782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
Size

1.8MB
MD5

2fedbdbf9d5823088ebc1fcc0f4a1832
SHA1

fd805c36a32b4eaa728c5f4af8ae7f3cdedca902
SHA256

782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90
SHA512

5e04da11c8ecd3b94707379ca43dca5c058f52e5b7fa75022a8c4d2abdd68c42cf896db596ef1898e25f3fac8ac55f53297d57951c7c8fe5fc105f45dbdf5741
SSDEEP

49152:1x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAUaB0zj0yjoB2:1vbjVkjjCAzJSB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 55 IoCs

pid	Process
464	Process not Found
2120	alg.exe
2628	aspnet_state.exe
1056	mscorsvw.exe
3048	mscorsvw.exe
2888	mscorsvw.exe
2868	mscorsvw.exe
1164	ehRecvr.exe
2416	ehsched.exe
692	elevation_service.exe
864	IEEtwCollector.exe
2740	dllhost.exe
2588	maintenanceservice.exe
3000	OSE.EXE
2944	OSPPSVC.EXE
616	mscorsvw.exe
1620	mscorsvw.exe
2400	mscorsvw.exe
1992	mscorsvw.exe
1756	mscorsvw.exe
996	mscorsvw.exe
1552	mscorsvw.exe
2940	mscorsvw.exe
2896	mscorsvw.exe
2880	mscorsvw.exe
2000	mscorsvw.exe
1176	mscorsvw.exe
2196	mscorsvw.exe
2568	mscorsvw.exe
2608	mscorsvw.exe
2436	mscorsvw.exe
2696	mscorsvw.exe
108	mscorsvw.exe
2124	mscorsvw.exe
1192	mscorsvw.exe
1992	mscorsvw.exe
2148	mscorsvw.exe
1884	mscorsvw.exe
2316	mscorsvw.exe
1736	mscorsvw.exe
2144	mscorsvw.exe
2380	mscorsvw.exe
2948	mscorsvw.exe
1264	mscorsvw.exe
1984	mscorsvw.exe
2876	mscorsvw.exe
1632	mscorsvw.exe
2320	mscorsvw.exe
624	mscorsvw.exe
1144	mscorsvw.exe
576	mscorsvw.exe
1372	mscorsvw.exe
1204	mscorsvw.exe
996	mscorsvw.exe
288	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1984	mscorsvw.exe
1984	mscorsvw.exe
1632	mscorsvw.exe
1632	mscorsvw.exe
624	mscorsvw.exe
624	mscorsvw.exe
576	mscorsvw.exe
576	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\567f00b3d795e6c9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_ja.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_ar.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_is.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_zh-TW.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\GoogleUpdate.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_et.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_th.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\GoogleUpdateOnDemand.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_ca.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_es-419.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\GoogleUpdateSetup.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_ml.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_am.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F48.tmp\goopdateres_zh-CN.dll	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8A26.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7C32.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8FA2.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E325B4EE-DDDB-4C33-8689-DBD99AC0E306}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E325B4EE-DDDB-4C33-8689-DBD99AC0E306}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP81BD.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1980	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	320	782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
Token: SeShutdownPrivilege	2888	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: 33	2096	EhTray.exe
Token: SeIncBasePriorityPrivilege	2096	EhTray.exe
Token: SeDebugPrivilege	1980	ehRec.exe
Token: SeShutdownPrivilege	2888	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: 33	2096	EhTray.exe
Token: SeIncBasePriorityPrivilege	2096	EhTray.exe
Token: SeShutdownPrivilege	2888	mscorsvw.exe
Token: SeShutdownPrivilege	2888	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeDebugPrivilege	2120	alg.exe
Token: SeShutdownPrivilege	2888	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2888	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2096	EhTray.exe
2096	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2096	EhTray.exe
2096	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 616	2868	mscorsvw.exe	44
PID 2868 wrote to memory of 616	2868	mscorsvw.exe	44
PID 2868 wrote to memory of 616	2868	mscorsvw.exe	44
PID 2868 wrote to memory of 1620	2868	mscorsvw.exe	45
PID 2868 wrote to memory of 1620	2868	mscorsvw.exe	45
PID 2868 wrote to memory of 1620	2868	mscorsvw.exe	45
PID 2888 wrote to memory of 2400	2888	mscorsvw.exe	46
PID 2888 wrote to memory of 2400	2888	mscorsvw.exe	46
PID 2888 wrote to memory of 2400	2888	mscorsvw.exe	46
PID 2888 wrote to memory of 2400	2888	mscorsvw.exe	46
PID 2888 wrote to memory of 1992	2888	mscorsvw.exe	66
PID 2888 wrote to memory of 1992	2888	mscorsvw.exe	66
PID 2888 wrote to memory of 1992	2888	mscorsvw.exe	66
PID 2888 wrote to memory of 1992	2888	mscorsvw.exe	66
PID 2888 wrote to memory of 1756	2888	mscorsvw.exe	48
PID 2888 wrote to memory of 1756	2888	mscorsvw.exe	48
PID 2888 wrote to memory of 1756	2888	mscorsvw.exe	48
PID 2888 wrote to memory of 1756	2888	mscorsvw.exe	48
PID 2888 wrote to memory of 996	2888	mscorsvw.exe	51
PID 2888 wrote to memory of 996	2888	mscorsvw.exe	51
PID 2888 wrote to memory of 996	2888	mscorsvw.exe	51
PID 2888 wrote to memory of 996	2888	mscorsvw.exe	51
PID 2888 wrote to memory of 1552	2888	mscorsvw.exe	52
PID 2888 wrote to memory of 1552	2888	mscorsvw.exe	52
PID 2888 wrote to memory of 1552	2888	mscorsvw.exe	52
PID 2888 wrote to memory of 1552	2888	mscorsvw.exe	52
PID 2888 wrote to memory of 2940	2888	mscorsvw.exe	53
PID 2888 wrote to memory of 2940	2888	mscorsvw.exe	53
PID 2888 wrote to memory of 2940	2888	mscorsvw.exe	53
PID 2888 wrote to memory of 2940	2888	mscorsvw.exe	53
PID 2888 wrote to memory of 2896	2888	mscorsvw.exe	54
PID 2888 wrote to memory of 2896	2888	mscorsvw.exe	54
PID 2888 wrote to memory of 2896	2888	mscorsvw.exe	54
PID 2888 wrote to memory of 2896	2888	mscorsvw.exe	54
PID 2888 wrote to memory of 2880	2888	mscorsvw.exe	55
PID 2888 wrote to memory of 2880	2888	mscorsvw.exe	55
PID 2888 wrote to memory of 2880	2888	mscorsvw.exe	55
PID 2888 wrote to memory of 2880	2888	mscorsvw.exe	55
PID 2888 wrote to memory of 2000	2888	mscorsvw.exe	56
PID 2888 wrote to memory of 2000	2888	mscorsvw.exe	56
PID 2888 wrote to memory of 2000	2888	mscorsvw.exe	56
PID 2888 wrote to memory of 2000	2888	mscorsvw.exe	56
PID 2888 wrote to memory of 1176	2888	mscorsvw.exe	57
PID 2888 wrote to memory of 1176	2888	mscorsvw.exe	57
PID 2888 wrote to memory of 1176	2888	mscorsvw.exe	57
PID 2888 wrote to memory of 1176	2888	mscorsvw.exe	57
PID 2888 wrote to memory of 2196	2888	mscorsvw.exe	58
PID 2888 wrote to memory of 2196	2888	mscorsvw.exe	58
PID 2888 wrote to memory of 2196	2888	mscorsvw.exe	58
PID 2888 wrote to memory of 2196	2888	mscorsvw.exe	58
PID 2888 wrote to memory of 2568	2888	mscorsvw.exe	59
PID 2888 wrote to memory of 2568	2888	mscorsvw.exe	59
PID 2888 wrote to memory of 2568	2888	mscorsvw.exe	59
PID 2888 wrote to memory of 2568	2888	mscorsvw.exe	59
PID 2888 wrote to memory of 2608	2888	mscorsvw.exe	60
PID 2888 wrote to memory of 2608	2888	mscorsvw.exe	60
PID 2888 wrote to memory of 2608	2888	mscorsvw.exe	60
PID 2888 wrote to memory of 2608	2888	mscorsvw.exe	60
PID 2888 wrote to memory of 2436	2888	mscorsvw.exe	61
PID 2888 wrote to memory of 2436	2888	mscorsvw.exe	61
PID 2888 wrote to memory of 2436	2888	mscorsvw.exe	61
PID 2888 wrote to memory of 2436	2888	mscorsvw.exe	61
PID 2888 wrote to memory of 2696	2888	mscorsvw.exe	62
PID 2888 wrote to memory of 2696	2888	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
"C:\Users\Admin\AppData\Local\Temp\782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1056

