5d21d242605015dd319f8714aca2076dd5626e56a6241b8b801f272549229170

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 03:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d21d242605015dd319f8714aca2076dd5626e56a6241b8b801f272549229170.exe
Size

1.8MB
MD5

1367f1fac389f9171f95aa55ce7747a4
SHA1

88189bf4926aa4bfedafd99a0d9dffe9548bf917
SHA256

5d21d242605015dd319f8714aca2076dd5626e56a6241b8b801f272549229170
SHA512

7a535dc01c182dd5a25119b8e3323355f3ca806eaaba85cd07692dad222bfbb75cf9b995c11187db17710a63c95a5cb65fd25db31b2a8c0b738cc131bf45fb6a
SSDEEP

49152:Mx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAJgCD0hUdk:MvbjVkjjCAzJm0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
1552	alg.exe
2572	aspnet_state.exe
2964	mscorsvw.exe
2336	mscorsvw.exe
1452	mscorsvw.exe
1784	mscorsvw.exe
2260	ehRecvr.exe
2328	ehsched.exe
560	elevation_service.exe
1528	IEEtwCollector.exe
2956	GROOVE.EXE
1216	maintenanceservice.exe
1588	msdtc.exe
2868	msiexec.exe
2500	OSE.EXE
2180	OSPPSVC.EXE
1820	perfhost.exe
1184	locator.exe
1680	snmptrap.exe
1692	vds.exe
320	vssvc.exe
2712	wbengine.exe
1884	WmiApSrv.exe
2832	wmpnetwk.exe
1980	SearchIndexer.exe
3176	dllhost.exe
3352	mscorsvw.exe
3488	mscorsvw.exe
3648	mscorsvw.exe
3744	mscorsvw.exe
3848	mscorsvw.exe
3960	mscorsvw.exe
4052	mscorsvw.exe
2828	mscorsvw.exe
2068	mscorsvw.exe
2980	mscorsvw.exe
3432	mscorsvw.exe
3640	mscorsvw.exe
3904	mscorsvw.exe
3964	mscorsvw.exe
1144	mscorsvw.exe
1448	mscorsvw.exe
3124	mscorsvw.exe
3388	mscorsvw.exe
3556	mscorsvw.exe
2028	mscorsvw.exe
1600	mscorsvw.exe
3976	mscorsvw.exe
2684	mscorsvw.exe
3356	mscorsvw.exe
3080	mscorsvw.exe
2404	mscorsvw.exe
2008	mscorsvw.exe
3284	mscorsvw.exe
352	mscorsvw.exe
3936	mscorsvw.exe
3316	mscorsvw.exe
2544	mscorsvw.exe
3616	mscorsvw.exe
3488	mscorsvw.exe
4016	mscorsvw.exe
3088	mscorsvw.exe
2656	mscorsvw.exe

