44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2

Analysis

max time kernel
138s
max time network
147s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
23/11/2023, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
Size

1.8MB
MD5

d608bd149ff3d1eb5fde2a4ba561eba8
SHA1

235836e87722fcc3b82aabe6c2151e9869d9371f
SHA256

44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2
SHA512

38ff25e6eba1158d6853615e2725c0915c8a1b75a9168df794565b833c5c283c9507d52cb1b48515922705d47df3906dfde201f74c8a0902613496526531fabe
SSDEEP

49152:dx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+dN4WdrNGMYSL7:dvbjVkjjCAzJ9diWdZGMx/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 59 IoCs

pid	Process
464	Process not Found
2696	alg.exe
3024	aspnet_state.exe
2840	mscorsvw.exe
2028	mscorsvw.exe
748	mscorsvw.exe
1748	mscorsvw.exe
2944	dllhost.exe
1612	ehRecvr.exe
2324	elevation_service.exe
1520	mscorsvw.exe
2640	mscorsvw.exe
2500	mscorsvw.exe
3056	mscorsvw.exe
696	mscorsvw.exe
568	mscorsvw.exe
2456	mscorsvw.exe
1944	mscorsvw.exe
1772	mscorsvw.exe
988	mscorsvw.exe
1864	mscorsvw.exe
2412	mscorsvw.exe
2612	mscorsvw.exe
2788	mscorsvw.exe
2920	mscorsvw.exe
1572	mscorsvw.exe
2552	mscorsvw.exe
2120	mscorsvw.exe
1644	mscorsvw.exe
1020	mscorsvw.exe
2308	mscorsvw.exe
1712	GROOVE.EXE
2372	mscorsvw.exe
2956	maintenanceservice.exe
2928	OSE.EXE
2656	mscorsvw.exe
2044	OSPPSVC.EXE
2940	mscorsvw.exe
2964	mscorsvw.exe
2708	IEEtwCollector.exe
2372	msdtc.exe
1580	msiexec.exe
3056	perfhost.exe
2408	locator.exe
1308	snmptrap.exe
624	vds.exe
2936	vssvc.exe
988	wbengine.exe
1148	WmiApSrv.exe
2456	wmpnetwk.exe
1508	SearchIndexer.exe
2212	mscorsvw.exe
2828	mscorsvw.exe
1880	mscorsvw.exe
2560	mscorsvw.exe
1492	mscorsvw.exe
1084	mscorsvw.exe
2736	mscorsvw.exe
2492	mscorsvw.exe

Loads dropped DLL 18 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1580	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
764	Process not Found
1492	mscorsvw.exe
1492	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ab7e41f54788660.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_hu.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_uk.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1C9A7525-DD83-4D3E-A997-7B96D14249B1}\chrome_installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_ja.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_pt-PT.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdate.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\GoogleUpdate.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_am.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\GoogleUpdateComRegisterShell64.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\psuser.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_fr.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_pl.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\goopdateres_en.dll	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AEE.tmp\GoogleUpdateSetup.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7850F2C6-7BDC-4214-89F7-CD6659690CD2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP423E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C5C.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7850F2C6-7BDC-4214-89F7-CD6659690CD2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe

