78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f

Analysis

max time kernel
139s
max time network
181s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
24/11/2023, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
Size

1.8MB
MD5

2e44a0605f61ead10fd05c924a344d3a
SHA1

62055dd8cbcc83e7bf36c0c44f5ef0bd09883769
SHA256

78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f
SHA512

2bd89a51b4b53a41752c3afd3982da4f89491c65fee55e95ab7317ca3a095e9845916fa9280ca99d9bd883d3b0d1cc59973b855d9db108cc87d85733b156b74a
SSDEEP

49152:Fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAmDmg27RnWGj:FvbjVkjjCAzJzD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
468	Process not Found
2684	alg.exe
592	aspnet_state.exe
1940	mscorsvw.exe
1624	mscorsvw.exe
856	mscorsvw.exe
1476	mscorsvw.exe
1464	dllhost.exe
2132	ehRecvr.exe
1712	ehsched.exe
2124	mscorsvw.exe
2652	elevation_service.exe
2612	IEEtwCollector.exe
1984	GROOVE.EXE
2892	mscorsvw.exe
1788	maintenanceservice.exe
696	msdtc.exe
1372	msiexec.exe
1688	OSE.EXE
2076	OSPPSVC.EXE
1840	perfhost.exe
2244	locator.exe
564	snmptrap.exe
1764	vds.exe
2620	vssvc.exe
2664	wbengine.exe
2880	WmiApSrv.exe
1756	wmpnetwk.exe
956	SearchIndexer.exe
2592	mscorsvw.exe
3068	mscorsvw.exe
2552	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1372	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bf32b3019c8e5786.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateBroker.exe	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateSetup.exe	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\psuser_64.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_da.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_nl.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_it.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdate.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_th.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateComRegisterShell64.exe	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_am.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_cs.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_uk.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_es-419.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_gu.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ms.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ja.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_sk.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ta.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateCore.exe	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_en-GB.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_et.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ru.dll	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B9C5C34F-DB72-4262-8527-13C19CD61CF1}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B9C5C34F-DB72-4262-8527-13C19CD61CF1}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1B18720E-439D-4613-8136-339AA31A3584}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1B18720E-439D-4613-8136-339AA31A3584}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2532	ehRec.exe
592	aspnet_state.exe
592	aspnet_state.exe
592	aspnet_state.exe
592	aspnet_state.exe
592	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2776	78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
Token: SeTakeOwnershipPrivilege	592	aspnet_state.exe
Token: SeShutdownPrivilege	856	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	856	mscorsvw.exe
Token: SeShutdownPrivilege	856	mscorsvw.exe
Token: SeShutdownPrivilege	856	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: 33	2928	EhTray.exe
Token: SeIncBasePriorityPrivilege	2928	EhTray.exe
Token: SeDebugPrivilege	2532	ehRec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeSecurityPrivilege	1372	msiexec.exe
Token: 33	2928	EhTray.exe
Token: SeIncBasePriorityPrivilege	2928	EhTray.exe
Token: SeBackupPrivilege	2620	vssvc.exe
Token: SeRestorePrivilege	2620	vssvc.exe
Token: SeAuditPrivilege	2620	vssvc.exe
Token: SeBackupPrivilege	2664	wbengine.exe
Token: SeRestorePrivilege	2664	wbengine.exe
Token: SeSecurityPrivilege	2664	wbengine.exe
Token: 33	1756	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1756	wmpnetwk.exe
Token: SeManageVolumePrivilege	956	SearchIndexer.exe
Token: 33	956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	956	SearchIndexer.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeDebugPrivilege	592	aspnet_state.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2928	EhTray.exe
2928	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2928	EhTray.exe
2928	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1832	SearchProtocolHost.exe
1832	SearchProtocolHost.exe
1832	SearchProtocolHost.exe
1832	SearchProtocolHost.exe
1832	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1832	SearchProtocolHost.exe
1332	SearchProtocolHost.exe
1332	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2124	1476	mscorsvw.exe	38
PID 1476 wrote to memory of 2124	1476	mscorsvw.exe	38
PID 1476 wrote to memory of 2124	1476	mscorsvw.exe	38
PID 1476 wrote to memory of 2892	1476	mscorsvw.exe	44
PID 1476 wrote to memory of 2892	1476	mscorsvw.exe	44
PID 1476 wrote to memory of 2892	1476	mscorsvw.exe	44
PID 956 wrote to memory of 1832	956	SearchIndexer.exe	59
PID 956 wrote to memory of 1832	956	SearchIndexer.exe	59
PID 956 wrote to memory of 1832	956	SearchIndexer.exe	59
PID 956 wrote to memory of 1936	956	SearchIndexer.exe	60
PID 956 wrote to memory of 1936	956	SearchIndexer.exe	60
PID 956 wrote to memory of 1936	956	SearchIndexer.exe	60
PID 1476 wrote to memory of 2592	1476	mscorsvw.exe	61
PID 1476 wrote to memory of 2592	1476	mscorsvw.exe	61
PID 1476 wrote to memory of 2592	1476	mscorsvw.exe	61
PID 856 wrote to memory of 3068	856	mscorsvw.exe	62
PID 856 wrote to memory of 3068	856	mscorsvw.exe	62
PID 856 wrote to memory of 3068	856	mscorsvw.exe	62
PID 856 wrote to memory of 3068	856	mscorsvw.exe	62
PID 956 wrote to memory of 1332	956	SearchIndexer.exe	63
PID 956 wrote to memory of 1332	956	SearchIndexer.exe	63
PID 956 wrote to memory of 1332	956	SearchIndexer.exe	63
PID 856 wrote to memory of 2552	856	mscorsvw.exe	64
PID 856 wrote to memory of 2552	856	mscorsvw.exe	64
PID 856 wrote to memory of 2552	856	mscorsvw.exe	64
PID 856 wrote to memory of 2552	856	mscorsvw.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
"C:\Users\Admin\AppData\Local\Temp\78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1e8 -NGENProcess 1f4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1e8 -NGENProcess 1f4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1464