Loads dropped DLL 47 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2868	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
744	Process not Found
480	Process not Found
3936	mscorsvw.exe
3936	mscorsvw.exe
2544	mscorsvw.exe
2544	mscorsvw.exe
3488	mscorsvw.exe
3488	mscorsvw.exe
3088	mscorsvw.exe
3088	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
332	mscorsvw.exe
332	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
3700	mscorsvw.exe
3700	mscorsvw.exe
3968	mscorsvw.exe
3968	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
2252	mscorsvw.exe
2252	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
3392	mscorsvw.exe
3392	mscorsvw.exe
3692	mscorsvw.exe
3692	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\23493dbd323b6587.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\vds.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFBA.tmp\goopdateres_lt.dll	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFBA.tmp\goopdateres_hi.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFBA.tmp\goopdateres_te.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFBA.tmp\goopdateres_lv.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFBA.tmp\goopdateres_ru.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFBA.tmp\goopdateres_th.dll	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP30A2.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFB11.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP587C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE82.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA6C.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4B2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 01000000000000005008ac159b46da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001020f4049b46da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{E4CEFDF5-9803-441A-B5ED-B9D1A6E6B727}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{E4CEFDF5-9803-441A-B5ED-B9D1A6E6B727}	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2888	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	1452	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: 33	1488	EhTray.exe
Token: SeIncBasePriorityPrivilege	1488	EhTray.exe
Token: SeDebugPrivilege	2888	ehRec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: 33	1488	EhTray.exe
Token: SeIncBasePriorityPrivilege	1488	EhTray.exe
Token: SeBackupPrivilege	320	vssvc.exe
Token: SeRestorePrivilege	320	vssvc.exe
Token: SeAuditPrivilege	320	vssvc.exe
Token: SeBackupPrivilege	2712	wbengine.exe
Token: SeRestorePrivilege	2712	wbengine.exe
Token: SeSecurityPrivilege	2712	wbengine.exe
Token: SeShutdownPrivilege	1452	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: 33	2832	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2832	wmpnetwk.exe
Token: SeManageVolumePrivilege	1980	SearchIndexer.exe
Token: 33	1980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1980	SearchIndexer.exe
Token: SeShutdownPrivilege	1452	mscorsvw.exe
Token: SeShutdownPrivilege	1452	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeDebugPrivilege	1552	alg.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeDebugPrivilege	1452	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1452	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1488	EhTray.exe
1488	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1488	EhTray.exe
1488	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
3372	SearchProtocolHost.exe
3372	SearchProtocolHost.exe
3372	SearchProtocolHost.exe
3372	SearchProtocolHost.exe
3372	SearchProtocolHost.exe
3372	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe
2412	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2412	1980	SearchIndexer.exe	44
PID 1980 wrote to memory of 2412	1980	SearchIndexer.exe	44
PID 1980 wrote to memory of 2412	1980	SearchIndexer.exe	44
PID 1980 wrote to memory of 3064	1980	SearchIndexer.exe	45
PID 1980 wrote to memory of 3064	1980	SearchIndexer.exe	45
PID 1980 wrote to memory of 3064	1980	SearchIndexer.exe	45
PID 1784 wrote to memory of 3352	1784	mscorsvw.exe	54
PID 1784 wrote to memory of 3352	1784	mscorsvw.exe	54
PID 1784 wrote to memory of 3352	1784	mscorsvw.exe	54
PID 1784 wrote to memory of 3488	1784	mscorsvw.exe	55
PID 1784 wrote to memory of 3488	1784	mscorsvw.exe	55
PID 1784 wrote to memory of 3488	1784	mscorsvw.exe	55
PID 1452 wrote to memory of 3648	1452	mscorsvw.exe	56
PID 1452 wrote to memory of 3648	1452	mscorsvw.exe	56
PID 1452 wrote to memory of 3648	1452	mscorsvw.exe	56
PID 1452 wrote to memory of 3648	1452	mscorsvw.exe	56
PID 1452 wrote to memory of 3744	1452	mscorsvw.exe	58
PID 1452 wrote to memory of 3744	1452	mscorsvw.exe	58
PID 1452 wrote to memory of 3744	1452	mscorsvw.exe	58
PID 1452 wrote to memory of 3744	1452	mscorsvw.exe	58
PID 1452 wrote to memory of 3848	1452	mscorsvw.exe	59
PID 1452 wrote to memory of 3848	1452	mscorsvw.exe	59
PID 1452 wrote to memory of 3848	1452	mscorsvw.exe	59
PID 1452 wrote to memory of 3848	1452	mscorsvw.exe	59
PID 1452 wrote to memory of 3960	1452	mscorsvw.exe	60
PID 1452 wrote to memory of 3960	1452	mscorsvw.exe	60
PID 1452 wrote to memory of 3960	1452	mscorsvw.exe	60
PID 1452 wrote to memory of 3960	1452	mscorsvw.exe	60
PID 1452 wrote to memory of 4052	1452	mscorsvw.exe	62
PID 1452 wrote to memory of 4052	1452	mscorsvw.exe	62
PID 1452 wrote to memory of 4052	1452	mscorsvw.exe	62
PID 1452 wrote to memory of 4052	1452	mscorsvw.exe	62
PID 1452 wrote to memory of 2828	1452	mscorsvw.exe	65
PID 1452 wrote to memory of 2828	1452	mscorsvw.exe	65
PID 1452 wrote to memory of 2828	1452	mscorsvw.exe	65
PID 1452 wrote to memory of 2828	1452	mscorsvw.exe	65
PID 1452 wrote to memory of 2068	1452	mscorsvw.exe	67
PID 1452 wrote to memory of 2068	1452	mscorsvw.exe	67
PID 1452 wrote to memory of 2068	1452	mscorsvw.exe	67
PID 1452 wrote to memory of 2068	1452	mscorsvw.exe	67
PID 1452 wrote to memory of 2980	1452	mscorsvw.exe	68
PID 1452 wrote to memory of 2980	1452	mscorsvw.exe	68
PID 1452 wrote to memory of 2980	1452	mscorsvw.exe	68
PID 1452 wrote to memory of 2980	1452	mscorsvw.exe	68
PID 1980 wrote to memory of 3372	1980	SearchIndexer.exe	69
PID 1980 wrote to memory of 3372	1980	SearchIndexer.exe	69
PID 1980 wrote to memory of 3372	1980	SearchIndexer.exe	69
PID 1452 wrote to memory of 3432	1452	mscorsvw.exe	70
PID 1452 wrote to memory of 3432	1452	mscorsvw.exe	70
PID 1452 wrote to memory of 3432	1452	mscorsvw.exe	70
PID 1452 wrote to memory of 3432	1452	mscorsvw.exe	70
PID 1452 wrote to memory of 3640	1452	mscorsvw.exe	71
PID 1452 wrote to memory of 3640	1452	mscorsvw.exe	71
PID 1452 wrote to memory of 3640	1452	mscorsvw.exe	71
PID 1452 wrote to memory of 3640	1452	mscorsvw.exe	71
PID 1452 wrote to memory of 3904	1452	mscorsvw.exe	73
PID 1452 wrote to memory of 3904	1452	mscorsvw.exe	73
PID 1452 wrote to memory of 3904	1452	mscorsvw.exe	73
PID 1452 wrote to memory of 3904	1452	mscorsvw.exe	73
PID 1452 wrote to memory of 3964	1452	mscorsvw.exe	74
PID 1452 wrote to memory of 3964	1452	mscorsvw.exe	74
PID 1452 wrote to memory of 3964	1452	mscorsvw.exe	74
PID 1452 wrote to memory of 3964	1452	mscorsvw.exe	74
PID 1452 wrote to memory of 1144	1452	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d21d242605015dd319f8714aca2076dd5626e56a6241b8b801f272549229170.exe
"C:\Users\Admin\AppData\Local\Temp\5d21d242605015dd319f8714aca2076dd5626e56a6241b8b801f272549229170.exe"
1⤵
PID:2980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2956

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2180

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:3064
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3470981204-343661084-3367201002-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3470981204-343661084-3367201002-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:540

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:560

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1488

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 1b4 -NGENProcess 174 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 1f0 -NGENProcess 14c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1f8 -NGENProcess 170 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1b4 -NGENProcess 200 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1c4 -NGENProcess 180 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 1a0 -NGENProcess 204 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 14c -NGENProcess 210 -Pipe 160 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 1b4 -NGENProcess 210 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 174 -NGENProcess 218 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 214 -NGENProcess 21c -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 214 -NGENProcess 1f8 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 20c -NGENProcess 224 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 21c -NGENProcess 228 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 228 -NGENProcess 1f8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:3196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 228 -NGENProcess 21c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 238 -NGENProcess 228 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:3292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 238 -NGENProcess 1f8 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 220 -NGENProcess 23c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 228 -NGENProcess 240 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1f8 -NGENProcess 244 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:3988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 248 -NGENProcess 240 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 22c -NGENProcess 250 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:3488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 254 -NGENProcess 240 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 25c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 240 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 220 -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:3756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 238 -NGENProcess 244 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 270 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 23c -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 280 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 240 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 1dc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 1ec -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 258 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 180 -NGENProcess 1a8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 28c -NGENProcess 1dc -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 118 -NGENProcess 11c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 118 -InterruptEvent 2e0 -NGENProcess 1a8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 118 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 1dc -NGENProcess 268 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 1dc -NGENProcess 1a8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2e0 -NGENProcess 268 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e0 -NGENProcess 1dc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 11c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 304 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
33KB