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 24c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1dc -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 270 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 294 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 298 -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 274 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 260 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 284 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 2b4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 1ac -NGENProcess 10c -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 254 -NGENProcess 1b4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 200 -NGENProcess 25c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 22c -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 264 -NGENProcess 25c -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 110 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 264 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 278 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 264 -Pipe 10c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1164

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2096

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:692

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2740

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2588

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
63e554721515b377e9353367a835dbda

SHA1
7f1664147420520365fc025672e86a5836193262

SHA256
e88946f52acdd0d0f431e2179d87b0540711ce6d7bbcae167dd98a1d18ed8886

SHA512
460a727e3abe249b15c849833466c7dcbacc4d600dcd55ef7f37fac28402cb909413b5dcd7bbebe6d7288b9b62948f53d9ae43722b6bbc2cb69b43af45ce8255

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
ae9573e890e0d758bf5cbd55f14bb678

SHA1
f540f8adcae94adccdaa623fb56189449f67a981

SHA256
637f7a076afbb7652e1936b5aa3f373e14ffd3b8d5b2207969ffb7835596c928

SHA512
4747d18374a8ce5b11e9c2f697259d4d936c9b0110e1433d4b4861ffabb8727ca85d618a5b75dce9ac7606b754772705e4befcd816d3fa4314b38ec388943eaf

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
227909306e60ed3052c44d4a2f9788fb

SHA1
75d6db5f2c18300716eaa33461a1ecd73f57e305

SHA256
fec0be40709b52399c4608934d661539e299f0c98a0f755b2f03309f88d3912b

SHA512
d19f918e0f8a3267d4d2589cc1e37b18a2dbc65e2edffa31343edf07487c7d565642a495d6710502a3d3fe5dfdc54bfcb8938f2f254eef45ff973b6ca33d886a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
9d895bca18107723aa939a0f5f304676

