d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
Size

1.8MB
MD5

1192227cdb385c3048d8b266854e5344
SHA1

0ae1ba2aa5b8fee98f3ee3f3d28f3b4ae82f3216
SHA256

d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0
SHA512

b7ff086dd93224106aef0f77e697ae9e385c7e106daa58f3e21ddf88d4631153ae06ac6e1bbc0fdc8b4a9e9f53cc0d1aaf1d7666c1e89099bbedb55b2e632200
SSDEEP

49152:zKJ0WR7AFPyyiSruXKpk3WFDL9zxnST7DcMlQpRQQMKMZ:zKlBAFPydSS6W6X9lnu3zlQpRQQY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 43 IoCs

pid	Process
480	Process not Found
2636	alg.exe
2696	aspnet_state.exe
2972	mscorsvw.exe
1012	mscorsvw.exe
2868	mscorsvw.exe
1360	mscorsvw.exe
2184	ehRecvr.exe
2512	ehsched.exe
3012	elevation_service.exe
1872	IEEtwCollector.exe
2472	GROOVE.EXE
2856	maintenanceservice.exe
2244	msdtc.exe
2556	msiexec.exe
2564	mscorsvw.exe
2536	OSE.EXE
2888	dllhost.exe
2812	OSPPSVC.EXE
992	mscorsvw.exe
2560	perfhost.exe
2900	mscorsvw.exe
2000	locator.exe
2944	snmptrap.exe
1556	vds.exe
3064	vssvc.exe
1580	wbengine.exe
2504	WmiApSrv.exe
1396	mscorsvw.exe
1676	wmpnetwk.exe
2652	SearchIndexer.exe
1748	mscorsvw.exe
792	mscorsvw.exe
2708	mscorsvw.exe
2012	mscorsvw.exe
2332	mscorsvw.exe
1436	mscorsvw.exe
1068	mscorsvw.exe
2436	mscorsvw.exe
2352	mscorsvw.exe
856	mscorsvw.exe
2648	mscorsvw.exe
1132	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2556	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e49609118a0c1054.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\goopdate.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\goopdateres_fr.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\goopdateres_gu.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{816A3475-9C83-4071-ADF3-DF13B538F008}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\goopdateres_bn.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\goopdateres_cs.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\GoogleUpdateBroker.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\goopdateres_lt.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\goopdateres_nl.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM251D.tmp\GoogleUpdate.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5474B769-B776-453D-BF58-ED4870F49811}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5474B769-B776-453D-BF58-ED4870F49811}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{28B0E7F5-ABCB-4B3A-BA05-1316E6A4B71C}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{28B0E7F5-ABCB-4B3A-BA05-1316E6A4B71C}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
904	ehRec.exe
2696	aspnet_state.exe
2696	aspnet_state.exe
2696	aspnet_state.exe
2696	aspnet_state.exe
2696	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1572	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeShutdownPrivilege	2868	mscorsvw.exe
Token: SeDebugPrivilege	904	ehRec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeTakeOwnershipPrivilege	2696	aspnet_state.exe
Token: SeBackupPrivilege	3064	vssvc.exe
Token: SeRestorePrivilege	3064	vssvc.exe
Token: SeAuditPrivilege	3064	vssvc.exe
Token: SeBackupPrivilege	1580	wbengine.exe
Token: SeRestorePrivilege	1580	wbengine.exe
Token: SeSecurityPrivilege	1580	wbengine.exe
Token: 33	1676	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1676	wmpnetwk.exe
Token: SeDebugPrivilege	2696	aspnet_state.exe
Token: SeDebugPrivilege	2868	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1936	EhTray.exe
1936	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1936	EhTray.exe
1936	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2564	2868	mscorsvw.exe	43
PID 2868 wrote to memory of 2564	2868	mscorsvw.exe	43
PID 2868 wrote to memory of 2564	2868	mscorsvw.exe	43
PID 2868 wrote to memory of 2564	2868	mscorsvw.exe	43
PID 2868 wrote to memory of 992	2868	mscorsvw.exe	48
PID 2868 wrote to memory of 992	2868	mscorsvw.exe	48
PID 2868 wrote to memory of 992	2868	mscorsvw.exe	48
PID 2868 wrote to memory of 992	2868	mscorsvw.exe	48
PID 2868 wrote to memory of 2900	2868	mscorsvw.exe	59