MD5
a61418ae1d713ed55cc54297f2c8fb75

SHA1
917808c588bafbb146034420d62d58315ac89dce

SHA256
9177193d79ae4e80dcd936bc3abfe08a51e16bad31be3db83566994bb73ab46a

SHA512
19cbef5fecd6fd4a99345d9272e7728f0ea66af827855709bf63032db4b9209a16083a74bbee33d5d7c614edc738ac7e2f5d25d46eb6ecee9294fb430f3515da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
16KB

MD5
190a7b8137f185fd115042674972fb0f

SHA1
10641b105284874a41655f0c937eab02b0891b05

SHA256
94288b96135c7ea73fd899ea938ef4f2c5510001168b29ce036b6a3d1e9064d5

SHA512
6ca854ed452f1d4d45a95366b8d5796f1c9fb5aa662799332d0f2c26c1c6f1351e1a7e6839906311f5a41ce9c4e51fc2f968d56e2a2f7152fafa20f341d97744

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
8KB

MD5
cc0473efd8d3f87bf499148a47fe961f

SHA1
a653e0d0b7f817b04b4a0a385304c97f58859bc8

SHA256
e360486ae10d533c20d8fd67632ee181e67fee2c8583d906f3de5f11d4d1102a

SHA512
a978b2e4b040fefbabef2430f08fefe57bdd3c8771f4b6abec9e0e817bc40d5c0e5f469c56825dbb4de209b4ecdc19935f51ab304ae559b1da7f8dcf49088139

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
18KB

MD5
c062d99e0513250791a766b289e742cc

SHA1
dcf4b03e8c7a72de9899ae777df524e506cd402b

SHA256
a54b9d20efc8caec0d3b2b6cd89383d33012f1ee35164c01d26e8a0421f188ea

SHA512
92eb0e097b48ff3d836e23c540104079fc0fd73526aaceaa0e2cf05d7dbac1176f7927151d927416c3ee6a7095c8b89f834d47ff2c16cebf072520f949ceaad5

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
34KB

MD5
135e6225434d5404d47a9d4fd05f5973

SHA1
1420eadd83339020ecc030be2aced45befd9d3c3

SHA256
08a053237f79434ef29a5318984e01f06f460efaebf2454ddabfba3a12334775

SHA512
30d047a4a99bea67e4b218e8a33554c84f5037f847abcc1313cf02f7ffdefdde81ee246444c74910ecfaf727dd1c0f45780516980963b6c34191a58ca51ccfa3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
109KB

MD5
4743072118922fe42c691aa797f4c59c

SHA1
d2da9d672ad1ecdfb0d302ad471797e49ab0ac23

SHA256
7049c5cc17a3c11fb3a67ba42a143343967084e05dba8ad83432de73028d8c49

SHA512
b38e229b57308345ee3cf4b1763b5720d374937209d7a06137cf56fb87df2eb0e12c74ca118b0932d93ddff0031b82c5185600e588655d32b33062f75ef67f27

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
17KB

MD5
0c3adf7fd30dae374a8ba028a81d1b86

SHA1
bd812eca94d6fc7c143be9c90b3e514338372c2e

SHA256
d498db5dcba78681b8795f633b37d626899e3358426c93d7915b1d7cd822e669

SHA512
ec4b714734e84d52ff277da7ad40b0223dd39ab990ba7efe6e35a74ec0aa055ad6fc637710e176ac0e3a5c7ca361b2be7b509ddbca80783bd499db11a2be1a94

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
25KB

MD5
e63877caac51478435422ed73c954088

SHA1
12c7839932eeccc50548ba65412152cbe5ade9fe

SHA256
5d0a7aa453b408329cd2b271a43db713bf3d58b9a8314d912968db7266926263

SHA512
e4dc1df5ee2a742e4c504d04a6552de3941df84ba338b14b865ae12ce3116d9504c4fba993fd3080b2d3618fe3564ac43fdb752d9ee520ae23c3463271a0f625

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
41KB

MD5
f6ab924a9d45e70a854eacd6aba89758

SHA1
c2144014c6c9ede6bb1960f3581d560aa3e5c27c

SHA256
8f5bfa5d34ade3b6c5d82b6604518de1f4b0ef40f460c269638a3b9d1a5415c6

SHA512
0148a61f46c06100346daf3c63d6872384028c0070ad6294b1d1b6647bd9be66c769eb79b80ea57c2aaa2040e7d6991f2ba833fb0033c989663d34794ab19cbb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
33KB

MD5
9ed5b0949a0f97bf393ab560763a98a2

SHA1
5e2dce6da5f51a7617d88b4f3db18f2a352dc888

SHA256
3e0db543a2f7afc091632203f0de70af541d563bf1ffb7fb800034453c031540

SHA512
a5656232076f3490f7f088aac793a4568dc09ce018478e460cb1dfaad8f86e6140f5db6d51a85dd37ea712670f7deb735b3b7ab70864eeb73532455f42518105

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
67KB

MD5
e7cd4416785b0b281c56adc06c3fe8ae

SHA1
d1eb6364d03e1f321505017f07610888a5e0dadf

SHA256
9e6f23f3990b9759e0796fb1147424014023ff61a1e8878601ac93ab5e158140

SHA512
8104e1b64ac9f650748fd203e6a7ce0e5fd421a0ac016c380f9398357a6acc4079ed17518cac53948c1efdee3423aab41340f20eafb09f7d3eb96f0f20e2a6fa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
11KB

MD5
efe4fa5d83bd92b03c369693cb11605c

SHA1
ad6e6a528b9d92cd97e0e071a4a3bff3e141d6d2

SHA256
fee371bca05628aa6baca07db534721e9e94552d62319e51e0d8ed9f797eb0c3

SHA512
db70dae2812d35792bdb2187de379de96b638b602713289c42ca53cca8d95107c810e0209e2dda9561c17a712a439d214091d880de09520ed5ae497b288413d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
8KB

MD5
169e8651925446ac02dbfb084ef49601

SHA1
da9589a9f6488035e4214ddc2120040cda167888

SHA256
2939eaffbdff6cb285965ced3a9bdc7ec791b6928dc6088ece4b511c7166b8c2

SHA512
28ba3c4955ad7d8463df26116d39a6335a778d4c2824c6c4909c7298f8df7db79fd5667b289fa292dae88759748d265066a5515bd7e750b0ed48a48ad8da7399

