83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-12-2023 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
Size

1.8MB
MD5

c4a724439f89b867228d416d23407be0
SHA1

83ebc28c7cfd7de64be719b1c057679c9d383a06
SHA256

83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959
SHA512

5430855140174b0e479734523d328176cfc2e4c83856b08faccdb99b2a1ad6ddb6e6314e1672ee46c4af26fb8e9bdc76aac999530140e3aa720e78dc2340ec91
SSDEEP

49152:vx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAyJoynw0iv2:vvbjVkjjCAzJ1JC0s2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
476	Process not Found
2848	alg.exe
2672	aspnet_state.exe
2316	mscorsvw.exe
2204	mscorsvw.exe
2732	mscorsvw.exe
2276	mscorsvw.exe
484	ehRecvr.exe
2272	ehsched.exe
1808	elevation_service.exe
1516	IEEtwCollector.exe
2936	GROOVE.EXE
2796	maintenanceservice.exe
2704	msdtc.exe
2464	msiexec.exe
1752	OSE.EXE
2984	OSPPSVC.EXE
2008	perfhost.exe
1180	locator.exe
668	mscorsvw.exe
1496	snmptrap.exe
2296	vds.exe
2644	vssvc.exe
2440	mscorsvw.exe
2188	wbengine.exe
1748	mscorsvw.exe
2476	mscorsvw.exe
1520	dllhost.exe
1212	mscorsvw.exe
1160	mscorsvw.exe
1664	mscorsvw.exe
2752	mscorsvw.exe
1964	mscorsvw.exe
484	mscorsvw.exe
1216	mscorsvw.exe
2320	mscorsvw.exe
632	WmiApSrv.exe

Loads dropped DLL 13 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2464	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\System32\vds.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\vssvc.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\wbengine.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\msiexec.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\locator.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d85e650956fe8faa.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\System32\msdtc.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_fi.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_hu.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_no.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_sk.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_iw.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_ml.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_te.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_da.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_is.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\psmachine_64.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\GoogleUpdateBroker.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_en.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_th.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_hi.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT1852.tmp	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_hr.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1851.tmp\goopdateres_ta.dll	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6E1CCFB2-585C-45E3-BE3B-C7AD01E984DD}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6E1CCFB2-585C-45E3-BE3B-C7AD01E984DD}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3040	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1244	83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: 33	1636	EhTray.exe
Token: SeIncBasePriorityPrivilege	1636	EhTray.exe
Token: SeDebugPrivilege	3040	ehRec.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: 33	1636	EhTray.exe
Token: SeIncBasePriorityPrivilege	1636	EhTray.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeSecurityPrivilege	2464	msiexec.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeDebugPrivilege	2848	alg.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe
Token: SeShutdownPrivilege	2276	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1636	EhTray.exe
1636	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1636	EhTray.exe
1636	EhTray.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 668	2276	mscorsvw.exe	44
PID 2276 wrote to memory of 668	2276	mscorsvw.exe	44
PID 2276 wrote to memory of 668	2276	mscorsvw.exe	44
PID 2276 wrote to memory of 2440	2276	mscorsvw.exe	49
PID 2276 wrote to memory of 2440	2276	mscorsvw.exe	49
PID 2276 wrote to memory of 2440	2276	mscorsvw.exe	49
PID 2732 wrote to memory of 1748	2732	mscorsvw.exe	54
PID 2732 wrote to memory of 1748	2732	mscorsvw.exe	54
PID 2732 wrote to memory of 1748	2732	mscorsvw.exe	54
PID 2732 wrote to memory of 1748	2732	mscorsvw.exe	54
PID 2732 wrote to memory of 2476	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 2476	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 2476	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 2476	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 1212	2732	mscorsvw.exe	57
PID 2732 wrote to memory of 1212	2732	mscorsvw.exe	57
PID 2732 wrote to memory of 1212	2732	mscorsvw.exe	57
PID 2732 wrote to memory of 1212	2732	mscorsvw.exe	57
PID 2732 wrote to memory of 1160	2732	mscorsvw.exe	60
PID 2732 wrote to memory of 1160	2732	mscorsvw.exe	60
PID 2732 wrote to memory of 1160	2732	mscorsvw.exe	60
PID 2732 wrote to memory of 1160	2732	mscorsvw.exe	60
PID 2732 wrote to memory of 1664	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 1664	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 1664	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 1664	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 2752	2732	mscorsvw.exe	62
PID 2732 wrote to memory of 2752	2732	mscorsvw.exe	62
PID 2732 wrote to memory of 2752	2732	mscorsvw.exe	62
PID 2732 wrote to memory of 2752	2732	mscorsvw.exe	62
PID 2732 wrote to memory of 1964	2732	mscorsvw.exe	63
PID 2732 wrote to memory of 1964	2732	mscorsvw.exe	63
PID 2732 wrote to memory of 1964	2732	mscorsvw.exe	63
PID 2732 wrote to memory of 1964	2732	mscorsvw.exe	63
PID 2732 wrote to memory of 484	2732	mscorsvw.exe	64
PID 2732 wrote to memory of 484	2732	mscorsvw.exe	64
PID 2732 wrote to memory of 484	2732	mscorsvw.exe	64
PID 2732 wrote to memory of 484	2732	mscorsvw.exe	64
PID 2732 wrote to memory of 1216	2732	mscorsvw.exe	65
PID 2732 wrote to memory of 1216	2732	mscorsvw.exe	65
PID 2732 wrote to memory of 1216	2732	mscorsvw.exe	65
PID 2732 wrote to memory of 1216	2732	mscorsvw.exe	65
PID 2732 wrote to memory of 2320	2732	mscorsvw.exe	66
PID 2732 wrote to memory of 2320	2732	mscorsvw.exe	66
PID 2732 wrote to memory of 2320	2732	mscorsvw.exe	66
PID 2732 wrote to memory of 2320	2732	mscorsvw.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe
"C:\Users\Admin\AppData\Local\Temp\83567a7b3b9c1f490166cfca81ee834419a3b9a283fa97a1aebd4dd24529d959.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2204

