606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 18:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
Size

1.6MB
MD5

bdd9593d3d1003cd38c96618fd4e5590
SHA1

a8f0618f12d0ecc4d75b4b6a3791cf94520ecdcb
SHA256

606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6
SHA512

d6b8c4fab4e54b8fd1cb7ab8e82f8b2a7b37eac1d699d283b1c159b09ef84ffeb23c1a01eba57db3ba7654049d24d7bb6b988d1b159fabab04e9d2f068e9b453
SSDEEP

12288:iW9B+VdGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:iW9BRt/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
464	Process not Found
2404	alg.exe
2960	aspnet_state.exe
2696	mscorsvw.exe
3068	mscorsvw.exe
2544	mscorsvw.exe
1192	mscorsvw.exe
2184	ehRecvr.exe
2208	ehsched.exe
2792	elevation_service.exe
2320	IEEtwCollector.exe
1052	GROOVE.EXE
2904	maintenanceservice.exe
2992	msdtc.exe
2328	msiexec.exe
2392	OSE.EXE
2384	OSPPSVC.EXE
2688	perfhost.exe
656	mscorsvw.exe
2852	locator.exe
1352	snmptrap.exe
2988	vds.exe
284	vssvc.exe
2284	wbengine.exe
2200	WmiApSrv.exe
2704	wmpnetwk.exe
2684	SearchIndexer.exe
1452	mscorsvw.exe
1312	mscorsvw.exe
2584	mscorsvw.exe
2908	mscorsvw.exe
1076	mscorsvw.exe
2984	mscorsvw.exe
2764	mscorsvw.exe
2736	mscorsvw.exe
2740	mscorsvw.exe
2516	mscorsvw.exe
320	mscorsvw.exe
2220	mscorsvw.exe
2088	mscorsvw.exe
2320	mscorsvw.exe
2164	mscorsvw.exe
1452	mscorsvw.exe
2712	mscorsvw.exe
620	mscorsvw.exe
2696	mscorsvw.exe
1724	mscorsvw.exe
2348	mscorsvw.exe
2268	mscorsvw.exe
2788	mscorsvw.exe
864	mscorsvw.exe
2840	dllhost.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2328	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\System32\vds.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\locator.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\35bfbb2bc0d5d3a4.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1F795201-EDA0-47B7-84FE-21921244564E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1F795201-EDA0-47B7-84FE-21921244564E}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000903a93a6bc44da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0f1f8a1bc44da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1280	ehRec.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
Token: SeShutdownPrivilege	2544	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: 33	1524	EhTray.exe
Token: SeIncBasePriorityPrivilege	1524	EhTray.exe
Token: SeShutdownPrivilege	2544	mscorsvw.exe
Token: SeShutdownPrivilege	2544	mscorsvw.exe
Token: SeShutdownPrivilege	2544	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeSecurityPrivilege	2328	msiexec.exe
Token: SeDebugPrivilege	1280	ehRec.exe
Token: SeBackupPrivilege	284	vssvc.exe
Token: SeRestorePrivilege	284	vssvc.exe
Token: SeAuditPrivilege	284	vssvc.exe
Token: SeBackupPrivilege	2284	wbengine.exe
Token: SeRestorePrivilege	2284	wbengine.exe
Token: SeSecurityPrivilege	2284	wbengine.exe
Token: 33	1524	EhTray.exe
Token: SeIncBasePriorityPrivilege	1524	EhTray.exe
Token: 33	2704	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2704	wmpnetwk.exe
Token: SeManageVolumePrivilege	2684	SearchIndexer.exe
Token: 33	2684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2684	SearchIndexer.exe
Token: SeDebugPrivilege	3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
Token: SeDebugPrivilege	3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
Token: SeDebugPrivilege	3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
Token: SeDebugPrivilege	3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
Token: SeDebugPrivilege	3052	606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
Token: SeShutdownPrivilege	2544	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeDebugPrivilege	2404	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1524	EhTray.exe
1524	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1524	EhTray.exe
1524	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
876	SearchProtocolHost.exe