SHA1
cdb5cf9d18e4cd2dc9e5ea21f3aa98037825d95d

SHA256
69dbb8f65b98f4b60ef1f6e16c215318bfdb3d248ee17a16f9853686b86333fc

SHA512
a9500f1cb0f081c422fc4df1adc4891b9bc68d5a9a43f6ca70faa70c21b451aa5fb01eee23b2237ad0a2dfff400aa9132511fde471cfb474a8fbe1e57419e535

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
89KB

MD5
45765a413d5795e1fcd76a195b5b6166

SHA1
3a833c07b27f9d47de15ab203778431c1b120f47

SHA256
63d641ea58c6b153c8cf1073e6b290b8739e4161586e78e4dbd20ad0ebc8abd9

SHA512
12ac3983a1b35b971b8c36ec5e0b13f1f83cd690ad9bd6bebdbb98adcc3e0b6ab77a5ba1e9857d1520ff0d37bce9ca2c09f11da23b84f36175f38d50511423c9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
237KB

MD5
9a1d6196e8e88fc0588d3ad957c67fce

SHA1
bd513048d191a26151f697e1e02199d1caabdc7a

SHA256
c0f0f2abdd482864b56d8830c99b48884e38a4a4ddbc455130de049ccec2992c

SHA512
492f6ca987f219b6656889a22de2e43da870802586800187d94026dd79cf3535ef5326d6f2fcb2dd14b7f43594b4febe4fe5cfac6566512a8775b87e333be03c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
40KB

MD5
715a8a0f36962df4ba75bb37036b39f3

SHA1
8e21a4f5f3f381b8c3f48e0d8b600c80e9679a26

SHA256
3b3b5d8e1b3b6a99a4403a3f5a39cce0f98febb147df2df28c474fcebd948977

SHA512
61b01cd92d18a6433d0dc5a67bae207f1ba14b2354f2139ed19a63b5bc05b63131deb69b0528e70412741cecefcb9ba99ba95cea442d862c723c8cfb33d1d99e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9b0d9fb49f3306c81416614e6e4357ea

SHA1
00954cf68c9fbe1b9cb1c29885202867bb209134

SHA256
b8ecfb04bc0a3f70ca27df51e4339311a34e2bb2e0353eeb7b48aae5517b508a

SHA512
75818949dc8bceea881069c981a2bcb5427b734ada4440b4ca46ff2b5de2e569b19a2557632d6236710b2c728346cac0e9b7f5d2c3e443d7059128b924589d77

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b56004969cc24c6f24bcdd08f0a4d2fc

SHA1
077660b17e971edb47e8a08da8a0c0b2b70721ec

SHA256
916f92d301887729a905e0f06c9ad656e5a8319523fffe53b0fd7ab454346b6d

SHA512
eede0a0df03f509697dcbe7e083efbd68ad4e589c7494f23a17b37b21cd5f81989eb91883a0971e2b4298398e2d02dd552d8445fa359cf0476cbd4f882cb9fa8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c2a145941313f80ccbb46125c458ebb2

SHA1
aef5ca3031776b7de8008a930f235a69ff687060

SHA256
315db0461fc169a8a9d976ff0b7782e97f7c7488d1ac29173ddb3d0320ef6937

SHA512
5dd6005a8fa7667657e5ca83e337f46091a84fb9101bbcd8e000e531a366a0b4f47a852516b1d974c1a38f8fa9bd2708091561ab5d6e42a826d37b66c3ab2f18

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cabe0038f0c6314786167f8941558a64

SHA1
74d91e1258c669b05750fd0a053ff260206a2575

SHA256
e1aba6a16c8e61c9915e5ead49b96e8788045f70ef71f6bfa9b9e354b5d4e38d

SHA512
6743eae8e5c93746ec236fa0b7d69cdb96d5ca2947e5a688c6a745ff1849befc7af44582bdfdf907a8bff02dd58f8a3f8fef3a3dea29a41b78a355a2659676a7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e6cd8a5f500a9c4fea24ce03042087ef

SHA1
30e7199473c4b601df6a5fe3fba897f8eec6bbdd

SHA256
51e5d3a97f376ad68215cca265d69c574bc140d849ce2b1ae9579470bfb59474

SHA512
c73c07091718b365b8bd239b249d8244edf8ec8cf4c1405c0d98769893bd1e0a8db739a6af719f78022a41219356ab42a1c2f71d8ebf1d683c0e15efbddeeba5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
17KB

MD5
931eb99ff3e662c7b1fac807b946094d

SHA1
3fbfb1de9e2307aec38a192c02f6a85b384a4439

SHA256
05a16163f38d19cc193aeac056deaba577a3d1da6807d8c89a7b4690e575c27f

SHA512
00fc157831fdc341845c496dd1ce78e12ded6896de5267adae0ad78de526b8deb1dec2d521ec15a7fc87a7cf7a1f3b5ec6f1c1f03ba3234a7d8eeb7daadd0a8e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
100KB

MD5
a73c2053db0a6da985e48f61472429a6

SHA1
aaf5326a4c1ab9634b6e352619701affff4789d4

SHA256
e5a774225a8aaafb26e136da79c0e10f17ae454ccf02fe4e9a802df85b4963ce

SHA512
6c0ba40d34b7e1a704618bcb4ef00131f862c558e935513a0a1940724ed164ca8c00713fa4160a16f5755375373f60fee60691cdaaf37cd073da9580fb341a89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
187KB