PID 2868 wrote to memory of 2900	2868	mscorsvw.exe	59
PID 2868 wrote to memory of 2900	2868	mscorsvw.exe	59
PID 2868 wrote to memory of 2900	2868	mscorsvw.exe	59
PID 2868 wrote to memory of 1396	2868	mscorsvw.exe	54
PID 2868 wrote to memory of 1396	2868	mscorsvw.exe	54
PID 2868 wrote to memory of 1396	2868	mscorsvw.exe	54
PID 2868 wrote to memory of 1396	2868	mscorsvw.exe	54
PID 2868 wrote to memory of 1748	2868	mscorsvw.exe	61
PID 2868 wrote to memory of 1748	2868	mscorsvw.exe	61
PID 2868 wrote to memory of 1748	2868	mscorsvw.exe	61
PID 2868 wrote to memory of 1748	2868	mscorsvw.exe	61
PID 2868 wrote to memory of 792	2868	mscorsvw.exe	62
PID 2868 wrote to memory of 792	2868	mscorsvw.exe	62
PID 2868 wrote to memory of 792	2868	mscorsvw.exe	62
PID 2868 wrote to memory of 792	2868	mscorsvw.exe	62
PID 2868 wrote to memory of 2708	2868	mscorsvw.exe	64
PID 2868 wrote to memory of 2708	2868	mscorsvw.exe	64
PID 2868 wrote to memory of 2708	2868	mscorsvw.exe	64
PID 2868 wrote to memory of 2708	2868	mscorsvw.exe	64
PID 2868 wrote to memory of 2012	2868	mscorsvw.exe	65
PID 2868 wrote to memory of 2012	2868	mscorsvw.exe	65
PID 2868 wrote to memory of 2012	2868	mscorsvw.exe	65
PID 2868 wrote to memory of 2012	2868	mscorsvw.exe	65
PID 2868 wrote to memory of 2332	2868	mscorsvw.exe	66
PID 2868 wrote to memory of 2332	2868	mscorsvw.exe	66
PID 2868 wrote to memory of 2332	2868	mscorsvw.exe	66
PID 2868 wrote to memory of 2332	2868	mscorsvw.exe	66
PID 2868 wrote to memory of 1436	2868	mscorsvw.exe	67
PID 2868 wrote to memory of 1436	2868	mscorsvw.exe	67
PID 2868 wrote to memory of 1436	2868	mscorsvw.exe	67
PID 2868 wrote to memory of 1436	2868	mscorsvw.exe	67
PID 2868 wrote to memory of 1068	2868	mscorsvw.exe	68
PID 2868 wrote to memory of 1068	2868	mscorsvw.exe	68
PID 2868 wrote to memory of 1068	2868	mscorsvw.exe	68
PID 2868 wrote to memory of 1068	2868	mscorsvw.exe	68
PID 2868 wrote to memory of 2436	2868	mscorsvw.exe	69
PID 2868 wrote to memory of 2436	2868	mscorsvw.exe	69
PID 2868 wrote to memory of 2436	2868	mscorsvw.exe	69
PID 2868 wrote to memory of 2436	2868	mscorsvw.exe	69
PID 2868 wrote to memory of 2352	2868	mscorsvw.exe	70
PID 2868 wrote to memory of 2352	2868	mscorsvw.exe	70
PID 2868 wrote to memory of 2352	2868	mscorsvw.exe	70
PID 2868 wrote to memory of 2352	2868	mscorsvw.exe	70
PID 2868 wrote to memory of 856	2868	mscorsvw.exe	71
PID 2868 wrote to memory of 856	2868	mscorsvw.exe	71
PID 2868 wrote to memory of 856	2868	mscorsvw.exe	71
PID 2868 wrote to memory of 856	2868	mscorsvw.exe	71
PID 2868 wrote to memory of 2648	2868	mscorsvw.exe	72
PID 2868 wrote to memory of 2648	2868	mscorsvw.exe	72
PID 2868 wrote to memory of 2648	2868	mscorsvw.exe	72
PID 2868 wrote to memory of 2648	2868	mscorsvw.exe	72
PID 2868 wrote to memory of 1132	2868	mscorsvw.exe	73
PID 2868 wrote to memory of 1132	2868	mscorsvw.exe	73
PID 2868 wrote to memory of 1132	2868	mscorsvw.exe	73
PID 2868 wrote to memory of 1132	2868	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
"C:\Users\Admin\AppData\Local\Temp\d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 254 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 24c -NGENProcess 23c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 22c -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 260 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1d0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 230 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 27c -NGENProcess 280 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 268 -NGENProcess 2ec -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e4 -NGENProcess 24c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e0 -NGENProcess 284 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 29c -NGENProcess 2a4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2e0 -NGENProcess 280 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 23c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1132

