2069aba57b3589f2fcffd86133233d57cf622751f0cf45d092b882e0f896f101

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
Size

1.5MB
MD5

5374045bd8c58a31f038138fdde0295a
SHA1

f29c58fae7ddc5ce8615c017603c79b33be78d27
SHA256

2069aba57b3589f2fcffd86133233d57cf622751f0cf45d092b882e0f896f101
SHA512

59ab0a03af99c9fa73bb4b6306d0139e266da5b671e0133a8a87ab021b804eda79659f31603a5e2fbd1d0375167a1d0bd26f77179ea9e801285ce007da077790
SSDEEP

24576:W5t2sWxEOtqZpp0YYtwlGhNsof2e7A+ebC:W5t2syHmpSK8hWomh

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEdllhost.exemaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exemscorsvw.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
2676	alg.exe
2688	aspnet_state.exe
2768	mscorsvw.exe
2428	mscorsvw.exe
624	mscorsvw.exe
2020	mscorsvw.exe
1876	ehRecvr.exe
556	ehsched.exe
2252	elevation_service.exe
1088	IEEtwCollector.exe
2008	GROOVE.EXE
2848	dllhost.exe
2380	maintenanceservice.exe
2816	OSE.EXE
2148	OSPPSVC.EXE
1340	mscorsvw.exe
1312	mscorsvw.exe
2832	mscorsvw.exe
2288	mscorsvw.exe
2664	mscorsvw.exe
2136	mscorsvw.exe
1388	mscorsvw.exe
1984	mscorsvw.exe
2920	msdtc.exe
1596	msiexec.exe
2612	perfhost.exe
3000	locator.exe
548	snmptrap.exe
1924	vds.exe
2712	mscorsvw.exe
2856	vssvc.exe
1644	wbengine.exe
2868	WmiApSrv.exe
1020	wmpnetwk.exe
2040	SearchIndexer.exe
2852	mscorsvw.exe
2808	mscorsvw.exe
2128	mscorsvw.exe
2888	mscorsvw.exe

Loads dropped DLL 15 IoCs

Processes:

msiexec.exe

pid process

464
464
464
464
464
464
464
464
1596 msiexec.exe
464
464
464
464
464
736
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

aspnet_state.exe2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exealg.exemsdtc.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\256fd487d795e6c9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe

Drops file in Windows directory 36 IoCs

Processes:

2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exealg.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemsdtc.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F933256E-7631-489D-BD80-978757ED3B52}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F933256E-7631-489D-BD80-978757ED3B52}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 38 IoCs

Processes:

GROOVE.EXEehRec.exeehRecvr.exeOSPPSVC.EXEwmpnetwk.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A68B5038-E6D8-4EFB-B0FE-56910C65FB44}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2120 ehRec.exe
2688 aspnet_state.exe
2688 aspnet_state.exe
2688 aspnet_state.exe
2688 aspnet_state.exe
2688 aspnet_state.exe

pid	process
2120	ehRec.exe
2688	aspnet_state.exe
2688	aspnet_state.exe
2688	aspnet_state.exe
2688	aspnet_state.exe
2688	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2168	2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
Token: SeShutdownPrivilege	624	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: 33	3000	EhTray.exe
Token: SeIncBasePriorityPrivilege	3000	EhTray.exe
Token: SeDebugPrivilege	2120	ehRec.exe
Token: SeShutdownPrivilege	624	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	624	mscorsvw.exe
Token: SeShutdownPrivilege	624	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: 33	3000	EhTray.exe
Token: SeIncBasePriorityPrivilege	3000	EhTray.exe
Token: SeDebugPrivilege	2676	alg.exe
Token: SeTakeOwnershipPrivilege	2688	aspnet_state.exe
Token: SeRestorePrivilege	1596	msiexec.exe
Token: SeTakeOwnershipPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	1596	msiexec.exe
Token: SeBackupPrivilege	2856	vssvc.exe
Token: SeRestorePrivilege	2856	vssvc.exe
Token: SeAuditPrivilege	2856	vssvc.exe
Token: SeBackupPrivilege	1644	wbengine.exe
Token: SeRestorePrivilege	1644	wbengine.exe
Token: SeSecurityPrivilege	1644	wbengine.exe
Token: SeDebugPrivilege	2688	aspnet_state.exe
Token: SeManageVolumePrivilege	2040	SearchIndexer.exe
Token: 33	2040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2040	SearchIndexer.exe
Token: 33	1020	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1020	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