Modifies data under HKEY_USERS 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{F8CE8A58-3607-454A-AD67-626F521F65EB}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{F8CE8A58-3607-454A-AD67-626F521F65EB}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3024	aspnet_state.exe
3024	aspnet_state.exe
3024	aspnet_state.exe
3024	aspnet_state.exe
3024	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2332	44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeDebugPrivilege	2696	alg.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	3024	aspnet_state.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeSecurityPrivilege	1580	msiexec.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeBackupPrivilege	2936	vssvc.exe
Token: SeRestorePrivilege	2936	vssvc.exe
Token: SeAuditPrivilege	2936	vssvc.exe
Token: SeBackupPrivilege	988	wbengine.exe
Token: SeRestorePrivilege	988	wbengine.exe
Token: SeSecurityPrivilege	988	wbengine.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeDebugPrivilege	3024	aspnet_state.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: 33	2456	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2456	wmpnetwk.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeManageVolumePrivilege	1508	SearchIndexer.exe
Token: 33	1508	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1508	SearchIndexer.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe
Token: SeShutdownPrivilege	748	mscorsvw.exe
Token: SeShutdownPrivilege	1748	mscorsvw.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1608	SearchProtocolHost.exe
1608	SearchProtocolHost.exe
1608	SearchProtocolHost.exe
1608	SearchProtocolHost.exe
1608	SearchProtocolHost.exe
2876	SearchProtocolHost.exe
2876	SearchProtocolHost.exe
2876	SearchProtocolHost.exe
2876	SearchProtocolHost.exe
2876	SearchProtocolHost.exe
2876	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1520	748	mscorsvw.exe	37
PID 748 wrote to memory of 1520	748	mscorsvw.exe	37
PID 748 wrote to memory of 1520	748	mscorsvw.exe	37
PID 748 wrote to memory of 1520	748	mscorsvw.exe	37
PID 748 wrote to memory of 2640	748	mscorsvw.exe	38
PID 748 wrote to memory of 2640	748	mscorsvw.exe	38
PID 748 wrote to memory of 2640	748	mscorsvw.exe	38
PID 748 wrote to memory of 2640	748	mscorsvw.exe	38
PID 748 wrote to memory of 2500	748	mscorsvw.exe	39
PID 748 wrote to memory of 2500	748	mscorsvw.exe	39
PID 748 wrote to memory of 2500	748	mscorsvw.exe	39
PID 748 wrote to memory of 2500	748	mscorsvw.exe	39
PID 748 wrote to memory of 3056	748	mscorsvw.exe	40
PID 748 wrote to memory of 3056	748	mscorsvw.exe	40
PID 748 wrote to memory of 3056	748	mscorsvw.exe	40
PID 748 wrote to memory of 3056	748	mscorsvw.exe	40
PID 748 wrote to memory of 696	748	mscorsvw.exe	41
PID 748 wrote to memory of 696	748	mscorsvw.exe	41
PID 748 wrote to memory of 696	748	mscorsvw.exe	41
PID 748 wrote to memory of 696	748	mscorsvw.exe	41
PID 748 wrote to memory of 568	748	mscorsvw.exe	42
PID 748 wrote to memory of 568	748	mscorsvw.exe	42
PID 748 wrote to memory of 568	748	mscorsvw.exe	42
PID 748 wrote to memory of 568	748	mscorsvw.exe	42
PID 748 wrote to memory of 2456	748	mscorsvw.exe	43
PID 748 wrote to memory of 2456	748	mscorsvw.exe	43
PID 748 wrote to memory of 2456	748	mscorsvw.exe	43
PID 748 wrote to memory of 2456	748	mscorsvw.exe	43
PID 748 wrote to memory of 1944	748	mscorsvw.exe	44
PID 748 wrote to memory of 1944	748	mscorsvw.exe	44
PID 748 wrote to memory of 1944	748	mscorsvw.exe	44
PID 748 wrote to memory of 1944	748	mscorsvw.exe	44
PID 748 wrote to memory of 1772	748	mscorsvw.exe	45
PID 748 wrote to memory of 1772	748	mscorsvw.exe	45
PID 748 wrote to memory of 1772	748	mscorsvw.exe	45
PID 748 wrote to memory of 1772	748	mscorsvw.exe	45
PID 748 wrote to memory of 988	748	mscorsvw.exe	46
PID 748 wrote to memory of 988	748	mscorsvw.exe	46
PID 748 wrote to memory of 988	748	mscorsvw.exe	46
PID 748 wrote to memory of 988	748	mscorsvw.exe	46
PID 748 wrote to memory of 1864	748	mscorsvw.exe	47
PID 748 wrote to memory of 1864	748	mscorsvw.exe	47
PID 748 wrote to memory of 1864	748	mscorsvw.exe	47
PID 748 wrote to memory of 1864	748	mscorsvw.exe	47
PID 748 wrote to memory of 2412	748	mscorsvw.exe	48
PID 748 wrote to memory of 2412	748	mscorsvw.exe	48
PID 748 wrote to memory of 2412	748	mscorsvw.exe	48
PID 748 wrote to memory of 2412	748	mscorsvw.exe	48
PID 748 wrote to memory of 2612	748	mscorsvw.exe	49
PID 748 wrote to memory of 2612	748	mscorsvw.exe	49
PID 748 wrote to memory of 2612	748	mscorsvw.exe	49
PID 748 wrote to memory of 2612	748	mscorsvw.exe	49
PID 748 wrote to memory of 2788	748	mscorsvw.exe	50
PID 748 wrote to memory of 2788	748	mscorsvw.exe	50
PID 748 wrote to memory of 2788	748	mscorsvw.exe	50
PID 748 wrote to memory of 2788	748	mscorsvw.exe	50
PID 748 wrote to memory of 2920	748	mscorsvw.exe	51
PID 748 wrote to memory of 2920	748	mscorsvw.exe	51
PID 748 wrote to memory of 2920	748	mscorsvw.exe	51
PID 748 wrote to memory of 2920	748	mscorsvw.exe	51
PID 748 wrote to memory of 1572	748	mscorsvw.exe	52
PID 748 wrote to memory of 1572	748	mscorsvw.exe	52
PID 748 wrote to memory of 1572	748	mscorsvw.exe	52
PID 748 wrote to memory of 1572	748	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe
"C:\Users\Admin\AppData\Local\Temp\44ecdaca89da3877953eec3e9e9fd5de9b67f3ac13d136ff9e8684173b316dc2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2840

