9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d

Analysis

max time kernel
118s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
Size

1.8MB
MD5

ea22453132bb6a89c993c7e7e0baf02e
SHA1

a9f53515001b94e2ffbd1622a0b25dc004545da6
SHA256

9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d
SHA512

5367f34fb68e6ec5f8456dadba5f57665252fc79c2ff5838de608127e4b14f7d5b8cb2d3cf20be1d047d1a946b56fc114d931c8c1c52dddff39379e9eec6c82d
SSDEEP

49152:qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAV/snji6attJM:qvbjVkjjCAzJMEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 50 IoCs

pid	Process
476	Process not Found
2728	alg.exe
1784	aspnet_state.exe
2964	mscorsvw.exe
1500	mscorsvw.exe
536	mscorsvw.exe
2172	mscorsvw.exe
940	ehRecvr.exe
280	elevation_service.exe
2776	GROOVE.EXE
1864	maintenanceservice.exe
2556	OSE.EXE
1568	mscorsvw.exe
2372	mscorsvw.exe
2360	mscorsvw.exe
620	mscorsvw.exe
1364	mscorsvw.exe
2772	mscorsvw.exe
2824	mscorsvw.exe
2972	mscorsvw.exe
2396	mscorsvw.exe
2208	mscorsvw.exe
1552	mscorsvw.exe
1324	mscorsvw.exe
1448	mscorsvw.exe
1748	mscorsvw.exe
2744	mscorsvw.exe
2712	mscorsvw.exe
892	mscorsvw.exe
2004	mscorsvw.exe
2692	mscorsvw.exe
372	mscorsvw.exe
780	mscorsvw.exe
2644	mscorsvw.exe
2156	mscorsvw.exe
548	mscorsvw.exe
1276	mscorsvw.exe
2576	ehsched.exe
1016	IEEtwCollector.exe
2956	msdtc.exe
2184	msiexec.exe
400	perfhost.exe
2028	locator.exe
1488	snmptrap.exe
2736	vds.exe
956	vssvc.exe
1524	wbengine.exe
2084	WmiApSrv.exe
1272	wmpnetwk.exe
2888	SearchIndexer.exe