MD5
4cc998fde77ea48c8b8bb4a983e4aa1e

SHA1
9ad9898437bcebce5b4172b3cc4977d91ebdecee

SHA256
eb2a1a07f04c7f6ddf124c55633bbd42175b892edf818422b55301f647f8eee8

SHA512
b022713157f83ae129c3f63f5d2869967362d53d448b79bbb5c92766ee8746b1091081e239cffb765a470fde936c54db5b5e992bac27cec71838a305c71fd89b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
187KB

MD5
57778ea4894ef21cf25df217dfb6de75

SHA1
a27a82601051d8f437b7d7b7843487eab0f62817

SHA256
be99d754e95a6b73b75f64356c9ad09a79c74398a667296b3dc9a041c03caafa

SHA512
10462589cd59fd9e78ebb4f86eed0bfd3fcee2d1c68d0ad021ac8ffde6a4309bafc8d971fab4e66e0dad9b952e058b27dad369b188f0f5649133acca60927c5b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
47KB

MD5
93cb46d41386820f18e81ced54acef31

SHA1
bc56f2dc1801fc0fa9dd288c1e021649b4a460fa

SHA256
5ff1997adafd7ab8eaecaeea8791e033afaf13f4a0b4d84090d58cdbe40acf84

SHA512
65b006697f56b72d8f35e110e0d41bbe5022c1ecd502d60b61c993e2dfe7cad718c5df2b9d7fd761305138513777252944c70db1522ed37610f5ac1d0024e48e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
106KB

MD5
e1069287d58b889a9ca3823e932bead9

SHA1
a3d015ea4979d121c047287e78134505326a4d55

SHA256
e92ba7d8545c7b9c0e0a7cdf65fafa33ad580f56dd3549637fcb4435ad021936

SHA512
1da0b4d613377df53703e9f877571ed934f0ec15634f065e6aea24a1af34256e18544e685be6001cdcea179a02728a7c418b708808213de8a2110ec28c72c380

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
216KB

MD5
5e85a320d6ecde8b18677959b12785ad

SHA1
8d2b66db302b5a51391f18057e54d5e059051634

SHA256
8222395536c29c4e947433783a0cda53cf7bfd0fff5e17e05c27e8bc761c6987

SHA512
06e9961d9acb90b83a67aa0c04e28dee12387c271878e9e08070c0d54269f000f2057a3dec492196904905d22c8a38a50c04a04fb948b52297f7f1d7cffa94d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
80KB

MD5
b776d0e3ead5cfbfd1f5f0bf8e4dad55

SHA1
8e7610152b2be6eb57d9ec1f8070cc6cb51fcb82

SHA256
95a1f7d725720a162ce129324858ec8d0a3818d4e24c701f423d9be7b021f81c

SHA512
039941046b0871966c216fe9ce1de83d0c97a7fd1158185d873e5264bd1b170c4d28aa131036019042c12624f59296a9d4de78ccbfb8ec2d460a1655c9387dad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
159KB

MD5
ef3a40ce1362d084ef65c591a5f3aa35

SHA1
945072df483fe346289cb83f14c024b1e7a1ce74

SHA256
6c143ca8b0ff78a29b440968905b94425b2740519ce8c733bcc8ef9d1bc5e2e7

SHA512
5c92d5f4107bafc055461634e440eee39264af63870618a2b52464e9ec1ab94c7fad0a7bef78c7d98dd5070605d16ad51fcab845374c1bab392731d53d84ec9c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
136KB

MD5
0947ba7afb8e0c41301463b5499d9267

SHA1
c9d0c21ed2a5da970525d79d350b73d5675513a7

SHA256
8469e34cd1e3d62ae4f06ca4a5afaf09c9b8bd2e3eb7bdcaa8acacf856127db7

SHA512
10a275be4980c63ce1a71c8bef5d457213996b766fd1bd601f54832c31f30ade36b085db89265bb37833baa27bb753f9bf883d74d01dc9177ce14f15144b2416

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
a738b62b5a9be3e7375efe7ce834756f

SHA1
fc204a5ccc35a39eb4e81ebc71cc868bc11392cf

SHA256
bddbfa7d4e4aefe53efc8a45f160d83cb1c74c7343e53c00730439dc0a927506

SHA512
9f96c0dff0f06f30a62ac40b3a919df23ea4ebf95f83740a57e9541a0b147f0c0b66f29a450ab639b6cfd1aec7b811397be0616440ba35020a7047f0cd8ce6fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
621KB

MD5
3589a7d9f6927bf5dda82fb50672417d

SHA1
22280b22f2b079b72f8adf464226a4b128827d4e

SHA256
d1949df01c1a3162e893de7bcdc174e88b9e087dc25fb171f21c781f9eb955b7

SHA512
1b1efc086360d35e10b9614427f2871fbc70c30f61522cf8f1995b80bc51ff762a3e740c6e3ea0431de104122320c50f08fb3f8e993d20dee2444eb3d7b665b0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
371KB