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 1dc -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 1dc -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1dc -NGENProcess 284 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 1dc -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 244 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 288 -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a4 -NGENProcess 250 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1f0 -NGENProcess 290 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 270 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 24c -NGENProcess 1f4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 228 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1fc -NGENProcess 1d4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 2a4 -NGENProcess 270 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2944

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2324

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1712

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2956

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2928

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1508
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1861898231-3446828954-4278112889-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1861898231-3446828954-4278112889-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1144
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
7c6b1025fa31b85425376685b7584b02

SHA1
537a7ba6206d9f8d66b5acd227788d2a6749fab2

SHA256
1fe78f599fa8339482cf5bec78cc31328555cee1084777aa036d69ad174b7f19

SHA512
a9f9c6ec26da2662fd14ab9e347b6039ffde8de9a355d365233e5ded8a406afc2f6ba3528a66ca89c88347c3f4396eb67c14e7819f2508d8ccb752f139b7079d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b1b34f76a606433cc085f2f9587b660c

SHA1
196729a7924c66943fcbe8824f29fd9caa217a2e

SHA256
02977afc5b6c4e529a25ed990b76a5eab518a38ea1ea29ccfcea207a5c76f5d8

SHA512
186701f1111200516a8eac8b113b355d8e1f450d30725566cef296b3a0643072b03c8d52eb16f98c332857c2f6d1203de895d7c7169e18a5dc94463a9d114d1d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
e1e48af312c11ecad773fb9de2dfa9a6

SHA1
c11b74e16344686703cdb611f3727c90057e8888

SHA256
79a8014fc9d20897e8c348c3b757032f64eda3e8248df83efc7665e444aafc2c

SHA512
d948eb4a23d0f2eb34ffe5f1d5f7936bd702fbb2c58a88cde4021f90c5d7d78c3296487bb74a558d922efd725181e12377b1294e97d339de852095d7e443a7d8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
e1e48af312c11ecad773fb9de2dfa9a6

SHA1
c11b74e16344686703cdb611f3727c90057e8888

SHA256
79a8014fc9d20897e8c348c3b757032f64eda3e8248df83efc7665e444aafc2c

SHA512
d948eb4a23d0f2eb34ffe5f1d5f7936bd702fbb2c58a88cde4021f90c5d7d78c3296487bb74a558d922efd725181e12377b1294e97d339de852095d7e443a7d8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b0ebd469c5999cbd2bc76ab34b0c2058

SHA1
503bef9d61466fcd28fc7de6d75baeb27d1bca7d

SHA256
7730747ea57179f46c288b7de8b14d346ac1f8746f3951189a5eced328dc0f66

SHA512
f23bca130ba21e96d341ca19d305fbe3c944ee282f0ae2a66378c302a1d5b5eb940923f0000de39d50407579292b51c0d1d85cd68c67c01c928195f1d77732f3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7fc405647a5bbd7a5ad1c8e16fb00072

SHA1
d854b41496c9bfe4ca08be1a72217a380f8f6bbb

SHA256
8565cc9f04b07397ef2c2deaabe56999f16b877b906ac22b2f48827035b03d2e

SHA512
3fc98dc00bd710947df90c25763093ca556b396609d1139b00f6b0bc7a7574d782a675eaa798318210ce519119fce271f0cb99dba523ec28ebef3fc04ffab802