Loads dropped DLL 14 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2184	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a06202fb64d8c98a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_en.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_mr.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\GoogleCrashHandler64.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_kn.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_zh-TW.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\GoogleUpdateComRegisterShell64.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_et.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_ur.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_ja.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_no.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_pt-PT.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5754.tmp\goopdateres_uk.dll	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 35 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{EE1BA11C-455E-4CAB-8DB1-BA3141A7F8E6}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{EE1BA11C-455E-4CAB-8DB1-BA3141A7F8E6}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2940	ehRec.exe
1784	aspnet_state.exe
1784	aspnet_state.exe
1784	aspnet_state.exe
1784	aspnet_state.exe
1784	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1544	9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1784	aspnet_state.exe
Token: 33	2076	EhTray.exe
Token: SeIncBasePriorityPrivilege	2076	EhTray.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeSecurityPrivilege	2184	msiexec.exe
Token: SeDebugPrivilege	2940	ehRec.exe
Token: SeBackupPrivilege	956	vssvc.exe
Token: SeRestorePrivilege	956	vssvc.exe
Token: SeAuditPrivilege	956	vssvc.exe
Token: SeBackupPrivilege	1524	wbengine.exe
Token: SeRestorePrivilege	1524	wbengine.exe
Token: SeSecurityPrivilege	1524	wbengine.exe
Token: 33	2076	EhTray.exe
Token: SeIncBasePriorityPrivilege	2076	EhTray.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe
Token: SeDebugPrivilege	1784	aspnet_state.exe
Token: SeShutdownPrivilege	536	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1568	536	mscorsvw.exe	41
PID 536 wrote to memory of 1568	536	mscorsvw.exe	41
PID 536 wrote to memory of 1568	536	mscorsvw.exe	41
PID 536 wrote to memory of 1568	536	mscorsvw.exe	41
PID 536 wrote to memory of 2372	536	mscorsvw.exe	42
PID 536 wrote to memory of 2372	536	mscorsvw.exe	42
PID 536 wrote to memory of 2372	536	mscorsvw.exe	42
PID 536 wrote to memory of 2372	536	mscorsvw.exe	42
PID 536 wrote to memory of 2360	536	mscorsvw.exe	43
PID 536 wrote to memory of 2360	536	mscorsvw.exe	43
PID 536 wrote to memory of 2360	536	mscorsvw.exe	43
PID 536 wrote to memory of 2360	536	mscorsvw.exe	43
PID 536 wrote to memory of 620	536	mscorsvw.exe	44
PID 536 wrote to memory of 620	536	mscorsvw.exe	44
PID 536 wrote to memory of 620	536	mscorsvw.exe	44
PID 536 wrote to memory of 620	536	mscorsvw.exe	44
PID 536 wrote to memory of 1364	536	mscorsvw.exe	45
PID 536 wrote to memory of 1364	536	mscorsvw.exe	45
PID 536 wrote to memory of 1364	536	mscorsvw.exe	45
PID 536 wrote to memory of 1364	536	mscorsvw.exe	45
PID 536 wrote to memory of 2772	536	mscorsvw.exe	46
PID 536 wrote to memory of 2772	536	mscorsvw.exe	46
PID 536 wrote to memory of 2772	536	mscorsvw.exe	46
PID 536 wrote to memory of 2772	536	mscorsvw.exe	46
PID 536 wrote to memory of 2824	536	mscorsvw.exe	47
PID 536 wrote to memory of 2824	536	mscorsvw.exe	47
PID 536 wrote to memory of 2824	536	mscorsvw.exe	47
PID 536 wrote to memory of 2824	536	mscorsvw.exe	47
PID 536 wrote to memory of 2972	536	mscorsvw.exe	48
PID 536 wrote to memory of 2972	536	mscorsvw.exe	48
PID 536 wrote to memory of 2972	536	mscorsvw.exe	48
PID 536 wrote to memory of 2972	536	mscorsvw.exe	48
PID 536 wrote to memory of 2396	536	mscorsvw.exe	49
PID 536 wrote to memory of 2396	536	mscorsvw.exe	49
PID 536 wrote to memory of 2396	536	mscorsvw.exe	49
PID 536 wrote to memory of 2396	536	mscorsvw.exe	49
PID 536 wrote to memory of 2208	536	mscorsvw.exe	50
PID 536 wrote to memory of 2208	536	mscorsvw.exe	50
PID 536 wrote to memory of 2208	536	mscorsvw.exe	50
PID 536 wrote to memory of 2208	536	mscorsvw.exe	50
PID 536 wrote to memory of 1552	536	mscorsvw.exe	51
PID 536 wrote to memory of 1552	536	mscorsvw.exe	51
PID 536 wrote to memory of 1552	536	mscorsvw.exe	51
PID 536 wrote to memory of 1552	536	mscorsvw.exe	51
PID 536 wrote to memory of 1324	536	mscorsvw.exe	52
PID 536 wrote to memory of 1324	536	mscorsvw.exe	52
PID 536 wrote to memory of 1324	536	mscorsvw.exe	52
PID 536 wrote to memory of 1324	536	mscorsvw.exe	52
PID 536 wrote to memory of 1448	536	mscorsvw.exe	53
PID 536 wrote to memory of 1448	536	mscorsvw.exe	53
PID 536 wrote to memory of 1448	536	mscorsvw.exe	53
PID 536 wrote to memory of 1448	536	mscorsvw.exe	53
PID 536 wrote to memory of 1748	536	mscorsvw.exe	54
PID 536 wrote to memory of 1748	536	mscorsvw.exe	54
PID 536 wrote to memory of 1748	536	mscorsvw.exe	54
PID 536 wrote to memory of 1748	536	mscorsvw.exe	54
PID 536 wrote to memory of 2744	536	mscorsvw.exe	55
PID 536 wrote to memory of 2744	536	mscorsvw.exe	55
PID 536 wrote to memory of 2744	536	mscorsvw.exe	55
PID 536 wrote to memory of 2744	536	mscorsvw.exe	55
PID 536 wrote to memory of 2712	536	mscorsvw.exe	56
PID 536 wrote to memory of 2712	536	mscorsvw.exe	56
PID 536 wrote to memory of 2712	536	mscorsvw.exe	56
PID 536 wrote to memory of 2712	536	mscorsvw.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe
"C:\Users\Admin\AppData\Local\Temp\9d57ab693d9c3b6cfe58984bcc28e702e3f477c831dffebcd3726c1a1662ed3d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2964