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2972

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1872

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2472

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2856

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2888

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2812

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
b5914059fd95868e0df047e8640528cf

SHA1
ae79bdb972516110d73cb249b9c05ca163e9a9e5

SHA256
686d658289fdaf9ca1b0b9bb61d4af11696b4941a8e213634840206f1a20c6da

SHA512
e8f6321af4985c3e72bbf02ee665129a85ec6f3503db13e051ef76d80c73b62b50d16cdf95676274166e47089e4b6e18404a195f6b5d0f94ff70e0594f4aa7ce

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
b0f1ad4925edc2b44a787d98a72989c3

SHA1
c5b3a57f190790f6d7adc021e25caf1bce27231e

SHA256
f15a27cb5a586465133af10e984b7df56985cf43eecac9ccf5ef35e8b002a28f

SHA512
7e5969d4cd872f3398d716287e0cb47935cb6ce2c6c756959ba8bbaac5b902e7c5f0fd22d9f4eeefb86a86b6523390977dacbba9ebe3e05fa6e1af58dff308cb

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
249KB

MD5
f691cb2d0870d4fbfb6ec287dae8d290

SHA1
b3869b80d936b33f7b2e69a67239014df33b7926

SHA256
313cd057eabe61eee3e309aef1eee32a1490f3e109b5641535fddf5787e61f83

SHA512
8d80def66b50409dae75acacef3d16d3d4d22ebec73d9f6cc3552927232467a96053485bbabc97fce9ff73aa63dbde7f8cac074c66f5c44c86ec11b25804d70e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
456KB

MD5
899afcdc68450bc2ef552dd4dddab7b2

SHA1
dd792474b4a458fda820b28299c00fb938499fbb

SHA256
4a0c1674772b7d97aead36fc82d5bdd241bc3eadf16dd35a2a3ff2d17a99d465

SHA512
7db754680822125a927f2ec20e0847d2493ceba9e698df6f793cd8d3d717fb9559d588a55e74d4c9fd3e66c7e9b23f8ef6af9b3bb50a4ab9732d14abba22eb4b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
353KB

MD5
5007571207b6f0e4e52c92f60f512ac5

SHA1
034fb16805cbe5f8139004bceed4f038b3db6e66

SHA256
46ea444c1f4afe936c039f7448e4d2457f86d723f0ba17cf7e2e728ee2980335

SHA512
bb81e8c1bb9cf10a8e6685ef12ea4b243bcf63fc950b6dabdc49237b2f485e12d38cc12f9507458fff77b7d108b0e39f709b2829bf93f381c8eda3dd60f94f20

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
54KB

MD5
93c495f5839924a64c164b9dd7470178

SHA1
37eb109d5669e61e8f91321224a6714c6dc9bf2a

SHA256
df083aa4e4c56c786a8e06f037df250aac08f98eae0de2d767bfcd640c6b9b87

SHA512
bd81460e7aeb18a6d99f3ef8c44fefdb8e4a511f342d0b90ac031fbbcd857ef32ba64ca3005737028ab1f3774e981c4b543c59803e0e8e126dee09902f422d31

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
223KB

MD5
f9dc64ce90d3dbadd85e92636371edf8

SHA1
5bf24094f69a46056613222329378cb1129b1f27

SHA256
5c391a29a968f2ae138b1c189b9fa4cb31a337aa3ad37112d55ad8c5d68dbb37

SHA512
46a932c00dfddfa99cabe30065a43d01f611a9ec4347cffce6e5e5a72049d24bde146843931aded17ac462365f5d71606d1db00576cff3de4c6842acaec0b049

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.7MB

MD5
c24b987c45f285446220982f6e535a6e

SHA1
10441ca2429a3b888b6be7186fc38f1f43563af3

SHA256
fba5d629ce3acf68775e9c509f5845d4ab7368ee372954a85f429d76ccf84914

SHA512
4ea6af07af906ed3674c7ec7e365abe7254cc6c9ebb67b962404ed46279408f52183302ed01fe7266cadaac3e8cbd092a96d612b9657d7ac6e7291d67be61e2a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
45KB

MD5
7657d81c6d5f1395e9c31b530cda11cf

SHA1
2a2a1fed8d40e831c7f1902a6afb91f3e1228650

SHA256
c4c9474c67c15256aa18bf83bd683f7815e467c5dd84cef4f93f31524fad6a86

SHA512
c865e31b8156edf8e3dc773e7a452db6df23bcc9b8c4931e50c7d19bf003fdaf0581227a72782ed2735af8c5bc049e07c417e8beb395ed23b15e1c24b471f975

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
43KB

MD5
1ff0317f8cc340732e992e8668701a3c

SHA1
0403817e091ed935c4c6eebdf1fdf5e2c5f80591

SHA256
dd8be3960aaf40600c173ba49f1db8c15d799a35e1d052cdb9c2fe9c03948c37

SHA512
0afbb5e07e8fe32d3cc34adce12b6a12f6041e9bd6a7bd711c7af2024c01e53e0779893dc0f5472cec7d11c12ac27732066cec1fd441ece709504ee3231defa0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
166KB

MD5
9fb19919e2fe38400e5802524ff3bf61

SHA1
c3b5468781676876024bd51a3aa758e928e848dc

SHA256
bc2be4944b467f7d8c108faf70e8915c60be05ac760e49d964bb5a17170d4d2f

SHA512
c13196b4ec282fb76113031f7bf4c97f220cb5ee9f9f57a4a2073a39f3fff287ef29471b877e31279f9a703f076c2d9c221aabbb9c166e347a98ab78552c45b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
172KB

MD5
599fa95555b86f5cca004672723cfe3a

SHA1
549a1286a280851492d68eb66102a0132c9c23fb

SHA256
c4fbd0d18cb4d87b5d8966ed1f0a4136bb6a26e7785a523e4e0e93ff4f7aadc1

SHA512
72b435e042d2aa2b8c24bc8e541a10a3a3a56c585f595e73211a416818f26993283129ccc6f8b20cf2ee94a0bf1c4fe2b1392440b129d5b56090b22986011235

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
66KB

MD5
6b4f9d33356ede915eb2a6b0d2751b8e

SHA1
c0ecc0841232a8ee8dcd52bc8239e1246a12c4ea

SHA256
b64186d02b36d3fc6bc2adc6f357fb6f808139bb4ca7aa1103e411d885d12535

SHA512
a5e4d2e56638ddbe26a03676f44f12c7c6cd64c7e52eec3cdf2bd56f30402bdf7980a173d809b395f196a87617ac0df1bb8dccf3a2221fb61a4a57d618469264