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7fc405647a5bbd7a5ad1c8e16fb00072

SHA1
d854b41496c9bfe4ca08be1a72217a380f8f6bbb

SHA256
8565cc9f04b07397ef2c2deaabe56999f16b877b906ac22b2f48827035b03d2e

SHA512
3fc98dc00bd710947df90c25763093ca556b396609d1139b00f6b0bc7a7574d782a675eaa798318210ce519119fce271f0cb99dba523ec28ebef3fc04ffab802

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c9837ce57460ce141c41730dffac3d12

SHA1
6fe593a7aed54a944681945edbf0f08165217c0c

SHA256
4f0df43953e35f5231820f9fbf89d8129a2435ce940b3af52189b0cc4a6d80bc

SHA512
ebb9d91dbbcf5fe8ee4230eb2ac4c71206e2d5d3687a5ee5ce808133a3530e6f35436fea809da108b8d1e305c3fdbb69cc18cdb223260c22e9a634df44f56e1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
063013838c1f4f27a26cc347608870e7

SHA1
2d763922fbb4814c66c5a87cea559492b0735c76

SHA256
6517354d02f25c91749a3fabe0415754b78c1ae4c9afee3b56af82b7e709f2eb

SHA512
889015889e76d2935e9386688abb73276ccad022b89a9e32e6f5d4a7b98bedf27fd1d598e5d01b32fde5c53583c547d779079492c069a440ca9d65183ed0fcba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
063013838c1f4f27a26cc347608870e7

SHA1
2d763922fbb4814c66c5a87cea559492b0735c76

SHA256
6517354d02f25c91749a3fabe0415754b78c1ae4c9afee3b56af82b7e709f2eb

SHA512
889015889e76d2935e9386688abb73276ccad022b89a9e32e6f5d4a7b98bedf27fd1d598e5d01b32fde5c53583c547d779079492c069a440ca9d65183ed0fcba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a4acad27c5112405bc33630d0c528e63

SHA1
a1d58eb195607d5b766978c5efe68eaf44660988

SHA256
79eaf35b4b5a8f0c88f80e026999f49346c190bc0b257dc10b714cfca15f164e

SHA512
862a90cfaff094c05b043d9651d62d438366fc54be54bb158e9a92a6f3269ff43f8050785f38c445b00fa5edf6a833a032fb2d6eae24485ec95b0c8a3c72c116

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
128419029650e1622d8fea55e74f3615

SHA1
b4def07f3ef404087d14b8c265f105615c68f0d9

SHA256
7b0bd4a1e2c4ca2024e788cc291276e8c9bc4e9c874e3031a4ecab47b5f181c4

SHA512
a1c54bd6d5b7673fb79e6b0f1eb069231c45f1f41f2dd97baa31e381da602ed85d73934b7c9489eccffe3154643e095723256e260c894e64c5127fa7a23708bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
17cda9bf48d87a208bf6d31c2d941a83

SHA1
7838e5d1e5ac7eacf241f76554b7c58e185f2362

SHA256
bc27dfae1da361784940febc5d8d259d5c2f6af6950666e09ee1f6ede010cd24

SHA512
14a1b3b79dbf9a795c6ab6ccffabbefb3c9bc8716e190d1c320bca59ad7c7549dfd24373c5b7fb536a4aa7ef5608125c4a56c341166c77884eea05ba3aa0935f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
17cda9bf48d87a208bf6d31c2d941a83

SHA1
7838e5d1e5ac7eacf241f76554b7c58e185f2362

SHA256
bc27dfae1da361784940febc5d8d259d5c2f6af6950666e09ee1f6ede010cd24

SHA512
14a1b3b79dbf9a795c6ab6ccffabbefb3c9bc8716e190d1c320bca59ad7c7549dfd24373c5b7fb536a4aa7ef5608125c4a56c341166c77884eea05ba3aa0935f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
17cda9bf48d87a208bf6d31c2d941a83

