ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
Size

1.8MB
MD5

37349e512ce22e87b33f030d07f5ed5f
SHA1

027916dfd71c5667e985694c41efaabf24b84966
SHA256

ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b
SHA512

85bfdf9b2bb74ef18ba272bc2ffe972b1bdd8ef181e460058d542bbf0c587c7b865cb0a03f8c3ff0495def9ffb99aade3014e370a3f451c24facd499b1db2849
SSDEEP

49152:ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAWaB0zj0yjoB2:ovbjVkjjCAzJsB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
468	Process not Found
2056	alg.exe
2728	aspnet_state.exe
1308	mscorsvw.exe
2868	mscorsvw.exe
996	mscorsvw.exe
2748	mscorsvw.exe
2972	ehRecvr.exe
368	ehsched.exe
2076	elevation_service.exe
836	GROOVE.EXE
2856	maintenanceservice.exe
2580	OSE.EXE
1032	OSPPSVC.EXE
1484	mscorsvw.exe
1796	mscorsvw.exe
1036	mscorsvw.exe
2852	mscorsvw.exe
1308	mscorsvw.exe
1968	mscorsvw.exe
1252	mscorsvw.exe
1376	mscorsvw.exe
2656	mscorsvw.exe
1756	mscorsvw.exe
2676	mscorsvw.exe
1028	mscorsvw.exe
2964	mscorsvw.exe
1952	mscorsvw.exe
2440	mscorsvw.exe
680	mscorsvw.exe
868	mscorsvw.exe
2396	mscorsvw.exe
1604	mscorsvw.exe
1728	mscorsvw.exe
784	mscorsvw.exe
748	mscorsvw.exe
3016	mscorsvw.exe
940	mscorsvw.exe
2040	mscorsvw.exe
2676	dllhost.exe
752	mscorsvw.exe
1832	mscorsvw.exe
3012	mscorsvw.exe
2980	mscorsvw.exe
2824	mscorsvw.exe
1948	mscorsvw.exe
1040	mscorsvw.exe
2156	mscorsvw.exe
1128	mscorsvw.exe
1596	mscorsvw.exe
676	mscorsvw.exe