876	SearchProtocolHost.exe
876	SearchProtocolHost.exe
876	SearchProtocolHost.exe
876	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe
1408	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 656	2544	mscorsvw.exe	48
PID 2544 wrote to memory of 656	2544	mscorsvw.exe	48
PID 2544 wrote to memory of 656	2544	mscorsvw.exe	48
PID 2544 wrote to memory of 656	2544	mscorsvw.exe	48
PID 2684 wrote to memory of 876	2684	SearchIndexer.exe	58
PID 2684 wrote to memory of 876	2684	SearchIndexer.exe	58
PID 2684 wrote to memory of 876	2684	SearchIndexer.exe	58
PID 2684 wrote to memory of 1748	2684	SearchIndexer.exe	59
PID 2684 wrote to memory of 1748	2684	SearchIndexer.exe	59
PID 2684 wrote to memory of 1748	2684	SearchIndexer.exe	59
PID 2544 wrote to memory of 1452	2544	mscorsvw.exe	60
PID 2544 wrote to memory of 1452	2544	mscorsvw.exe	60
PID 2544 wrote to memory of 1452	2544	mscorsvw.exe	60
PID 2544 wrote to memory of 1452	2544	mscorsvw.exe	60
PID 2544 wrote to memory of 1312	2544	mscorsvw.exe	61
PID 2544 wrote to memory of 1312	2544	mscorsvw.exe	61
PID 2544 wrote to memory of 1312	2544	mscorsvw.exe	61
PID 2544 wrote to memory of 1312	2544	mscorsvw.exe	61
PID 2684 wrote to memory of 1408	2684	SearchIndexer.exe	62
PID 2684 wrote to memory of 1408	2684	SearchIndexer.exe	62
PID 2684 wrote to memory of 1408	2684	SearchIndexer.exe	62
PID 2544 wrote to memory of 2584	2544	mscorsvw.exe	63
PID 2544 wrote to memory of 2584	2544	mscorsvw.exe	63
PID 2544 wrote to memory of 2584	2544	mscorsvw.exe	63
PID 2544 wrote to memory of 2584	2544	mscorsvw.exe	63
PID 2544 wrote to memory of 2908	2544	mscorsvw.exe	64
PID 2544 wrote to memory of 2908	2544	mscorsvw.exe	64
PID 2544 wrote to memory of 2908	2544	mscorsvw.exe	64
PID 2544 wrote to memory of 2908	2544	mscorsvw.exe	64
PID 2544 wrote to memory of 1076	2544	mscorsvw.exe	65
PID 2544 wrote to memory of 1076	2544	mscorsvw.exe	65
PID 2544 wrote to memory of 1076	2544	mscorsvw.exe	65
PID 2544 wrote to memory of 1076	2544	mscorsvw.exe	65
PID 2544 wrote to memory of 2984	2544	mscorsvw.exe	66
PID 2544 wrote to memory of 2984	2544	mscorsvw.exe	66
PID 2544 wrote to memory of 2984	2544	mscorsvw.exe	66
PID 2544 wrote to memory of 2984	2544	mscorsvw.exe	66
PID 2544 wrote to memory of 2764	2544	mscorsvw.exe	67
PID 2544 wrote to memory of 2764	2544	mscorsvw.exe	67
PID 2544 wrote to memory of 2764	2544	mscorsvw.exe	67
PID 2544 wrote to memory of 2764	2544	mscorsvw.exe	67
PID 2544 wrote to memory of 2736	2544	mscorsvw.exe	68
PID 2544 wrote to memory of 2736	2544	mscorsvw.exe	68
PID 2544 wrote to memory of 2736	2544	mscorsvw.exe	68
PID 2544 wrote to memory of 2736	2544	mscorsvw.exe	68
PID 2544 wrote to memory of 2740	2544	mscorsvw.exe	69
PID 2544 wrote to memory of 2740	2544	mscorsvw.exe	69
PID 2544 wrote to memory of 2740	2544	mscorsvw.exe	69
PID 2544 wrote to memory of 2740	2544	mscorsvw.exe	69
PID 2544 wrote to memory of 2516	2544	mscorsvw.exe	70
PID 2544 wrote to memory of 2516	2544	mscorsvw.exe	70
PID 2544 wrote to memory of 2516	2544	mscorsvw.exe	70
PID 2544 wrote to memory of 2516	2544	mscorsvw.exe	70
PID 2544 wrote to memory of 320	2544	mscorsvw.exe	71
PID 2544 wrote to memory of 320	2544	mscorsvw.exe	71
PID 2544 wrote to memory of 320	2544	mscorsvw.exe	71
PID 2544 wrote to memory of 320	2544	mscorsvw.exe	71
PID 2544 wrote to memory of 2220	2544	mscorsvw.exe	72
PID 2544 wrote to memory of 2220	2544	mscorsvw.exe	72
PID 2544 wrote to memory of 2220	2544	mscorsvw.exe	72
PID 2544 wrote to memory of 2220	2544	mscorsvw.exe	72
PID 2544 wrote to memory of 2088	2544	mscorsvw.exe	73
PID 2544 wrote to memory of 2088	2544	mscorsvw.exe	73
PID 2544 wrote to memory of 2088	2544	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe
"C:\Users\Admin\AppData\Local\Temp\606fa8951d5ed3e948bcc5d3838bd2340a30eccbd1798837acc3eb2a912bb1f6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2696