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1e8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 1e8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 244 -NGENProcess 11c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d8 -NGENProcess 118 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 268 -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 1e8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2316

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1636

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1516

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2704

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1752

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:632

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
22KB

MD5
59b38b986430f44d5a76092d90eb94ca

SHA1
8a074cc19bb629bb389a854439944018e372e2b3

SHA256
83698a0a374c4651d716855456b451586c1a90b3c2ba0ba07b934bf017fefaeb

SHA512
c81163c0aee29cdf1961e0b1a98188634db6b8ad7d70000df2599f6803cf82845eced5efca89cfa5e820d4c01ba26fcfe53f58c2241ce272b9ff85e7ad4e9bf2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
16KB

MD5
ecfd0f8524ea4e8be3c3fa911a237d36

SHA1
199e7bbfcb6d9b90de06d7c8c68eaf5b944a1dd6

SHA256
92166f8f512a5d5d4c728613e86d7b20df1eab81f1de8a6f1ba88526777bddfe

SHA512
7a8af1bc575e456b0962f012f37dfb9a182108b6feaa3208f7d1dc6ff6b30f0a3dac49d8450556336728a14b74deb92e143eecaa3112a77b749e5589ee092ab0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
93KB

MD5
907802f6ff0a10864b2828476e097b3d

SHA1
e778f9876f5961a9dad1cd9f999b4ea0d9964439

SHA256
c848d65ddf3bbf2339ee9e597e886febc2914eebf6957e1c7fb2c90358f7b584

SHA512
85a3fefd356dde2a2f52764933fd1fb3523c3d504d4a98b7855bcad731c0c6f9dc19ccae22aa59760931d1f321a48028d6e13c3980b062891edcde0b28211bed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
16KB

MD5
54286545f3b89857b84a34ce92c6b304

SHA1
77bf00f36abeee180ee7385ab6e200aa413bcf4c

SHA256
79909b1909f2f2bbe91c0081ecfe15a7d80b5d64d8cedd52c58934bccc8ef03b

SHA512
73c2293ab774aa3087e6f6df13794218e7b4a167007a4f39a355d03f5da200654e2034e7717a16f4361f34afefbf7c8d11d245d23b4be304a216585367e93ff3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
39KB

MD5
2e7fb7e2ecf0d36bf865a9ae6f61027e

SHA1
1b3d65ce80d08a48abd9baa911fdb449bca3605f

SHA256
c2caf2dbcc90518489f4cb951e96ffa1e64d515ee0f198a94bd4642f9fa1d929

SHA512
2ab28b716393b153d2dfe211b376e102c63289317b012070c09fc429276b92f3659ff9b33c04d29aec8c4a654c28e270796f75a1242adfc1502a9f7f375a8c60

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
216KB

MD5
aa27a3b9033d6070705542e6bc338f86

SHA1
41ac729b5a076c9b5d573fd3329ba06d93b8c7be

SHA256
3ceab1d4a87b5a3f5911198e61bfc3c0e324a31da6548b994a24373f31e0dd82

SHA512
57f16c33cb867c0cfc0ed7813519f81e134540e93c9ac247872ae357933b1d4aad6caf9f3b6cc1196514a1f9a729d125d7a1f9c76316477608aba7fe1c89e1c5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
261KB

MD5
26def90aa110c9208a8b38c98334ad8e

SHA1
7e31614503b9ceb9360a9c087bc361ae3d9f179a

SHA256
226ef68224e14870ce32b73634a1c80665debc582e10530baea4518c73667c41

SHA512
c81df1ca2ba6d28a054112154b5706651367a0e6448fb600ed83ae47e481489c32d74ea1fe37f9fc6930f9e45c92952c08a433eafcdddf324e06815d8f1a9afa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
89KB

MD5
cbff084428dff4432fa2f9bff91ab9ed

SHA1
7020f7948fd24c01e342aa7a56715b0fb9790fe8

SHA256
3810644597074d69286e2a6d6d504a921c8ab765c01a1f7af992483936d00924

SHA512
3cc0e3677e710d926aac10b2db073dda3d20e85bc97d98a735ee946a3936511e4b3458e5505bf79a45658a2fb34aa405ed18739edd517ca35d1ce32935ff1bc0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
1KB