3000 EhTray.exe
3000 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

3000 EhTray.exe
3000 EhTray.exe

pid	process
3000	EhTray.exe
3000	EhTray.exe

pid	process
3000	EhTray.exe
3000	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

SearchProtocolHost.exe

pid	process
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 624 wrote to memory of 1340	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1340	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1340	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1340	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1312	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1312	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1312	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1312	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2832	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2832	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2832	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2832	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2288	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2288	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2288	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2288	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2664	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2664	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2664	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2664	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2136	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2136	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2136	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2136	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1388	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1388	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1388	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1388	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1984	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1984	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1984	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 1984	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2712	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2712	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2712	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2712	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2852	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2852	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2852	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2852	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2808	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2808	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2808	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2808	624	mscorsvw.exe	mscorsvw.exe
PID 2040 wrote to memory of 1952	2040	SearchIndexer.exe	SearchProtocolHost.exe
PID 2040 wrote to memory of 1952	2040	SearchIndexer.exe	SearchProtocolHost.exe
PID 2040 wrote to memory of 1952	2040	SearchIndexer.exe	SearchProtocolHost.exe
PID 624 wrote to memory of 2128	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2128	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2128	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2128	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2888	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2888	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2888	624	mscorsvw.exe	mscorsvw.exe
PID 624 wrote to memory of 2888	624	mscorsvw.exe	mscorsvw.exe
PID 2040 wrote to memory of 2468	2040	SearchIndexer.exe	SearchFilterHost.exe
PID 2040 wrote to memory of 2468	2040	SearchIndexer.exe	SearchFilterHost.exe
PID 2040 wrote to memory of 2468	2040	SearchIndexer.exe	SearchFilterHost.exe
PID 2040 wrote to memory of 1348	2040	SearchIndexer.exe	SearchProtocolHost.exe
PID 2040 wrote to memory of 1348	2040	SearchIndexer.exe	SearchProtocolHost.exe
PID 2040 wrote to memory of 1348	2040	SearchIndexer.exe	SearchProtocolHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_5374045bd8c58a31f038138fdde0295a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2768

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 264 -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 250 -Pipe 184 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1876

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3000

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1088

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2008

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2380

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2148

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-928733405-3780110381-2966456290-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-928733405-3780110381-2966456290-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
PID:2468

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
960KB

MD5
61943ed15b8c0a34a212ed9bf155a295

SHA1
b5d0fe98fb4c241971c969170097c7f9e60cdcd4

SHA256
819fe3524fd5c7c02fb900b2030a6ba14d810c8919fbb50b8a026de8cc5d53bb

SHA512
f8777c3fc95822f59bd5728c164d83258b89f4b50aaad586a8f997ad53646db5fccc70b0872e7155085613e23ab7c1bab0c561ac92a9c6ae52a1cdf58e587834

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
736KB

MD5
64e6d152e0a0439e2521a4ed01ff837f

SHA1
aa404d6e1c181bf8a6efc4b0385312e971b15270

SHA256
726b1005dd762491c38a7a5a1c28025317f780d7206a82f300b0802fa4dfb2cc

SHA512
884e85b35aaab573d229eaab34a2416c9833bdb1f5b20e0bc1ade12c6c646456af13c8dd4d9ee0a6a04cd09baa5b7c6985cd4ed9412288e4bcf0be8d22c10401