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 258 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 254 -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 184 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 248 -NGENProcess 270 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 284 -NGENProcess 1dc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 1d8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 1b0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 258 -NGENProcess 298 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 270 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 258 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 290 -NGENProcess 298 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 294 -NGENProcess 2ac -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 1dc -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1c0 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2184

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2320

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-452311807-3713411997-1028535425-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-452311807-3713411997-1028535425-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1748
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1408

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
173KB

MD5
3264ddea858a11383e487ac7a835c0b0

SHA1
c92a01529ee171114a06b4128f13d86acdf8207b

SHA256
3026b09f82468738e1e9be8479502b1129a15f32d53e308fddfc142978c74cc9

SHA512
2a52bf1eaa5fec8de6a8906e3293e0cf35b497dc3a81fa87f2decdcd181f904b669b0d2f95854c2b2cdcfc5ce426cc36b17af55b876c240a25c8ecb2458cb43e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
79KB

MD5
b19fa67627261bcc48eab653eb12ea1e

SHA1
acd1a3f989718eb3bdf829fd6f1026a2d1f27647

SHA256
0b4407a851a8f18859e4e2918ac7503b554df4b823b5fab810994b479e6af26d

SHA512
82967d7cf0e9278c3c51711589828da55150cf3b07604cd13707ce615246bafc8ac4887701ebb3bccfd132ec97f4ba13dfd3da39ce407179b5fabcec7cd58b7f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
35KB

MD5
42f6ef063259c75cff371f9bb7a2cb00

SHA1
1dbd0337ad7a695e07eecc7195ceac1dcba019c2

SHA256
d620955d7b1ff915a74fa00e588001f48fd87b24b158c896e71bdba6250b9f34

SHA512
a850ae97dcbe40e53c57fadabc3327b63c7eb76b720f3fc334ce102af20984d3183bd70201c6ef4d7e814ab50d0838e9ff4f503743d03e693bb80ce34d9af188

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
95KB

MD5
cb3335d47273fd924a84fd557fb0d7b5

SHA1
b293f38ac235d82e6a94e3db2d9a7fbb197ed22c

SHA256
96b4b3c70d6f14a89d2f1a3de515842cf649e2538eabf90ca6dc20a5ea1b8ec1

SHA512
1c2e825626a20a26b5f3a52da47063c748cd11177973055fef6155205cff7d2b7fd8f948750646c2fab1cee743ecb3621b6fc44ad6a21e74b03d1e10c7d3e42e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
168KB

MD5
d3488c69ba1d6f8eccbaf38d33b9b7bd

SHA1
70f183f2ca5fb5e632e5e3728cfd5e0a9162bad3

SHA256
ebaecf334e7a4890ae0c7944fe3e2181aa783462f679b5466de2de489ef8025e

SHA512
5a278e8b97a24d420f32d079a9c9f8023d70fb8de850700f12e781256fd593909181e97c0e93d796ff90a5984b7dddc5c8307a2a852871d39195361ca8919bee

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
60KB

MD5
f6b117e8f964830d73ef8f24a1847d73

SHA1
2a9f00d9a149bfbf17db3f18d5b7a066332832f8

SHA256
f911c332ce5b003bf69410c244400193ecb2ca36310fb8cf12fb2ecb4467f284

SHA512
d17493ff4a90178f2df1332e1949d2b991d78f3c9924244931ce76c99871725680cffa68c419307da8dd0692fd319d6edab6eaa64ed79544c44a42ead489d5fc

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
140KB

MD5
f5de7039c555f0a5edcebfcc51a5ae20

SHA1
426bebbd88cd89a85d2d9f4ae7c7a61c2d76c0af

SHA256
dca16abf582504c1aeeb8d1bbd07304acc501324109eb9a3af0849460e044025

SHA512
67d4a3ad6f34e34e8ca8cf34b95c3618783f3eaed0002d3330f8efcd40b7457b193f9e4f883370087a6272180480bbec726a6a7f260991abd5d19321672604ff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
169KB

MD5
25a9a958992538ad916e9b6dcbba4a76

SHA1
5048639b534d26ac8b9f1306e9e3effa01a8d32c

SHA256
8fa44667bfde5a8f28cf03c72b702f3e7148d075896e13d439f863b25ec2a6bd

SHA512
665db904f831b6fa15bdad1b8fafaf24c4f62e0a5600238dbbc932470931c864ad3ba01713e19bf45802392523ed4157681d0c6e9c4140e5eb77dc3b909f52db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
60KB

MD5
b8423d97c4d1bc74f6d5ba983097e672

SHA1
29152bdac754ea4f46a00cf6818bf9571e77c8cd

SHA256
c3cf1fa75f33018eefc7afe331df5dba85a0481b6e00f69a66f50e9087d76580

SHA512
4300aa0e019e6107e749580eb21a57a86317243e7cbe7290496c52cb583fa961ee8d4dbc04167a4be821ee1df2bbdcab6de905a27adf48ad184805f150c99af5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
24KB

MD5
1b6c06ea2231a58473f7ac74717441b2

SHA1
3de531d48064ceb489d2942cf7a9800ff475ab7e

SHA256
1ca7967d386b5ec84fd26db8fba76f4986d08086a08e9b7ddb36917c32b7eaa9

SHA512
df4aebfb372aab95e0afc5b814c48d473510c43754ff3d56a2ba3b5873cafb607808257546475898c226020fcf54948735b492ee2927a2335df6f8c856b65e95

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
970KB

MD5
c48f46e9210b1f018d8c49eeb261a96b

SHA1
9705414068f8f8e2687d7cbfb117dda91da6c851

SHA256
ad972478ac96aee375758a14a737ad5aee846f8cf38fb8c0090ab1ecd93f6001

SHA512
1d32b845bc16d24ed6ae5731602d8c876c2e62abd838aab978704965b4f1fdb9d8d8944880e2e1c92901e791f664184781a0c52b4036b65258a3ca7866c1fa9f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
16KB