Loads dropped DLL 11 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2824	mscorsvw.exe
2824	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
1128	mscorsvw.exe
1128	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\342a72241b98a6ad.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\psmachine_64.dll	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\GoogleUpdate.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\goopdateres_el.dll	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\goopdateres_nl.dll	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\goopdateres_no.dll	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\goopdateres_ro.dll	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\goopdateres_is.dll	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E5D.tmp\GoogleUpdateComRegisterShell64.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97BD.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E3E2BEBC-6982-4556-A559-0B61FD56420D}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6E9B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E3E2BEBC-6982-4556-A559-0B61FD56420D}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7A00.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1584	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2220	ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: 33	1908	EhTray.exe
Token: SeIncBasePriorityPrivilege	1908	EhTray.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeDebugPrivilege	1584	ehRec.exe
Token: 33	1908	EhTray.exe
Token: SeIncBasePriorityPrivilege	1908	EhTray.exe
Token: SeDebugPrivilege	2056	alg.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeDebugPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe
Token: SeShutdownPrivilege	996	mscorsvw.exe
Token: SeShutdownPrivilege	2748	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1908	EhTray.exe
1908	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1908	EhTray.exe
1908	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1484	996	mscorsvw.exe	43
PID 996 wrote to memory of 1484	996	mscorsvw.exe	43
PID 996 wrote to memory of 1484	996	mscorsvw.exe	43
PID 996 wrote to memory of 1484	996	mscorsvw.exe	43
PID 996 wrote to memory of 1796	996	mscorsvw.exe	44
PID 996 wrote to memory of 1796	996	mscorsvw.exe	44
PID 996 wrote to memory of 1796	996	mscorsvw.exe	44
PID 996 wrote to memory of 1796	996	mscorsvw.exe	44
PID 996 wrote to memory of 1036	996	mscorsvw.exe	45
PID 996 wrote to memory of 1036	996	mscorsvw.exe	45
PID 996 wrote to memory of 1036	996	mscorsvw.exe	45
PID 996 wrote to memory of 1036	996	mscorsvw.exe	45
PID 996 wrote to memory of 2852	996	mscorsvw.exe	47
PID 996 wrote to memory of 2852	996	mscorsvw.exe	47
PID 996 wrote to memory of 2852	996	mscorsvw.exe	47
PID 996 wrote to memory of 2852	996	mscorsvw.exe	47
PID 996 wrote to memory of 1308	996	mscorsvw.exe	46
PID 996 wrote to memory of 1308	996	mscorsvw.exe	46
PID 996 wrote to memory of 1308	996	mscorsvw.exe	46
PID 996 wrote to memory of 1308	996	mscorsvw.exe	46
PID 996 wrote to memory of 1968	996	mscorsvw.exe	48
PID 996 wrote to memory of 1968	996	mscorsvw.exe	48
PID 996 wrote to memory of 1968	996	mscorsvw.exe	48
PID 996 wrote to memory of 1968	996	mscorsvw.exe	48
PID 996 wrote to memory of 1252	996	mscorsvw.exe	49
PID 996 wrote to memory of 1252	996	mscorsvw.exe	49
PID 996 wrote to memory of 1252	996	mscorsvw.exe	49
PID 996 wrote to memory of 1252	996	mscorsvw.exe	49
PID 996 wrote to memory of 1376	996	mscorsvw.exe	50
PID 996 wrote to memory of 1376	996	mscorsvw.exe	50
PID 996 wrote to memory of 1376	996	mscorsvw.exe	50
PID 996 wrote to memory of 1376	996	mscorsvw.exe	50
PID 996 wrote to memory of 2656	996	mscorsvw.exe	51
PID 996 wrote to memory of 2656	996	mscorsvw.exe	51
PID 996 wrote to memory of 2656	996	mscorsvw.exe	51
PID 996 wrote to memory of 2656	996	mscorsvw.exe	51
PID 996 wrote to memory of 1756	996	mscorsvw.exe	52
PID 996 wrote to memory of 1756	996	mscorsvw.exe	52
PID 996 wrote to memory of 1756	996	mscorsvw.exe	52
PID 996 wrote to memory of 1756	996	mscorsvw.exe	52
PID 996 wrote to memory of 2676	996	mscorsvw.exe	54
PID 996 wrote to memory of 2676	996	mscorsvw.exe	54
PID 996 wrote to memory of 2676	996	mscorsvw.exe	54
PID 996 wrote to memory of 2676	996	mscorsvw.exe	54
PID 996 wrote to memory of 1028	996	mscorsvw.exe	56
PID 996 wrote to memory of 1028	996	mscorsvw.exe	56
PID 996 wrote to memory of 1028	996	mscorsvw.exe	56
PID 996 wrote to memory of 1028	996	mscorsvw.exe	56
PID 996 wrote to memory of 2964	996	mscorsvw.exe	57
PID 996 wrote to memory of 2964	996	mscorsvw.exe	57
PID 996 wrote to memory of 2964	996	mscorsvw.exe	57
PID 996 wrote to memory of 2964	996	mscorsvw.exe	57
PID 996 wrote to memory of 1952	996	mscorsvw.exe	58
PID 996 wrote to memory of 1952	996	mscorsvw.exe	58
PID 996 wrote to memory of 1952	996	mscorsvw.exe	58
PID 996 wrote to memory of 1952	996	mscorsvw.exe	58
PID 996 wrote to memory of 2440	996	mscorsvw.exe	59
PID 996 wrote to memory of 2440	996	mscorsvw.exe	59
PID 996 wrote to memory of 2440	996	mscorsvw.exe	59
PID 996 wrote to memory of 2440	996	mscorsvw.exe	59
PID 996 wrote to memory of 680	996	mscorsvw.exe	60
PID 996 wrote to memory of 680	996	mscorsvw.exe	60
PID 996 wrote to memory of 680	996	mscorsvw.exe	60
PID 996 wrote to memory of 680	996	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe
"C:\Users\Admin\AppData\Local\Temp\ab69c9f413c7613979c3be7e65c5f8d17121b6d520b860c92f4db06bbc26633b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f0 -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 248 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 28c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 298 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 24c -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a4 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a4 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a4 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 1d0 -NGENProcess 1c4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b4 -NGENProcess 2dc -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2d8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 11c -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 28c -NGENProcess 2ec -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1c4 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 1c4 -NGENProcess 2c8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f8 -NGENProcess 1c4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 118 -NGENProcess 2fc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 118 -NGENProcess 2e4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2c4 -NGENProcess 304 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c4 -NGENProcess 28c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 300 -NGENProcess 30c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 300 -NGENProcess 2b4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2b4 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2972

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1908

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2856

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2580

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1032

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
3376c6d9711b250db2195200b06c6648

SHA1
e137cf3831b82311fd5cc95c895067abf68fbba4

SHA256
06d235e83cf6010ac2f98292b6f39e7e2bcf3457b3fac64cbee2eca002eafb07

SHA512
728fba01b9740de0a1ec9ae3bd45c4a9f6055411b08c89306924300c1659033b266e19c801d93381986bd1008e92d06c419c6ba6b849254f19377d07204f706d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
b60ecd25c7f435227897bcd27b4e8f1f

SHA1
c768fa6c7688617a7fae914866283dfef73543d1

SHA256
1f884e0efee9b7e24120225355fc2046812896188b971f24cc50975d05d468dc

SHA512
959a3e573fc17bf05758ec1295468f392e275b4a01d639bd5e17366b1b9bc15649c65b67a5df3ed6563bafa348451862a1857c49f10426cfd9d73d2eac4cf138

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
917ccb03a5125f7aef88e07498ee2947

SHA1
c7dfd803fdbec9fbf899c61ffd04ea99aa437907

SHA256
c963f035e48dad9c3a65302b4da5e52e9ce3884d92a35f0f952ede2c6441e7b1

SHA512
2a4a9c4a8e92b54ede78371cb38b956cc5ff86487440fba42090a6386e395ba47c30192087f8ff22930710bf508871772016d979f6810890dee6aa68ca9ec87e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
10575d699e3d453305c75c89b693beb3