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize
709KB

MD5
b0805608b0d2a227e31c4cddc3efc285

SHA1
657cafde5d00648042b5ddd9d0512563d34997a3

SHA256
efbacaa9b4c203a5bbd198c7b1439bd3dce086b54169aab6c036bf51aacf9c9e

SHA512
3cbc9fc293ffbe1a11d0a07e204197ee751b86917d66e4cf9fe96dd925fe7a540068fbe528fddc8454b1123cde12faf3bdbab01ce8e24e485b7160b951034c5c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
42KB

MD5
02debeb0021b019aa05e29e341f9effd

SHA1
0ea10a92c264f4231a6539f1c7873a339f0e9b37

SHA256
3073be693460ccbcec6624e61bb5522516d1374d4a11b773a324f4078fc2472c

SHA512
7e9eb86099aa580833910600127fcdbb8d16f22eb70d31ba8587b6f2cf6c759a05a4b8ac57e25c2f4d275d2b0d8d7c23039be09b2541ac8dfef79fc8e3c667af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
120KB

MD5
baeaa9aeb251c4129c115d1b8f2ed29e

SHA1
34bb22eb5e4dbf73451fb6f6693790e00f63f6fb

SHA256
0a9cc44580f32a8ff1c81b5e2c6a786f26d1031e2f517b7eb6aef2a2619a4e29

SHA512
1e71c2867779991ce40bf8b56934570c28e13d88ba39f8284b8674444f54075e17621338a73add21b2cc5e5926f27c8e01c1d5c2236f95e57a3915adcbdc1663

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
9KB

MD5
d80a20f1e41820d691dc3a1577d748cd

SHA1
9ce5806a57a32a0c1dc09b64e3d837209de3ff27

SHA256
5b938491f3df2a0be4f5de3a00c9ee0424de9ba6ef5a346c90b9f4e6f6ff4ff5

SHA512
27e4c3283a7e6355feeac8f41b4686c48bd52a19f6613227b810969768c2c25f02545780240d16336fb7d08e994145eb12b7b417b237ba6f8116712ca08f8605

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
512KB

MD5
5a917adf648bece4b575c24f08c2fc61

SHA1
f279d51472c4f6c3c62b11547d717b3a88e93bd1

SHA256
e3e31b88366373cf19cf15356a8b37dd5cb8d50375c6d2a32278b2d89cc43417

SHA512
4e3cb30845cbfce62d0fc6c619b1070ec5213568851517b3b2c4267171dce966831f44b67acb3c801200f06fd24cb2ef20f1fb485976768155c09bac95176553

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
116KB

MD5
cead69f221cb9a563dbdb5afb4252a6d

SHA1
0df6f4a46a24a12edfd59c7eae700648c4f20341

SHA256
f6ad9ba4a79b58b826afc1e36d406c211cebea2fe6616c73bb3493243631be36

SHA512
1735da97e9ce84f3215654a3f47e139765497bf8349be2f11f7b01a027d8e72c25e7165d3be058e04049ff20ceaa23f6cdd4ffa809671d96640db96df1aa73a0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
52KB

MD5
f52b97475a4cdaa76c69dda04bc28adc

SHA1
ac83e9f9ed64f3d656ff974a2cb3ae5a8f885a43

SHA256
787bd0e8b67f176b026496f3cac7953135ed008e231bc4b1bc1ecbf23ec00467

SHA512
0aa65447e14448cfc0f75f0878a61769792429d0cc8863490c23134f22d089e3c775f416ac76fc3638770fd201ddbe705b2ba8939f2283306113bd5ab973dff7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
529KB

MD5
01c1f59a35a4998d32cfba7b9bb7ba82

SHA1
bde1c5372184d851b60e1ac641a6f7228db96bb4

SHA256
d8ba3351a6017f800685c21037ad9fd7be621c341eab307f4a07fae4126858d5

SHA512
533856358bfa4be5607f6c9f6d1aa97fb2e07f52aecc87aa23ea8bd2ea6b652072759faa4c5b67812c8c86810a849b27ffb13adc9763feb06b37341a441438fd

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
9e9d72969d965c1615f09faa73ab76df