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
42KB

MD5
ef695470112286b3382c6013fb01634b

SHA1
323b5ba1621b35014c8c9816452da888d8f4e0ec

SHA256
c26c7ab9541b15dc8a02b56a640c8a9638a00c5bab9986f2be4c5006bd925309

SHA512
a4d83e308d3446f2678c2939e4b062eb7e8006717875615f7a4e8655d9d55f5012d571e8787e91ea586f0c25e6d1c7d6a48fb2aad83083b6d2389d06fb4c5389

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
42KB

MD5
37789aff7dd1e14518294c2d9540c0e2

SHA1
918625ebb908ed7d54fb7af78698eef8842c71ac

SHA256
e058680a4a7fa352b445ffb66bfb5565eaf8672a83993a6f9b4fe70cf545da6d

SHA512
96995cf68938b6fda14168cbc1927860c0e631bfbdaba1bec7bd238abcd12ce6d51dd0d61530ab3ead71ba9bc0e3586df849c281dc3459b4c054e55b45005e1c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
393KB

MD5
c8a6c1becd94f01089481130662534b5

SHA1
f47427e43b4ed0d24c782fd4f6115749f47096a7

SHA256
b4682e1da51039412de362f1a8a694a3bfbea12ad0e2d68fd22d4c6647765d6b

SHA512
18d1d90bfb6121b751697df534e371447a0a603ff4299416f9463e148ebb8fa7464ca164a048c4500675a39c600e64e009f870086a72a23e0616ffe68c3e7ae9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
52KB

MD5
0dc9c7a094c4412e122aaf74739887a4

SHA1
cec42eac924c9c370cca5593dc28d90593c2453b

SHA256
390840376e3b5bfbbe1b4cd0ed63ea2dede7543bb6b21b8a3720f380983b314f

SHA512
6691b0a68b9827e85dc5988b59dd4bbba53d59ea891c2469355adb79d2fd7e0da1953f74d3fa6ccc38b2e8ea1754a5c609d45fffdf580ce9a7f897b275c7248c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
56KB

MD5
2fb1b70f0b69968b57a69ab24cff7b89

SHA1
4e0d150ca0a5ced36cf035c8c413b1d18cc7a8ef

SHA256
83019c35fd97554e6247e5508fc832de5f1ab79c64e4c37f7313d640cf63a83c

SHA512
13a8a02f5b53ec653900dafbaedbf2156d78e283522cec24fda3c9554293d97bd75f951cbbe0ffff85e1ee128a969bbea28f59ef96edac6561bf97ffe1f15129

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
36KB

MD5
fe7b096b63f09a7958337ac576655e27

SHA1
fe930c493669a64ed4149c17ff327262ef34c717

SHA256
7f254bee0ee00830b0a1ec29d65392ef00beaf24c80941000c6480d74b2e7cdd

SHA512
a886a17a732bb5419bbc8c66e579f8880838c59e655f4557cb1f58f8366c5d17b07bcfd88ce33969965496de131ad58a5fca5548b3862ad8a98cb126c88d0b7d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
63KB

MD5
310669d383c8e81e2f18453aeefd7de6

SHA1
348c5dc83a97be471cf01028348f3af526133ed8

SHA256
0255a09aa833f5841385df82db1f3434d892f300afc88ca6782aa4b1ada48c48

SHA512
6d8b045c58f5282fd86875ff481e272abb5194ef651f68dba7d4189fc879dace6a06d1326055bad83a7f57be714f98b44eb3e1c733d106a9b034aaa7c0944c8d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
103KB

MD5
17594ce02c1d348a9c3579847cfa65af

SHA1
8a24159102cc1a843d5a2ad314188d4eac68df7c

SHA256
786f06e73218707e8107562bd101cb605efc5b6fecb211f5409eb39aa39a341a

SHA512
34e9ab74437d91fed63416627572593dfd500f73d4e26a07e035c548fab0fef51f2771c4ce6e526567c3a9ae96a5b6eedf8747bec91ca8642214b30fbf1df9e6

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
70KB

MD5
fa854b3d573c39ab1c77764fb128b292

SHA1
28654fae03fc27452be71e1c509d931deadf27bf

SHA256
4e495fb712d4eeb0344f5900cc0e559cd895071505ffd540803087b1fa02cfed

SHA512
96172856bb5cc05bd1511ae57eb151b126e7243cbc6dad2713f44a0e9a8094778d1579e2e948a2720c0361bacdcd93fd4fe13f1f8b1679283f64646f4fc20e51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
303KB

MD5
bfc0a18ffd0901cf2d2fae1de826ff43

SHA1
52ab06fdec6ee488aa2773d29defb1d83730c50e

SHA256
8953e5b193e9682e4eec899e62f94666fc22dfa23bbdfa2c97208bb5d8c5f7dc

SHA512
cae5a8cb7142e10a9571b5552d0e5c140bb274521210cc0a0d27b0d2b6fcfd3e5284d17f89d4fd20ebae4d681014a5400ae52d70e9cd7e330b08d125c4ad64bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
290KB

MD5
bbd9ddffc172b27f8e639147b7e5e564

SHA1
96de2e4f92a7220c41eb065c1cf0968eec790b05

SHA256
528be644fae25c892e15aea191ba1c22efbbf05fe8e5f2637d4e75a8fbac29d8

SHA512
b8983011e9620016d291e54e2ebc7545b7a52bafb6c63094ee9c1c927a81f15920e2134f79d75c0107acff2e93d73e4948ff5b046ec209c40fde4fcaf2e5fea9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
323KB

MD5
dc430a69a45f2aa8f033584d7253cac8

SHA1
795fc58da30c2eed4ec46ca4d3da3250c9a7f771

SHA256
c1a80d389430e48f62ce93784ba00ee44476012bcc2f009a16eab6e503420c70

SHA512
f753627bf894ea9dcefa543a9f751a8dead14da9205dd863232bf5e1abe0855b86fceebc352fa1b2be17886401416f66caae556428d1b760c27cbbb582bf6650

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
212KB

MD5
560b1bde2396b0784eab6abd3ecbb964

SHA1
db114fed75d0ce4b1e7f72a570273e574cb81c81

SHA256
2d8e88a6cfaea5cdcbcefe0ec547f210a077fa2ce570fd8bc036316393fe2121

SHA512
eea032c93aea48c0cc5a7279454d63fac4c3589734c47d36f9799ae727c7fc0c5e4d4bb59c51b98e3912e38084fd4defb3deef26712f1279dcc108d2589e41f5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
54KB