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2132

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2612

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:696

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3425689832-2386927309-2650718742-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3425689832-2386927309-2650718742-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1832
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
c5e8dfe8a2519cb4db038ec61b65d7b5

SHA1
3d9b6ab33fc6aeb0a473a789817aba4accf2955c

SHA256
fb1716976d69e537e5057eb01d0bedc411ef86bd56e367571e04ce15686a73a2

SHA512
7b15fe209db2843763a10be1846c36dcce06be022840dc722b50d5ba88b99c5c71136106f5e6691d79ab878a70eb96a9ba94bfbf6311310eba080b8c2fa691aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d283a2d8a50c63d64f82f3829110d309

SHA1
653e45b6786fb5b7d9a4681b03d1aca40310739f

SHA256
f92da5e7a1dd8f2a1eef81ede1581a0653a44731f043158ab7e77896e8d2f694

SHA512
0eab123ade4db16ec8d748aa17a67295127ffd5e5cef02f9c78762c19cb043059de91a05fcf4c9695765033f2a4a4c038781358bec7772adfc9fbd98d9a54432

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c3bd7eef7fbb01f41831b5f835f61fac

SHA1
e8f3b804eb2830ca83c946e1e879669890a76399

SHA256
2d637ae4654e1c5cfaaadbbdc22c55f07b3f390d663417f6d1255fab492f238a

SHA512
837ec18012a0504b56d04e449457982a0b750093607d94f2829bc5013b4ce6308e8c6be738fab7a4d8bd9855e283d6bd2e112641f05665f737a9be68c632fa6a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6e49332f3b02b9a8bf456c4fe109d82b

SHA1
3f25c03aea050fcc0f8f36c5ef2e8238a3eba0fb

SHA256
277d2b2e6bb75975667c52bd708303d4e798795a047ef26c8a6c1a1389e6a052

SHA512
04d9eb4798595d4f5b931cc77b724a313f20377f82b1060232c46d148e4a5c4761ba5ea070f81250287e90f9a4a9a5d17606333801846ce3b5e55ae425e5f7c3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0fbccfbc326b589bf0c962e5dbee5484

SHA1
f31838e8acabbcf5b56b2be983a87b334455a3ac

SHA256
84213d52107e7a981149a11197de7a171efafddf6c3620f707574b847c89bd76

SHA512
c6ea8838c91e99699ba6de5edc2335ad09e5f028afac06b0291d9cdc1ed0227312a3f58f331225b4229bbf8ded57fb660b55e331390c83b62616411689a35c30

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d7ff3d0a227cb8086b1b10ed9531bdf7

SHA1
f641d66739448d2f4d72d1abb9749db6460afff7

SHA256
3ee28acc979ce5ddf7f8c5a9ade43d3502cc9cc5dfdb4fe589808be5dcad46d4

SHA512
7b22f844f69e8d14db3b97ac190bf4a41e5f7a6f1a87a031ee44ad1c360d6bd435fca5165fc7be2521c334ea6fe237bbce742dc31d19e1d8d16d814c5667fe15