SHA1
23a7710c4ec37dbdce7d60d42ee9abd465cdf271

SHA256
77d9cc94276255e232b2073405878f98b611a4c34a181a3627c8b234d54b88eb

SHA512
0487107e9ddb85f752837779dd1ffef89a079064179d05afeaea1bf0e633ef9e418d1a76d7dedf2711a53e932f7f180a7163f9d0688291c59b5aa9d6488f7a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
111KB

MD5
ad5087c19a39cae7a857d4d07f62cbb5

SHA1
c6716d1f3717dedfc0bd6a8dcacaa79849e058cf

SHA256
b9935b258927125a8d381339c6f1fa701002250126944d2d8546f01f8ce51ba8

SHA512
01f2dbf1ea1bf22f0e0720525118e8a349f6bf6b00eaf6a181190a30f96ad5fefd26846c662a71856ecae1940d4446a3a8f01b5dd2d02897580a652a5cc0ad91

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
125KB

MD5
ba62b28f44c97e4eb8ca4f54d58a8d97

SHA1
054dfdbec6576600313c94637c5e19ccf5fb3f13

SHA256
cb2347c3233886657212a06bc1da062ce6acc0dfe75605a85e6a65b74d2520c3

SHA512
834cc4d47e6fd43ee58f0d4de81b6ecdf85f841b6399e122c30c60fb0db23294879cd08a501e3851e51e995eabb47c3b80b1f93dac0fa1fbc2f9a1e87975b5d1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
335KB

MD5
4d5a1bb3e85850161f9da07afd810ad5

SHA1
9b954138fcb0de8c0c30867c4cbe8a78b3293c0c

SHA256
f1c96d4c28e6f54732567d8bb99132b1e319c0d5a17cd5caeb15146c7ae9fe3b

SHA512
e013c82867d911da78cc4e4dde63520e62761795ea64d6fd34aa6c066133e58babf3a4be514d06505f7e2dc2920ad2b7942ffbc757403d0ec1a35e34342c54ef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
455KB

MD5
7d229e72bcf7d500083dd65ce3d8336d

SHA1
75a41f917d6c147815ae7bed329bfb548e3c89fc

SHA256
a9c303662c0f5af98d1cdeae389faf431fcbdc75434968a239c5cffd978f837f

SHA512
c753c75b31e3dc23a25bcd4b457784fe77b314bcf4cd6b82c3701dc2c1ad9f441372199961a7bfb0a71f93a74166464e14791e31d172731f93a08d0d90c18e2c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
134KB

MD5
95dee30be121899482dee0b7eb563b9a

SHA1
3f5c663cb821ad3a058fc549a0e96fae9b57a9c9

SHA256
43176a2e23c4557986ade2ae54b3cb6acd5866a2491809797b4a947ab489289a

SHA512
65429ef3e41a3be6f41c3e739b942857a177a539a05f741ee9dbe05ce19ba98d291b7c9c64f724b2d89bde92a2c21f8112355a9d478ff50847d38f03eb4f23de

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
225KB

MD5
b1767eea1781d501cdd532a8dd6921cb

SHA1
b8bb476d166f628faa4d7730f72ea958cc80c64f

SHA256
556b0b245a63814eec783a0768b1a41016486e98158c1781837447b225f4024c

SHA512
c0304cc0850db04e8c35a0c53e6d4c47cdd67f0130e5c137ecab9110fdf6bba49cf2c673204a9f1262283f4db30f8620da466ee6cbf3b70acf90a96855e486be

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
259KB

MD5
02c98c0fad64c79e5aeafa3a8ac4edd8

SHA1
5f5df9e4dc9ebc9447040d48f91a68dee74510db

SHA256
4393cf7be39d3e5a70701e5af9023f29a293a2e012e51673cd374f6d623c6455

SHA512
1cf9f006ef55dbdd2ab433ba76c0f25f7f343c9b163a6bc0aa3dbbab4ba03d2be8d3f18f16a29e26041294e721337850c27f70fd1fee18e5b5bb12ecb9b1126c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
199KB