MD5
0ec7268e894d15c289aeccdd61536c6f

SHA1
1597f410ff8d83c35b34ee133a39f2fd9c919bf1

SHA256
7ae2d54c8755a829435d10d3505d9a32d4e929ae99dc9382de1f7e2be38a8beb

SHA512
288bf7df90d6ad84fd1c53f10665fe9922f62e1cd224b4ae170370abe4cb24594b6beaf163a950488275574613c898c64cbd2e47695f9a4c09fd6621c9da15b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
119KB

MD5
e00473af293e27e9d4d0e0762c5390a1

SHA1
0a85e7d8b38954814b1ded4463a93a924afde222

SHA256
506d764a8466fd90428974df627d5fca00856722cd8e19c71a3e56ace1b0a08d

SHA512
8ad35f94966eef6c19f890a86e4c389fc83661689caa4946f8c58e4b2011990ad1fd11a2fc2e50910083563d3a8578b2db1cd49de17b4c6fd13933a64cb18538

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
13KB

MD5
71be8cea88ee9bf8e8b215bbdb8512a6

SHA1
61ac15d17f85a55ce6c80addacfdcf0bfc368968

SHA256
376e20754260461894fb038a2e8a57d5d0f66a63a7946d019b6b74a1df37c3d1

SHA512
8a5cb28833f25d35978109d75d701a792b1cb6b37ff54649d82daed06522b8d6fb657d7ba1a32ed7fc370730968280dc372b3672aac105306f09ea74894d623a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
83KB

MD5
540c0d38b20d3eadcdacef4e4cda006a

SHA1
51ea2895db3b4cd18c06ec22d63308a200e00141

SHA256
569e9f3647c9371868c643d17824bec9c68b705fdbdd61898cad7e81755deabc

SHA512
537c0f3d119384fbf6e85e1b10ccd2340de7e4910c56fd15938cef64a35d2eeae7fdf20116e7694840799b4909bb63202d74f773f74a12161af087a5d8d93779

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
63KB

MD5
f612608f6b22de9202e70008e9297abd

SHA1
224a8820a507c6fa7c5c66c9c02cf34988e2caec

SHA256
097d68e0b369ede903dff9cccb097cb5bc92c5b37e5c5c79a8fd62c9508b9ba8

SHA512
dea397c9746e3bc77d464007ffbae7561258977f62acdca9a0e2395bd06647e6742670194e9b5ace5001523477c14e99395decafb25953741b0dcdf7c07195d4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
264KB

MD5
da19c41763ef0bfe3705f504f0d84d24

SHA1
2249bfc0cc251a862f550efa44d893e5a2653047

SHA256
1ee89a44249ae1fb74f496864922f4f969551b4cc9e89f46d5e5065c01b7404c

SHA512
1dda4a5f9a02bbe5c12928910b314abe78f713e6de8419da9d1a56540656c0613c621be34e5b45969ccde5379f23e1b39feac2e3b9f41b9bbe505bf322c7cd1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
184KB

MD5
995b986701a22aae8755dbdc67bba456

SHA1
0cb8c3719c03a26dc5c6cc42d07a178a638117d4

SHA256
afbe756f9eb7baa392a9f8df0827f5cce7217b71a4b2199c5bed19391e772268

SHA512
abf12a4f73edd688711c9a17211a5c996445f09b44cec95855eaa6719b98d4b36757cc5b3ae7a2846a7225fc190fe36e1f4460a5d9c72fe4b356d9659697ec0d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
442KB

MD5
aaa91b88625dc2dd6bd86e5a2d32e344

SHA1
ea4ee04c73f4f752b4c8a596f7b8c9f081e39a9c

SHA256
9e19c46750a707513e11e2210aa67a022e1583e34ebb70f89212fff29131a4e8

SHA512
c9346f27af6fa4ad11b0f08d5798b0d4bc4c210c05bd07232834b0fb115e28ee09f5d0920d93480bb5f4ac7a17caea2ec836c9b82db886632b1fd9382aae97e1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
201KB

MD5
4da3d2694e2f3236b33b9c71ea9b1328

SHA1
956362f784aa4471b0e2ee7618afa9b0baa5e230

SHA256
bffef60111993b02662caf3be5d0ba8862bf816b9d58d736ab1a803555eae707

SHA512
43c86728704c491255662adfef4ab76182993b28e48d37cbf64876a0c1cbee9f9a4054ca6a6cb2a6488b21071bf5df4f2d43147ce0b030a9247ec3f1b1d601e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
86KB

MD5
d415962f58fad6feb45b80f574b1195e

SHA1
252bc03ef1ac6f05ece383408962198c0c1b2402

SHA256
3c420198663214a4e8ff73ff5a45bcb8ed20d77934922f6779b188c6d03580a2

SHA512
6a04b942abe362d37b3197604a179e04f112877b666131d086876e04598eaede141d29769b1d118cb9af8b9588285e742f4e03c9b60d0680d2f959ed555be3cd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
100KB

MD5
77dc26d78755b40454e3ed2578e33094

SHA1
e08b0dc5cb8770998110a5fd8d3ab4b803796216

SHA256
f47ab107b3917b347d2f76b2d4328f2b4f7c528c2cae73c51a1449cfa3e7e797

SHA512
7ef7e34411672d2fcc1873fea4cf0fac7396d3c6c9e5851afb1feb5f84cf4cccb4613f0ea7857c634833a40b8e88077e5605eb5d50a48e2bfcb6aa85551bf121