MD5
123fa8a59a3345271445cd8d8218ec0c

SHA1
53e629df9f4e5a8483635174828a00080aace01e

SHA256
c4cc217b3a872c691e5c49cc6568a7af67fc7a9ca63e66e0c15090e4ed89bc8a

SHA512
7dc81f09ea61270daaa24abeaa006c624750ca9f458061e95cb5906c9042dd567b6c5a5ea76fe01bf012552c2650c2926c967c7035df705679e692d7899fd2bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
59KB

MD5
15804b5f3cfaefbbe1db96c26beec6a8

SHA1
7d746c235c723b41a1ee4130653e5b5d58c69247

SHA256
1d22d6555a2b9c91fb7b65807ad07961231883603e78babf3d37d726d3685384

SHA512
221dc979d2b29a03b0e43be3fdaf72dea1e4f818805612c9ecab6e9a24faaa496a2f80c542dadc50f0cf1d35b02d50955f0675bfc9bedbf3d2604a38b9d82fdc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
118KB

MD5
f9a3509371f6c147b69429af4037ac6a

SHA1
13c8ffddf82a0375b608a314483987c4ca69b1e1

SHA256
088a67e934f4891c115911ef902bce6e5ec735d24e1b8dd95b2de94cb1ab1736

SHA512
f6e78ec813516490a24e86fed825d35d27d974fbe59a20b6c9421700ddccba9cdc405a9f591925cfc35609a8205964d7ceb3d5f1d408edbdeae470e0a78f8809

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
40KB

MD5
7f55b369e57a9c95508040dc94111a50

SHA1
31661f002f358f54a65d760395b18ae803e3ecf9

SHA256
6c15884b5b19b55786fdefdbdadb2d3c8d7b1b59941fe2e3071be38c4633aa3f

SHA512
2874b83b3bc5d23dcc94db4932fd712d81cff67fdbc5ed281e60217de1e16f085a1704144d4b1b11b425cf40ad0cbc04e5b6a32172de5c5294310e104c170a3a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
10KB

MD5
a6bc6bf0397e038d6415096563c4941b

SHA1
8ec9cb5e1ddf484cd813032256185ffa926e1c96

SHA256
130fe96f68a7029b4b087c6ca55c2a6aff4a6ee4d7c60e16c1fc8add3dcca03d

SHA512
1db3af353960064b0afc46cc70fca03c021b276ebbe5dadff01ae7dded465556dcb9c4c83eee1fd69fbd0f001d911277fdbb12a5a35484465cf7bdaad412a08d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
d4948e370093347982a612134afa830f

SHA1
c79f09cb33c40f193bdcdeca2889383aed8d63d9

SHA256
a1761e3584a05d9fcccf34059deb78082a6dc0d01284ad780c6373ffc4771ae2

SHA512
2532fa375ee2868186584397841c7a9d70c15a14c0c104667d97d78d398717176b35f8e0f4f91dc34442a1d740ea78da65a29f3c57e70e7a4b61f9d9a5c79a2e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
267KB

MD5
bed44b6e1447167f089c0c498372fd76

SHA1
0bcb15d44707bc8fcd973bbc0d8087341684b183

SHA256
479db9a5358ac67ddc9c8b2cd0dbd870872e4d4c156e0e1e7e9e9156546b926e

SHA512
86dbde58fcc6d671568f027143eb9c6d7384c594e398a74edf28356f53d72431bf719b6658d2b3382dbb1bcfe0d2264d3eda7ab16949b0cd3f6dbc41a02da0e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
6KB

MD5
58745c2e22dacfefff09a23c2aeafd42

SHA1
0aa0ad860d925087578021c4ab213fc2df9ae978

SHA256
0b85473e15d369f646470263414c16c67011c35da743c68f6c2e3615342af707

SHA512
e181456637012f28a365d4b61dd6fb694a2bfafbebd5daf768dbf53726c8896d3d027118f11434cde1bae94273f7702a6e790c82f4809502fc9713dc7d20dcfc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
73KB

MD5
9d66c98897da042baff5589b641ec00c

SHA1
940be90409c20c8dad932cec2ec0dbcdf25e50f3

SHA256
b6c22ceb14f80a7fa02355f9939b8db1d4e9aff046f9b510e15d422df2eee126

SHA512
4cffcd0503715da10647f7744de73359769db4931e7dff6b76df1a628ec2717a93f3abfbfdcdd78522e597833b8dd69d3db8ea1c2e3c87d54532e1f619617464

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
2bd8623e562221931c44671771030b4c

SHA1
b03b99eea6cfb1b89ee01226cbcf59561287718e

SHA256
5e39a8f7f1d5614cba457f6bc20743a0a670fbfb10dc5806364f8c6f1d63c536

SHA512
6adce518cc2434e33d785731d801cca6845b2f77270fb791042ff0d91122af222a9edfef488805bdd0f7480fb56dd087ba36cc19a69d8a4ac60d35188826ecbb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
39KB