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
229KB

MD5
78db86dc3ee8e27815920eebc4f7f2dd

SHA1
a386e42dd81920891055f6e8b125da2b317b85fc

SHA256
9cbcaa5107ef40bf653fe50a1b5b64c642709b0aaac9b630bae1f38b0a8c669f

SHA512
9ed2300d26c0f349d2dd33c369eb263b378f6d98305dc6ae3e6f4b0098986c79128cdbaa5a20278d7bdba8e4f314d2afd44d8aca7cd65f3524815e3aca5d3ff3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
145KB

MD5
d829b5453ca52983f302343d84adff6d

SHA1
f44d7c6293bf5311fddbbef8ab43ff9781bb1fd8

SHA256
c37e3264bfb2d7b3ca97037e71ee328989fc34947c4c980acaa8012b2a15295f

SHA512
9993fdec15b180416c982ecb3569a8e07e6094c336d03fb42dcd487d6a587c2254280447790a925921d484fba50372a7f4373d4697c3bd08fb07c9b334013fcf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
199KB

MD5
b763d56c3cb5cc6138d4d3285d7ba57e

SHA1
e96ee46793e5633e80b9134b699eec3387f56f51

SHA256
4ec81edf0195ee796c7045b0daeeeaf9982ccdf4e6853f32bb498f52fee9c309

SHA512
65135b8c95d93c08c0d71917a72c50169e089ec23e171fde2f6e5fdcc8620743fa6da9e5f652fdc2f17b7b8738295fffaf6a5d9844cf6d8347e1a02886a0ff3b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
75KB

MD5
fc9dea9f6b888a8b0fa9f89faf9d7123

SHA1
1454cfc0188b5c6dd6bb22066dfc912309ffffb7

SHA256
fb091a96c1a9a073e122a3eecf969b39f2d89277616b7838aa6eb41f61390f43

SHA512
af04cd06feabe6b045619ce4488c26d2b9311dbbc3cbed44592570c238e8b3ba26cb2041571c2292dc5e6479f5c88c5b640363852dcdd9e0d5d79103fcd0f9e6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
164KB

MD5
8b991d23880da2504f8e78fe267e2626

SHA1
77845e5037276a750e8a419df8bce83b06b1243e

SHA256
be0a48f4696c61a6b44f75d7a8202fabc9608aab829724d6b6c2e5337363fde8

SHA512
8255bd1729cefcff96193cb203e402d3c57523297f9e37c8575891295bf67732472acd2d45d921ff2a51447a2503c0eb40cc13eb1ae7613b9233102f508ad21f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
228KB

MD5
74afacca1c1eda07bf72b3f0e109a9cf

SHA1
13f222e27d57076fc54d7d0aa07789dd2761d3eb

SHA256
3776494b8f1c2d6c9660924862600f5b1005ab87bd82bc37c28614d77b99302d

SHA512
c0ad99514e713f4cc5a017d8c4322a1a046c6df64f6899fcbf124a358119bae85056d649b4584971ce6537dd9319eb217269fddeb1d0f338c765831e8d82a55b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
142KB

MD5
57983eeec1ab77c1b844dc9f0f5beb12

SHA1
d6ff73751dd3cf09b8281a446919dd4f95f38392

SHA256
8f48d2365407d008c55d79ed2318ee953bb6945365673a21b049c3d5c232847b

SHA512
26ba622ca023198148b13d3d83058e26c0d1f64afd57c7e18ef15134f6f130a7cbc58fd764b0bc016984267508094805840c60e1992945794cd1c79b13275d11

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
52KB

MD5
cd00883321096bd6856566d275bca210

SHA1
f854ec6cbbc815dcc17a5c5855dc238e7704268e

SHA256
29db5c68c31cf284874fa5fc34ce9be316c3d51c19c22301002e17db5e619360

SHA512
aafe86fd224c700b985f8667bdad32b9db17084d99f7ea6c413760747d4a0d81b356c739f8fe6c95a722c50bd7dd0b3125414c914293756a20a3c10a761581cc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
29KB

MD5
e684586e8ce066d1e878f89944c69384

SHA1
86949ce3e982da9f477902d7194d874de98599d2

SHA256
b68e9c94b8f6461d17c3b0e076c71a21f6dd785e9fd926ce9a895202492c6e1b

SHA512
f07c56f56d044933da0aa91ce18be67dd873af8f6501b5bf5df6c4dc09f97fbf9ea57082f31c4edd052116ba5da7e564609d1735a900a0dabc73cd91df7fdd30

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
113KB

MD5
f0d820a7032113799e914308c3f2c223

SHA1
18d3391f8ea980ba81fdafb9ed77388a225a38b2

SHA256
5fe003ebbca5c0c73a456c8b65ccb9ff902268bb5c1aebea376cf5e998c2594e

SHA512
63f45f856501a85501744452253d5e0d404b25e0fc58ffa1668c1033da01c17888053b2de8cf42c92ac121f3d6f02dd2d1a8a7286b0abf7fe67332594696aecf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
32KB