MD5
7d9d9e0ad74c1a566d12887110bbe6c6

SHA1
f1a9e881ddc8f249bd341f0739d93afbab3f445c

SHA256
98a59e3ba89cbf1f2fa1d5a7b2550773e14adbebff3240624cbdf2216c0433ea

SHA512
3351326ea2d39b0800df983ee50195630385741054c4fea2af4405f64f45b14e5edd99ba74e7b2c2b465c311b86a0c239dbdf2e9670e25667a72cf43f4ee8145

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
57KB

MD5
5c211ccaa40cb9cb82bcf7e2ce35e952

SHA1
5e9611968f265b8f0fe1e0e25d6440ae4481a18a

SHA256
f038b868b89b1b1259bd7ed6fc3d3b1772f925b055f8a2e14e4b89537681f9fa

SHA512
8bc61434a22483229750218ea27f8cfcbdac5223f7c925ba5774d64f60b40b61db95369cbaf79cd9adb2976e04fb8aaa919208c2c1c724460f867d85aec1b818

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
739KB

MD5
87fbc7047fd6cb4e66cf10d4d4f2264e

SHA1
639ecbcb329fb7edf41c6be4969b8d6e6d9f9c94

SHA256
82e0dc1cd33015972abf9ad7a999f746d783b45d379789e972c7a1a7fdcc4766

SHA512
175b95363800ceb99463676354fa5cafcd6ca0c5a11d189251d7b7daa82cf3a4c84192f5a65912e125416b4ac2bda0eb69cf61dac893ebbdf1922f1782b9666d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
30KB

MD5
dd9afc2121a482206fcc8092ea0fef37

SHA1
aa72c1c42ea2a5b50106a7bc19693932cf15db68

SHA256
a729640bcacd2e2a1626637255207c6ef0bbb80dbd104b43ee78ceafe61fb46f

SHA512
161397bbc76bed1820f21c92f1e660ab59d7435b1f2e685dd5eeec8cb71d6f7fe4168681cec06f93fb875dc6aa95f479a7c9d8c2d798850f7dfe50d55ae6d8d8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
14KB

MD5
5b930948ed2e8c05103f0801b8bdb702

SHA1
4651268c3226e195b5e72e2d14bd96f23f2c3caa

SHA256
b9878e9207f56f9dd22433d551c2a88384939def10eb82cc040d7d5feca49c2f

SHA512
e166850abece540f8c029cb28cd12e897c196be648c2ce57e41de4ee38cf4f88a22581892e39ef044261af90a020608c670f9a7b88dd3ecf675ff900c75f4cf7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
204KB

MD5
02e8866ec28491c67ab88cced6c93930

SHA1
a459b9d3dc47ca4f3038487ba6a63ef93b1b7851

SHA256
09e9ea238fea7ccde7c6fdaf0487385a041450707eaf53f28546e520f91eaa51

SHA512
15b57a8e4b3d8dff69e3b332fcadb83da7daac99d0641a8d409a817788d231010d8d8745726ba52cbfef6b6ae47905ee5a104ae05fc3d21674fdbf6be0395aa8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
55KB

MD5
3efaa24f5ea443602bfcd51590319b78

SHA1
f2d96c5a49f074e827f914e0730bddf90c9f9e30

SHA256
d1550e74fb10892ddda88c838756a933643133630c2cccd324e6ba5df2c3c6df

SHA512
3708fb6ecc28976f293bb8e1357ebcd87519725a24705c1fe53d1fc3382faf2edb7baf2288bba22541810bdbdff3f88181367f5722453325ce42e68b400100e6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
211ee6fb3e8b01bd6697b27cb00fad65

SHA1
5b53adcd2e1bd7161644063eb63bdf61da991c24

SHA256
0ef4bb3c1833a72d5f03286d6597a385a16ed7a583bcf5c3704866e064a3b3d4

SHA512
bafab5dad21ab05ff19af28ced5c0911d8b4838b7ebe54dee9f742a173548b41f961e026ee94e8470dc057457f51787313809f1af0b460e515ae548c85f944b4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
8cc6ec3d17be64855fc21b34cc0e905e

SHA1
e958cad3a71e1243b7f4f86631e4fae01dcce5b6

SHA256
97267a3cfdd70a19aef685eceec40b1872c67261beb8937fc2dee1327a8c0ab7

SHA512
0f73f9c326b3f876c5d882ab80e063a9e191c4dfd3fc586d6e048391a28923a11fff6033af1e04b00098050cde581b68c51500154cf9189fe609355a0c8454cd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
1907183c3ef56032bcb0498dfc6629a1

SHA1
8a2e71bf1853c4e84bb7095985cdef8bf3fcd419

SHA256
6a5491330a2a77d8828392f6417f1b464318b28c6cd9c80789026750b41a7935

SHA512
a1152401a97471198ecefa3b4e2eabf36ed7d02cd314551b4c415faa8e40582f4420a263528b9ce012a570073d1d5595c05e1f1ce59ad7b527d202543131b2d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
113KB