MD5
26f31394aaf4e2484e915cd750ce57db

SHA1
21da7c2d60c9973f1b7e70db1a9eee0ecd61b7e1

SHA256
7570f1b16ff19c454f78d5e9354eab560d649e0891054aee3a41d6ed0bc8755c

SHA512
140eaab980df327807c791a11fed51f3599e1f9cbd442f686c95600ae83265dfbcebbb36ad04171c2d4b536b95a4d442c36451fc21bc857099f5d5975931899a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
205da0f3ef4a86ecef87e3da85e5c40b

SHA1
8406e8b13fd000200c638549d4fa19206299d4a6

SHA256
f2bd82147f5efb66713a9001db47778f5b21c680b9dc57f2eb265b8203f8f963

SHA512
6b31588dc337dfc5ab6cc9b9541e2acb3b69d7ef91e1253ea02d2990736cf96e638d964c918c9f21f1c7f0bff7eb77689bb9f1e3180e32d0276cc9e9faece55d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
56KB

MD5
450e71be82b92e765a966ebf774352f8

SHA1
f02f985ae5423ecf9810539891ed39c7f5cc295a

SHA256
6c10ecf54f02734902063a547d0ca91da1b03ebd799f70343d3cb96c93f671ae

SHA512
b8d74993755a73605f406637d2e40c9d162219f6b10103b340e2f8d615f0b79d6e471e3c84a4a5aa53dfff981b9c51b8a39e7db8ddcccb242b1c7281d5bf24fe

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
85KB

MD5
fe7a3d1329ed0bcc0ca244bcb6111295

SHA1
ddaf074dcafac541680cbe5ddb3ada4efb43a00f

SHA256
a2abf17d1072df5343c05a7e6540661f07623aa177b71234d65f0b2c1e68cc54

SHA512
1866037edf1b4b2726f84c529c1baea1ed7efd90a37c088354e172185edd61f5bec70221b1e53e097be4fcfdb5d1696de09e6bdbe054e2368b83dc19307f2c0a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
100KB

MD5
ea70d9fef35b9825cc09e24952c027f7

SHA1
dc42489e69f9836b632fc7684bb6b429b987f4b6

SHA256
c9f7a24daae806e4c695dcdfa291d9e9dd37e0eb7679ec4b5ad5ec1bb8a73add

SHA512
66947e2933e7dd0cbc6f428bddf696ee87b59e5018893dd92ca71eb6a091aac9ec4cf63d8ad4e7fb3a813b274f4e91f52c39cf77be5f973ef85fdef5cb62f960

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
58KB

MD5
158d980a51a622daa8e96edd4ca67703

SHA1
86f58fd7304afa27a6cffa155752beae8d098ff9

SHA256
4b52100dacda7feea305a3df5172111c7f470e6e1330b908d2eecab6ada21ea1

SHA512
196966a0cf028ddb54325355a663369ed830357cea13cef6e5f996f5b38bffcb7488b1feb0ccedc03e1b16030012186e1b7aa44ae35bfb9d39344468dae387be

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
533KB

MD5
bdd274dd3c3d9b276dc7613d588d8acd

SHA1
78813f2f2e1510f844a96790d439b8b6e52b03f8

SHA256
91f86f9a49a3dd1957879e10d115df00e5d034d47851eb62a32e3ee9d48dcad8

SHA512
9472fbfa70c4be68abeefe33f7e278e3031029a9093df2c7507c70944b040f40f8fa964333bc5f185439cfacb0f168ffa46adc1d47554a3caa6ed73ce040d9a7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
625KB

MD5
7b7ae4a6f2aa1cedb502cbfd1f890716

SHA1
b55d5898785a80729572cdff397c003eee72a76d

SHA256
2e169824afd02b0599eaca8898e3410465906f9c3515d46f02e48f80a42dbf0f

SHA512
18ebeed7b616e0ff9fd921154bbfbb5cdf2420d68eb567e7a1fb19f6fb4b6986cfc56dd01861e0debd383e3c3a7c2ba9ff409e391ad83db9dc6e153c0eae5c60

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
21KB

MD5
0b46ceddddedcfeb6296cbd1d5c95976

SHA1
ae3a9a393af536080aeaac839b14f8cf08e7a53c

SHA256
23cd23e3e4e307575d88bad96effa673a206c01daaccbff3364b66134cbd0452

SHA512
52f6787f7e2bddcc5dfbda4b6283996f5d9e3a03dfb3e440a54c7eb87dde37343df105321003ed80ce717742b0cbf5cd9c01e1b1d616dc51009110bf10d14e6e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
465KB

MD5
c6cc9a5a067360d7e042408bb07cb1cd

SHA1
b42c27a48dc3df1a426aa62b89c16092222aa2c9

SHA256
3f320add886c47d12322fa8d0775666a9aae3a6db3187f6c041d34ed0f1854df

SHA512
31ebe5dcf9fcc85a1596eef35e78062384620570f2479740352441c4c656918d0c827a33d1894bb32c91b10b45a5c85ea1d23ffe275fe3ab55aa88c64684be68

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
98fe1a04d787af497ab80434396a8e20