SHA1
b50d5422d4f26f63ed525c493dfe54faf893da31

SHA256
4b8bcb243dad69a37c9e17e77672646efb4e797112a9273891b1d89e772fedc8

SHA512
2c520e746fef91a800c2d581353cdb1d66c97428e255d003ca411ae8bd9c38f2b2dd903f504c0121dae3c0011269bfffbfe24ffcc617b2daf546b6a59f791261

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
51KB

MD5
a3a815a8884ce0fcdbb7179443e45546

SHA1
43cbbb68ff6828aa1e330daf5530d76391549ca7

SHA256
faff2d35d7b00bd1e5d6e6c4eb06427d2a7ebcc03b570a25a04457c491996eb1

SHA512
79ddbc7c778adac6b75b9b0d4f5341f8b18681bb3c9f2be81a1ec485e13468166e6e2d850a232bf373618b9d16eb11b71117870900ba4dd14172ee29198ca86b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
767KB

MD5
07f3cbeb3be8e51143a583564a9d0f89

SHA1
9fd616db260ffed5cbdaf04252dc4e3112eb0b55

SHA256
e9b976843225344b640303f30b5509b4e4776337a38d9c89117356a3e4d5decf

SHA512
8f6d837da5f3a9125c5faf2f85786be71744d15cddace49cfbe4c9c6f6da90246b94b56efd6c0a59609540f9d55c490b24696ed25b0001269ff9b6ac7ea55979

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
194KB

MD5
82b74e16de9f6e3380d0242b0361b3ae

SHA1
cde883e622c08ce5a6f15f341ca5ee74a1b5be3e

SHA256
8bf29a1e24203450d378744f441126e9fa68cb3a6ab879d4d05976016426bddc

SHA512
a2841706261196a3b3de3986d50f9d9406dfe6668786c39e8b13a6b942826101cc6b27dd288eb3bb503bdcd8a15c8772f0814c0e42773cf326889306461fb5f5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
39150ba338200b4599f216f10fe42af0

SHA1
b3620f5aacf39d464cdae7e54e20e20cbf7f8a99

SHA256
2df9999453f51d2b2bfec704ec74cfdb58894c4f514e2cef63f28e568978ed2c

SHA512
d3516b9cc8e9b731d61980a0445ca2ea42ae9c979c8a48cf6f051165be228f125025e2bea85884ff962891c4c9c47f82995361ded273867b215827698728e48e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fa03c6beb01d73eb233cde6c25b63257

SHA1
ba9d3acdbc85f05ee20b9b73ace065866a7ef514

SHA256
4d06c42c078e17d09c58f498e5daa0906d9f480e308769cb50a7f1f6af702032

SHA512
851b29619736528814330222e6dbe14feac174c9959e69877a19a4cdc19dd8cc8168c203ef82c5176d87d8746fbdd0f73ff480912a50fb8f3bb6b6cf538c6b88

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
aa2c72a8a181f8de04b3d6209f6807c2

SHA1
2e3318aac862b7e7188d4f008488c2478b014bf9

SHA256
4fca08c738c9c19a2ecc827c5323b2e2ae5d5b39219bd35986168ef7562a8a42

SHA512
e0cb95f5f55691ea4f96653dedf403a9f891e821c1001a388b7e7a0e8cbe828f9c3542c479010178f7e5afd9b5836d50cf5187444805009dedaf3048ddb8f5db

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8520ba3a8ad41cec6373aa33ea966237

SHA1
522f59845377614d54832c680a08897f3637a866

SHA256
5dde062c072764d9222c13e807497a233604882fafecd75dad163c7e06c7457a

SHA512
fd51e93455552a3c862b2222088e6adb27177256e2871d51ade2f6cfab8929b02344c9636205243f8311ff76d125310153bc7daa0ff9a12c289c43435247c4a4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0a0914892939b8b90f59fa8c8ec428be

SHA1
d5ffdf10ae1c1eb5ce9d06689e4ea9ae5913944b

SHA256
e109fe1e701230ef6fd6235a51d277a1682987fdaaae09b57915453ca0b31999

SHA512
5a4ee3831e8f8a71f0dcff5e51eb6f288c8963de8c1190c1fb2e741df123cf41a69890f7176f7bd6003bbfde5fd3eb8423900f81684347efbfb01f84d2aae37f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
285KB

MD5
14d4509c67d126a5c67df90ebe9c6cc5

SHA1
13da08f69ea0ead62fecf94a31ef050e899bba81

SHA256
23bc65f2b59383f721ad48c509f94754e05fa6bb8cac5eb862323ec59e30b6a2

SHA512
81230fdb35632821add981037c19897661b39cd4939ba2ccdddb46dba46b2fc65f46a8eab5c570111a8cdff64b03035c5f851313cb06c3ca23c5b9e4fa61a024

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
043096f8b0f333aa9da181d9e6358a4d

SHA1
2339630c7924dbbdf0c880b1637c44a3e204a035

SHA256
471336a29a6c7a88af1be8cf1e3e7f35fc0b4e16c6ad94fe1a95689699e17b88

SHA512
efa38ca01227fd18e1a6c63cb0f089ef518a925fc1a3b781be6d900ade9091a35e7dbb72e89781b5a741cee6107929f2cd5602e090e9d02dc29178357566cd32