MD5
33a60ebf1e5e0e94c96028cc70b997ab

SHA1
1104b158fffaa7c1c9f391a85381e3b06fb9fd5b

SHA256
06a736506193994dddc3748cef032b0eead9c0c608aa94b97b0d716ece2be473

SHA512
8e166edf0b8d5885fec015d877d0a219cc6947260b1fea7a8371bd4585c4e59841833ac243614f8d66659cd3891990c596845ab7deb06bb9b04eb959c238ba66

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
3628fc8668cf3eb10869fc8f2a3fcf12

SHA1
5b8f69dc11e058f102a46dae22768a93f1837a1e

SHA256
4f373a484427ecccc1474e42d8b36ee4bc428806b152da7af3a1cc9b0bbddac5

SHA512
523dc6870d8cb167d0ecde86ed28e78998625954c78feec438eb358407df4df47c48bffaeb5b84ecda708f6050624c4983846f70fb54122965fbe331d04232e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
a8ff995ad96e66e77405b06299b5e0bb

SHA1
f5ed7537c3039fd4f22f76664fe8bc18a9cd5e19

SHA256
4c38d701a8d707a856d2c706d899619d3b2fa2b7eab966cea4c2296472f2850d

SHA512
b3510b20986033667a0ebb72bc61e6fcdd8d0e12f450453f9c03c86c715b601cb60712922dc3a1b1ba2c0f9e7b23e8677adc641f152b2bcd6c893f5ae80abc48

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
3d82aabe07f8d3b35ab0d77faec46e25

SHA1
4b6c2fe3a0430a3aa10a82a3a759d91f5d904cda

SHA256
07614a591402f35ea93c9bdba729db234192638c580a599d90d60fd93dc12926

SHA512
57b9e7853779acbaeb372fb7da7b8ea25d45a72ed91ed1eb9619ec05214c329efd20b30b4da1fb1974b904aaa807aa7764f1ba0747b622f950c6c43e4f73b284

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
4b9c86c4fcb7f23fe1c5ccc59f31a4b6

SHA1
45db186cec61892936abb0b17ba8b805e0fd6bb1

SHA256
844d932fb84df0d53fba1130bd4f87e1f79316aa84fb8064fa5f3811f89e1b99

SHA512
788c02bb07827197b5136dd83da220f107e87c39c019a4310efaeee41eb3849305aa337ef8e44e0cd8362962ad848da6e71943d3ba476293567c08bdb9ed1aef

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
45KB

MD5
332ea2315eac613b998d74bfa7c8fe97

SHA1
5164c42d68bec47af71ed9281034cb00d1142201

SHA256
ea1ae02a8e863743631ed74adc17a7fbfa3cb146f6ad75e06ed5be9d3da1aa9a

SHA512
d52a03b44cf9a465a696b2d480c4d2c2fc432c6778415371408659d58782733e6b85d87dfbf410487b4b6bef92ef29277870a74d7162bd27341cbd37d0909d45

Download Submit
C:\Windows\System32\Locator.exe

Filesize
105KB

MD5
baf44806e5be4f4747ca1709fe78f9f7

SHA1
0d1411077dc53d415530f93b84042e76636ff776

SHA256
ad5085af48cdbee5e3ecce2b00430c24b7ec80351179da30924ee453b351a4d7

SHA512
ad0bc7cf8d26c23d7ad45dbf4a5542dcacedcd23a707e43a00e2f87aaf44ea5164a813b933579224970f45311af7660b48c5ad39b6a046cddbabdbfe4223fb0f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
76KB

MD5
e5e418b56f9b4c2cc2ffeadbb56b7185

SHA1
2843ac4725102aace4bb78009713d834af199236

SHA256
d90274bf51b0afe0403b12c18f5d36903f6aa7df6341d042432e0c6dd3949139

SHA512
9cdebb17d97b1eef6651d4346cc9c7a7190f949fb38e98085a279ff163fab01b324488d22adf2e79ec33e89b5875b7884d29a626ff9d2c7d3b9f061f7724aecb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
70KB

MD5
ae16d50e0b3e09ba23fc790675684053

SHA1
197b429040c406ab3c28cd103d0cce9732910e99

SHA256
f119ab2c1c568186c9bfb71935c2fcbc0e4591d500e0d97daaac9fcc6c4c21e6

SHA512
8ce68b209cbdc144c6884e4689564521582ef997dee6845d1764d1c4fb4b076f24f953597f6b41d81219df9a810a1a6ea65e9308f94210d149fddfea7590522d

Download Submit
C:\Windows\System32\alg.exe

Filesize
66KB

MD5
bc2eb8225482362636cdad335c85da3b

SHA1
277ce40be1301e4ca7316d36cff73b1284404a90

SHA256
b3dd77acf62fb3a17bb8d221d3fc0210eda5ccf649cddbf0f9a77713d2be1503

SHA512
520102d31e5577d07739de45e24b18bec481b3c109c077cbeecf049f0603edff89620fb0bfde2b7449245e65aa03cada9b7a5e7b4fd7edbf8048038497b29b5c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
105KB