MD5
381b082b6b23677bfa1c5733a9b042a2

SHA1
e0eb1beb4b1ee0a5d235011cd622b01d4c2dcd1d

SHA256
5cbf0b7598e577f450587a7cc66d664e14779a8b8b10a051f2f857a085ecd962

SHA512
a40c88cd2cba3cbdccb167661fe8ebc9e20204758d62e7e6500f538789632089392b5e99323e5861617291b73269f8f3f29154012631e05bc92d2e2abb7c51b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
54KB

MD5
23199e6ee1893e578a774625f8c554b8

SHA1
908531aba1e7ec61a877b1ffd4b9568638a52eed

SHA256
f6f26694b5f5df5f9b613e14fee7e686916ca53833e6a5c70ff098d5546695cd

SHA512
3be198c875fd3a9f7b6a682c2fdcff520b1058f8547194a6c9ed30aaa1d6b569a6b6fae95ef40656633d3081bb35773e445506e7d6880573202cf55089bd2321

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
366KB

MD5
390e72bef3129dfa6954aae892b08894

SHA1
821acc6a78c63164860fc14a3d098b657ab6fe71

SHA256
139fdeccf56009d6a6399a78bfd4fc57443391369480e0c5dbc02bdc80fe780d

SHA512
7bd1a655fc1828bdbd43aa0746f7819f4a48b3c2da8c993f0fb0039d09b8a972edc409d1cc4a8f5f4aec8fa265be9343316e5f05b91017ee57bd5eb9899ab7d9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
397bf80677b447dafeff67c9a041d0ae

SHA1
9f9a155f3fa681a796dc896f047c843fae9bd27c

SHA256
e24f6efede82afcb067422884a7ef8b6d7a98eb1f847763d0fdbd45079c1143f

SHA512
351d9939d8bab5c9caa188908b4f7ff572963641eea98aa4627233bc67a7f58c3ad254e57e0233331e9e6c0146c305856f175dc304e5de6c4ff313a4e804d58a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
45KB

MD5
8942a3464ac520443b9ebac43395bb1b

SHA1
a04e67ff86c974e84084e42205fea058b7a14c58

SHA256
9a062fadfe6b7c51f896042e1824676c5f95873bb957883b2057a89703786818

SHA512
a585ada23d325584c56dc9f0f6866a7cba80eaa71cedca6e8e6730c6e2cf6d72302f2be534ae3e6bfb7dccf508a9861e2da2e2ebefa32afe09a4e93a26a9ddda

Download Submit
C:\Windows\System32\Locator.exe

Filesize
246KB

MD5
48f46bd75b04b4458124d68045c0d4e9

SHA1
c5ea42a5ca22ac1e115a04edd9b4f18201316d3a

SHA256
1cd933d2a426f83a44ab71916159ff3f0b3c124ecbfd0d34872b4057ba029aff

SHA512
f3e56d7b1db4a5a3a66738a5355abd0119bedef44d5834c842707f81ca6f6a3021ff51fee194224f842a9a606c7865cecca89285ac7ba62107da7beb4d31756b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
45KB

MD5
382b6d2e1851f38f491bcde9f5e8a87b

SHA1
fe1da28f383b26c726975155564b4a521af49d80

SHA256
008d764967a9779deb78dd044b6610f63409ff7ffa0ab90534c74f84c37d37ef

SHA512
2585f58f83af3fccc51709ebd7c2d6f6947115b3e8318253202ceec6e440b4313312676fd2c2b6b6856126afc9625fcd936f52527ed79f415cbf3192c2112de8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
80KB

MD5
f144e1c12f2fc3533fc84dc4e1d81372

SHA1
edf900bc7c973b51d7ebb97ab7869d284cda210b

SHA256
3c048033aa7a157c5cba156748581517e3ea5462f8904e0a8a331657091ced09

SHA512
6351129dd0f7e35986e0d8673a9eec72ec5e7f41d8b38e9a8e6bc31147c3762429cb73a52b12ad477a2fe3ca7197a39b0a0d2a9ee48583e232a216e4ad9985bb

Download Submit
C:\Windows\System32\alg.exe

Filesize
174KB

MD5
256bcc95ea62e11da0c3af8cb8fb6c4a

SHA1
6d4d73000166302ad75f799ca168c08956992aee

SHA256
3fa28374850d5bf051c26473b23864189b256795a8047abe08a952a84e6078e0

SHA512
0a50756e3377bbf90d77e6d33810aa2bcc65269c0bfb29150711921b66b95883bde5397ec54150bf408a39ebe54f93b9f4c176872cf2daa2795c7bc3c7701ef3

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
123KB

MD5
eb0650f1b0a65594e95c61264931ea78

SHA1
2a18a5b4e8382bb80c1a5b3f46185f04899db7d1

SHA256
60a76fdb0645fa5341c9695bab24d5616963f422f841ab30d8066c9af09735f7

SHA512
abbf92ee986b868fd33fecb101c2c5d09d94595e99d8509480ca311a95f70fe24d3553b4b93b4eaccac063f2452864a52aef6296567511c62bb2c1a75f1e29b7

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
2e54a470c15c809e0a021d959cb60512