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e287c6a78097236228e7c7bf1c126917

SHA1
4646ea95b4383c61e4f53833976f30be8502dbfa

SHA256
12b50e27230031e40ba27cb602d67f1e8b5023a2679654b5937a1d95e5416973

SHA512
f5de435bcb5f814ed0f9a994d49a10a3028da147b654e307bad81aeaba7efadb1518015bfe18a5985427847bc2fc1e384264e97b221655d012e1d2448133adb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
808a369997c72dea75e2faf1c14c90db

SHA1
30377ddb79f80e4dba6d8fcefdb1c43b6e27b9a1

SHA256
8b498c755984f88401487708b4d184cf73c37bf6afe6e43753200a145d1d1ea7

SHA512
501a6806a48dcd9d63e90981933a9a3ba0fb83ef5032bf1dcd99ca8b6462e697f52006707e920f66a3686ddf2b0fe2152dcbf6da06ef50facd0b68a72bd3a8c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
808a369997c72dea75e2faf1c14c90db

SHA1
30377ddb79f80e4dba6d8fcefdb1c43b6e27b9a1

SHA256
8b498c755984f88401487708b4d184cf73c37bf6afe6e43753200a145d1d1ea7

SHA512
501a6806a48dcd9d63e90981933a9a3ba0fb83ef5032bf1dcd99ca8b6462e697f52006707e920f66a3686ddf2b0fe2152dcbf6da06ef50facd0b68a72bd3a8c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
28d3d4a3b265e6f978ae4dad33706298

SHA1
e9608cb83b546d962df783cbef4e5b9461dc7ff7

SHA256
2a29188d330a09f133cadb92c6339d904547d060545058e8668fc07ec3eb82b0

SHA512
6941a4ed621cbcee2faa3d580449c2a4d80ede688da4056accc21cbe3aa180b40fbec956c6533a2c8c95e38f1237f3d31149bf39a2a401b91a528a86f67b661b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
b64712b62175123eea3c1fb9fc53d4c7

SHA1
7c1a0b022e24213149ae6e6755bf1400504341f2

SHA256
6659dfd89ba455d2bd2ff7078829b4c4805635f8598806bbae48b7a0e06a996a

SHA512
b8eaa465dd06ecf2d067006d43a1c1d9acfaaa906bfc376b3ad3452d1469bceb822b157ca08ae7377fe8d425306a41a32ecc75a2e3dfd27b2a0020c6b62f4566

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
51f6d5a5d1b7f1f2d666e90ea8bad002

SHA1
0328aced25a11a0b4b65b1a85adc2cb71123364b

SHA256
1323623ec3f6be25f5700149c832af54e98bea58cf9af77aed63cd8a9babb3bf

SHA512
a0556fb038fa2085f467f8dcca8add263f9f52e8e4ff310ed0d425f3d15ef09a0e736aedf9bc5946c3759ce1ab928bcf5f40792d7ecd4532e5689c53f86431a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
51f6d5a5d1b7f1f2d666e90ea8bad002

SHA1
0328aced25a11a0b4b65b1a85adc2cb71123364b

SHA256
1323623ec3f6be25f5700149c832af54e98bea58cf9af77aed63cd8a9babb3bf

SHA512
a0556fb038fa2085f467f8dcca8add263f9f52e8e4ff310ed0d425f3d15ef09a0e736aedf9bc5946c3759ce1ab928bcf5f40792d7ecd4532e5689c53f86431a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
51f6d5a5d1b7f1f2d666e90ea8bad002

SHA1
0328aced25a11a0b4b65b1a85adc2cb71123364b

SHA256
1323623ec3f6be25f5700149c832af54e98bea58cf9af77aed63cd8a9babb3bf

SHA512
a0556fb038fa2085f467f8dcca8add263f9f52e8e4ff310ed0d425f3d15ef09a0e736aedf9bc5946c3759ce1ab928bcf5f40792d7ecd4532e5689c53f86431a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
51f6d5a5d1b7f1f2d666e90ea8bad002