MD5
a6feb78e4d4d9e5ae2231563605cdec6

SHA1
327b84974e4715300cc5d2ad89ef905ea2d4419b

SHA256
12b08ecf669f9e5f63b1cb0032176d6c4f12b3f6133a7054bc76ec87cf418bc4

SHA512
cd7de104fd16894bf9ba8932d9b4cfeee5677832b2b0f0d9501027d2895e4dad16033517ab1dcc8e31aead8637b268b252ffcbf0de514042fb683e65ac963d46

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
317KB

MD5
448f909d81034550374579a10961bbb8

SHA1
daf8d201ad1da3677d5ce2ac5e34601f4c1e56b7

SHA256
9c7a15847c707d2557a310e05dd54b5213df62510eb6a5a59b5714233e07a040

SHA512
a0a9c252398aa65a0dfb4faf7ecead97a0a22de95798543e33af505ede91fe96ce0d65f9a39198683970ffedd173a599f6de01e724db5f3c5e045cc6b99fc0e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0cd5efae917c2f27f50bc22e9b3c3968

SHA1
cfdc74ecd1848f0501e181379c087cfe321062c1

SHA256
12d6b09e04cb32a63da98801bbec829d53b66365a506fda5d037c73668249fb5

SHA512
d211beef24e84cbec6a720a526b1b8aceb30e79c31c2b2d47d25d69971f9e31bca51b5d9761e7dc47c26f2f579fc8f91831c13ece3cf62801064275f0c37d4f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
343KB

MD5
682c158d7bb78db56ce0b4fe2dcbac2c

SHA1
0948ccd8d9d3cb3ec75dc91ed284c71eaacd69c6

SHA256
f01e994336efd6dc200e86a3b5649f99d61c02b34069b1ed40474db691efd050

SHA512
dc943eaf83cc5d40f9692b5a6433ddcd7593daff8ab328c598ec2cd2d554e36308a8225be51eee81e9ca6b633d58a15f0795e763c0755fbee478b4657fb52bf3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
389KB

MD5
fb6a2fcdc22e39e28f0374d69e6c1c69

SHA1
c86805e232c51ac5d4e703b3555fd3594be19085

SHA256
cde442b3f4caa980cdcc7b6f329c38e75c33292715c05f41a53405d4afeb0ad5

SHA512
fd816cdbcafd364bdc9db4544eb18f6a47781df9eaec6b3b58203c113d91439abd5936d8ce68b43bf6822a7901773e0115abe94ec24b353106940c07d3cf9480

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
49KB

MD5
8160455919cd6bfd6c28400bdbb9c6c7

SHA1
3dbc611a74341da13fb21f92ce31b63075a9261b

SHA256
74851c0544352b358cb3f082596eae62c12157728740eb0678afc6c713131ebd

SHA512
232fbea1d6fca144db876c68a676eca7d559757038611d04b9d2f3489a0848cae2d09ef5982303edf36f4ee55bf87ffc02a94645acce88e490ca1966d6804fba

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
10KB

MD5
00164589b0a2aa6e27483c7c1da78248

SHA1
f31e2f1b38cc20105a56bf4fa9785c6dd9cbec49

SHA256
7b1d3135842ae2569d4b4b51921fda7bf6132dd8565e39a0961e61c4bfccfe83

SHA512
3973aa4d0796b23e0d89dc2a3c86d90742dc63b1da098e3825d64b13c47c02ac35e2d679afa7269b4b9e60acc7e4f38297fe7ec287ee7f2f8d38c3870ca2ab25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
328KB

MD5
b1395828887d0937659d1e7555b7480b

SHA1
8137616a8f051d6b032dc431f78033975051793c

SHA256
4e060a1948aa7331d181fd9267044e8cf14b037ae3b2b53a43389397304f2a51

SHA512
504314b31a3ef8134385fc53d208804932c89145fea28001229031e91d6325f4ffd7aafdc4857e6918ffe76901ca3c8abcb1489566a1418a61cda1a00c818c69

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
77KB

MD5
812ddffa0cd600b4a7043a4db26672e6

SHA1
5dbc9013adcaf69491676065efa995522546b23f

SHA256
703b9ab38d21c8539255088d633eec3e331dd6d252d472406f7775a4e9c2f2d7

SHA512
ab87002c9be46d40ca0f4053923f27ae3febdcda89573c99b9fbad50499d015e3faab9d3210c3fac82460ba17dffcac65cb03cd2028bef8bd62cdfeea1522bd4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
50KB

MD5
0cd0424687cb582e6e1978c6f25f957c

SHA1
9ef340d591e99d87e65064c7081191047d6cbe5c

SHA256
c4ff7cc1bc3d59c085209e10cd1c4d0a84ac2bd6c4879a53544bffc39f14ecec

SHA512
707a2e58540858b8c515d15bdb46fc31c81a871125db996cad8bd7dc911999dcd7d58c9627c7583abcab080178e462adcb2f8a6e11801b23bd5b7913d31fefde

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
12KB

MD5
9bb4e26249c5d4c7d6533553e4b9e0e8

SHA1
9bd5a43b4f3d20a03477b52821612f50b50bcdc3

SHA256
948a0c2de7863fd5f6880ba9ee6fde4543abd66e885fdd74e3fd059dd6289415

SHA512
5238654ee61e0c526b0299dce4e055d0118657488d00cf70f938e54922e1005a10e5b637fbbff566c6e9ec0410e06f2e11a645fd350c3632cc3db9e0d45b198d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
22KB

MD5
533c232ac8c4ccc05464c2e208139954

SHA1
2596f730b2081482c26ea80ef73dc4de1cd98c7b

SHA256
1016d4f3490c7a3c60215b4ddfc40fb8fecb7e3b0336b39fdc9c28bddff46ef1

SHA512
455ac841c16e587d5ab7941792efe7fc7a7b556e1b0a51601e2fc856fac6072b22312a8adc41a355bfe619b81638b049930d8e38a653a24b9db24cd876a7a1ca