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 254 -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 25c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 1ec -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 1ec -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 1ec -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1ec -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 270 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 27c -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 1ec -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 298 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 298 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 2a0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 228 -NGENProcess 244 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 248 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d0 -NGENProcess 278 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 220 -NGENProcess 240 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 240 -NGENProcess 1d0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1cc -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 278 -NGENProcess 220 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 1d0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d0 -NGENProcess 1cc -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 290 -NGENProcess 220 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 220 -NGENProcess 298 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 274 -NGENProcess 1cc -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1cc -NGENProcess 290 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1ec -NGENProcess 298 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 298 -NGENProcess 274 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 27c -NGENProcess 290 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 1ec -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 274 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 274 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b8 -NGENProcess 1ec -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1ec -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2c0 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 27c -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 254 -NGENProcess 2dc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 254 -NGENProcess 2d0 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2d0 -NGENProcess 2c0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2ec -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2c0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2fc -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 308 -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2ec -NGENProcess 254 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 238 -NGENProcess 2d0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 318 -NGENProcess 2e0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 254 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2e0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 254 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2d0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2e0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 254 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2d0 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2e0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 254 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2d0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 254 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2d0 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e0 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 254 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2d0 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2e0 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 254 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2d0 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2e0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:280

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1864

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2956

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1272

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1484
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
1d3de0ff9f68a6177fc30e5d81cd02b2

SHA1
2a1571fc5daeab74ecdc49b593efff75008f1016

SHA256
14e4371cad5be4efcd32b293bf818ac25c88f1c4a67fb135e4f88d1ae0d9c371

SHA512
8c05602b7ac5cea898f46453d395c4229032ac44c62f2d97cb141fd7cb440f0c2f25f09e9af8915e1b2455e07bc7cff1815eed3fab33714011f7dc44d13af6ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7b6844fee32ced6cfab7e77ebdda4bd2

SHA1
1d4792728864d89ce0ecba3d347418f45d67014c

SHA256
3a26aa194df24ba12e1ba95a84229487c5d1126f692feb60a8b6f9de6e15d9c0

SHA512
02c0ff5eab2896a721d06b1186f69b254fcfeb177a4627b29b79fc13f491fe68d6cee800d1068417aa8222b6f3669f286ce164cf82cd6ad1f1c4f6647d218ea5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
36868187ff396b66765a10698bb17289

SHA1
4313a0482cd333f70cfe02f588021ee13e7b4d6c

SHA256
cc0edd6771ac7cca4547d451c1c97a4cb4787fe7ec10eee7dc769e54b13731da

SHA512
adf9f36c9baa3dc3c2536eb6789292851dcecd01e3fa60d74baa8821a6b3191df22bfe6e649461600c08175ac48771c037d33ba4b02a908d7079a69e2241dbad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5aab1175255eff1a816422628f626163

SHA1
8748db0aea031e37691e5ab55a647c583ed44f1c

SHA256
99534fc6dd3610037f5c651f5cd93af5a63e9e21a4309b71f6f6299c449d4cc2

SHA512
dbd26c3285870e1610db7ef85fb74cd454719c574fce05079b71b02df23b007486b1e0e56cfa67a411b776196d5aed4eba8586fdd29966ab6a14689e82f5da7f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
05a5cc4f1e1e617e5b968d684a91fcc3