SHA1
0328aced25a11a0b4b65b1a85adc2cb71123364b

SHA256
1323623ec3f6be25f5700149c832af54e98bea58cf9af77aed63cd8a9babb3bf

SHA512
a0556fb038fa2085f467f8dcca8add263f9f52e8e4ff310ed0d425f3d15ef09a0e736aedf9bc5946c3759ce1ab928bcf5f40792d7ecd4532e5689c53f86431a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
51f6d5a5d1b7f1f2d666e90ea8bad002

SHA1
0328aced25a11a0b4b65b1a85adc2cb71123364b

SHA256
1323623ec3f6be25f5700149c832af54e98bea58cf9af77aed63cd8a9babb3bf

SHA512
a0556fb038fa2085f467f8dcca8add263f9f52e8e4ff310ed0d425f3d15ef09a0e736aedf9bc5946c3759ce1ab928bcf5f40792d7ecd4532e5689c53f86431a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
1f72047c4d0e76cc782c76e45967b13a

SHA1
ff6a6935c66074d11f695dfd2cdd75a6085e53a1

SHA256
3650b02d135b4a8e750ee640abf2848fac67cc2c5b33b101b064137d4d799b81

SHA512
ae7c6c5b6029c1f16b4aa0ceae8247bbfbf61e53a7c8d15df9541029df03cde71262444811d57500d9e8c9c6c74945e34add7e288a3bd10238ae1080e8ea3505

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
1f72047c4d0e76cc782c76e45967b13a

SHA1
ff6a6935c66074d11f695dfd2cdd75a6085e53a1

SHA256
3650b02d135b4a8e750ee640abf2848fac67cc2c5b33b101b064137d4d799b81

SHA512
ae7c6c5b6029c1f16b4aa0ceae8247bbfbf61e53a7c8d15df9541029df03cde71262444811d57500d9e8c9c6c74945e34add7e288a3bd10238ae1080e8ea3505

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2b6a4bdc26c1e2dc4cd1dd3468c72022

SHA1
bf3731b5c4f12b7a233d08b3add2bcd6233ef15b

SHA256
a625f8b137c84bc2dec4c2a118a06d0f0f9d7367bd37a7711dce1bebb47f8322

SHA512
27a516517c1d89fa50295b3b9c4e3ecaad43dc6b6d17fc06d37a32b4f745e40a5d03f170686e1c294e0db2290c22fb2f9fcf207a8b2ac8474c4681ed5d917ecf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
13549a1046562aebe511cd858b3edc8e

SHA1
76bef4cbfd6e6ea0ebf31f45f3d122a841a69b9f

SHA256
386e36406d4e44791f5a1b5e5bb5ee49b35d6eb6edea5b68e702f78fe5aa1c6b

SHA512
2cc364ddf6c472e20bed73e7e4633dc5820fe5fe3272af0b1135815b09313f5a4634add4602cfe51a0b8b249cb93d291f367a044a6d3b1431e11ed1af503da46

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
13549a1046562aebe511cd858b3edc8e

SHA1
76bef4cbfd6e6ea0ebf31f45f3d122a841a69b9f

SHA256
386e36406d4e44791f5a1b5e5bb5ee49b35d6eb6edea5b68e702f78fe5aa1c6b

SHA512
2cc364ddf6c472e20bed73e7e4633dc5820fe5fe3272af0b1135815b09313f5a4634add4602cfe51a0b8b249cb93d291f367a044a6d3b1431e11ed1af503da46

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
13549a1046562aebe511cd858b3edc8e

SHA1
76bef4cbfd6e6ea0ebf31f45f3d122a841a69b9f

SHA256
386e36406d4e44791f5a1b5e5bb5ee49b35d6eb6edea5b68e702f78fe5aa1c6b

SHA512
2cc364ddf6c472e20bed73e7e4633dc5820fe5fe3272af0b1135815b09313f5a4634add4602cfe51a0b8b249cb93d291f367a044a6d3b1431e11ed1af503da46

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
13549a1046562aebe511cd858b3edc8e

SHA1
76bef4cbfd6e6ea0ebf31f45f3d122a841a69b9f

SHA256
386e36406d4e44791f5a1b5e5bb5ee49b35d6eb6edea5b68e702f78fe5aa1c6b

SHA512
2cc364ddf6c472e20bed73e7e4633dc5820fe5fe3272af0b1135815b09313f5a4634add4602cfe51a0b8b249cb93d291f367a044a6d3b1431e11ed1af503da46

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
13549a1046562aebe511cd858b3edc8e