SHA1
7838e5d1e5ac7eacf241f76554b7c58e185f2362

SHA256
bc27dfae1da361784940febc5d8d259d5c2f6af6950666e09ee1f6ede010cd24

SHA512
14a1b3b79dbf9a795c6ab6ccffabbefb3c9bc8716e190d1c320bca59ad7c7549dfd24373c5b7fb536a4aa7ef5608125c4a56c341166c77884eea05ba3aa0935f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
17cda9bf48d87a208bf6d31c2d941a83

SHA1
7838e5d1e5ac7eacf241f76554b7c58e185f2362

SHA256
bc27dfae1da361784940febc5d8d259d5c2f6af6950666e09ee1f6ede010cd24

SHA512
14a1b3b79dbf9a795c6ab6ccffabbefb3c9bc8716e190d1c320bca59ad7c7549dfd24373c5b7fb536a4aa7ef5608125c4a56c341166c77884eea05ba3aa0935f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
385166770c21459dbd4bc1daa74e9a0c

SHA1
8024d90c1be1eb381a50c29acd424143baa18536

SHA256
b23ac1b665cae9c1a882271330e6cfac479236719e50f8dbf626db71f74dad33

SHA512
c9a502cbf9b8174b6b6d8c66c38c7af8216dbeac751eb99bb72796d981fadab871a62693eb3f424ef14b8453a907f390e87b81a63ff5bbc0aa37da58121bced8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
385166770c21459dbd4bc1daa74e9a0c

SHA1
8024d90c1be1eb381a50c29acd424143baa18536

SHA256
b23ac1b665cae9c1a882271330e6cfac479236719e50f8dbf626db71f74dad33

SHA512
c9a502cbf9b8174b6b6d8c66c38c7af8216dbeac751eb99bb72796d981fadab871a62693eb3f424ef14b8453a907f390e87b81a63ff5bbc0aa37da58121bced8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
77a9e1db78feb055a2199fb9bf26cb76

SHA1
d20a95bcc48f1a4fee247f5ccee7cebb01f02cd1

SHA256
e6f82a70ae3dacecf97097060a6f1f97b6d995d860b846c352cdff8480faedd8

SHA512
05d5363f02ce2b8d2f74e457e75b6da239600630cfe8b6da37c055ab0d1ff4af404bd85d8da4a00a51eb2e666b907dc8591c40c711b01bc9085232488c7c07f7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
bac624381a9455a9c2c29d9e9ca51b62

SHA1
fc18fb8d2d434e255a7c3dc80e8e49a2cecf484b

SHA256
2d15872129ce56e847e5b21fcdb30ad39562c2a97a30a97ad1896a479c90dc33

SHA512
af36306bd20b0f62c5ebbb7424aa948b97e5bbf6d4b3262a01925a4c251afbe8214c6eda6a23b368fddcd0d2f14bf1735da3a3f0cd744cbbbe71c061308eca25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
a9443f1d5ddadf6092d422ae67367dd5

SHA1
e47ecb74f58105702d16a1cc16dc2cdcbcfad0f2

SHA256
5699a818c699e61fd5b4648f74d248240aea79e12d9f7583f79e445a37ab8369

SHA512
53cfe8c520fd75eaa8dfcf58f9934bd2edaa8b48959e4c772f2f19193bf4793c9902826c1de73159785ed254610392eec6cfde10e0f09b1d2de149bd068cabf1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
105310aabb19eb45f370ca7d1bdb0f12

SHA1
2b198e0080a20ab7e944b7e5cc3d4bcbce38cf9c

SHA256
bc3e713b9af407572c20752102cf201d64e8265ce774c4abd7ccb82604a176bf

SHA512
1709cbe86f14bb4569dc81296867941861216593a50d509d0ed6e1d20c1009565acb0e3ffc367ca5c45b663f7b6ce0f2148477587adb85a654ffcb152dc4b5bc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
729128e6316f1ec8b25dc89a81968367

SHA1
40dedfbe9e94f9cb4c189ba20a63f6f1bb1e77f3

SHA256
5e237befe8c4aa0aed331f913d212fd2a26f1918a5cb15b5a73e34523542555c

SHA512
4bbe90d1461d4048203991380bd1c2257a2b37e401855422cc4447c426e225e2d5f6d8dc181cf5e406441150196784021ff149cab3c5e137da6baff8e70c5e33

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
260ecfa9fea2c6bc0a7ee762ef77e56e