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
96KB

MD5
ccc8e6060bdddc5f23ec642f2bc3debb

SHA1
04afbfb84201e794d9c383a2fcc9b85769615bb6

SHA256
35fef43b783764d8e85ffbd849e0e5b5ef5a1e58954d5598b37a843dcd6e4cf2

SHA512
944223eff6fa544f633b4c816ac2339c62b3c9afd6c92000a38d3a5fc910dcde8c5fa662b6739c11cc877710d150147fd9810266efd87ce01808d29856c230e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
100KB

MD5
919a46d5aaea88920e655e485f37dcfa

SHA1
bfa08790cdd30e2549ccdad3908af8d0b77eb3a1

SHA256
f7bfae0855b053c5bf60468d0d72640708185e7a2d0a252949e29dd0b055a8e1

SHA512
ca91e86475a67dedcf61aebe136cc76f5b9f065559a882ad5258f4bed421324e491eacd84fcae17c02729ff7832e52bdf06360de51efa79f37fea612954df2a9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
22KB

MD5
90620011e17be7567da12f6c44c6ef63

SHA1
68ffb1313d5625fee67bb0052c2cf2a9b35dcfc7

SHA256
ce64c9670ab1d42e42db36ba9b951bb8150b80fd1082a24927f621cd1d26779c

SHA512
e9099a89f300f5d2bfd2b1fd28a5ba6176b6d8312691c7303c287f4227aaab8b514ba179d0e0108afcd641db5938450651d7b0f4cfb685c6117e786e47c0fae5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
aab424674f6d554d62974bf4e4f167bd

SHA1
80b5c31c1a7725cc141955be8b331f78ef928dcf

SHA256
a7fbb8e354dfd723c75ef036c8beac79691029a36b7ac695543bc1213e326296

SHA512
27c594943d0e49b1597fa786c59522eed6701f352855cbdaea5830bc4392550d53f125bf28f703c8c7ef570ed47d405d542e3fdb04eeb3d311edaa3716dd3ae8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
30KB

MD5
d4dbf4b0b3eea5fdfe6f6f26f6e85865

SHA1
520eb0df100a60488116562c322d12b08fe5c7a6

SHA256
5707bba036a86222524a36717e46ef204fd541f5c506b7c7c07a766665724bd9

SHA512
322b6182ffd5a63f7e61cdeb56b6535adc3c541a9ccb290e4422b64601a9d352976d3f0645e5c3b81fd367d630a54021da4cfb232a5af97ac5185b34ee7b8ed3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
66KB

MD5
6d61272211f1eb58e2561daa8c09b3e9

SHA1
85bb392da406b660b02d9cecb1ce9200bcd942da

SHA256
90526c9a122b59138fa1b94b1e017b695c4ed95d87a56d1ad20b39a9dae5c3a7

SHA512
704491ad63db785617b1f5909b50daf157277c304e6e01d96cf96a58bf3a6d844a3b0e40f78dc6aa2ee9886995f21c67d278797179d898506b9bfa0e40765c8d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
22KB

MD5
88a539ce8ba4fc8b083c947bec4df196

SHA1
b621dacc067a53e391c375dbb34b545db18ec2bc

SHA256
27286060511b3ff46de9cbd4729ee981f637d8e0f1defd61dcb3665234182634

SHA512
19fe38144fb3bac4439a232820d983b7b82c388a87970005865beb8c200c90878aa1b8887c52d13af78241ab5bd4e37ef52189ce637804d62cd79310c82f422b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
31KB

MD5
8620def1be2ca57a1f7980f5b52864cf

SHA1
2f5a6da7b9543d96cdf09739d7413989fe757cd6

SHA256
ba8ade13b2b41abedd4d63097245991443b5dbf61c9b8eb5e4b9a118b2025795

SHA512
f6e167eff39339a85513bd7bb6b3ec821391bd6cba1da7ceb34d6d4ed673665862dd55b8568ce21909a5eecf0433b66e804e570e463e70c13c14f6e3609e7a14

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
39KB

MD5
8253fef24362cb8265465e0ed6296a82

SHA1
64da5ef60af4c704ed965667c46f7a609f56f066

SHA256
cde77d6c8e8ff445961afe8a12f2f7b7e9359308fa3aa9fdc41887512ea7a715

SHA512
777e07ed216e2b05bd28d3c96f24c0dfe0a1c223a787143aa05ff1b772e14a41cae11cbea205f8e74018a2d12d4a21d4210c4bf327f3a6f4d74f93431f4b153c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
54KB

MD5
de82b7045daa803910ece59d666fc547

SHA1
a8baa68cdc78d78e1470432513564109feefe8f6

SHA256
95a7ad1144f2e36e35ff3b24d6cc9a18128997401cf4b8591c7b158eefadf82c

SHA512
d4f51f33b56b84ea80fbeb127d9686d8186b4624a836788878c929b2c4ba76ddd32b5bff9f7fb2b91fd74330ca97fd0573b5db110e76285856919a059a178074

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
56KB

MD5
73d5ded72f7e36548cef3566a78c9f18

SHA1
bb1df32e5b08974bec253cfae2709325ede478c0

SHA256
91dc596aa809afcbdb3101ca22d46f7c160176b76eadb383421a801670a8b9bf

SHA512
8cb98ba1c3e19fe996476c2f1665b92f23abbbcb8188e1b1b756932bd80b22105150589853141d94680e4e09db196a9c5206cf02251bdc18d99c7649c9b477b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
0d4ca9ed405ae6f23391e1df7c6983ef