SHA1
75132f19928b98fdce7e0e5e4b37433f5dd18e47

SHA256
8f33cff517d275387f1e03854ce1ce25c94769870240ac1f2426013a9785b69a

SHA512
cbc44557d4d01e6e88d548807296b08710fe8cf367f28bcced95771925256e023ddfa0c0ff39745f2fbaf94463e6f68b66e4a119d392dd09f757baae450015a7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
437KB

MD5
053e99669a257f290ab7d5642210f75c

SHA1
d8f87c053ce62ac1660b85742d425f9a33c9c194

SHA256
d7a4af27fbac55054f2052af7c5598cfbe17867112bae1965928a9968179658d

SHA512
d1814cb7dc5efb94b985d651ed7b009bb4a1dd8adfb897767ee344d52f0eeb7a6635e35f9cc8cff9410307073bc8cad363bf1776afe2472bfd1ffad40cb2a61d

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
135KB

MD5
ec2dd1530d05311c7b8467770208a71d

SHA1
e3291cbae22be60a40fea68b0a3a7cf3798ab083

SHA256
ba3a056a00b3f61f78b74dbd0088fccd2ebaca2ef5a73e767c4d30e18093b5d5

SHA512
26888340d48b0916231c1e639ef452747f93d7e14028cb681035756d5ce2392e622f1c4173005e647ebfa2f52d16444c6e4c50bee55d7eb51ab588120557d965

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
96KB

MD5
0b4a175ee4c7f15ad621ad5575ab5e85

SHA1
204ffa4b929c6275dd52ef58789f55d45e27dbf1

SHA256
4bf187c90e5a236a1c6304cb7a8fa82df00fc2a2027469cce66031a309e2cbc8

SHA512
928110c77cdc101dc861351f9720203f83beef2c243744cd0cabf73348b94f7971c3dba0474157da44afdf6aad89fba9a5b3a0721f979fd5861807888ec255e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
40KB

MD5
928fb04d4b88077c78c929c2c5e26a6d

SHA1
8b413c344ce054186d05bdc0f1c39405cf565a09

SHA256
42d631bc26dc820c5c43f6a41b6faf3eac07a740f402e241428739d308d38c1e

SHA512
89fb868adee1e8b4b9f22f22dbcc9d0e65d146e6ff5f0131456bae6db11da9fc0fbe9081d4823b0fe32fe30e8826729ba89ce779de2147a135c7af82da381494

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
80KB

MD5
00783dd49a71c99b28457b70508954c1

SHA1
bb21e0b35cb6c417067f90ba4c9aaceaef76896d

SHA256
7087a612ffa2bab919ce6ac4ecfd226e192303b02692e4de66611a2768b933ad

SHA512
6355a19a46123ff098ebd016edf222548684dc7e403fa52a348fe6a01ad83ae2912ed153f2f3a598a3582372f32875b1ec24b8954e0a1cd6a6560e1dc4b151e6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
24KB

MD5
cd86a00443c70e0fb50af5e94cc772ec

SHA1
cbbf9cc7c574196babdf2eac76abe9169f02cd1a

SHA256
062683cc01cd5ad04edcf4c5cc17a534c14262d1b0a8777089a9fe89f3b51acb

SHA512
9ae410fac062b660d603abb01bae5832cabb38046e46a1e58cba941c28bf9576ad2f38966f8c650fd711b3cd9c268327fb09bd93d0f7ed9c337a19c0a693e99e

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
9798528f64c07b06b137c9168ed0722e

SHA1
e49925a50a6760727509eed523b5fb9e401915f4

SHA256
1efed373f4209d66c21b5107d91de74c8f1dcf91778923b1b311c9fc712bb85a

SHA512
a0d7a9fecb46962757a4e665ee3d88c007772f0bb1cc6c43d086020bc97b4daf8cc851d5f0fc2d0a531a5e39f32a630666b64d8422cf0fb49795ee1aab9a3626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
103KB

MD5
e7cf0ffb7c9e358851844f12c735f84a

SHA1
1951220704ff192e0f7331611d600110fceb2fc8

SHA256
ab03811f9d9346b2ed12c40a59172f865ca390dba121939876e54c1d4cbfb539

SHA512
0dbe8c8e21b180ac6176a89a9bab341c361b08cc68d22a303e0e49caf648c77d09dc18efe8c025a81ff415f9a8a6efb0fbebf08e73f8229df89df4a23e6bfb4f

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
4744a0190003209a509c73102b9bf9b3

SHA1
4bff000378a87415dcc5ec259f45e40e34909560

SHA256
fed4974fbfcc2021aa271ed8a1317b7806423115fdee77be1f9337651d61bbc9

SHA512
827dc8b81a385b0f1c342250abe0fad06e0cc2c9dd39e7959fcfdad269a479be0178cea0ed4a4ec2dc04f61cc0132dda97c88c09492f3d5c5c1f8b88e8f0dd0c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
c6cdd059786dcd43681a43a6fd3be7ff

SHA1
935a5c609d93e9ac51603774f90409ac60d05b01

SHA256
5515029c0714e11cb9528a257fb98e54b70bcca21b72b20eb5ee0e671b69c57a

SHA512
fd97655c4cdd1f65ed9cd253ad98d46d4d1b72b4d6060995d059cd92f10ecbd844246f41f7e9e7e9830923008140143e918926a63c316b86fac1815b3a59d44b