SHA1
31f9d3fad84353229a87c5b7a73abaa52ecdc5d5

SHA256
e8ac20f90800ab9b573111ab34428af4099821af018e014591858fc925787680

SHA512
d72b04eaf3ce17484f63a79afeae7c137be3a75ca42000ef4bfb04715c226e4dd2aaa6806906e288ab0232a624dc8ae7e73b2a4212533ff3eafc5b71a39933f2

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
d16457ce5769f1aeaac4538b51eafed7

SHA1
9a82652781ba9a8cca05322326862472ac96bf3f

SHA256
8bd21e06c2bd4bae21d98ad9b7121a0d33f21a6f76b4d8f9dd1ba3d2427f32b9

SHA512
6a5d322b47211bd8eb106c2b129aa5cc7d52b5f2fe1095dc9bbd9e22115a0dd9f8e5a74c5b3dd6dd2ad56caf960796bb0d6bc04dd5502a9c9769d89500dd0aaf

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
1fc351b6a09318a972a7732a9d5d96a2

SHA1
35927f1697bacf403619a547570471c3812c2b62

SHA256
281bd135741616abf4ba6909d627bc37c41d641c28765b5ba8c66a7f3c940203

SHA512
52fa64b3f7b4263a3ac8fd071b0d125414608afc6a78cdaf99ff6e2072eae7931ae0553986553b6714f7b25892b24c2e5e7d49ef7132c33009f14ca07c1d3be2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
93568c2f7b4b0742927cbf4ff03be404

SHA1
32d16a7f7c1020e697e07919cb406ecd787c5cf2

SHA256
46476369f2bcec2def2669bf452961de144bc9761ab1eeb2a728864588d44541

SHA512
7f7baa86c2d1cbc0b492a7609cb5bea04317834041acc78cf8538a30f8ebf4f352428398f283f9f54ee9e3525a7242cb2d046828a169f41a5ed6112e92d83d8c

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
1fad9362c44a0b4f2c4d1036962b9714

SHA1
8bbe08a88bc34cf8807cabf9bd8738b73460f116

SHA256
d2bd4cf620a46b727bbce80d3cb1034ec2619eb3865faa84fd4b051f7a8e471a

SHA512
a7bd9c3007f22bb7383f03a8ef51c64fc9abf5e5fb094af7dfa337a6726bf5de58d73a9a53254816ec932a4a75c7d561bf1ad2c533cd472889ccda7722a440db

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
e3ef8a295ed3a5681fa52763d028fc9a

SHA1
2f265bf8cceb02b3cb5cab7f379b65328c40db6e

SHA256
c6d25abb4c31d9a5901a905525a8608e85127f4fb41a128ec481710801426c9f

SHA512
885c596150a77291f830f48bc945e234d26c8aaeca9c5ee4f16f428fbc86369f08ad910d5d23db4433c7e7f8c511b500913e6a2d02a10fb12f87ee987420c435

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
142a4d610e18c6cb9477637fcc9b105b

SHA1
b41760028eddf5c42a2978fad2b95961d2d71763

SHA256
7466f572aac07f22ff7591f160de87f5bb307480256fe6facb10aac4cf6242ea

SHA512
be82c173228c98f395488712b0e8fec126c9356d2feabc7b876ef0b119e27f4e95b9ce0f87f31161fc25052fda340d35b31ee948031cebc174ed71da01e15bc2

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
142a4d610e18c6cb9477637fcc9b105b

SHA1
b41760028eddf5c42a2978fad2b95961d2d71763

SHA256
7466f572aac07f22ff7591f160de87f5bb307480256fe6facb10aac4cf6242ea

SHA512
be82c173228c98f395488712b0e8fec126c9356d2feabc7b876ef0b119e27f4e95b9ce0f87f31161fc25052fda340d35b31ee948031cebc174ed71da01e15bc2

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
11c62b546b43fd07f7a982663f9faab9

SHA1
3c0ea8e7c74e5c18d4a319fb6c19dae623318312

SHA256
d6be7466814138ba659ae4328add449ff306559fc48eaecc41747140153e391c

SHA512
2a80f10fcfc8597475b380ed8cbba79e2e8c82e45677384f131b07a29a9c7955fa481e5de452e8b5baa1b6d840030da36893cb8f64c2ca4ccee3cc5586e85f24