SHA1
c7c29a567a15e0d330bfba402c5af8cc7936a377

SHA256
a777d9db1395b57010e20fa809417393e03dc54918f8d37fd3199f4ee0ed312a

SHA512
298fca37074607857450d02e29e69d38c7ebbf25474559311394ed152f76dc36cb81bc2d4c951e89059eb25bb5e74a2062aaf65386f1278b050fbe5b1ba08037

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
5KB

MD5
46a641fe43957f384012f85f931a0c53

SHA1
fbacb503799b050b263186a37878dfbc658fd0fd

SHA256
51a22b250ee870805a34b67fb49beca82619b8b401c682839257460e1b3ab91e

SHA512
daba68871d8e57b66494145297bd8fe4eeccc455c73c90d9c619ed66226ce9e2f507f8233e192a200c799a66d509bcbfae7fca286d32374eab72862b79a0680e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
63KB

MD5
855261292a5760b7236c22601306fcc6

SHA1
ec6ce01bbade6c51f4399b05b0f474b6c4569b9c

SHA256
32c6152806aa1d16d0190b52140844573af826bb53ad86b816462c510813bb86

SHA512
623746374cd31e6d589ab6f9ee50ba0f9638e1bc4e3e9688d129a8368be5686226c76f78b1f432aab2dc134d6b47fd48eaac41be10caa6260dc92225e55283fd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
52KB

MD5
ffd5dc879400b75ad0aeca28af9c379a

SHA1
665eee18809c4c0949e7d185eb890bb995773acb

SHA256
2efe83263e821cb154054095c8714b6c02156ed7486f4fdb5c63b597117b07f4

SHA512
ecfe74146052a123cd400dc9f5f30b03cb49d1e1ffd2254fd5ba2e97a40bb03bf2b119fc8c2d226265bfcf4672ed98d3bfc53dcf3fd4ba4966b7014419cfd4f5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
26KB

MD5
8b33cecf98772462ac145437070eacfe

SHA1
0dad21e5c468eca30f04eeb06a480cfaf20c4946

SHA256
aab4af5690792894dd16636a9402c4915a3172164d1797a91b6c9dd57cdd8937

SHA512
f960b55ae7028dba21e276e63dc8b303252f0d240a8859738689c63e9399fae957ebaeea6462d64dc450ccd35d7e696854172d415d27e74f3709a03c53856957

Download Submit
C:\Windows\System32\alg.exe

Filesize
133KB

MD5
897e327667571173b333b70ba4e6f5b9

SHA1
0991a234fb96ba03b77d925d512ee0e61185240c

SHA256
dcfe3376b6fbf3c3990eb3e32656fc6fb96479c75ae382b3e53b26ae569bbaac

SHA512
e3c78c8eaee296ab26534bc5213cb8cd320a526eab6547e6fae18ed9dae4edb1e1c2bbfd7a4e6cf4e2f6eb7ca4cca7a64f97436c94594d68fb33373cbd580d6d

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1KB

MD5
504b1ba51bf4b97f4572f5c61ac58563

SHA1
6bdcd9fba60c7221ac0dcb40443aef91e0402d9e

SHA256
fcfc8e061337823e9f7eeef7e3834502dddbbb0af4166a67b83f5b60086fa93a

SHA512
794ce5b7c849fe47ec69bf11c866fe543bae55f1b8d78f24825bd5ab60da3e0b46cd1d65c738fa685f1dfe68fdb08f04fe667571e6288dbc32c39ae531238a25

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
25KB

MD5
50558f094d4b58e411e6eb5f70ab8080

SHA1
98330daff54ff4d7999545dcb55d08b362209c39

SHA256
f999823515415d0af1ec09eaad4509aa8ef08c4abb539d88812247b6be50cf21

SHA512
33dda8d96dfdefab97b96340dd5a74904c83b9bfa2e7c9f06fe27305bbc52ca08f063a6adef198e229732ee0531d294da3ac32a92024fd9b3a78570c6f19eda0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
13KB

MD5
82788b44a6fb4c5918666fc8130603b8

SHA1
2a7aab1ab2cc6b9fecf45f60bba5feb446b02283

SHA256
ef8ead26c0ab85ffe08f64092ede01466536b523573d31b6213fd2b54d42397f

SHA512
c7443b13157f45b2b655a47e0f0f40410e0327af47d5d7a083510cad1642354b6bbee36977f0c3e88e9d3e79a018a595922ef362cac84ada61400ec4b8a82dbb

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
51KB

MD5
192fa3d538b31a55c224598c8fd3f3de

SHA1
15ad0c553f8ecffad1919277361a9fd85c1f626f

SHA256
761a2940145923cc6f404cc957d61553f60cdb05843991eb4e9a0e682e9f604f

SHA512
05a5af1505c238f5e06296cc74bc316487070553af14e8fd1f8822c0d7827545fdd546a3978dcb03be2fc158d4017bfa13ada5a04eda5447488dbb7b2fa54dd8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
26KB

