Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:33

Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
Resource: win7-20231215-en
General
- Target: 2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
- Size: 1.5MB
- MD5: 5374045bd8c58a31f038138fdde0295a
- SHA1: f29c58fae7ddc5ce8615c017603c79b33be78d27
- SHA256: 2069aba57b3589f2fcffd86133233d57cf622751f0cf45d092b882e0f896f101
- SHA512: 59ab0a03af99c9fa73bb4b6306d0139e266da5b671e0133a8a87ab021b804eda79659f31603a5e2fbd1d0375167a1d0bd26f77179ea9e801285ce007da077790
- SSDEEP: 24576:W5t2sWxEOtqZpp0YYtwlGhNsof2e7A+ebC:W5t2syHmpSK8hWomh
Malware Config
Signatures
- Executes dropped EXE (40 IoCs)
- Loads dropped DLL (15 IoCs)
- Reads user/profile data of web browsers (2 TTPs): Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (21 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (36 IoCs)
- Modifies data under HKEY_USERS (38 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / process: 2120 ehRec.exe; 2688 aspnet_state.exe; 2688 aspnet_state.exe; 2688 aspnet_state.exe; 2688 aspnet_state.exe; 2688 aspnet_state.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / process: 3000 EhTray.exe; 3000 EhTray.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid / process: 3000 EhTray.exe; 3000 EhTray.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid / process: 1952 SearchProtocolHost.exe; 1952 SearchProtocolHost.exe; 1952 SearchProtocolHost.exe; 1952 SearchProtocolHost.exe; 1952 SearchProtocolHost.exe; 1952 SearchProtocolHost.exe
- Suspicious use of WriteProcessMemory (61 IoCs)
- Uses Task Scheduler COM API (1 TTPs): The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider: The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API: The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe (PID 2168)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe (PID 2676)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2688)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 2768)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 2428)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 624)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (all C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, each flagged "Executes dropped EXE"):
    - PID 1340: mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
    - PID 1312: mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
    - PID 2832: mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
    - PID 2288: mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
    - PID 2664: mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
    - PID 2136: mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
    - PID 1388: mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
    - PID 1984: mscorsvw.exe -StartupEvent 1ac -InterruptEvent 264 -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
    - PID 2712: mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
    - PID 2852: mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
    - PID 2808: mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 250 -Pipe 184 -Comment "NGen Worker Process"
    - PID 2128: mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
    - PID 2888: mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2020)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\ehome\ehRecvr.exe (PID 1876)
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Windows\ehome\ehsched.exe (PID 556)
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE
- C:\Windows\eHome\EhTray.exe (PID 3000)
  Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\ehome\ehRec.exe (PID 2120)
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2252)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
- C:\Windows\system32\IEEtwCollector.exe (PID 1088)
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 2008)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- C:\Windows\system32\dllhost.exe (PID 2848)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 2380)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 2148)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2816)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
- C:\Windows\System32\msdtc.exe (PID 2920)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
- C:\Windows\system32\msiexec.exe (PID 1596)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWow64\perfhost.exe (PID 2612)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
- C:\Windows\system32\locator.exe (PID 3000)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
- C:\Windows\System32\snmptrap.exe (PID 548)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
- C:\Windows\System32\vds.exe (PID 1924)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 2856)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 1644)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 2868)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
- C:\Program Files\Windows Media Player\wmpnetwk.exe (PID 1020)
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\SearchIndexer.exe (PID 2040)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-928733405-3780110381-2966456290-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-928733405-3780110381-2966456290-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1952 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵PID:2468
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:1348
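The tree above is the security-relevant part of this report. Legitimate Windows and vendor service binaries (ehRecvr.exe, ehsched.exe, msdtc.exe, vds.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, the NGen workers, Chrome's elevation_service.exe, the Mozilla maintenance service) each start from their normal path, yet every one carries "Executes dropped EXE": the file at that path was written during the run before the service manager started it, so the sample persists through the service binaries themselves rather than through a Run key. The tree also shows why a PID is not an identifier: 3000 is EhTray.exe at one point and locator.exe at another. The parser below is an added example, not part of the Triage report; it turns the tree into records and pulls out both facts. It accepts the layout with a `(depth N)` suffix and a `Command line:` line as well as the export's fused single-line form, in which the image path, the command line and the depth digit run together before a ⤵ glyph and a PID may be fused on after it. The sample lines are copied from this report's tree, the last one left in the fused form.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ARROW = "\u2935"  # the ⤵ glyph the raw export prints right after the tree-depth digit
HEADER_CLEAN = re.compile(r"^(.+?)\s*\(depth (\d+)\)$")
WINDOWS_ROOTS = ("c:\\windows\\", "c:\\program files")


@dataclass
class Proc:
    image: str
    depth: int
    cmdline: Optional[str] = None
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def is_header(line: str) -> bool:
    return ARROW in line or HEADER_CLEAN.match(line) is not None


def parse_header(line: str) -> Proc:
    """Split a process header into image path, command line and depth.
    In the fused form the command line (bare or double-quoted) starts with the
    image path and follows it with no separator, so the first '.exe' whose
    remainder repeats the prefix is the boundary; a PID may be fused on too."""
    if ARROW not in line:
        m = HEADER_CLEAN.match(line)
        return Proc(image=m.group(1), depth=int(m.group(2)))
    head, _, tail = line.partition(ARROW)
    depth, head = int(head[-1]), head[:-1]
    for m in re.finditer(r"\.exe", head, flags=re.I):
        image, rest = head[: m.end()], head[m.end():]
        if rest.startswith(image) or rest.startswith('"' + image + '"'):
            pm = re.search(r"PID:(\d+)", tail)
            return Proc(image, depth, rest, int(pm.group(1)) if pm else None)
    raise ValueError(f"cannot split image and command line: {line!r}")


def parse_tree(text: str) -> List[Proc]:
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if is_header(line):
            procs.append(parse_header(line))
        elif line.startswith("Command line:"):
            procs[-1].cmdline = line[len("Command line:"):].strip()
        elif line.startswith("PID:"):
            procs[-1].pid = int(re.match(r"PID:(\d+)", line).group(1))
        elif line.startswith("- "):
            procs[-1].signatures.append(line[2:])
    return procs


def dropped_system_images(procs: List[Proc]) -> List[Proc]:
    """Processes whose image was written during the run (Triage's 'Executes
    dropped EXE') and lives under Windows or Program Files: service binaries
    started from a rewritten file."""
    return [p for p in procs
            if "Executes dropped EXE" in p.signatures
            and p.image.lower().startswith(WINDOWS_ROOTS)]


def reused_pids(procs: List[Proc]) -> Dict[int, List[str]]:
    """PIDs seen under more than one image. Windows recycles PIDs, so a PID is
    not a stable key across a run; join on image and start order instead."""
    seen: Dict[int, List[str]] = {}
    for p in procs:
        if p.pid is not None:
            seen.setdefault(p.pid, []).append(p.image)
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


# Constructed sample: entries copied from this report's tree; the last one is
# left in the export's fused single-line form.
SAMPLE = r"""
C:\Windows\ehome\ehRecvr.exe (depth 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1876
-
C:\Windows\eHome\EhTray.exe (depth 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3000
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵PID:2468
"""

if __name__ == "__main__":
    procs = parse_tree(SAMPLE)
    for p in dropped_system_images(procs):
        print(f"dropped image started from its service path: {p.image} (PID {p.pid})")
    for pid, imgs in reused_pids(procs).items():
        print(f"PID {pid} reused by: {imgs}")
```

On a suspect host the list returned by `dropped_system_images` is the list of paths to re-verify by Authenticode signature and catalog membership; the name and location of each file are exactly what this sample preserves, so they prove nothing.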
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize 960KB
MD5 61943ed15b8c0a34a212ed9bf155a295
SHA1 b5d0fe98fb4c241971c969170097c7f9e60cdcd4
SHA256 819fe3524fd5c7c02fb900b2030a6ba14d810c8919fbb50b8a026de8cc5d53bb
SHA512 f8777c3fc95822f59bd5728c164d83258b89f4b50aaad586a8f997ad53646db5fccc70b0872e7155085613e23ab7c1bab0c561ac92a9c6ae52a1cdf58e587834
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize 736KB
MD5 64e6d152e0a0439e2521a4ed01ff837f
SHA1 aa404d6e1c181bf8a6efc4b0385312e971b15270
SHA256 726b1005dd762491c38a7a5a1c28025317f780d7206a82f300b0802fa4dfb2cc
SHA512 884e85b35aaab573d229eaab34a2416c9833bdb1f5b20e0bc1ade12c6c646456af13c8dd4d9ee0a6a04cd09baa5b7c6985cd4ed9412288e4bcf0be8d22c10401
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize 709KB
MD5 b0805608b0d2a227e31c4cddc3efc285
SHA1 657cafde5d00648042b5ddd9d0512563d34997a3
SHA256 efbacaa9b4c203a5bbd198c7b1439bd3dce086b54169aab6c036bf51aacf9c9e
SHA512 3cbc9fc293ffbe1a11d0a07e204197ee751b86917d66e4cf9fe96dd925fe7a540068fbe528fddc8454b1123cde12faf3bdbab01ce8e24e485b7160b951034c5c
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize 42KB
MD5 02debeb0021b019aa05e29e341f9effd
SHA1 0ea10a92c264f4231a6539f1c7873a339f0e9b37
SHA256 3073be693460ccbcec6624e61bb5522516d1374d4a11b773a324f4078fc2472c
SHA512 7e9eb86099aa580833910600127fcdbb8d16f22eb70d31ba8587b6f2cf6c759a05a4b8ac57e25c2f4d275d2b0d8d7c23039be09b2541ac8dfef79fc8e3c667af
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize 120KB
MD5 baeaa9aeb251c4129c115d1b8f2ed29e
SHA1 34bb22eb5e4dbf73451fb6f6693790e00f63f6fb
SHA256 0a9cc44580f32a8ff1c81b5e2c6a786f26d1031e2f517b7eb6aef2a2619a4e29
SHA512 1e71c2867779991ce40bf8b56934570c28e13d88ba39f8284b8674444f54075e17621338a73add21b2cc5e5926f27c8e01c1d5c2236f95e57a3915adcbdc1663
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize 9KB
MD5 d80a20f1e41820d691dc3a1577d748cd
SHA1 9ce5806a57a32a0c1dc09b64e3d837209de3ff27
SHA256 5b938491f3df2a0be4f5de3a00c9ee0424de9ba6ef5a346c90b9f4e6f6ff4ff5
SHA512 27e4c3283a7e6355feeac8f41b4686c48bd52a19f6613227b810969768c2c25f02545780240d16336fb7d08e994145eb12b7b417b237ba6f8116712ca08f8605
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize 512KB
MD5 5a917adf648bece4b575c24f08c2fc61
SHA1 f279d51472c4f6c3c62b11547d717b3a88e93bd1
SHA256 e3e31b88366373cf19cf15356a8b37dd5cb8d50375c6d2a32278b2d89cc43417
SHA512 4e3cb30845cbfce62d0fc6c619b1070ec5213568851517b3b2c4267171dce966831f44b67acb3c801200f06fd24cb2ef20f1fb485976768155c09bac95176553
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize 116KB
MD5 cead69f221cb9a563dbdb5afb4252a6d
SHA1 0df6f4a46a24a12edfd59c7eae700648c4f20341
SHA256 f6ad9ba4a79b58b826afc1e36d406c211cebea2fe6616c73bb3493243631be36
SHA512 1735da97e9ce84f3215654a3f47e139765497bf8349be2f11f7b01a027d8e72c25e7165d3be058e04049ff20ceaa23f6cdd4ffa809671d96640db96df1aa73a0
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize 52KB
MD5 f52b97475a4cdaa76c69dda04bc28adc
SHA1 ac83e9f9ed64f3d656ff974a2cb3ae5a8f885a43
SHA256 787bd0e8b67f176b026496f3cac7953135ed008e231bc4b1bc1ecbf23ec00467
SHA512 0aa65447e14448cfc0f75f0878a61769792429d0cc8863490c23134f22d089e3c775f416ac76fc3638770fd201ddbe705b2ba8939f2283306113bd5ab973dff7
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize 529KB
MD5 01c1f59a35a4998d32cfba7b9bb7ba82
SHA1 bde1c5372184d851b60e1ac641a6f7228db96bb4
SHA256 d8ba3351a6017f800685c21037ad9fd7be621c341eab307f4a07fae4126858d5
SHA512 533856358bfa4be5607f6c9f6d1aa97fb2e07f52aecc87aa23ea8bd2ea6b652072759faa4c5b67812c8c86810a849b27ffb13adc9763feb06b37341a441438fd
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize 1024KB
MD5 9e9d72969d965c1615f09faa73ab76df
SHA1 23a7710c4ec37dbdce7d60d42ee9abd465cdf271
SHA256 77d9cc94276255e232b2073405878f98b611a4c34a181a3627c8b234d54b88eb
SHA512 0487107e9ddb85f752837779dd1ffef89a079064179d05afeaea1bf0e633ef9e418d1a76d7dedf2711a53e932f7f180a7163f9d0688291c59b5aa9d6488f7a99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize 111KB
MD5 ad5087c19a39cae7a857d4d07f62cbb5
SHA1 c6716d1f3717dedfc0bd6a8dcacaa79849e058cf
SHA256 b9935b258927125a8d381339c6f1fa701002250126944d2d8546f01f8ce51ba8
SHA512 01f2dbf1ea1bf22f0e0720525118e8a349f6bf6b00eaf6a181190a30f96ad5fefd26846c662a71856ecae1940d4446a3a8f01b5dd2d02897580a652a5cc0ad91
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize 125KB
MD5 ba62b28f44c97e4eb8ca4f54d58a8d97
SHA1 054dfdbec6576600313c94637c5e19ccf5fb3f13
SHA256 cb2347c3233886657212a06bc1da062ce6acc0dfe75605a85e6a65b74d2520c3
SHA512 834cc4d47e6fd43ee58f0d4de81b6ecdf85f841b6399e122c30c60fb0db23294879cd08a501e3851e51e995eabb47c3b80b1f93dac0fa1fbc2f9a1e87975b5d1
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize 335KB
MD5 4d5a1bb3e85850161f9da07afd810ad5
SHA1 9b954138fcb0de8c0c30867c4cbe8a78b3293c0c
SHA256 f1c96d4c28e6f54732567d8bb99132b1e319c0d5a17cd5caeb15146c7ae9fe3b
SHA512 e013c82867d911da78cc4e4dde63520e62761795ea64d6fd34aa6c066133e58babf3a4be514d06505f7e2dc2920ad2b7942ffbc757403d0ec1a35e34342c54ef
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize 455KB
MD5 7d229e72bcf7d500083dd65ce3d8336d
SHA1 75a41f917d6c147815ae7bed329bfb548e3c89fc
SHA256 a9c303662c0f5af98d1cdeae389faf431fcbdc75434968a239c5cffd978f837f
SHA512 c753c75b31e3dc23a25bcd4b457784fe77b314bcf4cd6b82c3701dc2c1ad9f441372199961a7bfb0a71f93a74166464e14791e31d172731f93a08d0d90c18e2c
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize 134KB
MD5 95dee30be121899482dee0b7eb563b9a
SHA1 3f5c663cb821ad3a058fc549a0e96fae9b57a9c9
SHA256 43176a2e23c4557986ade2ae54b3cb6acd5866a2491809797b4a947ab489289a
SHA512 65429ef3e41a3be6f41c3e739b942857a177a539a05f741ee9dbe05ce19ba98d291b7c9c64f724b2d89bde92a2c21f8112355a9d478ff50847d38f03eb4f23de
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize 225KB
MD5 b1767eea1781d501cdd532a8dd6921cb
SHA1 b8bb476d166f628faa4d7730f72ea958cc80c64f
SHA256 556b0b245a63814eec783a0768b1a41016486e98158c1781837447b225f4024c
SHA512 c0304cc0850db04e8c35a0c53e6d4c47cdd67f0130e5c137ecab9110fdf6bba49cf2c673204a9f1262283f4db30f8620da466ee6cbf3b70acf90a96855e486be
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize 259KB
MD5 02c98c0fad64c79e5aeafa3a8ac4edd8
SHA1 5f5df9e4dc9ebc9447040d48f91a68dee74510db
SHA256 4393cf7be39d3e5a70701e5af9023f29a293a2e012e51673cd374f6d623c6455
SHA512 1cf9f006ef55dbdd2ab433ba76c0f25f7f343c9b163a6bc0aa3dbbab4ba03d2be8d3f18f16a29e26041294e721337850c27f70fd1fee18e5b5bb12ecb9b1126c
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize 199KB
MD5 32c168d41f867443b9bf81390f38ba28
SHA1 6d884b7175f6bfb071ca60e7081a9b097fbd2f76
SHA256 85fc05050b4fa138b613eb4a15a9807d7bdd6e9f5ee9d3d82088a0977d6fdeb4
SHA512 d38c2556c9d3ebb078927cd68d79e5bccb56d47dac35b153551eb73dc8a554489e641a38457cc2868f26118bc917f1a5b524dd597408d455b172264cc6ef3f94
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize 288KB
MD5 e43dcfade11fd1f688057c87cceabe81
SHA1 4f87cafe65375c3b344dc32300e0811ffa0a8fcb
SHA256 fe884ede59af5ed71db57e73d9cd7bcc8f1c3f24f95f942e9ee4ce87cf492fde
SHA512 ba9b93e0f8a8d957449095c0a1f9d5ac27305725a995c3f861fe3bc385227a2b0af8d3ef7ca99ad210782e03beb2f02221ae450e29bce22aad069173c44445b1
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize 45KB
MD5 3ccfd5c76a477a9ec7dc516ff8e9cec4
SHA1 fb6946eb9fc6771dfdfe854b59ef3102cea36819
SHA256 bab9ced84dc072982ed73ef91bcd5911875b449dcedc201d823207e8c5a3c56b
SHA512 c4f40a92048a62592e13bafa8ce82c399a357a5542a8f22ec325980ab2bdce3ff6a3b6aa8237b803df6f843406ef7e68ccd6f64e7575ba27be02e453ab7e7942
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize 7KB
MD5 b04614e12d23a909aabd575e126e91ba
SHA1 c8dd1db4064f5f8ad4d2674bb1bca5fb2086ba60
SHA256 9ce721d1cc6ef494fe3cd867e5b80ea284433d2b980d1a42f94de24973839e08
SHA512 3a9c38b7cc92a3d42f6d14a1786ee222aee7a0746f9ddb01a643f33594652d1233993ae2f20eaa4e5ce3b7565073341b7dd2ae37ae8785c4eb9d2595b355677e
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize 59KB
MD5 868ed420d273779f738f076cdd94d795
SHA1 e7f750e895a2b18c3556d86536e89a0ea2d06592
SHA256 baa3dde22222623513f5eb63af40d78a5cc7fab48adecfe7f269fb4ed0cf7bcc
SHA512 0b05e4298441b76b3bd658c93b07e2c95323ce8568b8cee9aa7adaf79fce7ae0fbaa803ac5f830b625af07f7b2e318d7dfafc21dba03a82e30e50e5a08b02a88
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize 1.5MB
MD5 873d9393d41d7eb5080537cdc1a04fba
SHA1 922d78d6a05a069ab8eb743afce429884650087d
SHA256 1b8f13b1287cd0c0627859e7aac5f8deb9058160a1b42665a93cc46d34206dda
SHA512 cc5b251cba9047f99865e9f97b91889d6250c057bdcd616311b79dbffa3ebdbc5ac76ee4f9980b1edcd00d70549440c5cb80e08af39deec8ac40cedfde11a9ef
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize 374KB
MD5 ad7b47ad886ea83cec5ccbbd6fc43352
SHA1 71097d595509fc9beb7154ceaa30056c701b24ce
SHA256 9f5b4bdc864be4b194caf37134e41c8aa46088551d123b2f726b0bcb276d3b05
SHA512 9550dc0d96549634e101d5eef09a38b15729f605b6cf2c4a38e338c5c4d2a655df320904d278abfe121800fb6a65a900075cb3649e59fe6a5aefdace0e3f2fc6
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize 243KB
MD5 43d5f80da9e4c58e99826b0cefedf8fb
SHA1 5f1056328c30bf3cd943add62dd4f53a7b5ee852
SHA256 e3464274e9a6897909d18f488a74d0390335b1da716897343f6bb6768640b960
SHA512 af25752bee3ad59ecb651850cdaa7a920d80acdfb46b45cb8fb49603a70ed06419f148805b557d734084458b6fd5d8dc677fa707d9161fd3b35d6ea539248907
-
C:\Windows\SysWOW64\perfhost.exe
Filesize 1.4MB
MD5 c3f14f51546ea4e7a3b28a566f878181
SHA1 d06f4ddf271090014905de4b9395cb61954764ef
SHA256 ee3dbb0baecc4a3a00f5483604afdebf4f97ebcf4e30c65fd9cb480f77c3a1cd
SHA512 0c4e3fe4295bfa1f8acf2e56a36c07d0ec1abbb301508a5e89ffefb117eaa0052c589571c5dd636240b5d8dcbbeb160ea7c63567493611feb84d47d8066255ff
-
C:\Windows\System32\SearchIndexer.exe
Filesize 743KB
MD5 734e21c71e79b3d23ce713c42a098353
SHA1 3f1cfdc03916111f5e7442d79cf9d6e57c9ba0c3
SHA256 70a8a8de0a54c5a30f9e65d4d2cc22d1c58ccb8a551a53c1a72c74940877ea4a
SHA512 d021de1a62c57404428a5ffb62c3397cb1e048cf25b4022005891ea40f0cc10567259c0f3c36afe9b88840adbdb7332a9b3ee15b4561c14ce6c68130b70abfc7
-
C:\Windows\System32\VSSVC.exe
Filesize 2.1MB
MD5 d982ce4025c3605324dd5e8109c33295
SHA1 33041d19493bbd201e58336bef713d07f02f13eb
SHA256 3d007b5dfb6c961a1e1459d819c0e1bc83cce64a8b98eff084e8c20d30a6765d
SHA512 66e778745e20b9d0938a9f4dddb6585b7c2fb4c19b670d99bd87f81f57b7d2e6858774bbea57ac01d6f6b0de4af8f83495348a352d263679690a8e1eedf64944
-
C:\Windows\System32\alg.exe
Filesize 1.0MB
MD5 8cede14fb1d05d32246da2bfb2b3fcfe
SHA1 4e601285daca454255a65162113dc2c21f8e3e9d
SHA256 8496426f5906ee2c407754f713fb0c894c50473c9700ef42431dc40f1480e4f8
SHA512 f0a0bce31f8cc95f742db8ef564c5d1da7d79c27fbede595a31308f3c54a0e67240032d3895fd806091adb7a37ac7ce337d2a8424be13e30e77d92d880e4b672
-
C:\Windows\System32\dllhost.exe
Filesize 79KB
MD5 13ddfd4949b8fc944a220be33cc63d90
SHA1 70de3e4c874b826082225dae16287f2528d6383b
SHA256 07efb0f89b5509c6b04566edfe4e737e1d3dc9d498e37dad5e5e044f4c7cdadf
SHA512 fac57ae4ac8af4598bc0ce2a3a8c9086fa1a1f56f17c7964de02e68f10a66ff0f2c3381f24830cb6bc88f0ef07bea9cc7b8a06190aa392c4106edee4d277594c
-
C:\Windows\System32\ieetwcollector.exe
Filesize 44KB
MD5 f308c0c01b56225a66200e21675e4c2d
SHA1 335058627df4a101fbf707e604a2c1fc012b98e7
SHA256 2fccb802e05c9ddfc49c01e1cf0249f1ea7eda7277d439dc31e07c87e5746567
SHA512 d85a970f3b24f0f9d63f704003342c4d9621e71d6b039daf671d76fe594a881a8a3de2aeb7b5ccabd75f598eb490171baf04457dd757b8c5570b89ad2f439c9f
-
C:\Windows\System32\msdtc.exe
Filesize 1.1MB
MD5 e82471b60e4e73ecd92d452a29d2c9ed
SHA1 08813198256aac34fea2254ea968fa2475565288
SHA256 df7dbff91e70f200c08b3018dccbeee0df5e26f509cfbc3c79d0286a18476789
SHA512 f1ddc13ee7ee8785b3668fdefc04b089025dfb7e970fed5e8bc58642a65cfa4d0d79fd9c2b42c561fb7a35a989fec23959e5442de60d9a27a5ab139b85f19852
-
C:\Windows\System32\msiexec.exe
Filesize 1.4MB
MD5 2a6a2decad198bb4e9c890f96073b6eb
SHA1 046af148ba983f786c0a0bad9b85c7007dbc50d0
SHA256 02094bcc592f83b06367c070f87d0a20232b9e2555301626852833f545832ee5
SHA512 bb91841d4732e1e703fad4143decd8761de4ea2b4fdae8c5bb0009fb3e4da42dd42824925f491cbc0a0b32f8dbd6efd767eeacba257030c1fc5b644a135c40ff
-
C:\Windows\System32\snmptrap.exe
Filesize 561KB
MD5 c744700f0806803ab3269c40eb5d4fd3
SHA1 1e90bb677ad1d3162fac33e7b772cc8d785a1b24
SHA256 ff9f1537af5b96abf0026989e50f2b051d22fac6c8df275babbdd574ca128260
SHA512 b0462ecaffc8daec1bbff3585cf08f6b4fd4615aecf02561e3da01a83d28470a44b92de69d05bd2bbf95206649e3b06ce12aee7427d9301e7326b0b65de77fda
-
C:\Windows\System32\vds.exe
Filesize 1.9MB
MD5 0dcadb12632031136ffc5250cac01e99
SHA1 82df493ce796eb1a48f79542ea38c1da0897a5e2
SHA256 6b54a9bb311cd77fa1c7d24ba1cd2e6a792fa293494dfc7139725a6b525ad3b0
SHA512 98f159d2360e1fd34fd74e9aee17c335967d2f30b4ae9751416f16bc31254c510daf191f1d6d1d268039534c7362dcacd2bd20b0a99105a14ae3102575607c79
-
C:\Windows\System32\wbengine.exe
Filesize 128KB
MD5 1fc64117e025aebe431962747c60f344
SHA1 354acb8ca2b5664306ef731c1257622389d9a756
SHA256 f4463117c76e5023733ea5d11055403c9e21fdbc0173831e2c3f8148f9021770
SHA512 eacf53f046e611465f00632c7b667565219f1ecb4b65650d949b1a8b88369bda51613bb32cba8e1bf9d07c4f17d7ad571cdb450541ff53db7c200982f9a1bafa
-
C:\Windows\ehome\ehRecvr.exe
Filesize 1.2MB
MD5 437e900dbb87b5e89a67914c3d7c8c66
SHA1 72aaa82d8ead5f9e700746f65615508e3f236080
SHA256 875071b1e9edc08f47dc95913f375422047f7d52a9243674b3b82007c49b62b7
SHA512 728654e0bc6cde87ab2f13f8fefea4e6f80ca71dd4b3af6c0b8b9ffb69ae5dc14eb8dc1fe6b547d2d835f06b7c5c4ecb0eaa59296a905497a4e642e129a10f0a
-
C:\Windows\ehome\ehrecvr.exe
Filesize 161KB
MD5 585b51962164599b8168d55cc6f1f959
SHA1 e220989d891a8c2682b3316f7b910a3ac1c363c7
SHA256 fb5b38bbf9f7e4eec55e8e447f61919b914b0c8bc39a8578687a4ced3634add7
SHA512 db9dc579e74226c28ae542121f141f97a1ccc61e2736b6aa5fa66096ba9b6d12726ebc9c80d6ae238a5d49d82405e963669522a8acf96ae07cfafa8c967a4649
-
C:\Windows\ehome\ehsched.exe
Filesize 63KB
MD5 e98e13c661ad1306963b1726ebf806b5
SHA1 39eb6572ec1e0d7bca49f2e7c8efa018c1cf237f
SHA256 c327eb6042618d6cdd0a873e030cfa7179d08df2da82053ebaec5aa6dc055eba
SHA512 1f3fea68d53885355b92c810e439205084ba65143dbb1ba779b9835159e30df4f9d38a050fc54bdcbddeee5239ba7ef24cb41102c9be68d5097ed57204a01473
-
C:\Windows\ehome\ehsched.exe
Filesize 1.5MB
MD5 9674e5f5ba9b4192dd33ea2f9a85fe6c
SHA1 bf98bc31f0bcfab16dee9806c2c8ef7a94051979
SHA256 e3f48e84c10cd6d91555a5164dbfcc760de396540f0fdc6673b164ca52bbea51
SHA512 4a100085717e6db746cfd67de4b6177bcbb46d7c4aabc9e6e420137b1a207c59584ad66ff872f855171c524b67feaa67782778939c8eb61c330e29af14a36cbc
-
C:\Windows\system32\IEEtwCollector.exe
Filesize 823KB
MD5 40b1ea6b1176573a65097b57ba41d79f
SHA1 5ed899a44f4a0f13b6ac780e8ef2a8165956622c
SHA256 e5e128c720fc5f202e54b8439476dc0d7124490133f3aa83e3438cc51ecb6e3e
SHA512 f4e763341cfd3469b5d16f6d9aef12ebcc59cc9743b38cc60d23110b8a501d945e3677a02d0f1ec978da4b9a6686f3297afa3954221307658c5b3a7082b3dacd
-
C:\Windows\system32\fxssvc.exe
Filesize 43KB
MD5 43f1d6159d7ea84096a30d73ee105ad6
SHA1 14077eca9a79ca9c7a45785f1a4d82358b729d33
SHA256 c17c3fddf341af9c5eb0afddc72c95819b4f33791815492172b45b00e0834620
SHA512 367a4682080e346d16309f42998d67aec608cde4e30983230ac9de233c7129804b86a682b4f11f3a8357b3c12e783a7bc5724abb3e7874bda8dd95e3364d51e3
-
C:\Windows\system32\msiexec.exe
Filesize 1.2MB
MD5 bed751c107d4d8bb2566aff943dbd9d7
SHA1 f33963501fec4d58cc2aded6fd8ee62e6fb16a9d
SHA256 7210d2f1c89c62ed55c93552bb8f58af50c565bff9dcf1cb1f5184da8b446ee1
SHA512 eb40fb3a35a0d69b68c0297e835eaf3b368de44b227173e160fa7b2c4622b09700d75122b713de8778ed60a7d0e7e4fa48a5e45b1d9a581ae656f96218c48e87
-
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize 482KB
MD5 0e750ce612977232bebd83d55fd386fd
SHA1 447ced070bb07e502957c22f37e180f71ac2bccf
SHA256 47e84c3453554da2ba60a4c8891360a27452773d6ae6d5bb01bbc2acd1681637
SHA512 a6c1f800de69299a6a29e23587f5f2609cdf494d02dcc46b66b89bc8f7e7d1a0ee1a466d70ff66c97823a88b38b7fe47195f122ff22dc04f46146b81047f1b71
-
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize 209KB
MD5 8560b005d1cda781f8e0c68b087461d5
SHA1 d281929475ca3e7e234009f7c39004231e68384b
SHA256 0f1254754fe3b610575e8a2ad7735354dc86121ff9289891b5c93d1795b5000b
SHA512 27fc7bf311c0edcfaaa845bbf57f6c596252bfade4894afa5eeaba045aad1c0e9c8ad49981fe91112e344dc44e5594b880095fe58f78bf66c0f8fd4e0cce63af
-
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize 27KB
MD5 adf7ac2446b33b6d2ff061b1d2c5b82f
SHA1 55dd35e7a25a2b147516703cb4c77923f03db538
SHA256 905e0dfb7288d3e5360270a470507cf7a0b950eb48be79b088e2e282acb6067b
SHA512 545b52ddf7726f5c5005fed5a7e84e99f2d7b4a0eeef6306a29ff21f7f6e92e53d3351167e7a4f3555b145bad6ee16f12356d906866721195630875476daef34
-
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize 395KB
MD5 58b083905438d8c13c0c8a59e4af5072
SHA1 2f8043bb3a44823a4022080a65b1d7dac196d065
SHA256 2da5846a91d8c4a93a7a872209f53b7bd7d91266d28e4f5e89ec6814958839ab
SHA512 a843021a96a3e1207986c55992ce97ee47d113f784bfb45039d2e12137d70935e06651f8367cddc19fc311ab08defc88d31fcb70dacfb6ec45c0e3bac945abbb
-
\Windows\System32\Locator.exe
Filesize 1.4MB
MD5 89267d09b5f6e4d9f04b38da3a3b4d0b
SHA1 dfeada326cfa46db62fc8ccdb803c3791bbdc048
SHA256 87a50f7048ccddb6866ad362b02655c36f10866a6208f3746919ae88cea2015d
SHA512 0e4e5ae5d7036916c45dd610aa68f3d3c128b6f71d25b7e22ff8466c652948a726c9cebea1d67d6e2598a2979e4c3db8da6d827c4fc097cb508bcde7d218854e
-
\Windows\System32\alg.exe
Filesize 86KB
MD5 81c1fd25620999a05dac4e13d568e93e
SHA1 5b15844b0d76d177781e2ad2e29e7eb7534e17f5
SHA256 e3e98d65e45d713fece8e6ad04d9a489fce5675271d5df88eb517142de67e1c3
SHA512 8ed02182cf23bddf16d7df04502b84037fbba9616e8bf5331113d23b6bee19ddf1acce5740b0c88376ab69f2f162f746ddad552148c8db80b4c96238905e9722
-
\Windows\System32\dllhost.exe
Filesize 5KB
MD5 d48d8b88fcdefeeabce57df5a4130748
SHA1 da1e98a693996ece604b82547ace8ef62153eaf8
SHA256 e51083fa189833117b4128bcab1df8453f106c011bba5e17532eff2c293afe22
SHA512 e638d629d95eaa2f77b55b0ca9de41a6c078e32b9f74fed5b8878441c1419424a06081faaa6e49ebecf4fcaa8a86a040933a023b7fd951f4f797ad74949e990e
-
\Windows\System32\ieetwcollector.exe
Filesize 44KB
MD5 f7718b623aa3848ff2a1b50514a4b214
SHA1 440b94bef9e55f2e27ec7c48896774113e04be9f
SHA256 09751cb24d1eaf66ede0ff5d3a9bcd13cf181696d458fac11874d459783ea6e4
SHA512 89d4e07474b09a6b82b4ac8a9006e3a708fd97bf2192c142a7f1ac55422798237cf09ce705a4592438ecbb7f667daabade4eefd9297fe452b55b4a903c235858
-
\Windows\System32\msdtc.exe
Filesize 896KB
MD5 3aa5d892a5d3114001d7752694495600
SHA1 5dae10f350055120ef6bf95795898a57ca9325e8
SHA256 3dfb4c97b8bb6079f576ddf035900884962b812fcfda9d6667f8de645be82bf3
SHA512 695c7091758b33f494d058effbb99a5cfa893300632cd0a6eee8afac298cb5c57cbac24f9dee9cec05ac064c07acf37baec8a631e76499bec1993287975a5c07
-
\Windows\System32\msiexec.exe
Filesize 1.3MB
MD5 ef3f3d285355ecb603e1008f87a9d566
SHA1 beff6d89468d3d19ac2286f12917a2628ce68709
SHA256 99075d6ce441b73dd5b734603dd5d9a68fbf2ce77bd4342803773e0b3d8f9bed
SHA512 57f5d28a65ecdd81a38a09c620f255e1415400ea1997fef700ae567ccf1d868259b3e3908b01218c2df64d3f66530954eb05088f480f3776711fafc101aa1804
-
\Windows\System32\msiexec.exe
Filesize 1.4MB
MD5 152f1e2517b4cd483e1962011f499e82
SHA1 f7cfd4d5fc9855e514435898fc4b6e2fc530d828
SHA256 008b413d66f9700f9c1d44f0a6dc061dda5957980f7aa8f54a7d88e9157127ea
SHA512 4946dced4df05bad4fc2150269fac705f3d3dbda69d502b9a649e3b6b55446a4d1af1b9698bf936201e6d900fd566f995b59d974d9e6ec7edb7b3a8115a61c0c
-
\Windows\System32\snmptrap.exe
Filesize 584KB
MD5 8efcf0ddbe84b4de03f0fff995ffc822
SHA1 476f02747ea0a066462c73b459985a43b3c20dc3
SHA256 ab8ba2c058231497eea95b93e7f71aa7aa90e9aed2497b81e9f45e3b25e5a7c9
SHA512 f999ac02b948fd1bf126416ae32144f0e0e34c7afcb216e0130e96f68f661af4cb44a3d2bb8b4cabf74992d8dc8a152a24ea46a9ff001deaf4236e3f7e3e1b05
-
\Windows\System32\wbem\WmiApSrv.exe
Filesize 1.6MB
MD5 71db6199d6c82a4b4d4f23d5a8776ad9
SHA1 c2115416a66e6ca6f23e23e17aac0e5d8f19702d
SHA256 6c11c00b7a63041e0e350b949991f48df6eb46eeeca351390cb874f453fe8762
SHA512 a8ba2a692ea79d2a91272bfd6c7d0db0f6e829ce3e3677f9f0e74fa5851a9b2c2a02665929c5ccf14c0d8e525cdf3453a8d29d2496aed2442863b9b1bb3d79a0
-
\Windows\System32\wbengine.exe
Filesize 256KB
MD5 c50c5651af88b12ffe0b7231cf054a08
SHA1 354733e9dd0b86c45715f10c62a7d6e9dd450fd2
SHA256 6e4a270d7de73118a40d4ce303d7e876ba18d84c55ec3b59320f54bd0090ad4b
SHA512 de3752653c30d542d4343e80ea54a268763cd672d11a4cf2547dcff11e2b75d7ef46d6ed3acfc49ecdb73afe2d50036ddcf7a68df66965b17f7e43affd8b10e9
-
\Windows\ehome\ehrecvr.exe
Filesize 173KB
MD5 e91781297e6339b5146ec066918bbe92
SHA1 e568e300e4528b3d6219f6dc40e7b53d3116dfcd
SHA256 907261446383876aceb6e6cd870fabd35b3e27c6dadd638c4673d50863288d22
SHA512 18d6c5ba8943395f772b022518966600ecfab4e9c351c22edec74f4f974b56c7baf73992b477ad4bd6ac2df549fa8b878ce1fdef2fa0e70a36b91f8d79c5369c
-
\Windows\ehome\ehsched.exe
Filesize 37KB
MD5 515f709ced1419e17ced5cef18336681
SHA1 b878cc29a215863135ce6a65a91a04963c9ece6d
SHA256 480d4bdbc235facd205f73e4190846bb72d6a79f239d389a9ca8666663a3e0f4
SHA512 3c5848e81cffe7b4f3986f4c48aae155bf283bb5eb55af3c381f197414f32a7bae2f5d596b5dd16b8f49e2f79587a15601d4b8cd48eaf8f0e9ec05ad1a737d13
-
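The Downloads list is the other half of the picture: each entry is a file written during the run, and most of the paths are system or vendor binaries under C:\Windows and C:\Program Files. Several paths appear more than once with different digests and sizes (maintenanceservice.exe at 9KB and 512KB, alg.exe at 1.0MB and 86KB, msiexec.exe four times), so the same location was written repeatedly, and some entries carry the path without its drive letter. The script below is an added example, not anything from Triage: it parses the list into hash records, rejects any digest whose length does not match its algorithm (a short digest means the export was cut), merges path spellings that differ only by case or a missing drive letter, and reports the rewritten paths and a de-duplicated SHA-256 list. Treating a leading backslash as drive C: is an assumption for this run. The sample entries are copied from the list above, one of them kept in the export's fused form where the label runs straight into the value.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Label and digest may be fused ("MD5ab12...") or separated ("MD5 ab12...").
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]*)$")
SIZE_LINE = re.compile(r"^(?:Filesize\s*)?(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class Dropped:
    path: str
    size_bytes: int = 0  # the sandbox rounds sizes ("1.5MB"); treat as approximate
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_dropped(text: str) -> List[Dropped]:
    """Turn the 'Downloads' listing into records, rejecting truncated digests."""
    entries: List[Dropped] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        hm, sm = HASH_LINE.match(line), SIZE_LINE.match(line)
        if hm or sm:
            if not entries:
                raise ValueError(f"value before any path: {line!r}")
            if hm:
                algo, digest = hm.group(1).lower(), hm.group(2).lower()
                if len(digest) != HASH_LEN[algo]:
                    raise ValueError(f"{algo} digest of wrong length under {entries[-1].path}")
                entries[-1].hashes[algo] = digest
            else:
                entries[-1].size_bytes = int(float(sm.group(1)) * UNIT[sm.group(2)])
        else:
            # A path line; the export may leave the 'Filesize' label fused to it.
            entries.append(Dropped(re.sub(r"Filesize$", "", line).rstrip()))
    return entries


def norm_path(path: str) -> str:
    """Case-fold and restore the drive letter the export drops on some entries.
    Assumption: C: is the only volume in this run, so a path starting with a
    backslash names the same file as its C:-prefixed twin."""
    p = path.lower()
    return "c:" + p if p.startswith("\\") else p


def rewritten_paths(entries: List[Dropped]) -> Dict[str, Set[str]]:
    """Paths recorded with more than one distinct SHA-256: that location was
    written more than once during the run."""
    seen: Dict[str, Set[str]] = {}
    for e in entries:
        if "sha256" in e.hashes:
            seen.setdefault(norm_path(e.path), set()).add(e.hashes["sha256"])
    return {p: h for p, h in seen.items() if len(h) > 1}


def hunt_list(entries: List[Dropped]) -> List[str]:
    """Unique SHA-256 values, for a blocklist or a retro-hunt."""
    return sorted({e.hashes["sha256"] for e in entries if "sha256" in e.hashes})


# Constructed sample: four entries copied from this report's Downloads list;
# the third is left in the fused form of the raw export.
SAMPLE = r"""
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize 9KB
MD5 d80a20f1e41820d691dc3a1577d748cd
SHA1 9ce5806a57a32a0c1dc09b64e3d837209de3ff27
SHA256 5b938491f3df2a0be4f5de3a00c9ee0424de9ba6ef5a346c90b9f4e6f6ff4ff5
SHA512 27e4c3283a7e6355feeac8f41b4686c48bd52a19f6613227b810969768c2c25f02545780240d16336fb7d08e994145eb12b7b417b237ba6f8116712ca08f8605
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize 512KB
MD5 5a917adf648bece4b575c24f08c2fc61
SHA1 f279d51472c4f6c3c62b11547d717b3a88e93bd1
SHA256 e3e31b88366373cf19cf15356a8b37dd5cb8d50375c6d2a32278b2d89cc43417
SHA512 4e3cb30845cbfce62d0fc6c619b1070ec5213568851517b3b2c4267171dce966831f44b67acb3c801200f06fd24cb2ef20f1fb485976768155c09bac95176553
-
C:\Windows\System32\alg.exeFilesize
1.0MB
MD58cede14fb1d05d32246da2bfb2b3fcfe
SHA14e601285daca454255a65162113dc2c21f8e3e9d
SHA2568496426f5906ee2c407754f713fb0c894c50473c9700ef42431dc40f1480e4f8
SHA512f0a0bce31f8cc95f742db8ef564c5d1da7d79c27fbede595a31308f3c54a0e67240032d3895fd806091adb7a37ac7ce337d2a8424be13e30e77d92d880e4b672
-
\Windows\System32\alg.exe
Filesize 86KB
MD5 81c1fd25620999a05dac4e13d568e93e
SHA1 5b15844b0d76d177781e2ad2e29e7eb7534e17f5
SHA256 e3e98d65e45d713fece8e6ad04d9a489fce5675271d5df88eb517142de67e1c3
SHA512 8ed02182cf23bddf16d7df04502b84037fbba9616e8bf5331113d23b6bee19ddf1acce5740b0c88376ab69f2f162f746ddad552148c8db80b4c96238905e9722
"""

if __name__ == "__main__":
    entries = parse_dropped(SAMPLE)
    for path, digests in rewritten_paths(entries).items():
        print(f"{path} written {len(digests)} times")
    print("\n".join(hunt_list(entries)))
```

The digests identify the copies written in this run. On another host the path list is what to re-check, by Authenticode signature and catalog verification, since a rewritten system binary will not match any vendor hash; the rounded sizes are not usable for matching either.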
memory/556-132-0x0000000140000000-0x0000000140187000-memory.dmp  Filesize 1.5MB
memory/556-141-0x0000000000820000-0x0000000000880000-memory.dmp  Filesize 384KB
memory/556-215-0x0000000140000000-0x0000000140187000-memory.dmp  Filesize 1.5MB
memory/624-76-0x0000000000640000-0x00000000006A7000-memory.dmp  Filesize 412KB
memory/624-75-0x0000000000400000-0x000000000057D000-memory.dmp  Filesize 1.5MB
memory/624-171-0x0000000000400000-0x000000000057D000-memory.dmp  Filesize 1.5MB
memory/624-82-0x0000000000640000-0x00000000006A7000-memory.dmp  Filesize 412KB
memory/1088-170-0x00000000001B0000-0x0000000000210000-memory.dmp  Filesize 384KB
memory/1088-172-0x0000000140000000-0x0000000140183000-memory.dmp  Filesize 1.5MB
memory/1312-385-0x0000000000580000-0x00000000005E7000-memory.dmp  Filesize 412KB
memory/1312-368-0x0000000000400000-0x000000000057D000-memory.dmp  Filesize 1.5MB
memory/1340-321-0x0000000000580000-0x00000000005E7000-memory.dmp  Filesize 412KB
memory/1340-352-0x0000000072FF0000-0x00000000736DE000-memory.dmp  Filesize 6.9MB
memory/1340-307-0x0000000000400000-0x000000000057D000-memory.dmp  Filesize 1.5MB
memory/1876-199-0x0000000140000000-0x000000014013C000-memory.dmp  Filesize 1.2MB
memory/1876-205-0x0000000000290000-0x00000000002F0000-memory.dmp  Filesize 384KB
memory/1876-123-0x0000000000290000-0x00000000002F0000-memory.dmp  Filesize 384KB
memory/1876-139-0x0000000001430000-0x0000000001431000-memory.dmp  Filesize 4KB
memory/1876-116-0x0000000000290000-0x00000000002F0000-memory.dmp  Filesize 384KB
memory/1876-220-0x0000000001430000-0x0000000001431000-memory.dmp  Filesize 4KB
memory/1876-117-0x0000000140000000-0x000000014013C000-memory.dmp  Filesize 1.2MB
memory/2008-182-0x000000002E000000-0x000000002FE1E000-memory.dmp  Filesize 30.1MB
memory/2008-186-0x0000000000600000-0x0000000000667000-memory.dmp  Filesize 412KB
memory/2008-256-0x000000002E000000-0x000000002FE1E000-memory.dmp  Filesize 30.1MB
memory/2020-98-0x0000000000520000-0x0000000000580000-memory.dmp  Filesize 384KB
memory/2020-106-0x0000000000520000-0x0000000000580000-memory.dmp  Filesize 384KB
memory/2020-101-0x0000000140000000-0x0000000140183000-memory.dmp  Filesize 1.5MB
memory/2020-188-0x0000000140000000-0x0000000140183000-memory.dmp  Filesize 1.5MB
memory/2120-261-0x0000000000CB0000-0x0000000000D30000-memory.dmp  Filesize 512KB
memory/2120-240-0x0000000000CB0000-0x0000000000D30000-memory.dmp  Filesize 512KB
memory/2120-236-0x000007FEF4890000-0x000007FEF522D000-memory.dmp  Filesize 9.6MB
memory/2120-167-0x0000000000CB0000-0x0000000000D30000-memory.dmp  Filesize 512KB
memory/2120-169-0x000007FEF4890000-0x000007FEF522D000-memory.dmp  Filesize 9.6MB
memory/2120-166-0x000007FEF4890000-0x000007FEF522D000-memory.dmp  Filesize 9.6MB
memory/2148-248-0x0000000000170000-0x00000000001D0000-memory.dmp  Filesize 384KB
memory/2148-260-0x0000000100000000-0x0000000100542000-memory.dmp  Filesize 5.3MB
memory/2148-244-0x0000000100000000-0x0000000100542000-memory.dmp  Filesize 5.3MB
memory/2148-267-0x00000000744D8000-0x00000000744ED000-memory.dmp  Filesize 84KB
memory/2168-181-0x0000000000420000-0x0000000000480000-memory.dmp  Filesize 384KB
memory/2168-178-0x0000000140000000-0x000000014017E000-memory.dmp  Filesize 1.5MB
memory/2168-74-0x0000000140000000-0x000000014017E000-memory.dmp  Filesize 1.5MB
memory/2168-0-0x0000000000420000-0x0000000000480000-memory.dmp  Filesize 384KB
memory/2168-2-0x0000000140000000-0x000000014017E000-memory.dmp  Filesize 1.5MB
memory/2168-8-0x0000000000420000-0x0000000000480000-memory.dmp  Filesize 384KB
memory/2252-154-0x0000000000220000-0x0000000000280000-memory.dmp  Filesize 384KB
memory/2252-230-0x0000000140000000-0x0000000140237000-memory.dmp  Filesize 2.2MB
memory/2252-146-0x0000000140000000-0x0000000140237000-memory.dmp  Filesize 2.2MB
memory/2380-234-0x0000000140000000-0x000000014019F000-memory.dmp  Filesize 1.6MB
memory/2380-235-0x0000000000FE0000-0x0000000001040000-memory.dmp  Filesize 384KB
memory/2380-216-0x0000000000FE0000-0x0000000001040000-memory.dmp  Filesize 384KB
memory/2380-209-0x0000000140000000-0x000000014019F000-memory.dmp  Filesize 1.6MB
memory/2428-55-0x0000000010000000-0x000000001017C000-memory.dmp  Filesize 1.5MB
memory/2428-63-0x0000000000420000-0x0000000000480000-memory.dmp  Filesize 384KB
memory/2428-96-0x0000000010000000-0x000000001017C000-memory.dmp  Filesize 1.5MB
memory/2676-15-0x0000000000170000-0x00000000001D0000-memory.dmp  Filesize 384KB
memory/2676-22-0x0000000000170000-0x00000000001D0000-memory.dmp  Filesize 384KB
memory/2676-99-0x0000000100000000-0x0000000100179000-memory.dmp  Filesize 1.5MB
memory/2676-14-0x0000000100000000-0x0000000100179000-memory.dmp  Filesize 1.5MB
memory/2688-28-0x0000000140000000-0x0000000140172000-memory.dmp  Filesize 1.4MB
memory/2688-29-0x00000000009F0000-0x0000000000A50000-memory.dmp  Filesize 384KB
memory/2688-115-0x0000000140000000-0x0000000140172000-memory.dmp  Filesize 1.4MB
memory/2688-36-0x00000000009F0000-0x0000000000A50000-memory.dmp  Filesize 384KB
memory/2768-46-0x00000000004E0000-0x0000000000547000-memory.dmp  Filesize 412KB
memory/2768-41-0x00000000004E0000-0x0000000000547000-memory.dmp  Filesize 412KB
memory/2768-40-0x0000000010000000-0x0000000010174000-memory.dmp  Filesize 1.5MB
memory/2768-47-0x00000000004E0000-0x0000000000547000-memory.dmp  Filesize 412KB
memory/2768-95-0x0000000010000000-0x0000000010174000-memory.dmp  Filesize 1.5MB
memory/2816-360-0x000000002E000000-0x000000002E18A000-memory.dmp  Filesize 1.5MB
memory/2816-222-0x000000002E000000-0x000000002E18A000-memory.dmp  Filesize 1.5MB
memory/2816-237-0x0000000000270000-0x00000000002D7000-memory.dmp  Filesize 412KB
memory/2848-193-0x0000000100000000-0x000000010016A000-memory.dmp  Filesize 1.4MB
memory/2848-201-0x00000000001D0000-0x0000000000230000-memory.dmp  Filesize 384KB
memory/2848-264-0x0000000100000000-0x000000010016A000-memory.dmp  Filesize 1.4MB
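The memory listing names each dump memory/<pid>-<n>-<start>-<end>-memory.dmp; the middle number is taken here to be the dump's sequence number within the run (an assumption, the report does not define it). The rounded Filesize column hides that the large regions differ: 0x140000000-0x140187000 in PID 556 and 0x140000000-0x14017E000 in PID 2168 are both printed as 1.5MB. Computing sizes from the addresses gives exact values, and one pattern then stands out: a region of exactly 0x60000 bytes (384KB) occurs in twelve of the nineteen listed processes and one of exactly 0x67000 bytes (412KB) in six more, at a different address each time. The script below is an added example, not part of the report: it parses the dump names, collapses repeated snapshots of one range, picks each process's main image by its PE base (0x400000, 0x10000000, 0x100000000 and 0x140000000 are the bases the main images in this listing sit at, the first and last being the usual 32- and 64-bit EXE defaults; anything else falls back to the largest region) and lists exact sizes that recur across processes. The sample lines are excerpted from the listing above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp; <n> is assumed to be the dump's
# sequence number within the run.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Bases at which the main executables in this listing are mapped. 0x400000 and
# 0x140000000 are the usual MSVC defaults for 32- and 64-bit EXEs; a region at
# one of these is the process's own image rather than a DLL or heap block.
KNOWN_EXE_BASES = {0x400000, 0x10000000, 0x100000000, 0x140000000}

Region = Tuple[int, int]  # (start address, size in bytes)


def parse_dumps(text: str) -> List[Tuple[int, int, Region]]:
    """(pid, seq, (start, size)) for every dump name in text. Size is derived
    from the addresses; the rounded 'Filesize' figures are ignored."""
    out = []
    for m in DUMP_RE.finditer(text):
        pid, seq = int(m.group(1)), int(m.group(2))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        if end <= start:
            raise ValueError(f"empty or inverted range: {m.group(0)}")
        out.append((pid, seq, (start, end - start)))
    return out


def regions_by_pid(dumps: List[Tuple[int, int, Region]]) -> Dict[int, Set[Region]]:
    """Collapse repeated snapshots of one range into a single region per PID."""
    by_pid: Dict[int, Set[Region]] = defaultdict(set)
    for pid, _, region in dumps:
        by_pid[pid].add(region)
    return dict(by_pid)


def main_image(regions: Set[Region]) -> Region:
    """Prefer a region at a known EXE base; otherwise fall back to the largest."""
    for region in sorted(regions):
        if region[0] in KNOWN_EXE_BASES:
            return region
    return max(regions, key=lambda r: r[1])


def recurring_sizes(by_pid: Dict[int, Set[Region]], min_pids: int) -> Dict[int, Set[int]]:
    """Exact region sizes present in at least min_pids distinct processes, with
    the PIDs that carry them: one block mapped into many hosts shows up here."""
    pids_for_size: Dict[int, Set[int]] = defaultdict(set)
    for pid, regions in by_pid.items():
        for _, size in regions:
            pids_for_size[size].add(pid)
    return {s: p for s, p in pids_for_size.items() if len(p) >= min_pids}


# Constructed sample: thirteen dump names excerpted from this report's listing.
SAMPLE = """
memory/556-132-0x0000000140000000-0x0000000140187000-memory.dmp  Filesize 1.5MB
memory/556-141-0x0000000000820000-0x0000000000880000-memory.dmp  Filesize 384KB
memory/556-215-0x0000000140000000-0x0000000140187000-memory.dmp  Filesize 1.5MB
memory/624-76-0x0000000000640000-0x00000000006A7000-memory.dmp  Filesize 412KB
memory/624-75-0x0000000000400000-0x000000000057D000-memory.dmp  Filesize 1.5MB
memory/624-82-0x0000000000640000-0x00000000006A7000-memory.dmp  Filesize 412KB
memory/1340-352-0x0000000072FF0000-0x00000000736DE000-memory.dmp  Filesize 6.9MB
memory/1340-307-0x0000000000400000-0x000000000057D000-memory.dmp  Filesize 1.5MB
memory/1340-321-0x0000000000580000-0x00000000005E7000-memory.dmp  Filesize 412KB
memory/2168-0-0x0000000000420000-0x0000000000480000-memory.dmp  Filesize 384KB
memory/2168-2-0x0000000140000000-0x000000014017E000-memory.dmp  Filesize 1.5MB
memory/2008-182-0x000000002E000000-0x000000002FE1E000-memory.dmp  Filesize 30.1MB
memory/2008-186-0x0000000000600000-0x0000000000667000-memory.dmp  Filesize 412KB
"""

if __name__ == "__main__":
    by_pid = regions_by_pid(parse_dumps(SAMPLE))
    for pid, regions in sorted(by_pid.items()):
        start, size = main_image(regions)
        print(f"PID {pid}: main image at {start:#x}, {size:#x} bytes")
    for size, pids in sorted(recurring_sizes(by_pid, 2).items()):
        print(f"size {size:#x} recurs in PIDs {sorted(pids)}")
```

What the two recurring regions hold, the listing cannot say; only the dumps themselves can. The exact-size grouping is there to decide which dumps to open first, and the address-derived sizes are what to compare against the on-disk size of each rewritten binary when deciding whether the mapped image is the original or the dropped copy.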