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
c09c04ef2a4527a68af0af561f227f41

SHA1
b5c585c7259aa57bc891fb313b9ae75bf3f93287

SHA256
2153722fe5a34da92b064f776e9072f3a7410d68f3db182fa0c58beaa24cbcea

SHA512
01d00a139cb50e354fabe5ba7c2b3138458557a7f219939e4ae8d28559f85acd4bf45316c8330d1f1247ec873615e1fa2076ff2f72a55d3db7f9ab7588a405df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
28032ec7ee9a2552368f8f208e4dea68

SHA1
41b1f51d304a5cf5ceb2aaa2bf7ea85e335fde2f

SHA256
00873dbade34f9b4d9de17bbd7b456f082e18c903d1276a332d81f0aa949437c

SHA512
1cb23fe41b67570c3101d5773aa232d02c6685a9b5f3ac2e9d348048f033c9f9026d98b04fc43796967f3053106d34ab6aedb6d93a1440846936dd5158744eca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
180KB

MD5
cb9b72d64e1f554c7eb882fa8b10f94e

SHA1
01d0f030df72f5430c1ca5339c8a5d6e21ec5adc

SHA256
5afc8371b943872ad58c56efa26fc5ab7eaebf9a70f5a8450573eda8ba05fb75

SHA512
3a0218cf07dab61060d7acdf861f004fcc9e3f9e759cb554a97322b72279b10bd81a61740d9f7bbf7fe4eb4a70983c41c816ca47bb12e2f345ab3f822a58e480

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7358f86460149747dd4c360ec682461b

SHA1
470c361f9dc0965fe34ef9a7cb9f6190e785e5b6

SHA256
e1099c0edb692c577ca83e583a5e84731cafcc72aa95a1838b3c87f8a3039cc2

SHA512
e4df34d407bdba771aeaec3226fd369b47c8c01b32fb1b0761aa2fc43a4c8eafce45c86b5db78a239abfd11f8437d3d063284d194be6e098647f25b613f3612b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
169KB

MD5
986a653e72e06f903ffcad6af9c5fa70

SHA1
da4daa317be07a4c67e9e5ef5c4b80bf640ec0e5

SHA256
fb8359eede7b14b0eccaba95a1b0dd9c5df7b3f14f364546877f6adf1c66d1d0

SHA512
d550b01b2368d6491be897ab2f13ba64e4e830e5ff2c0d1bbf336e005a47fced47b50c919bfce66f5af4d068b3dd05a972d5c04ab309dba4fe8681c3567b3629

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
18KB

MD5
5cc0950acb8667f12ef2c8fae95cbd7b

SHA1
ce53b0c72d1cd1d37e828f7a8787a6ec68957773

SHA256
a080acff285a15e4c57e4240283731d16eba39e0274262aa641e9f65038bbcfe

SHA512
6498f7be07ae1b96844c4ffc16d38b4f6d3905744654f75f9807dcb0da492897be914c39938d954a68cf3511c04dee50dcb3df38003aab711ba199988fe7a1f0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
58KB

MD5
b9db35b4110a823821f59bae4b1a1c6d

SHA1
b6b6efb7382258c975360e74db359c06918a5257

SHA256
5bc2dae72092cf317debe7aeb4bfa8c9effab3d3122de249d6ff40f1140c922f

SHA512
b9b5cb9efa7b04c9e2380c4dd8486bd4543c71a678a5ee4123abdd51f31bc4c217df86c3973f2b551624cdc6a7cddacf78dc1e74957dc5e769c8897184cd19cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
ab4162ae3db4e9dc34a9c717b4308dfe

SHA1
305ac226c70563f99d1824b47a3a1a312d19e718

SHA256
ee9c4bcd48063f4f650809e540fb69f64ab51517e5ab4795359b8418926e151c

SHA512
9b1f744505dabc5c6d960a2eb5916cdc06589fbc95d3f46b2792e179d32bf2d60e9bce1d0883137911df287fe8330d2fb1dd3821ba51157da28136b23029792b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
16KB

MD5
b36eee74c31a4e50e569979842eb08bd

SHA1
8b80dc097338de69e5a61ee68ee10885b962838f

SHA256
8d9ad712e3116667889984fddd626667b0180272cb151bf5638984c975d351aa

SHA512
1afbe7f92b664e1bb12d4edc2d88178d453a88fecd823ba9d4ec0c516104d7558feab6602ea3e204733ca6e47ac9c88779bb0bb7616ae97fb1dfd131160636a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
68KB

MD5
03da9afd4ac65e2d858322819ead6708

SHA1
5b2fad6efb6869c64b7d0760db1978d22dcc8126

SHA256
c51a0977833e5032522353d730e6b612502376cff000752b7e29f582ca2b9684

SHA512
ed5dabb96568f83f69e870f28cf185d013d8e2ff830969477af64536c718ed0f46dd556b9af83d18de78f562d1b4eabc2699394272a1b01463fe2feb6efc8383