SHA1
2194d2e97be7b90764327d222abc5dbafe2a1fc4

SHA256
e9fcc50ea1217cdaff7bf29ad0fcdb27f596ef5a82f2f74214e8dd41c3e8605c

SHA512
1cb191b53d396880786cf7fd899859563d5769cc923764bdc60e80f93019a641206f8c0b9fb417dadfaafef02c5e2265f7c058b6154950ee7f21bd32d6d94513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4b812ffe68a60a198f224e00221978c4

SHA1
72a478cd1fb6e13604a4aaed549ca5b0e59225c3

SHA256
da814c3ba14792ce4602900f25e01d2c374938f67efbcbf711a9d08f983fee4e

SHA512
ccde4482b819972d1bf4d01823540d2f47eb6b16d2ec56e9d7a4d034c814b5fb9cb940bb30930c16c593af920fe61162d2663209e7269a11bb1a6779ff08833b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8fb5cf6ef3c4ce9143597a9395b87c05

SHA1
9014151984b552a932b465303fe68ccfce3c5ce2

SHA256
b21aebdc3d6f5d317060b34c9f3ebeb8fae520b050c7e825a4261c1ac0b34c51

SHA512
fa12d7d49820e76a86347ad61f61fe0f07db18aa366ce46462e78eaea94774ba826226d6669fea4a1f8e00316e6898e2dc0e5900c9de826e51233dc4acf62288

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
01df641884e18556a1dc7bcd1bc5f3cb

SHA1
ef86fd9a71072d1a7de283f1ecefc8cb8f1bb204

SHA256
0e22a688dc56f5b6bf403eede7c19ee4cdbe90a10d2f7148d2702d8d97e3455d

SHA512
94a190912927af0d00657de91bee187aa653f2c427013c0c2b771547f09eab90274e303f080ea264ee65f5ffc2a1e198b0bb0b634583557fb1212ebafa30e0af

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d5c0114ae97eca421a3e55f7b0cdbbd9

SHA1
2cac2533cfbe0e9b1459c3e19f4d359702fe6a78

SHA256
2c920ac626ab8d4f72c4d743b474d438ee312c709dc78bca64b6ba9671b41a6e

SHA512
f8394114a17b5a72f32df35d26156e507f66ed905cc4bd86531f294c2476378ade26ceec5461f1cb50fba0bacefec7f234c97712e24a1299ce41d1f697e3ca63

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3f43f4d93ca6456c2551939454f26124

SHA1
d2076ba834fc09e800e15b80645ab56b5ad80569

SHA256
0e949b797d4c715a9790d94aba1548ebdd96bc32ac991a91a1a06d6e5b51a2cd

SHA512
e8ff0b529fd9e555e74319bb28a7f1319a071aa895df58874ca03fa58edaa370742942d88d429a4a80d97b8d80e0a2ee68e41d2928d0417c42679309b479b7d2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
4154eba12f22a74c0fe6999322b51751

SHA1
61cb95e48e29a55f37abdb2d28228e4c6ea5a860

SHA256
b92b72b600f425ab5f185bc92340d98e109b00cc9f410bc1da585e3e66031344

SHA512
043ef5a7de6dda68c8bbc226ec545e3519ad8dbb778ed60e872fe12152b775d28926805d8c7bc939d4154aea64797f4bad37d72e2abfc7ece3682b2badd71bc2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f14abf57806455ff8c9b07aaf6839560

SHA1
f73b7fbbe281b0c41fede412ad3d32bd284b6cf6

SHA256
e30c7103f12861895ba0925fd1c92d039b375dd1e0df871818da442cb8204e9e

SHA512
832eb743c4e452404b778c3214a4e29ca952375b2dee84baeb1302094fb2162d2c5c5e4a3d45a99eb3f2c262a730ba718d68bb3e2fc64f0ab950e1c32a5df60c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
1af9c6b29748c6a8c7857f951c79ee7c