SHA1
76bef4cbfd6e6ea0ebf31f45f3d122a841a69b9f

SHA256
386e36406d4e44791f5a1b5e5bb5ee49b35d6eb6edea5b68e702f78fe5aa1c6b

SHA512
2cc364ddf6c472e20bed73e7e4633dc5820fe5fe3272af0b1135815b09313f5a4634add4602cfe51a0b8b249cb93d291f367a044a6d3b1431e11ed1af503da46

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
55773d095682aee05966529e2e8f10fc

SHA1
327903a912d7d3472c8b6282d26cece2a57eb263

SHA256
5c83c0054714f9472758c2e19064b795c2edb7f79dc8d1e332161cd1afa2b347

SHA512
a11b593a903cc0d8584da1bc45eda9187b1e8a31b31a6d7f487f3b8efa6f9e3a96e3a05358f89847b5f04c309de423c313c211edc0f7d561451ea85a2ec8d9f2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3d6352fecf768159e1d7e460dd62d7bd

SHA1
c780fcf8a5087e03cefc5a3227293678cdd71b88

SHA256
dce95d57e277a6694fefb0a75dbf73f20b3fd832ef1f982990e75859da1352c4

SHA512
dff98085d8fc2c6d2610d1f1b3737e0e1910a29d952b84a90c0cf77b5ccdb397720cbc1ca274fc565e99453ca2e729725f855d54fc4eedd262943923b37d2366

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
ca86b9bb6d91c908ec7bcb468b329f80

SHA1
785e7fae3307631ac4137ff077f6e533e0cd3d48

SHA256
385ac1d3b9178b8a8b02f9f0a3820deacd1411501cf7c817fc1853fcd3d8992b

SHA512
ed47bd898154a2b0618e9246cfdd4438a3dc633cc483019e48876e8f7226c85ac50bd7f16e1c682a79c26a9a639e771ffef50df3160be1edd7902bcf735a069a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
7327f54ea7f072d015eff5058f4df3d4

SHA1
6ca79947ff13295d4bab93d819f9cd6c10b4c14b

SHA256
35d98d6e75847b3c96d5185522e1e0adaaf6a65626468e2e44037b59c2a6f963

SHA512
f06ae261dfa7d2e966ace92797fdcb0853f1719b188e2b1d82b11d0a938dd67d4a3e2f0509c7166f7ad8dab12d5e1bb71140b999b14b3dcac9fbbe3edb968034

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
94b092197e6efdef3c5b7801791cf29d

SHA1
f21a142c68b86aeb4a9d64a332ac775e1728f371

SHA256
9762d2774e6c09d8c0c952d51b9eb8d289f6344002f3997debc64705b58e25af

SHA512
1cfd7a1fd1b075159b1bc946df9ec582dc07aa7ca59fdeb026721437ac8b5dac59ac5be54690c4a2362e6941bc0855df858c6e9520d58cacd76ff553c8e98610

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
cd04afd0828c253036b54c5cfb4483cd

SHA1
fdc4b0665474358e839e5ff7086437f645816248

SHA256
b305bc873ffa7b579dfe792884ff54ca2191e46906678192be063c6c877f486c

SHA512
20eba0daf9db51bf6d3a0046987d84bf9f4658e45e992c3249c0d13c0a274d04f73a7952accd5894f1cb794ad083dbeeb3b0af7aed4e826f01c078b87579c703

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
b824bbaaf5e8b8787b3b19bf26fb9cfb

SHA1
402479585c5e94afe463991cfcb46c2ad6671be2

SHA256
0c42e2a689fa925b4960163c0590b24b3affd5d488c6b118268d97b1e7bfc8bb

SHA512
fabd84936562d7d1ed62a16d2c471e9ab31e3a1bed19b940b24a215ec3e82cee81bf0db5f59e47867186dd90ab7acbc8f6250aad9ed26f6e83091bdf5a446928

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
de8416e620110b225f1d105231f7c16f

SHA1
b9b90e4cf924e85c3f2a30cc56c003ff7c17908d

SHA256
6ceba271c05731bbbfcadb9714047dc2dd8416b82392fd7d3035f5eb6e7b54ce

SHA512
a2a663310015e6cf87172916c2c9bbc638c1a7207a82f78b6eca3895bfcd6fa29026efa4a744aa2f402e80cd8b7633bc3e4673ba3e13e45e456e221eddfe97fc

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4cf6af9fa8669e8e024fa5aa66a2d6a6