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
1fad9362c44a0b4f2c4d1036962b9714

SHA1
8bbe08a88bc34cf8807cabf9bd8738b73460f116

SHA256
d2bd4cf620a46b727bbce80d3cb1034ec2619eb3865faa84fd4b051f7a8e471a

SHA512
a7bd9c3007f22bb7383f03a8ef51c64fc9abf5e5fb094af7dfa337a6726bf5de58d73a9a53254816ec932a4a75c7d561bf1ad2c533cd472889ccda7722a440db

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
063013838c1f4f27a26cc347608870e7

SHA1
2d763922fbb4814c66c5a87cea559492b0735c76

SHA256
6517354d02f25c91749a3fabe0415754b78c1ae4c9afee3b56af82b7e709f2eb

SHA512
889015889e76d2935e9386688abb73276ccad022b89a9e32e6f5d4a7b98bedf27fd1d598e5d01b32fde5c53583c547d779079492c069a440ca9d65183ed0fcba

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
128419029650e1622d8fea55e74f3615

SHA1
b4def07f3ef404087d14b8c265f105615c68f0d9

SHA256
7b0bd4a1e2c4ca2024e788cc291276e8c9bc4e9c874e3031a4ecab47b5f181c4

SHA512
a1c54bd6d5b7673fb79e6b0f1eb069231c45f1f41f2dd97baa31e381da602ed85d73934b7c9489eccffe3154643e095723256e260c894e64c5127fa7a23708bf

Download Submit
\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
729128e6316f1ec8b25dc89a81968367

SHA1
40dedfbe9e94f9cb4c189ba20a63f6f1bb1e77f3

SHA256
5e237befe8c4aa0aed331f913d212fd2a26f1918a5cb15b5a73e34523542555c

SHA512
4bbe90d1461d4048203991380bd1c2257a2b37e401855422cc4447c426e225e2d5f6d8dc181cf5e406441150196784021ff149cab3c5e137da6baff8e70c5e33

Download Submit
\Windows\System32\alg.exe

Filesize
1.6MB

MD5
260ecfa9fea2c6bc0a7ee762ef77e56e

SHA1
31f9d3fad84353229a87c5b7a73abaa52ecdc5d5

SHA256
e8ac20f90800ab9b573111ab34428af4099821af018e014591858fc925787680

SHA512
d72b04eaf3ce17484f63a79afeae7c137be3a75ca42000ef4bfb04715c226e4dd2aaa6806906e288ab0232a624dc8ae7e73b2a4212533ff3eafc5b71a39933f2

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
d16457ce5769f1aeaac4538b51eafed7

SHA1
9a82652781ba9a8cca05322326862472ac96bf3f

SHA256
8bd21e06c2bd4bae21d98ad9b7121a0d33f21a6f76b4d8f9dd1ba3d2427f32b9

SHA512
6a5d322b47211bd8eb106c2b129aa5cc7d52b5f2fe1095dc9bbd9e22115a0dd9f8e5a74c5b3dd6dd2ad56caf960796bb0d6bc04dd5502a9c9769d89500dd0aaf

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
1fc351b6a09318a972a7732a9d5d96a2

SHA1
35927f1697bacf403619a547570471c3812c2b62

SHA256
281bd135741616abf4ba6909d627bc37c41d641c28765b5ba8c66a7f3c940203

SHA512
52fa64b3f7b4263a3ac8fd071b0d125414608afc6a78cdaf99ff6e2072eae7931ae0553986553b6714f7b25892b24c2e5e7d49ef7132c33009f14ca07c1d3be2

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
93568c2f7b4b0742927cbf4ff03be404

SHA1
32d16a7f7c1020e697e07919cb406ecd787c5cf2

SHA256
46476369f2bcec2def2669bf452961de144bc9761ab1eeb2a728864588d44541

SHA512
7f7baa86c2d1cbc0b492a7609cb5bea04317834041acc78cf8538a30f8ebf4f352428398f283f9f54ee9e3525a7242cb2d046828a169f41a5ed6112e92d83d8c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
1fad9362c44a0b4f2c4d1036962b9714