MD5
cf6bfc435bca9daacf6cb5f65496b793

SHA1
4583a3cf5bda4a33f2f310654dce33184180829f

SHA256
8511b4c4184b9788efa931d3543329c8d2c2b16dcc522f3e7b1f3f246aae31b2

SHA512
d5670d70149bb6dc5b4cb153ca818ae02b572aef70d62a3a639dd22f1d9e68f2b0217ad72e9a486f66a3cad6f3fd78b2a9e76d68d7c0882f655d154c80d4a4d7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1KB

MD5
7e9eed554c6f3e8f2307eaaacfc6862d

SHA1
bc992d532b17fe8df7cd19d9c245e3b7a12178a6

SHA256
6a77e26dd4ef7fc01c2095f8095bbe10a477b92efbdb89e55e79c2270f5b4947

SHA512
cd45f693491a0e6758bca665f0e191a314d6e83da1ff6046110b073af402a0ed3ac8e8d57cf4616788b6912ff25ccef718417a565ded6b3757b0aed5b653d297

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
64KB

MD5
c541c5d694492fa56fef74b2657c7f3c

SHA1
e1753ca2d121cdd5f253c459f320bdce34dd1c7c

SHA256
068c771848e08e8c80fa4a1d1e383d5b743e82c2f55ac2f6e87daebf33c0c49f

SHA512
9e3b74d3a9dea7df61845ee893cac135369288963ffc775b993ac5ab5314f111841d0fcfc681f27a0818dae4c1d026fe9c2fc07f96be1672722b90c5403f8784

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
39KB

MD5
48a6f7154d39d6704b47f924d50164f7

SHA1
0dc15675170a6869cef743dbccac67598c256806

SHA256
4328802cbf2e5a36f891ff2ef7168d53296dd5fe4bd4bd3799603c80c7e0581b

SHA512
2e09782664ca5ce2511ec8803bde63972322201763fe0bed6038aad9496ca02cc9c826916733152671033dfff77fb38853be02639e62dc9fedff89de180a8042

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
128KB

MD5
7623c06dbb08911365396b8795478d1d

SHA1
f518c61bb0bf8afde7db1f23ed24e49d0ab207b6

SHA256
42592d61d874aed685b9043ae3cdcdd2883dcf8b13717d5542c9f9ce49592a2e

SHA512
fc88cd6217b212d4f9d52feae3a10c000527a00cd04d0740ced90f9dbdcff1db758dc498f23791dbf00fee4adf01cfa02ad43c8ca1337f0fe7adccdfab286ad0

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
36KB

MD5
78a29de6a819d6282e7aea8442fbc031

SHA1
619df6878f5523330df98826e9de0f597ad2fd7b

SHA256
b7e656df74038c72d11a39304670d9bb024f262ced3c1c9f76682079e36ba545

SHA512
620bb772cdbe1380c4708fc22a223fb847028203fea3e9a0fd0fab90e3b92d5539a6404df1401e672f23e0e773a308fbf1e5fef360fe9cfd4b6d432801de028d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
49KB

MD5
3b2a85d2a28ba019f056cce635430131

SHA1
020e9ff5b35732e4bf0939f6e4e96f2dbaeb7c20

SHA256
e3d72a9449eaec74fe0da0ee6b575cc023d8c3813e6a10817c05d5f6c159ba4f

SHA512
602e857862337bf85891fdabc00988b8be7de29b3d71884931e4121bdf9d2d5228945f27a0d27d84f1085bfeca5edaf0bbcf108d56df606a59706618d6be0971

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
58b65be927961456f0e0e07a54c22c45

SHA1
8c098f46bc4c4d9f8c514c055e810ce31be0beff

SHA256
687bfb7d415d619faa5179e5392a327ece2433065b2dc1ea94d71d37e7d9d899

SHA512
c3d7053e8a9c582f6ef9cfc50252a86894f3e93b7de58d8575eb2afa3237e8bd17090e019b99fa582ec285e047777d716a93c5e07a1838b410fe971ff7641de4

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
64KB

MD5
ed6f8fd4468694d6a92176b00d67f1d8

SHA1
5705cec62e2f15c5de395c698150b8684a6f1cf0

SHA256
52f985bc0e1295172ef73fa3fbf3c6ae256d855821cc6fc04bb71348b8e82b46

SHA512
9a229008650de5f193889d0c4f82eaa8024bee12c122478727b5a2f5b7dbee6205dd780e08904fa4636db9896151cad187237e25653f5845d912034d7c8b77d8

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
47KB

MD5
b24cbbb415e762b40fe53882b43f2a08

SHA1
bac054a011969ea8b8bdf6a263be4d5fd20d005e

SHA256
be503857798314ff175f53718f06e11ddadfca21a79ee32a7403557973bb3dfc

SHA512
c7b8d7f351f954a07528c526d1944566523aa1c869f55d8d113b4f3cade4581139768e7427ec6ece083b7bc2713d479cbd390f7099b0d9d3018e7d00008ec7d7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
107KB

MD5
5af327640768b6a23425cc0c3f2089ac

SHA1
48ca548c4cae2b99aff38f263827135101100508

SHA256
3803d344dfe2ce440eb9d10d26c90cc601e75a4a10c9b8215dd13407d9638172

SHA512
3b56e8c7f7f6ae08c2dd5a692e206a0cda2df90ec1e4384fed119806bd4980057db96e3f4d754a4e13f79de42df4e711ef50742a068d5666d003d3dcdc4ca1a6