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
14KB

MD5
11b2b2883d3eb384d4119a2a7241bb9e

SHA1
13d7b4d446cc015867d6966d6b3283fceb36f841

SHA256
067f89f452f755d0205c32f837fcb56632d9f649256965cacaf5fa5744174890

SHA512
8d0746a5c063e4f45ced8da9a3d9cb750061a6beb755d4c467f0a67c6a268499134364fb14e2ffd85c61061ac5eb159a2ad5ec0f78f5fecf2d232c5c9bbfcc26

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
151KB

MD5
723ae529793b8b1b1a55bee58945e443

SHA1
9398367be0cc0cfbfd4720a8b150a4b577bc4566

SHA256
1f080a48884e0ec4270654c45d2d72cc2190305ea61ffd595e7ac040d54ef6d1

SHA512
faf79e5982662d49dc92b710d9cfe283d678b186327d96d23fc96b94366ab7145328c57212c97f8f04ff799d141c8c2952d79ac06f469a0d3b3a85ab2f57cc2b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
310KB

MD5
a9e9101dd6fd76934623431374401229

SHA1
d2d0525166c1ab7895c982ea6aa215a3c2c0bb6f

SHA256
2cbf0712d649235768865f50b4beceab1f578f576b7a55f45259170d44e6c43b

SHA512
3c5b723337768d44596a7605ca1597291d54407f7132b4f6a65333b505d2f4c03a5384c6c79636b1b72d632c528309eee6cd120bc1fb8978416d52f101e8b11a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
2e66e0451c10abda41630e9a57d1f63e

SHA1
cf639ac777385af09a53e3f46eba16b3fcc3c97d

SHA256
331428e0c74925bc836296ee6713b9e3a1b254e8a7dfd2b699debfa201d90cfc

SHA512
772b33dde532f54b518396eab6a140cf80d863a402800170905f75d0d0e0b5c38faa17906791999d28ab1b04713d74efaada820bb962b84d3b0f878accfc6e2e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
179KB

MD5
a9540f6c0d6318fc84ff1f5838943ece

SHA1
27f7c984632c42dd89edc32b7dc041e718d9f06b

SHA256
9733c011908451a3c43dc3fe35b0da4495d66f8bd375a677ec4227ccdfe20c52

SHA512
a3e869b16b6dca90b1ea15b6fdcf6b527856faba06d5f7e18ca844ae1a85692e4d0316a90ba51d99376049162978bf0f9eecff98192575fce75ca0a6569e2d81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
89KB

MD5
0c4a682edebcea72c6b74ea6e0a8b575

SHA1
968b43175dcee14069a228d439ac2e569f9576fd

SHA256
df6b8d512cd8f8dc5502326fbfde1ad261e9299f2d1e5cb0f59ae53cec1d496e

SHA512
e76eade6acd4f90cde08698107069e3b464178a83b76997da74286047fc262282dce248bc4cd9ad80a2dfa0373a2a961ccd47a0c58533369353980c66307b6fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
205KB

MD5
b7431b3f79c0af3477a116555293ceb3

SHA1
5fcf6b928635415b7b82d8256e61d522e3f76e5e

SHA256
7a4dc4fe5a34cfad38d67e0b2c814e643724243291424308d20ae9ac0b6f5f41

SHA512
43c43d678ed649cdc72d9483cfbb9d4a11943655958975bf577a230ab00451383f166764b1bad28aeb976f5767a454077c3e6269960ad10774a126c77d8b228e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
418KB

MD5
3808bf6dff585f1a49f940e7b24695b0

SHA1
1394dd025fd884674c08280ed99d1e3fc1bdb535

SHA256
003af073f96db6c51d9537a4b0cec8db90853f692f067fd74c910c3c87bd9462

SHA512
ad4acdd33d704e12471265a3a84f216a88d1edb1ebdd6b269985c1896c977f672fd0cf85424bf3bae3e970980f3682188dfa7cb587a6859d8ee32c49dd63a8c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
118KB

MD5
d4ab558def4497d3c6430caf66e3e152

SHA1
4e0a78395571ff4cffe8035e9636df21e2da80d3

SHA256
9e4940bfa69766505538e917a2c488f99c9a426fef41c770ca027f840634e00f

SHA512
e73c68839fe1429350a90a1a0e1e0441dea3824e6309e6603dc08b704430fb50200b62501ef45f19ecca263987d38f91e633d367132fb83ba3dba493c6641e5a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
257KB

MD5
73509e8c3381463db144603d343a2386

SHA1
f78525e405c1af4d8a73e106579a41efab19e84f

SHA256
195a14ddffa757fb1cc263393593b71df96e55adad8840c5d2bfc4a605895c0c

SHA512
d9cae883c7a83347ad96effe958371371ee4f7b83b30e6221a4ae6504291a325d71c3a18883c85c8d59fa3428d702967b471b6709f53e4fa39fb920d8978cf3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
56KB

MD5
b8ff19c6b4975c794a5060ba7f56fc04

SHA1
d5cde85d3e689f840f9567281d4feac8dc55dd5f

SHA256
e4d6caf54186c48504b96c9c411d39860d0c185a811533cd9353149b73b43a10

SHA512
678956a47655aa588d1cdc1a4c0aa7b5e412cb51c44a6cf59ab9523d8f6f766182adc72d9646fe09af32f6ce4cd76042ca902fcfb4a5d184f52875674bfb4a47