SHA1
8bbe08a88bc34cf8807cabf9bd8738b73460f116

SHA256
d2bd4cf620a46b727bbce80d3cb1034ec2619eb3865faa84fd4b051f7a8e471a

SHA512
a7bd9c3007f22bb7383f03a8ef51c64fc9abf5e5fb094af7dfa337a6726bf5de58d73a9a53254816ec932a4a75c7d561bf1ad2c533cd472889ccda7722a440db

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
1fad9362c44a0b4f2c4d1036962b9714

SHA1
8bbe08a88bc34cf8807cabf9bd8738b73460f116

SHA256
d2bd4cf620a46b727bbce80d3cb1034ec2619eb3865faa84fd4b051f7a8e471a

SHA512
a7bd9c3007f22bb7383f03a8ef51c64fc9abf5e5fb094af7dfa337a6726bf5de58d73a9a53254816ec932a4a75c7d561bf1ad2c533cd472889ccda7722a440db

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
e3ef8a295ed3a5681fa52763d028fc9a

SHA1
2f265bf8cceb02b3cb5cab7f379b65328c40db6e

SHA256
c6d25abb4c31d9a5901a905525a8608e85127f4fb41a128ec481710801426c9f

SHA512
885c596150a77291f830f48bc945e234d26c8aaeca9c5ee4f16f428fbc86369f08ad910d5d23db4433c7e7f8c511b500913e6a2d02a10fb12f87ee987420c435

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
142a4d610e18c6cb9477637fcc9b105b

SHA1
b41760028eddf5c42a2978fad2b95961d2d71763

SHA256
7466f572aac07f22ff7591f160de87f5bb307480256fe6facb10aac4cf6242ea

SHA512
be82c173228c98f395488712b0e8fec126c9356d2feabc7b876ef0b119e27f4e95b9ce0f87f31161fc25052fda340d35b31ee948031cebc174ed71da01e15bc2

Download Submit
memory/568-371-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/568-378-0x0000000000B00000-0x0000000000B66000-memory.dmp

Filesize
408KB

Download
memory/568-397-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/568-396-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/568-383-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/696-382-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/696-368-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/696-362-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/696-356-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/696-381-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/748-142-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/748-143-0x00000000005A0000-0x0000000000606000-memory.dmp

Filesize
408KB

Download
memory/748-289-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/748-148-0x00000000005A0000-0x0000000000606000-memory.dmp

Filesize
408KB

Download
memory/1520-319-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1520-293-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1520-301-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/1520-303-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/1520-320-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/1612-331-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1612-194-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1612-201-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1612-282-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1612-317-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1612-324-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1748-159-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/1748-163-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1748-167-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/1748-166-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/1748-300-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1944-401-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2028-124-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2028-130-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2028-122-0x0000000010000000-0x0000000010193000-memory.dmp

Filesize
1.6MB

Download
memory/2028-174-0x0000000010000000-0x0000000010193000-memory.dmp

Filesize
1.6MB

Download
memory/2324-285-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2324-337-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2332-0-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2332-280-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2332-7-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2332-6-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2332-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2332-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2456-398-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-393-0x0000000000610000-0x0000000000676000-memory.dmp

Filesize
408KB

Download
memory/2456-387-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2500-352-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-334-0x0000000000680000-0x00000000006E6000-memory.dmp

Filesize
408KB

Download
memory/2500-338-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-326-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2500-351-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2640-318-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-308-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2640-313-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/2640-336-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-335-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2696-33-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2696-46-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2696-23-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2696-24-0x0000000100000000-0x0000000100190000-memory.dmp

Filesize
1.6MB

Download
memory/2696-158-0x0000000100000000-0x0000000100190000-memory.dmp

Filesize
1.6MB

Download
memory/2840-113-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2840-108-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2840-139-0x0000000010000000-0x000000001018B000-memory.dmp

Filesize
1.5MB

Download
memory/2840-107-0x0000000010000000-0x000000001018B000-memory.dmp

Filesize
1.5MB

Download
memory/2944-188-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/2944-182-0x0000000100000000-0x0000000100181000-memory.dmp

Filesize
1.5MB

Download
memory/2944-179-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/2944-306-0x0000000100000000-0x0000000100181000-memory.dmp

Filesize
1.5MB

Download
memory/3024-103-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3024-96-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3024-91-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3024-180-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3056-353-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-366-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-367-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/3056-348-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/3056-341-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download