MD5
32c168d41f867443b9bf81390f38ba28

SHA1
6d884b7175f6bfb071ca60e7081a9b097fbd2f76

SHA256
85fc05050b4fa138b613eb4a15a9807d7bdd6e9f5ee9d3d82088a0977d6fdeb4

SHA512
d38c2556c9d3ebb078927cd68d79e5bccb56d47dac35b153551eb73dc8a554489e641a38457cc2868f26118bc917f1a5b524dd597408d455b172264cc6ef3f94

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
288KB

MD5
e43dcfade11fd1f688057c87cceabe81

SHA1
4f87cafe65375c3b344dc32300e0811ffa0a8fcb

SHA256
fe884ede59af5ed71db57e73d9cd7bcc8f1c3f24f95f942e9ee4ce87cf492fde

SHA512
ba9b93e0f8a8d957449095c0a1f9d5ac27305725a995c3f861fe3bc385227a2b0af8d3ef7ca99ad210782e03beb2f02221ae450e29bce22aad069173c44445b1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
45KB

MD5
3ccfd5c76a477a9ec7dc516ff8e9cec4

SHA1
fb6946eb9fc6771dfdfe854b59ef3102cea36819

SHA256
bab9ced84dc072982ed73ef91bcd5911875b449dcedc201d823207e8c5a3c56b

SHA512
c4f40a92048a62592e13bafa8ce82c399a357a5542a8f22ec325980ab2bdce3ff6a3b6aa8237b803df6f843406ef7e68ccd6f64e7575ba27be02e453ab7e7942

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
7KB

MD5
b04614e12d23a909aabd575e126e91ba

SHA1
c8dd1db4064f5f8ad4d2674bb1bca5fb2086ba60

SHA256
9ce721d1cc6ef494fe3cd867e5b80ea284433d2b980d1a42f94de24973839e08

SHA512
3a9c38b7cc92a3d42f6d14a1786ee222aee7a0746f9ddb01a643f33594652d1233993ae2f20eaa4e5ce3b7565073341b7dd2ae37ae8785c4eb9d2595b355677e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
59KB

MD5
868ed420d273779f738f076cdd94d795

SHA1
e7f750e895a2b18c3556d86536e89a0ea2d06592

SHA256
baa3dde22222623513f5eb63af40d78a5cc7fab48adecfe7f269fb4ed0cf7bcc

SHA512
0b05e4298441b76b3bd658c93b07e2c95323ce8568b8cee9aa7adaf79fce7ae0fbaa803ac5f830b625af07f7b2e318d7dfafc21dba03a82e30e50e5a08b02a88

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
873d9393d41d7eb5080537cdc1a04fba

SHA1
922d78d6a05a069ab8eb743afce429884650087d

SHA256
1b8f13b1287cd0c0627859e7aac5f8deb9058160a1b42665a93cc46d34206dda

SHA512
cc5b251cba9047f99865e9f97b91889d6250c057bdcd616311b79dbffa3ebdbc5ac76ee4f9980b1edcd00d70549440c5cb80e08af39deec8ac40cedfde11a9ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
374KB

MD5
ad7b47ad886ea83cec5ccbbd6fc43352

SHA1
71097d595509fc9beb7154ceaa30056c701b24ce

SHA256
9f5b4bdc864be4b194caf37134e41c8aa46088551d123b2f726b0bcb276d3b05

SHA512
9550dc0d96549634e101d5eef09a38b15729f605b6cf2c4a38e338c5c4d2a655df320904d278abfe121800fb6a65a900075cb3649e59fe6a5aefdace0e3f2fc6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
243KB

MD5
43d5f80da9e4c58e99826b0cefedf8fb

SHA1
5f1056328c30bf3cd943add62dd4f53a7b5ee852

SHA256
e3464274e9a6897909d18f488a74d0390335b1da716897343f6bb6768640b960

SHA512
af25752bee3ad59ecb651850cdaa7a920d80acdfb46b45cb8fb49603a70ed06419f148805b557d734084458b6fd5d8dc677fa707d9161fd3b35d6ea539248907