Download Submit
C:\Windows\system32\wbengine.exe

Filesize
55KB

MD5
66dce1c8b8d7afe89b0dd5a78107ef4d

SHA1
8c8b994d2ea8bbddbfac5420b59352cbea7fcdd4

SHA256
922675a0f4cca16a70ddcc5ae2f6d80dd6294df757d13e7bd2bf2702d9796316

SHA512
8896538a25e96d814aa106b6d969fe2e832ccb8decc5ea6454b7c8caee508e47754cfd100556f98479f120432a45755673e43751fe55e9d22f2646ee6545df39

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
386KB

MD5
f1382b8bf7b067cc2dcce49235f9c95b

SHA1
ff53f47f02ac1b8ca410b1608bfc0b23fc5ece45

SHA256
a6c5775362b3d84e762f6dabce9a284637627b342d87a8b3b68532f528371948

SHA512
a4fdd41b67d80dd375d78bdbd10fca0dc03f34cccca9789f36d0ef0307280a83b5edf8e2d92ce83cdee82d206d7d782e69c3d680a7b2a043f074676f9176f32b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
126KB

MD5
4b431ea28b4847c18426621db7c3f6d3

SHA1
6a6e970df9dc2f53d65e487f8db1fde5e63ec455

SHA256
df4f2606435c22949803244fd3be986894a01bebdd4fcd94218155437d6c7a1c

SHA512
3ddc981d9cd700183e3d9c595530c36a01762bb4c90da70ab9a14b56ba0b2cef72394b3164e4cd098533412f466b796c83c6a4f958e3487a368f7d332f81cd21

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
84KB

MD5
a71277e2c8ef3ce551591213a6d3677a

SHA1
e527048eff2cb7b86695bf49a89e50cac5611563

SHA256
e0bb4335397a2152e7e60b44989ef4f3afee74f4915ef984cb31375e5553f3f6

SHA512
e39a66eb572d1a488515ccc0684d4b7a80793862076de521fb61950235c6dc14dc8494ebec1a4385b8e544ac0402624c6119c37eea1fc96d6be0c65f5503c8b2

Download Submit
\Windows\System32\Locator.exe

Filesize
45KB

MD5
75d33b399e92f6a3cb08a0d72004766e

SHA1
3ba1a9cb3097ed2a1ff64d434ae78e04d7bd52e3

SHA256
e3d1749b4bb67eb3210b827b943d7f27dbb67e2e9e98de3ed3fe54a1dfa8d164

SHA512
6689a4ad149c564edf92d8eec6309e4b9838844b2b2662047ba9307519b9c521db60bc96a16d81c8af4af238628d193a891a0f17b03974c5c69f26f9394d30cc

Download Submit
\Windows\System32\alg.exe

Filesize
192KB

MD5
7df25f6fa9af0beba126387058c1d6e0

SHA1
666d6969cb9441e43e4e1ac47eb78300d4b60a14

SHA256
53c21117a1827673de848c222cfa71698848fd3df970237510c758bcc79da900

SHA512
c2c36484df0312510e1eaa8acf4ee507a47c312bc9b8d844cfb03711b587eb60b982032b9d91694ef977fdf1043977810d844721f7e0522ba74087979fcef35e

Download Submit
\Windows\System32\dllhost.exe

Filesize
21KB

MD5
73a8fd401f86be45382984046ea21246

SHA1
c55d145485dbc998ff8073fef302e9eae28a9e06

SHA256
c0c7c5cd076d8a871c06e73ae85ff52f78d57b3f68fd85cc3fa2bea98ebe2ff6

SHA512
de3091ed20337ccfd0dbd040f0a4da84f04b6f7d64a761f91f99f1053e2d97353949e944c5720ce2867df75886c2074ad36fb47f11bf31328df8cc8ae3541cac

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
52KB

MD5
893f3a2ac45a48ec4ec7bb5a361acd1e

SHA1
5906098c98be836e97f4196e39392d364b2d7052

SHA256
a95afb21fce03fc568286da5ae5973d74f2bc0ef83f1508d1436112d8d247b6b

SHA512
fa28aab28f662256dfa46695d264ac883b04407d16cad47946864108b8181179d702a18ede59cfcb21d69d83987c9d317838ab9375bb16e69584f489c608fae7

Download Submit
\Windows\System32\msdtc.exe

Filesize
21KB

MD5
5d660495a863c58105f23922507f1424

SHA1
fd5f5324409ca9e50743ded14a4bcfc4bd473854

SHA256
6db13453ff92d8afcdf0e9286b8cc87b8ee1adbfa179d87c1d1a3976d3d4e30f

SHA512
de9fff2e6e27c2e6a9f256f6f074ae13134b6081f924082a2a1bc0c4e5c6b133dbcdce5af1f87ea311a4e63be72676687a252ed156d3252b081df86dc86639fa

