1180-125-0x0000000000570000-0x00000000005D0000-memory.dmp

Filesize
384KB

Download
memory/1324-407-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/1324-479-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/1324-478-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/1324-446-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/1324-420-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/1764-147-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1764-149-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/1764-154-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1764-286-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/1816-278-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1816-379-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1816-320-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1816-322-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1816-196-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1816-297-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1988-463-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/1988-474-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2116-274-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2116-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2116-7-0x0000000001E60000-0x0000000001EC7000-memory.dmp

Filesize
412KB

Download
memory/2116-6-0x0000000001E60000-0x0000000001EC7000-memory.dmp

Filesize
412KB

Download
memory/2116-1-0x0000000001E60000-0x0000000001EC7000-memory.dmp

Filesize
412KB

Download
memory/2116-146-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-459-0x000000002E000000-0x000000002E185000-memory.dmp

Filesize
1.5MB

Download
memory/2156-364-0x000000002E000000-0x000000002E185000-memory.dmp

Filesize
1.5MB

Download
memory/2156-362-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/2348-378-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2348-368-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2348-473-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2348-380-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2348-381-0x00000000749B8000-0x00000000749CD000-memory.dmp

Filesize
84KB

Download
memory/2372-72-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2372-35-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2372-48-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2372-73-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2372-164-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2412-292-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2412-363-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2412-281-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2572-342-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/2572-340-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2664-377-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2664-376-0x000007FEF6140000-0x000007FEF6B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-359-0x000007FEF6140000-0x000007FEF6B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-309-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2664-357-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2712-321-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2712-404-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2712-319-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2928-190-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2928-185-0x0000000100000000-0x0000000100165000-memory.dmp

Filesize
1.4MB

Download
memory/2928-308-0x0000000100000000-0x0000000100165000-memory.dmp

Filesize
1.4MB

Download
memory/2928-183-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2988-96-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2988-102-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2988-95-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/2988-103-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2988-182-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/3028-374-0x000007FEF6140000-0x000007FEF6B2C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-360-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3028-361-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3028-392-0x000007FEF6140000-0x000007FEF6B2C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-390-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3028-391-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download