SHA1
c5f13f6bd7fc7c4646aedb5193e473f097143fcc

SHA256
9dba6bc58b6134e130ce65ff029cb2e3550bdf70ad123f657473604424987041

SHA512
982c98ba7c1b80110215f7580dd03b731ebe2c4530f77ad658b7e05bf1ba4955f46e099988eb14cee8357ddb36f49c8f0d0126772dfa20f898528fae14c7ee86

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
401ca59b0c6f85fc4d7c1894128a2179

SHA1
59e62ab2bf2642df994337f2757a59828ebd9215

SHA256
49a7ab54a77327cae800df5e0b86d3ba0f16c9e18338a5e85b8f6849d118dfc3

SHA512
eaeeffc373b2b00d13222ccb37f7cc3bf4067d45305e61d89b9b09b967bc89d9b90e466d73915f543860887e81648bc7ee44e7c25eb2590ccff71ab3d6a92fbf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
1b3327229d67567008882120780979e8

SHA1
49d2f98b179815b449fb58d4ae8e263a3743d6b6

SHA256
731e6389c2cb51baac02eb5994953d2dc102f9f9ba5e409f60d0234466a64f3a

SHA512
92a60e021431a0be73730b84c889740ef8a17fa317c63c56702672cafa7f6c85778cee1e1ed7e3504a621447135359cbfe9dbcc6ed6bb0c3bafaa75369704f36

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8c646a417c8d624f2478cd12d0ee5738

SHA1
15067b90aa7d3eb852a26607a0768e5f7d730f6b

SHA256
41c817d3a843567a13e7539432faedc26165612ae14c8bf0f21da529aab3c7b2

SHA512
646320ddf6a13c799b1d635f0f2505d07ad09d741e2aa2783967e11f7bdca17f7f644a5422755f8254e86b95e7bf8f4295ffabdeaa17769fb6203e8330fc3b59

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6dd2f01084e3ef46351fcac1ed99cd34

SHA1
c0f2f2ceb601d1ee992b61ab58e81a84bbe83997

SHA256
d805d304185ad7ae4035ce604c89b8187fbc1805bb01e46585efd9451671ad84

SHA512
c34fd1d62740b04b8a831a079ccf8a98cf0e7c825d3fe58e79ac374d9c7aab861562743f94b81eb3e0dd89976040fce94c079b01bc64f224455b70f4336b1ac7

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1d32aba48449065b7f0be714cba28ff1

SHA1
a4256c9521116af3be51a112c1eaede6eb59a9da

SHA256
bdfea8ebad9487b5b4c3a0bab7ceaf2ce7f633608fe62a2aa247dbf3659b6fd4

SHA512
7f2a5305df5a5ee273a0adde87ac02a0fa5f13280cb3938b15620a16a015072fed4fb35355169af95ddc7c736e822f1b3e550dafeeab5b28d2b7f344fef6ba88

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
eca493ddce69bbcc1f30f19703e3a049

SHA1
1bd177c55abdcb97729c55003dfd105c401111ef

SHA256
d56faa59e7132a63ff56735fa0fb5f63862ca1f46237b35c7c7ecda45872e1f7

SHA512
602f28af640db67dfa34b1717bbc7ec6458ba0ec2dd4f338192c381f07107760ea61bbffd763de1474f24279d3255913d8391970730876de0c8cddb4cddd13f9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
4cf6af9fa8669e8e024fa5aa66a2d6a6

SHA1
c5f13f6bd7fc7c4646aedb5193e473f097143fcc

SHA256
9dba6bc58b6134e130ce65ff029cb2e3550bdf70ad123f657473604424987041

SHA512
982c98ba7c1b80110215f7580dd03b731ebe2c4530f77ad658b7e05bf1ba4955f46e099988eb14cee8357ddb36f49c8f0d0126772dfa20f898528fae14c7ee86

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d7ff3d0a227cb8086b1b10ed9531bdf7

SHA1
f641d66739448d2f4d72d1abb9749db6460afff7

SHA256
3ee28acc979ce5ddf7f8c5a9ade43d3502cc9cc5dfdb4fe589808be5dcad46d4

SHA512
7b22f844f69e8d14db3b97ac190bf4a41e5f7a6f1a87a031ee44ad1c360d6bd435fca5165fc7be2521c334ea6fe237bbce742dc31d19e1d8d16d814c5667fe15

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d7ff3d0a227cb8086b1b10ed9531bdf7