SHA1
073af97a4078693e41d912a6802f8dc44c9df48b

SHA256
6795896bf66e57c5d1cbd1ebabb936ec0ed66be7a59f97dc8418d13101db39d8

SHA512
545f311d48744c1590faa5c01c7edc6daf13dcbd7a15bbd7799faa28fde367fcaf4746b8ea18d116de1da7972b7cdfd696c4ca01bd828a0ae7256a51a2fd9d16

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f5e792a8bfd7cc554e1558953905aceb

SHA1
e4f840227ff2d51f8df6edbab28ccd4b0e43f368

SHA256
c1e6e7420038f52f0470fbeec68cdf7adc0dad35ac6ed9a730e0e5052e9b4a51

SHA512
9a114fcdc7f2edfa38d240a72be5b0edf75945da31103784495718544fb493440c6cbb064ffa3d2b3f08d817321046d975fbdfbf98d1588d7c7e7741c7315139

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f83db6332973ff4f87cd06a9878b804b

SHA1
71cd2d043f12ad40e6c555134f6167e52e884fb4

SHA256
08c6b085dc33b76cd9e455be7a65057dc20397cc258ac5e558512f204af04c0e

SHA512
75f51cda3c4acdc1721b9eda462ac2b097ee5c421349b810cbae76ffb2ca91fe3c7eac79ea52f46a9214b260af05598371484615cc376c2b42463194125a0157

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
ec21bafa2c2f47c2db35bfd93b9bfd69

SHA1
63a4f1ec9a1c62db316ddcbac6ce5bdaf998eab1

SHA256
61eec3ea7f4e087a41b1a2d2caf6d7a4456c6c5c81d70e43e1ae28dd3ffdacac

SHA512
2e857eba0aa6ee058ee9d8ef729ed41b095e63de356436de77bebfd3d16295ba458af72e7bb890f61b637b566938480eb3806297a071a7fa8eb26cad56736f0d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\42c9ec318c5983de6c7d9d323728056f\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
16ee4dbbb9e12b6d8139506bd6ef5509

SHA1
c0e5b8c3be646951148b6d9e5e6d85f9a19c396a

SHA256
722e15f428fdc0e1e338a64fea93dd738c736c8215ba2ae576d920bcc90ea39f

SHA512
6d8cd5f2d05e8a68f65b04a7ba5db5d1cfb38762e6cbaadec049bf67565955d4b95d236f43223061c3a01fb08438edf2d7dd66c5c718a3d33df31ab0fdd0f556

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a2e7a84738e93c014f2d5d5751bced55\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
848dfd0934875d509b534463f9f36ec1

SHA1
bc1f07f735b6486c3cdb2c2e10e76a791f32ad6c

SHA256
326bff7d64274368a4f10cb48600846aa4adfadf76858525ee56acfcdd49ddfe

SHA512
79b29daff54b0d05a4bff0b3a9219f0f827e3e8f93b774f4f1079e2cc0ae56464a28d65083f6c5acf426379858dc59a283f6b8ff546f2f950c0dd3ed08b6f8ae

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e9238f6ee5a2947cbc66acb4da4e21fa\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
e0a3b5850d123bce6f35a79e2b2988b7

SHA1
20b851971afd71bd7c57a8c1f670912eb30f684c

SHA256
04f5db6c208edbcdf43ad877f6d84a4c4b0dd039c862450ca55414e0771d1226

SHA512
d6774fc067311604a0ea07de9e991bd400100fc60fc90eb4f9fd8842e2cb654b165b67c2c8edef63e326b7fc47cf7575d3ba7cef62a1e690822758fba3ef817f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
9c43a8f1be0bfff75a6c6b982a019c04