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
124KB

MD5
474ec41f52962cdafd5a0cac3c0c62f7

SHA1
ba00d37d21d63d3090a59cb49406d5edc55118e4

SHA256
8ade4dbb24b4de35b851ec1682a23ab274b328d1a0b91cb3c4b45f42405d4147

SHA512
6fb31f3acadfa2ac47442b6c40ca7269bfe9b88f9b5dfad91743d2783fd09f5cbb3fbb5a316a24cd4acabc8a2251b232d270a8d5d71fe8d4af31a3c4c9d8ab43

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
92KB

MD5
acd72e475d49bb7dea130467c73d9a16

SHA1
8fa0653dd5ec63cab55ad3382b7e18a9c2b3868a

SHA256
73b1c5cdef621c3e8f02abaffabac86b64b53989225ab4e17e661217c8ea3691

SHA512
d0cecb35bf81a17b3d623d5d04235608ea946e669ed068698d2a809efc0bd6e5c8bd9097b6a93c4e787784bec0a7ffbb9a5b64cb73555b92a85edaa008867bd7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
208KB

MD5
728da49ebd131ac664ebedb4b87ca682

SHA1
8ad8596ba8d3babdcd435925cacd8dd65f4eafdf

SHA256
1f05eb40aba763b28719a687476907c16056619f4803e697503f311863d8764f

SHA512
2f1e30935d337569d0f939b001362ecfeeff1a63b575714fae88f81fa46dfd6fa6ad248123fb5b501197094b1fa6a2160450b2fcf7dd2a36960e65ffc32e1bf8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
18KB

MD5
0d9e443c5555a5cede89496f6fd59ccd

SHA1
eb788d38c47500772c9e2492b2c226212450cdb1

SHA256
0b383a269b9f9f12d024a7797aba813a173ffe99e1db825b805be44ce6a99a54

SHA512
162262a40059644d6f349f8e991dd19c6192ee4d045a5c3c6d97c2925ed046cb17fdbc807e47d67e55c8e6fbfa7ad3f74b4185e31627537fd322e8752f1f621f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
88KB

MD5
5dff9b92e77b83ce832bf7167030e159

SHA1
4698b9761616e8f3c76f87317a832be094af5049

SHA256
22c9dad40594568d055c7e028f1b0f4cc80e1268c8d495663c6c13038d6727e1

SHA512
ad5ddcac843234303b80016b098393fef9ee7a3f668dc95007679230aea7a0725dcecd38e67dc8e51d93523db232e2bcf227ded07de0a949991487133f238ee8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
213KB

MD5
6637860c49510cb03c1ab40b64d60758

SHA1
74e7f9814cb0a93b2f332193c98445c9ab644f61

SHA256
bb44ccbb251eff94b17b3ad717eaaf82c7b2459da6c0b35801f9d328595e6c08

SHA512
3a40a0caecde85f409ce4d25df90a1933425c125c1192d72c2a0b127f8816ef416d15a8930127fdb7148e790673ca7e7cc60c1014e95355d7546311748229058

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
195KB

MD5
711fd6013cc9b794707e19cce1d8f1de

SHA1
7e48512b3bc38bc6956598a14fee9357cfd5cd5a

SHA256
83c39c3c1ec733f9523bf032a8cfe2559e9b56cbca8365442fca113e58b31b2c

SHA512
55797864c85816f787356dcc0d780c7fab23c49baa6b658f9660e795e6af1bfba7deec6101101c29717209146b67145c3595e57e462aaffa8a7dafad16a19990

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
153KB

MD5
9d58d69f47fc52dd656a4a345da7fb37

SHA1
328fa40ec49565fba617e3ae97ee5d7718080c73

SHA256
892a87dd6c641dfa81c62a9db59acab5c0f8ef9e43faa30906030ea77ce702e9

SHA512
2a868b219a6677b1df0ad28025c7570322181c6f6b9d2a6298bba030c5b64c144fab616364d1ee68f89a5fe7440b6bb60b81c85c8d1046e844d15c6298df29d9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
290KB

MD5
7a38ff34d670a06d557153bb869026b5

SHA1
fb49feb4a5f826cd6f3d6658ac5fa001c9966b01

SHA256
fc4e0b6e5ec24a8050ffca778cd9a82cad70f685c0a89874468a2b75ef9479a2

SHA512
0ff639aefc6a089159341814a56b4bab22c229702bcd5093d6f31e455d8fa2cac0b118a92c2ccda00778a0f702b4c3ed092744a693d7006dba9a3b6208d03e2b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
197KB

MD5
a521c9aa8d19d98264838b755a2f2a33

SHA1
1c5f75970b083e7f1b9b6668fa60dff2bd5e6c83

SHA256
b6798f086596a42e58ec6857ab13d36a437089ce9fdfc93dc99052d9603c9142

SHA512
166764415f2b107527713ecb6f208357d7c3051e902478b7c6aaa4f59618e7619501307342ca4a2859871f280416895c799d54bf067e21be7dc947c254c6e7f6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
199KB