MD5
991b39885047bcfdb5ffaa2faaf2cbc3

SHA1
1455c2199efd261ece1548fddfcce6f5af361f1b

SHA256
44e21b8dd4389b8d2b7f41684bfa74822a103335a1709606605ef55271d93ef3

SHA512
12f51337a011393271ebcd1eba96fcfeffd2a716d556f3b9d96b335ffca10513da1632604150cab0831152a39c0403ff00e2f674a78b98e38bce88d23848ed75

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
175KB

MD5
83269e895f5f6a8b266a1ec55e6cf36d

SHA1
cdb9c9b4a3421298e62fb46651a5c3282044d912

SHA256
089b76cabe178b8d0a8a4940e22d1545a686a2c887061b6e014d5ba654ee28f3

SHA512
9618a544ad6817abf40b627c916e863eb6fa3adec0f803c52787b49875918b00d22aa42b310ef92521a163d62dfd2d814c3412fadaf0bbc0348cc3694ddd9627

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
119KB

MD5
0f4c3e79f2176f55067d80d7611469a2

SHA1
677bf923ceb5eece320603404097469691c62434

SHA256
bb74a85b38acfb9284902ad1da2484ab11dc053fe4df8474ce242ec6827c3537

SHA512
55d51c5f436f9301d669b317eff93f3ad857962f34d955055ad1506f9a20bbdb66dcdd820a3e192516fb6338beb7dbc7ed3132bed292b2b16d57a9ce34b42a97

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
36KB

MD5
00c7f39c93cd6e978c5633429df3f9e0

SHA1
6f53be700ace118b6e4c4367c820fead0b190a61

SHA256
11aefac218ec8edd2ec4abcc87541f973ee3bf52e348cee427e5f687b1a6424d

SHA512
cf3b7fb313dbc99da76bbb9adb8e9dd986f4dd283d4f8f5030242e5661865a22e0c03826d2a492d9e8ed3d8ad26046e83f78ee324697010f2dbe02f9d5f09706

Download Submit
C:\Windows\System32\vds.exe

Filesize
67KB

MD5
c725c589a5797b45faee5ee05d8e8e76

SHA1
4ab301f1baaa1c1e400b29008ce3a13c606a1b5e

SHA256
ed6348d1f875dee0b1f3634f9acbb3f36935b61383ae7f53bd0da8ad9cf1841a

SHA512
0b71bbf50edabbac76560cc42090a94a265ecee487e3cba2e995d4256027b6389ef27a90b6248b0c883ac8391ed9f9aba8ab308c4a4ce7b8ca79ffdb1aa5e6ab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
127KB

MD5
3ba8f59fbb3e3d6da88f0a14d1de0ff7

SHA1
614101cddf4cecb330290fecd6d30d4b1f357590

SHA256
07a2e38879a294f8cc56fd7718d67a8002374250a4b0ef95b667fa57e8385bec

SHA512
e4431426b736c1422cb1fd7e3a34c7da254358e9b2e0c3e5b30be12218277096953c60cf3d9bf3180db176ca5eb7e75a21540be101845fa1407dbae94dcd3258

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
19KB

MD5
10f13cb37730bcddcfc08d6a41ce1eb4

SHA1
7c320058d8228983475a4e443233625fea223ea3

SHA256
ef7c4cf8a79a6279d21027394a73d46617bc0ca2a5d2415acc415c7c9215f969

SHA512
6eff411dbf71ece305ebbfb367b42663aeb1f6576a8f38a81abfcf0f3a49bd09389169e11c01f197cf92285b32a2faed5a136b73ee06f74b0b3443b555530d53

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
8KB

MD5
3e805809dba77294423cd49b0a5f71c3

SHA1
357914692d5b1b6c326095b8d6dd9e5bcade9dc1

SHA256
1c64e1463b5f4580e325d6a9a7b3614b55b6da58b01a31b15de79866e4315f2a

SHA512
4b849a2e41101eb4dd2d16ee347c1a62b2d8bdde76324cba005fc2099336a5e09643477661d940e281a1788c1951e7fb2f65db5a8a2c533c65d063e69bc00a3a

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
45KB

MD5
eb7ac099b9afabbdaf8966bc15a2b1e2

SHA1
f77c337edfee1371e5ffb34e6ffc3948c09218da

SHA256
dd32365649ec28c77a28e6950ad11086b1b528fe3955d216d2b3da04dba2f70f

SHA512
94b445823a300f73367311295965fb3d4b94397f0bf1aa374f6f93a421ce94cfc7dcab14a5903f0c46454decc6f49f8ad9ba83faab289120c13560cdaf0ad061

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
103KB

MD5
36df651bfa3c7f8b7d3c27863dfd2c90

SHA1
ede3629b6174040fec5e1d299a21c541fbcb6888

SHA256
d9c42eb2ee9592e795252a6186363a1e17aa60ad5806cf52f3655f10b1605f5f

SHA512
8307b132d499a3daeff0206d4f6ff103a86d0d729d1b787be7c4c862210841b498626b82ae1ad361418fe854c5a5b53a0292e153d1db2eb46163e612e32f578d