SHA1
5f81a674f2708ca873fbedc1cb32ca49311065e0

SHA256
78451631da7e4f1d33f9ac9846fc61808818ff6a1bcc40222008046b14e5bf38

SHA512
b56fd7236a607c9c28425614e3fc1ecebd7f7913a637b18818a2bd57cc6fab8804edcf8a09377c94cbe0cca21fdaccde0d0d4bd9b400e8ba261816ed4f693be8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0cf0555b096000458391ca90ca2acc8d

SHA1
600d9f3b6de35c8d60cacbb9eee93f7aa17ff619

SHA256
80f0f0c3983df2ca724555640a549d606ec457ea1096f846de257beb515e0a0b

SHA512
37fa5a4af30539e089cf131cd5c56def42c1c7f43a941831bc2668cd3dab8baec898c05a8d925e35bb0a902ee7f424bb17af38eca85feffb68086a21e88589df

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
158KB

MD5
9e4ae19000d5fb72f3549c8bfbba9889

SHA1
d429f4ec3bc9977f94c4860b88e24a76437fa60b

SHA256
c90aff82837c71562495bef0808cf8eb655ad7bcb11ff8add14f0857b5b67e42

SHA512
3ec2b4e154a379579822cc33a1476a079862b2aa001a6bef7676e7da500b9e6da1b282075ed7483010b1ec125828fd8f7f4ecd5e05b367a2c69ead0e97e29207

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
64KB

MD5
098ff9f0d1247b8001fd2b048091d8ca

SHA1
a936543aaa6aa3eae92534f61a7f4c30befc3b81

SHA256
eb28ed2add06e0f53fc5a52520bf764e8224a187374574232cde2daf9367d0d9

SHA512
9a9793d598ffbc186724af8c2008f3e88a4679b8ec92ed495a21a64b960c644ca49ed37d0b5a05fa4cd031c789775a811b887230a6a90d7dc2d81f5730164432

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
41267b7144bea6d657e24c42e1780cfe

SHA1
9c72eaba3b92954f738f96cc9505be5bfa42f9bc

SHA256
62ade8debb1810a8f08f74e0571731590a4f3d2cc3f8ed487d752007f407cdb1

SHA512
1cbbd60361596fa07affa68dcced5bee532fcdea1c327c0965f5d876c6a9e8dd576e1cb2ababe424e6bffa94e978b7f729248515293b94cac1ed33951cfce610

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
45KB

MD5
fe76a5f08f1bb0af4c7c775241b71b26

SHA1
5233a499331aab2295a10779858e58e9c5b5b487

SHA256
a73f9b62327a2eb9fc5e35e8fb3b94e285f9189c9f28b0ae5b0e191071929993

SHA512
008976baf91d476f6e5a9ed1be7b59f1fefe621cfd4575c85ed53855b9c256728ea8ee203535ef0305cad4809ac598595aa8da913eb5e36938bf40a3adc5d5db

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
26KB

MD5
4e3a2b3f0ee1eb6b5d6e50216a5b061a

SHA1
49a24f386d5a6387eb7a57ae23d5a841d6d58b12

SHA256
243b01da7617554672730f2fe0767a1ed2cbf2802e663824e16a6a2132948052

SHA512
074f86a2a065723787a43a9100772c60c514d9fcabce3937999c4ccfeb2715e302f8d5110db5775de0508ad7ba0a428855a3a151d8303a4def158aca8cc6f8ff

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
8844f3f8ba684cef78a61f2365ad581f

SHA1
e72ab5e907138af466080000978f0da193e6b7bd

SHA256
b4ef1d67c572a36c6f10aebb62357369c89e829e487b9640c3d9d35fc35b7357

SHA512
5bdf64ff45ea0555f9d74684338144040c01dfb7b57c0242295a6ea30aedd8527cc6c2d1285e19f6ef32d1fc489eac7431860ad6724cb6192afe4eaa77401f95

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.3MB

MD5
388e1bca06274e35f8ee96cd5e31b756

SHA1
b490303d7fe5485d842e1b65c1784718f75248b4

SHA256
470094c283cf6007dd85288846d37d5fe376af8269c77b8abf7544d1866808a8

SHA512
e752da7b1f552cf0f2ffcf183b712d389c813f6c34e3d3f2a3d9a508ededce2dd6ccfa009d3ec6b5b1cfc5217ff0c4ce93ccbb80205986350172b54dd61172dc

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
134KB

MD5
3087753dd236b04e433eb308518ada6d

SHA1
03133d6d999be044bbbf0400b4f079ca81bdedcd

SHA256
c19a4b05124de7034d49ca5f9076a990f827e26f30c7e6ae149d3bb79fd95cd7

SHA512
d74adffea97f5396e73ef891834e0d451028f9f72a5890f6e281fc12a5d276569b0b5622f724f7faf58573e1339d85522449d862fc137f1012c72eb8eb34e3fa

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
412KB

MD5
68a17a2d4071dc955eaa9c477946481b

SHA1
bbfd016348cd195f310739d1ca0bf2a8bd809b38

SHA256
be92d93d602314a9c8eae27840c34bb669576649894227a75f29cbf850756926

SHA512
c0041758202f3eaa2ad378121e3219085211d979d8f2cdb468e9585fa87c6376038e95fb504faa88b19b7d2c7b1ddd129e75f1f20fa2d440b2c5affa0702c754