Download Submit
\Windows\System32\msiexec.exe

Filesize
19KB

MD5
8f937009b281602b929cbca79cdce451

SHA1
3cd50e1e782b7c5491a34b71c610ee3e5c24b83e

SHA256
269877fd88ea2c509fcbbbc6da3befb0c2d88e0f0fca953051b6a64db2d17ff2

SHA512
407c8ee9e3d94416d0e296f287c8d0438e3cdf4f5f941901b8f660f1750129e3b42a5f7d74040d840ebf490ae3123ddf26159674e7cd586cb07b6f3cfe0c8d88

Download Submit
\Windows\System32\msiexec.exe

Filesize
12KB

MD5
c96da65ba0745157980c0c7baf781cf8

SHA1
82d7fe4f2178263a63834d513e262a4015c22cea

SHA256
43bde7eeea1c455ac0256bf1d22e03ecba0ad70c51e284e13decb666308e6679

SHA512
38dbba431ca90259e4ea55a22fb696586b3926849e551cd1a075389ec7b8efe729f4736daf584f37c86429e8d9000156148d1d88bc6c37174c0f6791858ad6c0

Download Submit
\Windows\System32\snmptrap.exe

Filesize
31KB

MD5
e415a172bc8957933182503245b19d41

SHA1
93a1e6152433902c8f4e6d5fb5302b2846b394d8

SHA256
58b4e0e168e2f2da196033325cee0c7bda67b8fe1c4b1af9a628dca1a5e0fb2a

SHA512
1af7c7a4e1d1a233511ababe542b18924a1f31902584dab9c97624aea417d777b5ae968c0e53fda62d9726ec69c1f57ed035bf0691c32b5f2ca0ae145c484262

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
85KB

MD5
a968c4c4951b54c913a80ecb7f1d4e77

SHA1
00e4cbf6a8de23ea717dcecf356fbb771ba6cf4e

SHA256
d51379a79e5e2076561a102b531f4a4ae6c95a0b5bc69a42059e390b5f834a71

SHA512
2c041b26db4676d80b7ebec97219d6abcf64a7f395760c44ca075e197c350b2921a31e7cccf1b5a8065b354b4ef7c83cd9017a6824b5f40997cbf2ba9a41cc2b

Download Submit
\Windows\System32\wbengine.exe

Filesize
24KB

MD5
114252f19a3869a058050eadc9b69386

SHA1
390f239eb0e0a2e5c3ec5fec3baa0e3d3912d6c1

SHA256
15d9bf0a2cdfa66e8beda4de54cf2f5e9e97b385fac7e8c47c38d7680f5d558a

SHA512
be4bd3504ffdec58639a4197d49f238726d9f3aa50073fe3c3a18cab6eefa6a98a881ba79a56f25c11e867eb048648e85a4d307bb585d061d293d622e6286438

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
31KB

MD5
7d1b52f33cba1da20e195af3c4990642

SHA1
c41eb05b9c65ec5eebf41dc65356f1ae395dad12

SHA256
6696f259ffe118453d3fe0be0381c2d8b831c6395602b173230a83c34a93f4b8

SHA512
3682ca8f76ed72b387eb856c4d076695949494c545938decce199b1a560db8729416523bc606b746470e2b31df84890604fd74d4262b604ce8bac09928997576

Download Submit
\Windows\ehome\ehsched.exe

Filesize
32KB

MD5
bef82d9eb482361b99125605bdc1fa01

SHA1
416e247a4cfba9f56b3dc5c72b5cd2e5f5ca381d

SHA256
2b1265d92f12fa702594de4ebc480b99a4639e58ed8d0ea32bb468c3b6a8a3b2

SHA512
301dbfa4dc0f1a90664acc6e342099c5bc051c3465f06aec3f3755a0dec61cc60e2770add38c20107036da6ccb59dd44faef8b5507aa1f002172e24eb5125b8b

Download Submit
memory/484-188-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/484-248-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/484-181-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/484-206-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/484-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/668-363-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-366-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1180-350-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1244-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1244-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1244-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1244-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1244-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1516-236-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1516-237-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1752-310-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1752-373-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1752-317-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1808-281-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1808-218-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1808-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2008-336-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2008-345-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/2204-158-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2204-132-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2204-131-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2204-124-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2204-125-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2272-253-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2272-198-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2272-205-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2276-239-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2276-163-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2276-169-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2276-172-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2316-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2316-157-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2316-108-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2316-114-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2464-360-0x00000000005D0000-0x0000000000682000-memory.dmp

Filesize
712KB

Download
memory/2464-294-0x00000000005D0000-0x0000000000682000-memory.dmp

Filesize
712KB

Download
memory/2464-352-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2464-289-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2464-307-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2672-102-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2672-103-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2672-96-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2672-80-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2672-191-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2704-283-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2704-273-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2704-334-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2732-145-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2732-144-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-221-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-150-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2796-256-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2796-263-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2796-269-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2796-268-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2848-171-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2848-14-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2848-46-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2848-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2936-306-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2936-249-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2936-246-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2984-332-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2984-322-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2984-330-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2984-348-0x0000000074798000-0x00000000747AD000-memory.dmp

Filesize
84KB

Download
memory/3040-232-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-233-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/3040-343-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/3040-275-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/3040-234-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-288-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-292-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download