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
45KB

MD5
d8a92228760cfe9956de5e7b2bc84ddc

SHA1
3b355a6132aa6c933bd77261faa0dd998aa61700

SHA256
2427aef2d5d28abb8e5a529a5fd6921171bab1230874382fd30303e27fde7949

SHA512
581e7f71fe56f65e27ae608add5f7572a6c3d7dd4ca24c2eb21aa2dc9ed63218335a3b6d68803b1e272998b0caabbec802a55ecf48729c34bfd169afc4055f6e

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
77KB

MD5
115bec7e27049ff24afb3a99a4d7beb8

SHA1
a797157b6700de718e0b6d9289de41aa7705631a

SHA256
5dd9587366e86975de0ea9486e5742dd40e599dabb003d1a9cc23f470aea8dee

SHA512
7565d6c0c909e3557aec5ddcc580e995f8ddb80cd193c6b3205635969cd6b1f1e212e53c648c7a7972ece1b966221ced4a88c77b2160456121883eb5520eb752

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
121KB

MD5
abc38f95cbce264cab7f801c132c6fa2

SHA1
43623e749590ad2fa4f04bca0147efa2d9e84b55

SHA256
a23cbd09e60c7ee016984edac46a48d417be53af90945aebbfcca590bea30253

SHA512
628369f7cfbeae8f9c389ad9e7d2c458b0ae443683a2453db6d590e0b82b6dd57e106ebb292ec9d4450f5b9814beff993ecb9c7a857931c86796c12363ceb7bc

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.0MB

MD5
bb1e8f22c61cac958b294002412b1916

SHA1
fb687f3e7d6a7f12be376815d2d9a23fc9afe4ed

SHA256
179c438e834726d3d4c02448d00e6624e9f42fb8b1c1511779ef7ae071e5e714

SHA512
42301d5ad07e363b5648e406549992914f7ffcc3aae4b56226a6260c851f03dde6c311a987a8d044e4eb33fb89f15b096f7a7214a008783f5d67c5413b5aedf4

Download Submit
\Windows\System32\Locator.exe

Filesize
173KB

MD5
ebe399539df118962bcd07ce235edfc2

SHA1
86db716e7c568965b9cfd028f04c58dcd4e6419b

SHA256
c3a92037d2d9251cee5025fb36d538753c190115aed3039083e731c6b38d68ac

SHA512
24bf91aabd832d8ccd97aacb94e5a0512f43b0614cad087961dc8a1de3f4c1c22721fab7db378b77f3912e5210cca13fbcab703ec0accf8add28c998424275d6

Download Submit
\Windows\System32\alg.exe

Filesize
320KB

MD5
9f195eb8bcd6217d89c3e00324256f76

SHA1
cd913202c546e90bad3d93098443d23fcc9c3e80

SHA256
19d94d49ca9b02db4cdd1b36daec666d93d49d562f098d7b4bfa73b231d7f317

SHA512
d3c56c48319a5e8c78b1c4cb6244b7ba5bc6326157f1255ab78201bc55167fb4bd861a964868bb69c6ecea1534f396853f5175a3086f5429bef6ed0dc4af5557

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
87KB

MD5
b645df789111bdcd87067902d7c053ca

SHA1
f6beef191de7da2738d8913da8329639c0c3e2bd

SHA256
cf7926b6d22eb5c081ee6809cf93e82c26a66a841d5ef503a8c0a1be533e17a7

SHA512
86cff3b1c7fd20e8d9bb44a996c25f99b328ff521388a622de2367c6856e4a5b5ff4dad838c31e7afee94dcf1e00ca27a51af050209d3cf49b471c078a19de2f

Download Submit
\Windows\System32\msdtc.exe

Filesize
132KB

MD5
a0b15381951ed6343b4e6944db03c35a

SHA1
854c22767c31bcebe0af6b511ef373647a364b4b

SHA256
547856fb358d8743b89a6e6355a2766ba84f084ad686911565b6dc90522b1d09

SHA512
9b7fa28103a4fa6f5352231ae6036a2013c69ecad859e3510efaabd642f52c5b72fbe1436cb60ddb98b20e4e95b1d643268c70d07c508cf597bd5314bdbfc99e

Download Submit
\Windows\System32\msiexec.exe

Filesize
105KB

MD5
d1ef6353c2fa801de757f72c7efc922a

SHA1
bd5c0938148776d2bf5b76dfc7b42ebd7e436d4a

SHA256
d05db290ad0267b6128cf1f0bcff736e0b15a7c5c67b08cb60af35ea598be0a5

SHA512
0e71ebb2809780bc551331603c5fd726e602a21dacff472c60e373d1f38db3f98b68914defb756eab44e4668c2170153a7369ed328358e9e511acc940d6f82a4

Download Submit
\Windows\System32\msiexec.exe

Filesize
37KB

MD5
224f0ac3cae8b80d75e909c9b80f47b0

SHA1
8fb67e82b5991cc5f3da3195b92827cb73655a43

SHA256
f5e3ac56eb2704f367cc2276209caa33d95341802178436cea857d7993317adc

SHA512
cc44de04ff4d79db77bad56a005c4c0b911221d3932aac5c95c85024f513af2e7993230b3a82b3e2b0e9f948a83ac7f336f12390e7c1ebff03efbe941d0a5c69