Download Submit
C:\Windows\System32\alg.exe

Filesize
126KB

MD5
204d9280287937cda406101d64a56093

SHA1
a554c595ff4f3f53236ad8909b2e47e3f78e3fa4

SHA256
77cc6ad23c5e0365f230b7effb4acaa9e953e7376bb8d0dffaf90d4676f7d5af

SHA512
67775d7f6152f9db64e519ca86ceb594a647b590070046fac58b7cad7d9a99bde493ec61b8095b38dee144585a1c0f624b918e2863282fb99fdb254400f3fd16

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1KB

MD5
f51726aa1f83ef935f214ad8e4d64cab

SHA1
e01bcb4ed5066ed8ea5651e89b1dc1fc113f76ff

SHA256
65fa0975588d9dee80d78af34a71f999324f9b052ba5e140afd608c7e650d149

SHA512
7f1bf34829484fe7ab25e04ce2a1fc81081337311fa47730c39d1a3ef9d14b65ee134c4e5cb659793903bb7b48214ad4453f7f17bfdc33bce45cbc5e4dfc0f9e

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
35KB

MD5
feb825b6af7ce3f4f6302579a80bfd89

SHA1
eab88ce1310caea9835131fd9507ac261466a530

SHA256
51ec3297113895a61baf7bdbed5873a9e366c0e8234ba7681e2ddb8546a3eee8

SHA512
33aff8e9dc1e47499dc85765d0116f0d9bd8c090712c7d9e258e9aad3a99d2d97e280df7c73b0da35337281ba0843e97dadc890559851bb0f6ba68d871095a90

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
14KB

MD5
a4769adc372f307579e5e4161489cf31

SHA1
7acd49e3dbf9551f89dc223b5bd8f3b77f4283aa

SHA256
befb82dd1e99a847f4fcd09b350ba0b10b487f71f57a228e68c6b83ee1e6a7f7

SHA512
3a0e543b3476c2951c51b0baf8ae9c79f8d3eababd02b0c9f015ba5f7cf86beaa7712e04f80a85a769a4f8e81a13c8af916c56d4895467efe073428d538cb67a

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
27KB

MD5
1525f032127cce625b51cbaf7c93ab9a

SHA1
f0578ea93da424e5795d94aa1f7d4e82edb0b2b2

SHA256
37d0148ae8b6335ed2a0cfee20fdf4d88df989cabe06c255f0fd11691eb016f0

SHA512
806de4fb3abaaa76c33df05169cc4490aebaa27dfe7de6124a710f775b9afbf9e8007823c32453129217eb05cc9eecec3fdeb92e4949245e09379efd62648ac0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
54KB

MD5
79ffc624692ef1ad8bb8e83a5e69ffe1

SHA1
df7027c20a4838703c2642f09fd009ce1a7b9bea

SHA256
d0bcd2fd9131f65ffc4dc5c948c6170c48b89975f45d94be1faa9a148a72d4e5

SHA512
d394bff6f089d6e56d68a952f3cdd47472846b68d0c1378eaf1543c0e837bb59f061fb5d59af8a28c6bf0433509613fb59fc75f3dd90d830334667617e3cb826

Download Submit
C:\Windows\System32\vds.exe

Filesize
44KB

MD5
34c126ce14b7d4c8f8e8bab93e69e6d8

SHA1
7a0ff6634f9be72ca89ed5fa4b928702001a4a26

SHA256
b580809b1822b50bf168847c3377b1cb33b37f4f486737426cf8cc0af95889c6

SHA512
dbcf8ef458a65715e9afb26c1001919248c856e41845885c0152359b74b7f51bf53e6265fe0f0e80fab166a9012ad3dddc5b53c5ee548750a446b8c1e68e781e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
31KB

MD5
57bc0e81542c9972b8852a2b3e0fdfc8

SHA1
5a3c9f322d59782cb548637bdeba3aaf99b85eb2

SHA256
2dd3653618b08ebdf7c308348f405c816d90e696ab309b16d71b8c0a8ee669b6

SHA512
5c370ff8f720467442aecdeb011007bc0599c95238b6bc06d4214007e1e3714ba6e9f24e8f8ddb3376842e0071ba79fccd788949436f7e4cb6dcd1bc30e6d6cb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
56KB

MD5
b58c4aed0e41f513a407df6c38be7c68

SHA1
a61d5e6d82e5bfa4b22177e1a80bdaa8585a89f1

SHA256
33c7e68fa109a1da75efdcb20273d16b5dda0c002def466edd39907f6a96e9e6

SHA512
dc2c535dfd8b457b1b3534c9aef6b04deb4fc3ec18c6eb315eada3ba31ff7ea5c83ff2807f148e31c6fec5e47a7491e74a421c580144800e1c30b46aa9397511

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\450a5ee96cd90404c0458f25f36829ef\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
34bcdcab404fdaa0df297d64487e4b78

SHA1
94c53fc3ba0794e10ee70b71ec435f459de51f7e

SHA256
873348d6e89861f4b9ed4cc77e20cbf807dfac38e0be0f3ea6e0443218cb1829

SHA512
980310042837fc4117c8845fee56d45abb4e0a9b82ec0943bd439128f48e3665350eeaa8ab4d085bdd51414d0363943ca4e5bdbd14b6d17ff459a708e96713b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b5eed2d103db2ac4dd94f642a348740\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
e2ffcc136acbed811c4e6e49970e4ab2

SHA1
5e432299902e3a6e34b4c5a1616cb9a7a5273e4a

SHA256
6bdaf31872fceb8c226d9e80dd71472d12763d803e9148a6b27837860dd49d5c

SHA512
e4d3f8c4f684e56342feb4f5821c70f054904cc23ed368362631d816fb4a78b1a248aa3094b08f0102aa394889d4770e08b9904521b35e6dcc1e32dc72463a0d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9d8e567b0d391d32838be769558c9117\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
dba1b4efacdf9e0a7f68a0c491e07187

SHA1
c393205568a12a9088301586eb3b59bf77921761

SHA256
bb6bb4530a924124a5441ba28e4a5a7ad7cb865a3a96456288b971d871e701a4

SHA512
f61d889958cc1847dc22e34e493e5c5e1a1ae168aed10db22726245bacb3af9909202431af7e0e032e69c026e2f042d05b178df286f4bdf093bdd666c79ac738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a0d1e59a1ca7d0840f0a5b656b048c07\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
f7f0577f8c8a59d41fd9c243595b9ecc