MD5
d290f8cba334e650a49e72c3a5e37cdf

SHA1
002cbc2e85d9520324f3a37d70a676c3f1d30d11

SHA256
1b4b4c1737a5ec5eb501d06bf1202692396c2dad9b26b8ef63ed1f8058ad3460

SHA512
177793884c6c75ff0ed9749ebb7df63a0aa9aae17bbb37fc793e55fa404ed53fadaaaa84d9ea010215a99be3db3927fd7b4cc19bff70aeb0fa3d6fb159f6d2ea

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
59KB

MD5
8fedf1cdc9693f9cc1e26d292baf3fa6

SHA1
ac7b3fc980b34611b21b8ade4a766d18800d6f3a

SHA256
3e0cdce6de4109f0e3f9a8d00db4e0bc685ef0bf5905e138b7033f147ca9e06e

SHA512
9fefcb3a51b2db27a72305a3ad6fcddae915e93eabcb676142f221cfe558869f7f6e33daa995992056933952fff345045549bee3b8254d4ed6d646549c7b1144

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
110KB

MD5
5d1019659e7c3ae834205190e6d92d17

SHA1
d44150219b1823ab711e959dab5a4bbee4f23390

SHA256
7bc62b8778c2742677e72040b6a905c422e2d48f4042d8559f9d0b6e0fb625fd

SHA512
e88188f5090b11bff388ec50be87c6d3649b04f6e3632c4cd2ee0b04dfdbfd5bf79e3557f420d3186dad17b00010bd3631ed496cf1a807b56e991f15544472a9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
90KB

MD5
0a650f3b6b524756ccae14a2570c3993

SHA1
b92651dd12e3402888e7e473966c65eff78ac306

SHA256
8f914aead2559855cab908ff9162e06269ff0357d4c24c36e9fb3772ca490f4c

SHA512
94a9f2a7907bd193584d41c976fbc69b71e6308ab2dae81c7b748e535feb91976c1247476c6c21db9cbe370025d77ac2c3260fd8b35e454833a8f395f387ce8c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
86KB

MD5
ce60fc1a47371f18cd810cfcb8dad5d9

SHA1
3ba286deeda9e9d27fe50ddffbf60b2a2e2b291f

SHA256
60fd7a4e461b876ded3e7a4214dd568e1ceb53aa1e21a9f66a082488c780a466

SHA512
98189930ea46e3136f5ecb8bdff2515261fb9a24cc2d93ed4a282339d2a8fd35ec3a68a3689f85c49f881cd0c41d11aa8591cd94ed18e9789c46bf9c8857499d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
104KB

MD5
a260115e6fc5fe9ad9f8ff750f9052b4

SHA1
a7686d0977bfbfdab18e69df0eabac4506fb24e0

SHA256
08666990037458496222e27a2e3a28ccc8dea4f774b88df3b103b4365423bc46

SHA512
148c47a13e072cecb4923f8152a26de2f6e7f015c242aa58d113137f589142920e60892bb189f42a7239f2fc35e78ff77dfb9de865d8046515637976d545c694

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
100KB

MD5
089a1654e41aab1795548cab4bd51569

SHA1
d3a259505d28bed627455108fc37598e6790ca38

SHA256
c4c6273e4842ca50750783ef437154f83e327d3ef35d9bb52cc46f550919149c

SHA512
eb622123a3732935fdb448e2c9aaa2675be53bd5744ea9ca48b36613aadaa1efea5ff981b5ca96c42f9c8dc278a7c3def36f8e448e8f31e2a942e45f7b74ec19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
165KB

MD5
175940a5089dd99833ee82a9da43d370

SHA1
3e4d563a2079819fd1f37117182caf0d2057ac74

SHA256
cf3fe86dd748c7ed97e3040a9919eac5da70a791f20387e002a5fdb60a611a47

SHA512
c215cf281a0cc405f1ebc22e5a0e343cefccfb42311cf29f2d4dd263ff5bcc91bd0bac2d0156bb08b76bbeb713887fc6ec6afc3eab2808d1ce2d9cd3b47186fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f855f48df35d58e2a98fd8e030565a0c

SHA1
6a3c364466a29450125c0d0c60ebb50bfe250d28

SHA256
3e7db31f89d1966b31ebba0c36a5a699726cce38da239108e8063417aed065f0

SHA512
12427b5e9400231ef9ebf6309267b663d3ab4c17823d5be5f5d694e3f895973d9f401402d3c3c4e29f7c924fbb1aec2105af46767c0c7638ef0428793d3086ee

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
e0c4dc933b593ff351c3f884d885dce5

SHA1
4796e6a3f2d4f756352ef9eb57e03e511daece78

SHA256
b40d00db0ebe06a5ce028db29abc601a7e193ac76a202ca25100f5be52ab5a4e

SHA512
830317d5487f65522a31ab84892c861e0a72ac59df8d1e5bbe4233f1e7e0b9c2c469d59d09d1e8b1414dc51affe69e1de2691a637f40b4e5864791047d99224d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
c02643cbcee18d1438be837335846956

SHA1
fcb765f9e41fb5af2afb2e43a9724273eb5fd604

SHA256
e3e057720f56ebb3b410e7633ad7446b900cc70d3ed5539cec4afcce9a3b7e06

SHA512
eafc8492be9061549e33a25c2801a774d49c75bd50244ddaa48db7e2bad9cc6e22cb1964ab61d90f0649e4d3c9ec446d4427c1562202ee6cceb8046697d13b93