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
111KB

MD5
ba1bfe8c9c09292cffa9d0b7bcf66d65

SHA1
3ee9d20e5a3fbdc3b1ac917cb8174339fec9ae41

SHA256
01e4d225d982a14f775ab1a2931acdacf7bf52de8e87573192534e141ac7e520

SHA512
d57226dd39dee13f43584b53a6184e39f14258eb7787a68f4eae1183f75798ff5076a9c483a4bd8db49e402b9c33daa225f40e622087d655eea3276a42934f86

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8abca5006ced567902d63ccbaafe6cc4

SHA1
9bb8701f61cb3e1e47537a083a76ef3923a9b2b9

SHA256
fffe109830c38130de011a19880203360f6c5eea370dcd6ed835cd09d2295b75

SHA512
a16970ca7f3b699136d0b7674a138b74c2e0546c67719353d2d451ab92587e24acb90c2e33a6fc16e5ba0e00095c4db583a4fcb25c8b4a433c2702f43c3a39b1

Download Submit
\Windows\System32\dllhost.exe

Filesize
116KB

MD5
12032973595145239a9b88c1c29c503b

SHA1
d4605f015ef884a01ae21cc3e3e4a375fc94ef30

SHA256
69e1e98b9bcb05d0e5c81ec89ec38b2d80c1f0330c31a6bfc0cbfd9af3e5ae40

SHA512
8fc4313ba0379d0e2cb20f3b36fa20847f77e7e1d9137209d945366917968cafb01534f83ad6a19a1f49f6fb8189a4eaade9487a703233921cd9344d28a40ca4

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
26KB

MD5
bc912149fe7c3044a64f66f9af91733e

SHA1
e9554a0752fcd5011ca4dd5077ec1f7c3c6dd9fc

SHA256
a67dea8762db655619412e77e9ae3b8bfd624aa4952a45020f9842b6535477e2

SHA512
47b359ec13a20a4d687fe33f2ffb5c83ecf726e4bf65c919e8cb55ffe9002d25e103047d041703ea89492e62c1fa98538a7519028f2114798ba451183a9263ff

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
63KB

MD5
905cf3c1cf442c59dc38ea3c9a0e77d9

SHA1
d7762f42a2ffa121ebcd5b767e928a9f3e2947df

SHA256
d6761235d3d1b1f001be5ae4944701a4ebff11da1c7ff14cc071d76cd1cb8a50

SHA512
f815ddeb4b614aece58b949d2103b7ca769d717872f8f68d6d3ca995049f8d921625b5274c9dadbc2273abf6b505a773b7e5a58d95bd40af36cfb41a24b53a8b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
44KB

MD5
b1df0a66e6ffe08e3786a6077b73a12e

SHA1
a24f04d3e9decc4fd363f865b0b4254b025a8a43

SHA256
5206ddbccb76e0192eed3b357da829ce3411b94761a2dea806c8094e63f8264e

SHA512
4554148320df0d89238fd60df5b350e66cf91239e4ccfb7708bad1229097796e2db98f6580578b9c8550fe12751192a1b4681a7958db5675d60f49b2dbd8fff8

Download Submit
memory/320-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/320-291-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/320-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/320-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/320-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/616-461-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/616-427-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/616-416-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/616-480-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/616-481-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/616-484-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/692-191-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/692-197-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/692-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/692-340-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/864-268-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/864-214-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1056-104-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1056-97-0x0000000010000000-0x00000000101EC000-memory.dmp

Filesize
1.9MB

Download
memory/1056-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1056-135-0x0000000010000000-0x00000000101EC000-memory.dmp

Filesize
1.9MB

Download
memory/1164-187-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1164-186-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/1164-303-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1164-334-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1164-184-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/1164-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1164-167-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1164-159-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1620-495-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1620-472-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1620-465-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/1620-494-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/1620-493-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-483-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-482-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1980-463-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1980-212-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1980-350-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1980-351-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1980-216-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1980-353-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1980-211-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1980-348-0x000007FEF43A0000-0x000007FEF4D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2120-88-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2120-87-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2120-34-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2120-32-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2120-160-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2416-178-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/2416-323-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/2416-182-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2416-174-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2588-321-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2588-324-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/2588-320-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/2628-175-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2628-94-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2740-304-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2740-294-0x0000000100000000-0x00000001001E2000-memory.dmp

Filesize
1.9MB

Download
memory/2740-361-0x0000000100000000-0x00000001001E2000-memory.dmp

Filesize
1.9MB

Download
memory/2868-141-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2868-213-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2868-143-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2868-149-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2868-148-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2888-198-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-121-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-122-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2888-128-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2944-342-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2944-352-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2944-356-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2944-362-0x0000000074578000-0x000000007458D000-memory.dmp

Filesize
84KB

Download
memory/2944-469-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3000-336-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/3000-327-0x000000002E000000-0x000000002E202000-memory.dmp

Filesize
2.0MB

Download
memory/3000-441-0x000000002E000000-0x000000002E202000-memory.dmp

Filesize
2.0MB

Download
memory/3048-169-0x0000000010000000-0x00000000101F4000-memory.dmp

Filesize
2.0MB

Download
memory/3048-114-0x0000000010000000-0x00000000101F4000-memory.dmp

Filesize
2.0MB

Download