SHA1
9221d262f90348d8938488b530b158a0bf5d5530

SHA256
7f81480469972759edaa45ad15de2d91cdad3f895bfb811a6453b7a353decd72

SHA512
68ff16d6cfc28612b1f9031a31c5f623b09041f16049dcaac7d57a743274de9ec2878c0b329d878ddfe5c69e5d11c8e7321f94ed932f96ec0fdd4cc34cbb2a20

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
177KB

MD5
2f78c4ac462d42bea294db4929023fc7

SHA1
7170dc22e20bf40821f07f011f2e7f2ed636b790

SHA256
e217f899db028b7f9639c3b42b8f25266e1c9c10a29bfe453631bc90d83f8c76

SHA512
c75c357b377f7d8a30af371a34f9096caf37d4052c1cd7b39f4f5077ed737b2dd1fdd004383d75001c0c675b3fdb285cd22dfc43ae1765fbb6d37403e2e5bcdc

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
268KB

MD5
937e9719286ff5766f72642a29d80582

SHA1
5e3242cb28a83b5aa6b29113b03d067046f400f2

SHA256
8da04fcd16db2a156445c9ac51fda6c8ca2eaba5975b0472b52952b325e8feaf

SHA512
1364f1128d241a7d25b576460b78beeded74e9be343354284f95a090e9f7608966421a94d6c7e7283b11a8c54c4c595cdfb26904d81866425e4aab370c628a10

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
4KB

MD5
76c5121d5058eab86bc951dadccc72b1

SHA1
8a5711a00c9ea11f2d5bd2cb5c78fb7f47d96ef3

SHA256
f19676b2938fad70460f659322d22215e0d004794bd0b89ab2cfef3c95e70f6b

SHA512
da5f099772701a3d4f484c84e815534e572f68bed4ee6d85e62653cce2f917694b5a30f3a7d47513d153587c8a94ed4fe048551e39b2d611661394eab4721044

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
27KB

MD5
6bdebdb03a0729a0492074d6d1bdbac2

SHA1
3c3ce30afa4ad38a85715f940c7886771844475e

SHA256
d8ed81bd67a5b4e3fc86083e168682a566ad91d96c690927a394069839a81458

SHA512
f43603a5c70f758d762751d92cc759db423615991b94b7d465317a51e843593be755be39cf048ed0fc5f4e625e0b64102f6c1264fcf4f738b95f80b8d4ecbcd6

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
11KB

MD5
871f1d1c1b385eda4df183593786f3d5

SHA1
7f072ae52680ca71e98d7b1ea387105023454727

SHA256
aa66eaf05683af663729afe025eae45fd68bdf7a578865125725295714c3e067

SHA512
306752772fcc0d026380ed386688c4190833b3ce9515b0b8a20b61505303704c700312e3333bb47c43d72d50eec31f71760f32b1165529d22af3949400224ab2

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
72KB

MD5
fa976f5b58f9ea88faa78d84b7acf2f3

SHA1
addd8669392b3148d2fd6aafa70d3597b8cec507

SHA256
1bac0f296a1f72b43ef3242420431e68d3edb4422287fe9400f3246b8b3924b4

SHA512
1d9a2646e44b8305702cab48d16748483e7b1a7598f760f773d84c544b1fbc2bf6a1429f22efbfa7bd99ac2dce8c19f96016bcd72d6c9248d191737cd61080d0

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
466KB

MD5
47937abc298c918dda5d16227e73161b

SHA1
7b009f0104e9782a7c13844ea5d45951f6f60901

SHA256
859a8727cbe70bebaf15f55485ac558a1755a3427491db60536879da006cf922

SHA512
927c98124f128b2bff70539f27fb760e07fe7395a58e1cc7b9ad4c8f9a0cc6e45d0ce9e10d36756e1849dd1c3c767b626de441575dd5c94c247ac276be3d5676

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
115KB

MD5
8aee5924533a8f2a2b345a052d371dcf

SHA1
d303736f17d4fbfb9b33b1be984a9da03ffa9391

SHA256
61b4603a2b18157091c8fb439167aa2c16d7d4f63c351d9d5d6effc1fd77a551

SHA512
ddd1986616bc26a640815b39bc65df6d4a0ae1263b9e89dcdd10ab6fc11580e9862844713fa848cc500a4bd8ad5c0040a506817067f045fac7d8c5c101760560

Download Submit
\Windows\System32\Locator.exe

Filesize
105KB

MD5
2a933b44587ff188c2aebfbbaff8b1ee

SHA1
61e91e8172806b0dac929380119567e08f0d87ac

SHA256
b21107954f99915e79b26d3a47ccc0ed18ac348666d1be1a87538b94cb02ddd6

SHA512
8e3ff8c5a73566d8eebb93063ea2ddc9b06159df5bc2a40ae1f73be80c791347fcde8bf6b8789d2e51a10ac039e202508cce013fc022beb92fae8c7763b93a2a

Download Submit
\Windows\System32\alg.exe

Filesize
145KB

MD5
2b7fa8c08127bef92ce837f695745b56

SHA1
57390ab70e89a54fb89d01c63ebfa19c08ee7d6b

SHA256
911080b8d144838444dd3c12e18d8ef90e11f0a4b28843301459b8eb1ecac517

SHA512
68e9fadab0646fb2f01656565de5e7995352ae87b8e3680486a3fd7841263618ea2b6f81d59548ec174e63aa57dcf44fb162e46e17181ba9e3a674b144172ee8

Download Submit
\Windows\System32\dllhost.exe

Filesize
61KB

MD5
ccbbb0c37ba2365cfb3e8a5f73939dd3

SHA1
986000b5507639a04e4cee31d242107734bc6915

SHA256
789cd6318e39e34d97c28019917f0e5b58bbf52ebb07c3062bfcf3f8288dd831

SHA512
23517e35c0f0b028587bf4e04949bffde53d987e3102f26abf41f82cdbff19a7d5e81893d4a5682797413d85e3ee66f492eb4057235c0dc93048aacd44acceda