SHA1
f641d66739448d2f4d72d1abb9749db6460afff7

SHA256
3ee28acc979ce5ddf7f8c5a9ade43d3502cc9cc5dfdb4fe589808be5dcad46d4

SHA512
7b22f844f69e8d14db3b97ac190bf4a41e5f7a6f1a87a031ee44ad1c360d6bd435fca5165fc7be2521c334ea6fe237bbce742dc31d19e1d8d16d814c5667fe15

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
808a369997c72dea75e2faf1c14c90db

SHA1
30377ddb79f80e4dba6d8fcefdb1c43b6e27b9a1

SHA256
8b498c755984f88401487708b4d184cf73c37bf6afe6e43753200a145d1d1ea7

SHA512
501a6806a48dcd9d63e90981933a9a3ba0fb83ef5032bf1dcd99ca8b6462e697f52006707e920f66a3686ddf2b0fe2152dcbf6da06ef50facd0b68a72bd3a8c9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
b64712b62175123eea3c1fb9fc53d4c7

SHA1
7c1a0b022e24213149ae6e6755bf1400504341f2

SHA256
6659dfd89ba455d2bd2ff7078829b4c4805635f8598806bbae48b7a0e06a996a

SHA512
b8eaa465dd06ecf2d067006d43a1c1d9acfaaa906bfc376b3ad3452d1469bceb822b157ca08ae7377fe8d425306a41a32ecc75a2e3dfd27b2a0020c6b62f4566

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3d6352fecf768159e1d7e460dd62d7bd

SHA1
c780fcf8a5087e03cefc5a3227293678cdd71b88

SHA256
dce95d57e277a6694fefb0a75dbf73f20b3fd832ef1f982990e75859da1352c4

SHA512
dff98085d8fc2c6d2610d1f1b3737e0e1910a29d952b84a90c0cf77b5ccdb397720cbc1ca274fc565e99453ca2e729725f855d54fc4eedd262943923b37d2366

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
94b092197e6efdef3c5b7801791cf29d

SHA1
f21a142c68b86aeb4a9d64a332ac775e1728f371

SHA256
9762d2774e6c09d8c0c952d51b9eb8d289f6344002f3997debc64705b58e25af

SHA512
1cfd7a1fd1b075159b1bc946df9ec582dc07aa7ca59fdeb026721437ac8b5dac59ac5be54690c4a2362e6941bc0855df858c6e9520d58cacd76ff553c8e98610

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
cd04afd0828c253036b54c5cfb4483cd

SHA1
fdc4b0665474358e839e5ff7086437f645816248

SHA256
b305bc873ffa7b579dfe792884ff54ca2191e46906678192be063c6c877f486c

SHA512
20eba0daf9db51bf6d3a0046987d84bf9f4658e45e992c3249c0d13c0a274d04f73a7952accd5894f1cb794ad083dbeeb3b0af7aed4e826f01c078b87579c703

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
b824bbaaf5e8b8787b3b19bf26fb9cfb

SHA1
402479585c5e94afe463991cfcb46c2ad6671be2

SHA256
0c42e2a689fa925b4960163c0590b24b3affd5d488c6b118268d97b1e7bfc8bb

SHA512
fabd84936562d7d1ed62a16d2c471e9ab31e3a1bed19b940b24a215ec3e82cee81bf0db5f59e47867186dd90ab7acbc8f6250aad9ed26f6e83091bdf5a446928

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
de8416e620110b225f1d105231f7c16f

SHA1
b9b90e4cf924e85c3f2a30cc56c003ff7c17908d

SHA256
6ceba271c05731bbbfcadb9714047dc2dd8416b82392fd7d3035f5eb6e7b54ce

SHA512
a2a663310015e6cf87172916c2c9bbc638c1a7207a82f78b6eca3895bfcd6fa29026efa4a744aa2f402e80cd8b7633bc3e4673ba3e13e45e456e221eddfe97fc

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4cf6af9fa8669e8e024fa5aa66a2d6a6

SHA1
c5f13f6bd7fc7c4646aedb5193e473f097143fcc

SHA256
9dba6bc58b6134e130ce65ff029cb2e3550bdf70ad123f657473604424987041

SHA512
982c98ba7c1b80110215f7580dd03b731ebe2c4530f77ad658b7e05bf1ba4955f46e099988eb14cee8357ddb36f49c8f0d0126772dfa20f898528fae14c7ee86

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4cf6af9fa8669e8e024fa5aa66a2d6a6