Download Submit
\Windows\System32\snmptrap.exe

Filesize
25KB

MD5
23ca47bce49f13fb1ac7fd3d53ea76b6

SHA1
d06763825b16923aa0a99f1daa1c11618388fb83

SHA256
7f7ab9f7e74cae98c794ee2da6e75d04902cb12657be766066f1349038b96d58

SHA512
81e2e657d356fac466038cdd22dcec32883f01f34dfecc7bb7078e50a386c655a7e049ebf0751fd054f2947797964dd60dd9ba6426da5715ca6c1a597832b3bd

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
144KB

MD5
5ffe605b44f7297beef740ddb5d4d93c

SHA1
bce0a9b0b98fcd4ee6e1d39c17d8865a96bbbc8e

SHA256
90c7a000ba38016cd64f717b3d37a57612aa5d4395badf8c02ae07217a7f9dc9

SHA512
af9fc7c1bc18a7dcef7d9d0ecbedcd4a52d79c84b12b047eb61a16e3b003f012e9bca5a27528f1d7cfe0c5619a3f9a5df653af62dfe6581e7895d67781ed32f3

Download Submit
\Windows\System32\wbengine.exe

Filesize
15KB

MD5
8d583a12f3e42626ca643e77e6a33871

SHA1
1d52f261025e05447ec3b6eae1d34420da4332d1

SHA256
bc4a0d588cb0b69b836e7b621cc60be6d97270593a3b8a12248ac2ab583e7439

SHA512
65785c4f3fe6b85656732028fafb22e7ef57d59d872b08f27b52c80f8d5227bede42170bc7e4c10d07ebdf6671c08f341196eaba023c715eb355d44cc4c5b2bf

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
20KB

MD5
619ebaaa378564703ebaa4683fd03e2c

SHA1
35438bc33365e829aded2fa332d4af08ea8d846a

SHA256
9d4ade7024283bbdd89282f2391188c4cf8ac8ece446c7cd2ab65c4b847720fe

SHA512
602d08e9c782d4b5c39061ab6ca167716d2e2f104146f8b23dc81c24e97c25da3d24e898709e80e2e89a0dd70d0606953f2e1c333114f4eebc8d60d541ed5640

Download Submit
\Windows\ehome\ehsched.exe

Filesize
60KB

MD5
863c0279f9c53dca200bd666ae544d77

SHA1
2807db515e3ca950a390d092bbecf15416e8f699

SHA256
3d0b22d03c6e2c9a67839f71cc3a8bb33873c242d2ffa5f2d34e20440c39410f

SHA512
9904729279d968e63724bd26571fa40a88b45cf53af0ca3f25e462faca6cb6974c7d2c096c0b55cb6c5e6a1f70238074d20c42967e2b3141d7648761095f0ed9

Download Submit
memory/656-264-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/656-278-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1052-236-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1052-165-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1052-163-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1192-83-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1192-74-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1192-78-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1192-167-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1280-168-0x000007FEF4670000-0x000007FEF500D000-memory.dmp

Filesize
9.6MB

Download
memory/1280-239-0x0000000000820000-0x00000000008A0000-memory.dmp

Filesize
512KB

Download
memory/1280-284-0x0000000000820000-0x00000000008A0000-memory.dmp

Filesize
512KB

Download
memory/1280-230-0x000007FEF4670000-0x000007FEF500D000-memory.dmp

Filesize
9.6MB

Download
memory/1280-247-0x000007FEF4670000-0x000007FEF500D000-memory.dmp

Filesize
9.6MB

Download
memory/1280-153-0x000007FEF4670000-0x000007FEF500D000-memory.dmp

Filesize
9.6MB

Download
memory/1280-154-0x0000000000820000-0x00000000008A0000-memory.dmp

Filesize
512KB

Download
memory/2184-99-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2184-186-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2184-115-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2184-91-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2184-108-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2184-94-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2184-110-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2184-201-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2208-197-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2208-117-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2208-109-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2208-105-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2320-170-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2320-155-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2328-204-0x0000000000680000-0x0000000000813000-memory.dmp

Filesize
1.6MB

Download
memory/2328-198-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2328-209-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2328-275-0x0000000000680000-0x0000000000813000-memory.dmp

Filesize
1.6MB

Download
memory/2328-259-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2384-287-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2384-240-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2384-238-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2384-241-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2392-282-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2392-225-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/2392-219-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2404-92-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2404-20-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2404-19-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2404-12-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2404-13-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2544-58-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2544-130-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2544-59-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2544-52-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2544-53-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2688-255-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2688-249-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2696-30-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2696-29-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2696-36-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2696-72-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2792-129-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2792-223-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2792-122-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2792-126-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2852-280-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2852-266-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2904-192-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2904-171-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2904-172-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2904-193-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2960-106-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2960-26-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2992-253-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2992-180-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2992-188-0x0000000000F70000-0x0000000000FD0000-memory.dmp

Filesize
384KB

Download
memory/3052-75-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3052-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3052-7-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/3052-1-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/3068-44-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download