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
104KB

MD5
18adb575e464146cbfaaeef39b3d0408

SHA1
24644e34bcc15cb2712b4e8288ef0fb58f5d6c16

SHA256
a015036cebe35542d2650f33b8ed2d29d7ddb228d310a5711f5c0fc985d6ee6d

SHA512
cb30035d017b004d5c93f64c211fc720d6e356c2e7fe70431ec22392940e935d30676c32776863dead5ab13a82f88b348dec069ff8c27ba782e90ff25df28e3a

Download Submit
\Windows\System32\msdtc.exe

Filesize
94KB

MD5
a5bf0351b7480b6e09afefc93013d1cc

SHA1
c3bbaa84b0e39b9a586b0504a55eb1407c428d22

SHA256
28f1e03c82e5097d41c26456ad2eb6ed2809eb34d162aa75f60c9c21605ad230

SHA512
18a0875460216ab34f335192840ed367070212fd1cc5cff81a0f2a026bc8d2fa2946afc97263e65059f56b8c72fd01f3b2d680edb916cf757f2e698da3caabc6

Download Submit
\Windows\System32\msiexec.exe

Filesize
77KB

MD5
f24b554313a98da13fa027c0e6373f23

SHA1
d22e88d9592ae1bd36fa4b16e0127d16e09e843b

SHA256
2613479e1d4af89123c4d7d876f2dd6f80d70f5381245cfff3b8049552ca4978

SHA512
d8e8e02635be0bf8c8c91c8c0f1079cad0336c6b7ae1590436373975ac7aa8d3c6377ce6fae4bc3ca1739a889d8bb1c37410fc925d1e6e6cdf57c21f5592855c

Download Submit
\Windows\System32\msiexec.exe

Filesize
5KB

MD5
7968aa5c275800d43f4bc8255a97913f

SHA1
5468c44d33e804645ece3e6daec4e54916e9a055

SHA256
25fa1a67f8d15696b31d77be43569edb4a47b64d4ab7bd434e4b4ffdb0bce06e

SHA512
c017c8359976a06ff0cf01650464795611d5eb31e324b76c0fd798bb22f2850d34fc29d875e4b716ba55b7f40368965b48a33aa75644c1616995aa33e982402e

Download Submit
\Windows\System32\snmptrap.exe

Filesize
78KB

MD5
34384a7694deb8fd41cbabf3dbc314d7

SHA1
24af871cbdff87e6b5b5c61844c20174ada454c0

SHA256
4aa3369233660e0a1cb7f01257d9adf41f32eed166ae303f104ab3e1f159b82e

SHA512
a0c70218f09606b6228d88ec891160fae31eb47a6bf48eb7fbd6eade9137a904e3240bd46fbe8099263385b1049f87f2f0fc122cf61d933e534b51526e0b6a56

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
69KB

MD5
2d2c557677ebc94063264ff64469e541

SHA1
341d4cc69d187cbb68d437cb05b57fbffa3392e9

SHA256
3efdcf0185fb220627039e550e6e8cf145c2295fc404acb65b692a858aab7b69

SHA512
9f8a8881c1d2851de886514bf619b7970cc07f2825b75ae7fa81e10097fad41349057737a2268af65bd4ed65df5d0ef590fc6dc5d88cabc5a2472ad9401ee73a

Download Submit
\Windows\System32\wbengine.exe

Filesize
22KB

MD5
81f040200f0711f369011f7ccc89eb32

SHA1
5e5cc2893c9193ee1ff005d565d396a0656130e2

SHA256
d9cfcecf03961d4fb86620d623c1404c076f1e8a6955a4c35c6d81d900da4f59

SHA512
4336dd4ae78be17372b7341c3099a6835559b9cc2d5e8adf0cd2c717bb379d946e017736f477179c5dce99f84c570d20838f060caf317f9545979c1af29dafaf

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
380KB

MD5
289f507149216ac7e126cfd9801e4839

SHA1
66135ccd3da5cb355e74ed9c5afd317f55e53763

SHA256
79615ec21906de5d7966b931cbd88e1d313059d0e3a7a8e5973312bc87453108

SHA512
6c402000d06a12909e6fc6dc6799d9174cab9a0847f2e6e3dffd5a1158e5583ef89f24a6c494fcd095695f1ff7175e68ca8492dc2c7dfa8d83875932678b03f7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
18KB

MD5
2481482eaa3376868b2b2110ff388060

SHA1
025c6dbfedbb6b089dd73343c618e1fd49e20bec

SHA256
810a45961354ae3d9c1a2acfa002de64f23497b9faa02429daefad1187f93eb4

SHA512
cb1e8ce2187c2ee20585bfe526ae6fb349937957b188b7f7ab16224f4ef2dc3b975209488c254afc9945c27e471697e258e05573b8f732f051aef50cea039c31

Download Submit
memory/320-352-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/320-360-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/560-179-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/560-254-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/560-186-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/560-183-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1184-311-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1184-320-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/1216-250-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1216-248-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1216-228-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1216-220-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1452-126-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1452-193-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1452-132-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1452-127-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1528-202-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1528-198-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1528-191-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1552-25-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1552-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1552-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1552-13-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1588-302-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1588-235-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1588-247-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1680-332-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1680-325-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1692-339-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1692-346-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1784-142-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1820-304-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1820-295-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1820-358-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2180-282-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2180-350-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2180-337-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2180-309-0x0000000074878000-0x000000007488D000-memory.dmp

Filesize
84KB

Download
memory/2180-292-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2180-287-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2260-156-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2260-154-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2260-243-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2260-149-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2260-214-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2260-176-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2260-175-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2260-174-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2328-163-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2328-170-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2328-226-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2328-164-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2336-114-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2500-280-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2572-66-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2572-172-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2868-313-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2868-271-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/2868-260-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2868-319-0x00000000002D0000-0x0000000000382000-memory.dmp

Filesize
712KB

Download
memory/2868-261-0x00000000002D0000-0x0000000000382000-memory.dmp

Filesize
712KB

Download
memory/2888-258-0x000007FEF4CD0000-0x000007FEF566D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-200-0x000007FEF4CD0000-0x000007FEF566D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-267-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2888-249-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2888-201-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2888-204-0x000007FEF4CD0000-0x000007FEF566D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-268-0x000007FEF4CD0000-0x000007FEF566D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-306-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2956-212-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2956-215-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2956-278-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2964-98-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2964-104-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2964-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2964-124-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2980-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2980-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2980-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2980-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2980-2-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download