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
102KB

MD5
90995d179d15cb554fd8531fd377b37d

SHA1
df428402ba36db2c8ef7f79330e19e5ad7891c30

SHA256
757b763a793624e2eecfcb5c2fa2088889a1ec1380c80e82fce562ef0641fa0e

SHA512
731b61c31659396e1bfc8c17c231895f458ab703d28db6577636ffbdd2d3ae76bed8e19bc2d9e70801bed0e081f70352d769ebebbb4a46ea5a148f99d74e5a5d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
8808690432c54e05211d6fa3f9c7ae30

SHA1
7cff8a6140f4ba636b5e0485815fb2397e6919d2

SHA256
8f1b91615da3f8181d22e98dcce927a3f25a013eb5a06549435475d9fa45aaa6

SHA512
825e9a36755fa8176cc54864d6aa2533ce57e4e46ebc4e9a19fbbeb1e0666cdb039ff3987007ac7db4c190eafc82a886e2e3b08fe6599162af35bbc69ead7a71

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
0ea5c7c806ac4f0af5b4eaa37bde0692

SHA1
0b785c2c9c583b1d531941476263e062a19365ad

SHA256
8f93c1fc5c79793975a71f2dcf9bc9301787d2594e232073c7f79df915a7c028

SHA512
2594f9cc26d21f6a1f9a70f51f14365e5420ae744924911f942c0fd83b26dfddf6ce379520e558148885952e93ea7c5efe3f206b0eb09b913715132060335124

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
308KB

MD5
f07041b53aeb0b188da98773ff8125a0

SHA1
1c66c1b0a96656a37921bf42e489df99fe68c22a

SHA256
cada567528214acad3357e2b74080514c40cc35f744b102e4674f472b05987dc

SHA512
511f7ecdcab9b740a6f6f018272427ce4f1a72063f35a65c6a4aef0f14c67ebb158ef0e4b16543b8ebad304f7b9bba005c4e3b753b1f271d9efd56786f6acd39

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
ef39ad4a5ded300c022d2a1badd1fb25

SHA1
c6bf4c306e55f2cfa68fe4cb2b1efe003a8e682b

SHA256
b4c179030cba3422f8d8afc423bad81c6d284359cd9384736a460b0290ba81cc

SHA512
ad3c2b4d38903b5cd2a0356dc610c604271cfe67c2b70f8eebb8d21aa4a7683497573a7dea920ccfaeb53a7dcb437651f658a7172e737eddd3c3ba77ccecee1d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
295KB

MD5
da0e0ae25472b976c86dedbd5a120bce

SHA1
28bb864c9f70c5a4baf0e05d9dbbada1f7c9baef

SHA256
b1edc2323c80eb936bcf71aa6246eab0c0548eaae336a2164b17e54cd7cfb9db

SHA512
762987c285b11ba7912eee9005bd547b64303267341e660088c709617700ef9ee9d5f5aaa11aff84d34f04dbc9484a1dd47509beedc0f030137b65d5be71adaa

Download Submit
memory/368-328-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/368-174-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/368-256-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/368-250-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/836-295-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/836-292-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/996-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/996-121-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/996-126-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/996-269-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1032-353-0x0000000073AF8000-0x0000000073B0D000-memory.dmp

Filesize
84KB

Download
memory/1032-453-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1032-464-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1032-330-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1032-320-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1032-329-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1036-526-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1036-519-0x00000000726F0000-0x0000000072DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1036-456-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1036-465-0x00000000726F0000-0x0000000072DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1036-461-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1308-98-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1308-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1308-133-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1308-103-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1484-337-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1484-419-0x00000000726F0000-0x0000000072DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1484-342-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1484-367-0x00000000726F0000-0x0000000072DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1484-429-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-284-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1584-351-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1584-350-0x000007FEF4150000-0x000007FEF4AED000-memory.dmp

Filesize
9.6MB

Download
memory/1584-472-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1584-304-0x000007FEF4150000-0x000007FEF4AED000-memory.dmp

Filesize
9.6MB

Download
memory/1584-354-0x0000000000910000-0x0000000000990000-memory.dmp

Filesize
512KB

Download
memory/1584-283-0x000007FEF4150000-0x000007FEF4AED000-memory.dmp

Filesize
9.6MB

Download
memory/1584-405-0x000007FEF4150000-0x000007FEF4AED000-memory.dmp

Filesize
9.6MB

Download
memory/1796-417-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1796-462-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1796-444-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/1796-463-0x00000000726F0000-0x0000000072DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1796-448-0x00000000726F0000-0x0000000072DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-30-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2056-12-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2056-16-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2056-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2076-260-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2076-261-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2076-335-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2076-270-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2220-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2220-249-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2220-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2220-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2220-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2580-442-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2580-307-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2580-315-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2728-172-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2728-74-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2748-301-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2748-139-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2748-148-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2748-142-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2852-509-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2852-536-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2856-299-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2856-302-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2856-303-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2868-113-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2868-150-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2972-247-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2972-314-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2972-160-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2972-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2972-167-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2972-173-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2972-258-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download