SHA1
a7c12d385f4c3f67de88afe1b411f4834fd734c7

SHA256
d22945e8d84fdb0d3d8771fb9efce9e2c3a1afb3fc5ff4188df952ee79dbb22a

SHA512
96954ba931c18ebabbd417097315c5716242d4e41078ca954a07876d52110e72f1a64b72ac513294fff0c47c9b2bb6f232711e87ff091f118c222511f7d7ac92

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0ee46f19482397623f0b48dd20070d0c

SHA1
b43985de0839f1179e5ae07d889a6987eb954431

SHA256
6fb487d87cd9b5bcf22e1fce09ac66734a9389c7dcc1d9cfe50670389734a832

SHA512
aaa46a939c06bac33ccc98fd353b5dcdbd3a851341bfb196834e8a6bf6f68518d891610945590784f87f26d1d39d90b7329deb9976907d12da1a182f816b239b

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
2c82aa63f610b20a4283cb182d056f40

SHA1
0a720df9623f6df8946fbc5a8e3322d933b1b44e

SHA256
1a0ce40c701ef0cdad0ee2ebe32a573f85d51b46d1db97eadad0ca19bf112bbd

SHA512
78775f263a27ca9e2bd0a8a5851ca842df97a130ac416e4939d3365579ea277eb05a4b3acc864824334ec0ccb3b9541871ed78b24e7c94ca6ce467cf1006fc97

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
367611cc609823828a743ea8afc9e58f

SHA1
fd21e0ad2b3c6fdbb32621920e4dbfb470cf5124

SHA256
79919d354ba20aec12a219a769995aeb56b436f779feb42adb55d4f45b5b7580

SHA512
32c5c77d9021c310e3a4467f1ab057794ff164c6b9c0e49e4d91ae5bbd368ca0a3416c31a8809da284adf0c18e8265ab26e6d8ee87197a82f2f009eeb29984db

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
152743092c22717c64a1f69394181129

SHA1
fbe22fce208939d6c8f126bd0256efe261833327

SHA256
13fe54afb02f4367716f964db85c3be338041adf7261cc53707a779b0cffc1b9

SHA512
15cc4e2891ffbc277391261086221ce1d0eb8883acbf88f222d08829e7d84ecf6c902fd74c186fa9020441adc5f65b2d68e838cd3c07e3a17a0f5243836625e2

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8a5ebd835076a0873fe8c9b049d6bb76

SHA1
19a5732ecff06f945a967583f4044920e71822d0

SHA256
26bacab6c7dee45fc003dc5ebe219b21302410dd8b031a05e8dcabc5f3bb0cbf

SHA512
13f6c8169518a55a00a5863d9063d5827a4feb88949b861e35ac5642c0efbcf8aa5242292836ca6af7e555c716275fc2e492baf836fb2fb0f762dbd84ea6ffbb

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b535f2c3a897d62645a91a25bc5469b9

SHA1
864c21a9f6f738adf13c80d67437f82f74e38641

SHA256
a6f1f9d6142c1abf7dbf69266bba0df8ba06bf0e71e0249c81b5cdb2122544e8

SHA512
eead277293c0aad7d03ab1794ce205d91b0b192b35c71311d71468fc8ae6e711c45bd230019488b5c4ea0f4167847af0e7291fe7f1978058e86e82dd1d7dde7c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
899350790d5afcddf502d352de021f84

SHA1
563650e9bda1aa7d778a2ddbe4cbac575d6157cf

SHA256
34f14abf9f0c920a9a68db890862241ab3d070de53e39b48abd50c57c36fc1d5

SHA512
f30c4fe462e1d004130f5df7f94c9958f20d3275b6234c0ee6a524fbdfcb255f2aa3d940c290b9dd4c4131e41eb7d6233a7443be790ab628458d18ea3a1d5ede

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
9193255a077cee2753daf0fa185f05a6

SHA1
cc37e10e12dd0ca3fb950a6c7fb1471f83f9a323

SHA256
0d7b0a7b2beaa7053062d5463c0603d2729e5bc328663aae9e7e51069d98a470

SHA512
4613f5b8bf736a4fbc7ce8dc1903a61b994cc946f0b519ba7c61f7a1561863ff36145ffc157e502e4c7805a51b4e0525490e203219dd3e71b1efc1b03b2ed605