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
93KB

MD5
acb2fe1b5b2b845e3b096658ae24fb3b

SHA1
8e7db0ec35bd1ca7f328d8d3bcea6474be3cb237

SHA256
54decb136ae77b3fa8092394e143934d597a3b9d84586f96a413a7247c58f06c

SHA512
d824314d2910233457a3a6433d5a616b162df6a94f4d4c9ab7e7baf92f8a60414c8e79c118cae2d9b2d502b0877390eb2e8af46d7ff0eac0418ab37fba3dd369

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
25KB

MD5
616223a9a428f1343ac4c5f176d62aaa

SHA1
c4cd32cdc6244e05faea9c809bd4be6933e0a297

SHA256
295821ec86267d8d8fe8e6299e55c69a08679838f7efdcc543e406b36c3947f2

SHA512
88eb6cbb180e87bd5d7dc3152bf0184006a45f3523864f6052d051bcceb8a2cd524472549f8d03bd76335b6ec8ad57d2cbab96cc0f2c0847b472abd2f39ae164

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
28KB

MD5
056123606c3f7def0ec8f925abf14948

SHA1
f85ccfbd94c0488006618fa036d636e29e9a1a41

SHA256
e3f341cd349346b35facb9be8b7418a8aa1741e5de00bbd926d8d8e1ce638a48

SHA512
1cf0c46c6fae2d0dae066f887a6c74a46cad59c3daf663b2eab47871c16c4c1fcb59f93251c88064cb77a3e427cd5f8f7b753aefa895ca3a10ebbcfa1bd6eb6a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1KB

MD5
1e0126f08f1fd72b6192ee9dbfc65561

SHA1
5fc191f75304510d63206628c8a7fccc11e2c960

SHA256
8924cbee0b0e546ada61d82c99baee3b627e019cc2d2775f4a0e8e1668278ce7

SHA512
ca948e5a00ee676584022d601f391a00813b9d236e10586b983b1e974a973ad5f3561d048fa563fb41bf60cee297e9cb768bdec25c084e22614fc1447d6eb5e9

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
254KB

MD5
8362840efb50fbc6f47085da32bb01a5

SHA1
dc24438966d72b7a603f9c18369e17f37c6fc0da

SHA256
045084b590cd5ede250dc55640042c5c742a1661501cc9cd82090335187bc5c7

SHA512
b30d0d190d8deea3e9d11e156b9b39d1768d2eed6cb4de1b8fd38c9a0acb4348a055e5fbdd4b459feb61649e6324c17197fc1db16fdbba4f24ef247a42489683

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
68KB

MD5
9c9fe79954a3ba344600d86edd13394a

SHA1
6d305d4b6c1edc9ce0feebf7aa45be71423f703b

SHA256
d5aedd6d62db52001e6d66fdb77b53ec66ea87a984388accb2a3b9274f43c81f

SHA512
2707ea66621e2eb5d100f358235b6140afdfdc4f76c7691168717b93a19c3878a51077866e2250a6b898244d2a7933b78b47d2c029b6dcd90021f31875c5691a

Download Submit
\Windows\System32\Locator.exe

Filesize
140KB

MD5
5375e1f291514f39249357684cdd6c92

SHA1
f54fb8ac0d3ed8a0342ed73e8050b6c0902edcec

SHA256
b00b9d205ed87af80797a36f1cb8dfc18e41c4585694617d004711af4e02d879

SHA512
34e436f8f38e9210255d7449787230798681f5afad919f2722d085e37fca5e03b5c7d1fff184a75da621f834c908eaab99e81f471396f8549bef791db95842e9

Download Submit
\Windows\System32\alg.exe

Filesize
160KB

MD5
cd656f60e3bc38e9fbbaab93ab62cb57

SHA1
4d727fb8f108b255d19439569a8875ffcc4fc06b

SHA256
07d07e64eb40ed9187dca7675e4f72d05b89e5ecf0023eafc322deef3ff1ec82

SHA512
fe80c4cb4f3462e6d1650154503055e39ee90bebc320cf0179d257b60579bef7b8346fd12d600287169dd34ed725040975ccb8456a9ca009635b524bd9037638

Download Submit
\Windows\System32\dllhost.exe

Filesize
165KB

MD5
2ef2affe5775c17a756a52ed9a17b15f

SHA1
0f036aef0ccc425803f16d502921b1dc584cad39

SHA256
4cddc6d75941ae01d58252f6649354e3265a214c6dceb11572cf29b764a55428

SHA512
d2c4f314a7bbd08e077ff716c71dcb5e7b70615e556e98b216d0ef6ddf7ba9c17db548381172c89700a6624029c04374119685c97749d2d8587f00d478340517

Download Submit
\Windows\System32\msdtc.exe

Filesize
502KB

MD5
7cf173f7e7a4ab4803d32f7fcf5863a8

SHA1
c092712669fb8f5daad4eeb5c685829f33fc84ac

SHA256
5f66d1711f5297d3def945dc2b86addb46895b3defddc9f56d63c6ad17decfae

SHA512
bf282e3c3cbed0e718884b19ba7ce0e28be892905b8ec830d3449ee9282dd7525ef11b740466eaf0d6fd6a7105957af0cf8e46483552d8b0693f960ad066763d