SHA1
c5f13f6bd7fc7c4646aedb5193e473f097143fcc

SHA256
9dba6bc58b6134e130ce65ff029cb2e3550bdf70ad123f657473604424987041

SHA512
982c98ba7c1b80110215f7580dd03b731ebe2c4530f77ad658b7e05bf1ba4955f46e099988eb14cee8357ddb36f49c8f0d0126772dfa20f898528fae14c7ee86

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
401ca59b0c6f85fc4d7c1894128a2179

SHA1
59e62ab2bf2642df994337f2757a59828ebd9215

SHA256
49a7ab54a77327cae800df5e0b86d3ba0f16c9e18338a5e85b8f6849d118dfc3

SHA512
eaeeffc373b2b00d13222ccb37f7cc3bf4067d45305e61d89b9b09b967bc89d9b90e466d73915f543860887e81648bc7ee44e7c25eb2590ccff71ab3d6a92fbf

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8c646a417c8d624f2478cd12d0ee5738

SHA1
15067b90aa7d3eb852a26607a0768e5f7d730f6b

SHA256
41c817d3a843567a13e7539432faedc26165612ae14c8bf0f21da529aab3c7b2

SHA512
646320ddf6a13c799b1d635f0f2505d07ad09d741e2aa2783967e11f7bdca17f7f644a5422755f8254e86b95e7bf8f4295ffabdeaa17769fb6203e8330fc3b59

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6dd2f01084e3ef46351fcac1ed99cd34

SHA1
c0f2f2ceb601d1ee992b61ab58e81a84bbe83997

SHA256
d805d304185ad7ae4035ce604c89b8187fbc1805bb01e46585efd9451671ad84

SHA512
c34fd1d62740b04b8a831a079ccf8a98cf0e7c825d3fe58e79ac374d9c7aab861562743f94b81eb3e0dd89976040fce94c079b01bc64f224455b70f4336b1ac7

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1d32aba48449065b7f0be714cba28ff1

SHA1
a4256c9521116af3be51a112c1eaede6eb59a9da

SHA256
bdfea8ebad9487b5b4c3a0bab7ceaf2ce7f633608fe62a2aa247dbf3659b6fd4

SHA512
7f2a5305df5a5ee273a0adde87ac02a0fa5f13280cb3938b15620a16a015072fed4fb35355169af95ddc7c736e822f1b3e550dafeeab5b28d2b7f344fef6ba88

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
eca493ddce69bbcc1f30f19703e3a049

SHA1
1bd177c55abdcb97729c55003dfd105c401111ef

SHA256
d56faa59e7132a63ff56735fa0fb5f63862ca1f46237b35c7c7ecda45872e1f7

SHA512
602f28af640db67dfa34b1717bbc7ec6458ba0ec2dd4f338192c381f07107760ea61bbffd763de1474f24279d3255913d8391970730876de0c8cddb4cddd13f9

Download Submit
memory/592-232-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/592-86-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/592-85-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/592-93-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/696-345-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/856-193-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/856-263-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/856-186-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/856-187-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/856-192-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1372-401-0x00000000005C0000-0x00000000007B1000-memory.dmp

Filesize
1.9MB

Download
memory/1372-353-0x00000000005C0000-0x00000000007B1000-memory.dmp

Filesize
1.9MB

Download
memory/1372-351-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/1372-393-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/1464-223-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1464-224-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/1464-231-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/1464-289-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1476-205-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1476-204-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1476-212-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1476-277-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1624-215-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1624-178-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1688-369-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/1688-361-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1712-254-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1712-341-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1712-262-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1788-346-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1788-334-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1788-332-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1788-347-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1840-395-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/1940-217-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1940-170-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1984-330-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1984-331-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2076-389-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2076-379-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2076-386-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2124-322-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-302-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-320-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2124-268-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2124-278-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2124-318-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2132-255-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2132-238-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2132-333-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2132-265-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2132-239-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2132-252-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2132-246-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2244-398-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2532-335-0x000007FEF3730000-0x000007FEF40CD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-384-0x000007FEF3730000-0x000007FEF40CD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-371-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/2532-374-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/2532-373-0x000007FEF3730000-0x000007FEF40CD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-304-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/2532-327-0x000007FEF3730000-0x000007FEF40CD000-memory.dmp

Filesize
9.6MB

Download
memory/2612-329-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2652-282-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2652-290-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2652-367-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2684-227-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2684-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2776-0-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2776-175-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2776-7-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2776-6-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2776-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2892-358-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2892-385-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2892-336-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download