Download Submit
memory/280-510-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/280-271-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/372-704-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/400-1478-0x0000000001000000-0x0000000001177000-memory.dmp

Filesize
1.5MB

Download
memory/400-835-0x0000000001000000-0x0000000001177000-memory.dmp

Filesize
1.5MB

Download
memory/536-1021-0x00000000020D0000-0x00000000020F4000-memory.dmp

Filesize
144KB

Download
memory/536-1024-0x00000000020D0000-0x0000000002136000-memory.dmp

Filesize
408KB

Download
memory/536-986-0x00000000020D0000-0x00000000020EA000-memory.dmp

Filesize
104KB

Download
memory/536-940-0x00000000020D0000-0x00000000020DA000-memory.dmp

Filesize
40KB

Download
memory/536-995-0x00000000020D0000-0x000000000215C000-memory.dmp

Filesize
560KB

Download
memory/536-450-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/536-145-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/536-1002-0x00000000020D0000-0x0000000002174000-memory.dmp

Filesize
656KB

Download
memory/536-1017-0x00000000020D0000-0x000000000226E000-memory.dmp

Filesize
1.6MB

Download
memory/536-151-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/536-1018-0x00000000020D0000-0x00000000021BC000-memory.dmp

Filesize
944KB

Download
memory/536-1019-0x00000000020D0000-0x00000000020E0000-memory.dmp

Filesize
64KB

Download
memory/536-1020-0x00000000020D0000-0x0000000002158000-memory.dmp

Filesize
544KB

Download
memory/536-146-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/536-1022-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/536-1023-0x00000000020D0000-0x00000000020FA000-memory.dmp

Filesize
168KB

Download
memory/536-981-0x00000000020D0000-0x00000000020EE000-memory.dmp

Filesize
120KB

Download
memory/548-757-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/548-743-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/620-483-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/620-470-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/780-709-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/892-662-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/892-763-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/940-252-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/940-481-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/940-179-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/940-768-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1016-1061-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1016-796-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1276-752-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1276-760-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1324-607-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1364-514-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1364-484-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1448-625-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1488-859-0x0000000100000000-0x0000000100177000-memory.dmp

Filesize
1.5MB

Download
memory/1500-130-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1500-155-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1500-124-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1500-123-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1544-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1544-258-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1544-7-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1544-0-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1544-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1552-596-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1552-584-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1568-407-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1568-378-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1748-636-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1784-96-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1784-95-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1784-102-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1784-286-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1864-299-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1864-298-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2004-683-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2028-845-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2028-1585-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2156-733-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2172-162-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2172-170-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2172-168-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2184-1129-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2184-1369-0x0000000000530000-0x00000000006C3000-memory.dmp

Filesize
1.6MB

Download
memory/2184-820-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2184-826-0x0000000000530000-0x00000000006C3000-memory.dmp

Filesize
1.6MB

Download
memory/2208-573-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2208-592-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2360-426-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2360-471-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2372-427-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2372-415-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2396-571-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2556-309-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2556-565-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2576-775-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2576-1025-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2576-1454-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2644-728-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2692-676-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2692-688-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2712-661-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2728-178-0x0000000100000000-0x0000000100185000-memory.dmp

Filesize
1.5MB

Download
memory/2728-56-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2728-59-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2728-55-0x0000000100000000-0x0000000100185000-memory.dmp

Filesize
1.5MB

Download
memory/2728-49-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2744-639-0x0000000003CC0000-0x0000000003D7A000-memory.dmp

Filesize
744KB

Download
memory/2744-643-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2772-538-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2772-512-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2776-546-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2776-284-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2824-555-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2956-801-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2956-1128-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2964-138-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2964-106-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2964-107-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2964-113-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2964-112-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2972-556-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2972-568-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download