Download Submit
\Windows\System32\msiexec.exe

Filesize
606KB

MD5
739732b80d75bc9f591a64e6d568b0a8

SHA1
d575a621713790733b4576b06e3eecd016928b02

SHA256
d9cd7d5ed793d9d18b9c1565968e43aa0ee9c30208b3fade9b9f1de7f9460409

SHA512
438a78cf24597e88f06fe33e31078aa245afd4c75b4bb116cbbd55ba1095744446876e42e7febe6b2707657bf0b22b57ba7183b86eee60a92a3abaa66cd90e68

Download Submit
\Windows\System32\msiexec.exe

Filesize
335KB

MD5
bcf572593300b7fabce3bab2c0fbe682

SHA1
046532479611cbebd70663b2021b9871b6697399

SHA256
98075b0d59f50cf9059260b45cc81b1b011cf060045a8af4b963d784f8d2e855

SHA512
cd52740fd2946b0c32344784f45d487660581480f500f03d928dad7044351d657336554a4b703fc2646c5e1bc81ef71969b1cf0167879079d474b7b94027524d

Download Submit
\Windows\System32\snmptrap.exe

Filesize
92KB

MD5
e25b9acf7ef6dbd03b77b4c82f06b37f

SHA1
d001cf1aaa4b86041fa60430b491b2e258cc97ff

SHA256
a319b677119fcdf70b40ee3bef9040b57240bbb2320fc2214ba676e56af1f6fa

SHA512
07e024a05f0ea2f7a6a4f99a282ca220ca0658e520a43b9c4409c563c7e64fc58d5c317627bf791c5287e39fb43bedb148e219eb114c2a1c881d3b71e48bdee2

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
9KB

MD5
1aa9666abc1cec096a6805c02e71556f

SHA1
7748fd90dcbc46a291662ef1b18d5b1e99856b23

SHA256
16f4c740891413503fa70a048e5f06a383d5fe45ad4726fed7dded1d0c4ce8e4

SHA512
2c2ec36764341e908a85caf26f8785a81b39d1830a32b7f4ef5dceb97e6d69814a7a554c9894730a0d690294c686967bb08715eeed187c999ab3c427b6430bea

Download Submit
\Windows\System32\wbengine.exe

Filesize
42KB

MD5
a9dda15c3d3e0e4580c719a6e361a551

SHA1
75454aa2b2a6d1b31e24204aac72fee0e6d80b17

SHA256
0474c31f51f794cf5269012172c27baa9c35350fa79cdb2c70d00a8fcde31ed1

SHA512
0d6db8ef5131c55444eccfb0d61e8bca1a455e4ea6800a5ba9aebc78774871586784a17e362f5645e80ee74f98b867514336a744bfe7c2043a402905e9b5bb8d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
153KB

MD5
79930449aa4267eec399278aa6caaca8

SHA1
57e7da4f121459d16dc562438e92ea76028cb698

SHA256
7b1bb23a9b9ac8fb4e11c458174ee93673aed86cfb37e1ba77252b5a7fd585cb

SHA512
0252644fe8ff6a0de04cbcca0f3fae7d92a1b9c98260ceaba8b27668f5d98b90abf9b4254ced7a5890f7cf1de65893b0fb6ba3253c153bd0d70fa699ab49befc

Download Submit
memory/904-214-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/904-265-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/904-213-0x0000000000C20000-0x0000000000CA0000-memory.dmp

Filesize
512KB

Download
memory/904-212-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/904-235-0x0000000000C20000-0x0000000000CA0000-memory.dmp

Filesize
512KB

Download
memory/904-358-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/904-398-0x0000000000C20000-0x0000000000CA0000-memory.dmp

Filesize
512KB

Download
memory/904-352-0x0000000000C20000-0x0000000000CA0000-memory.dmp

Filesize
512KB

Download
memory/992-411-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/992-396-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/992-404-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1012-161-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1012-116-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1012-113-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1012-120-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1360-150-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1360-149-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1360-215-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1360-156-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1572-355-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1572-138-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1572-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1572-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1572-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1572-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1872-216-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2000-435-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2184-170-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2184-195-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2184-169-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2184-229-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2184-176-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2184-184-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2184-185-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2244-253-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2472-227-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2472-231-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2472-369-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2512-237-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2512-182-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2512-183-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2512-193-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2536-430-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2536-365-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2536-271-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2556-426-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2556-269-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2556-274-0x0000000000320000-0x00000000003D2000-memory.dmp

Filesize
712KB

Download
memory/2560-419-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2560-413-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2564-408-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2564-422-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-359-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2564-391-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-277-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2636-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2636-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2696-92-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2696-74-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2696-168-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2696-86-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2812-400-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2812-394-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2856-245-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2856-239-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2856-260-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2856-257-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2868-132-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2868-131-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-206-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-137-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2888-374-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2888-371-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2900-433-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2972-129-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2972-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2972-98-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2972-103-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/3012-259-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3012-208-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/3012-199-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download