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
c3f14f51546ea4e7a3b28a566f878181

SHA1
d06f4ddf271090014905de4b9395cb61954764ef

SHA256
ee3dbb0baecc4a3a00f5483604afdebf4f97ebcf4e30c65fd9cb480f77c3a1cd

SHA512
0c4e3fe4295bfa1f8acf2e56a36c07d0ec1abbb301508a5e89ffefb117eaa0052c589571c5dd636240b5d8dcbbeb160ea7c63567493611feb84d47d8066255ff

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
743KB

MD5
734e21c71e79b3d23ce713c42a098353

SHA1
3f1cfdc03916111f5e7442d79cf9d6e57c9ba0c3

SHA256
70a8a8de0a54c5a30f9e65d4d2cc22d1c58ccb8a551a53c1a72c74940877ea4a

SHA512
d021de1a62c57404428a5ffb62c3397cb1e048cf25b4022005891ea40f0cc10567259c0f3c36afe9b88840adbdb7332a9b3ee15b4561c14ce6c68130b70abfc7

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
d982ce4025c3605324dd5e8109c33295

SHA1
33041d19493bbd201e58336bef713d07f02f13eb

SHA256
3d007b5dfb6c961a1e1459d819c0e1bc83cce64a8b98eff084e8c20d30a6765d

SHA512
66e778745e20b9d0938a9f4dddb6585b7c2fb4c19b670d99bd87f81f57b7d2e6858774bbea57ac01d6f6b0de4af8f83495348a352d263679690a8e1eedf64944

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.0MB

MD5
8cede14fb1d05d32246da2bfb2b3fcfe

SHA1
4e601285daca454255a65162113dc2c21f8e3e9d

SHA256
8496426f5906ee2c407754f713fb0c894c50473c9700ef42431dc40f1480e4f8

SHA512
f0a0bce31f8cc95f742db8ef564c5d1da7d79c27fbede595a31308f3c54a0e67240032d3895fd806091adb7a37ac7ce337d2a8424be13e30e77d92d880e4b672

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
79KB

MD5
13ddfd4949b8fc944a220be33cc63d90

SHA1
70de3e4c874b826082225dae16287f2528d6383b

SHA256
07efb0f89b5509c6b04566edfe4e737e1d3dc9d498e37dad5e5e044f4c7cdadf

SHA512
fac57ae4ac8af4598bc0ce2a3a8c9086fa1a1f56f17c7964de02e68f10a66ff0f2c3381f24830cb6bc88f0ef07bea9cc7b8a06190aa392c4106edee4d277594c

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
44KB

MD5
f308c0c01b56225a66200e21675e4c2d

SHA1
335058627df4a101fbf707e604a2c1fc012b98e7

SHA256
2fccb802e05c9ddfc49c01e1cf0249f1ea7eda7277d439dc31e07c87e5746567

SHA512
d85a970f3b24f0f9d63f704003342c4d9621e71d6b039daf671d76fe594a881a8a3de2aeb7b5ccabd75f598eb490171baf04457dd757b8c5570b89ad2f439c9f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.1MB

MD5
e82471b60e4e73ecd92d452a29d2c9ed

SHA1
08813198256aac34fea2254ea968fa2475565288

SHA256
df7dbff91e70f200c08b3018dccbeee0df5e26f509cfbc3c79d0286a18476789

SHA512
f1ddc13ee7ee8785b3668fdefc04b089025dfb7e970fed5e8bc58642a65cfa4d0d79fd9c2b42c561fb7a35a989fec23959e5442de60d9a27a5ab139b85f19852

Download Submit
C:\Windows\System32\msiexec.exe
Filesize
1.4MB

MD5
2a6a2decad198bb4e9c890f96073b6eb

SHA1
046af148ba983f786c0a0bad9b85c7007dbc50d0

SHA256
02094bcc592f83b06367c070f87d0a20232b9e2555301626852833f545832ee5

SHA512
bb91841d4732e1e703fad4143decd8761de4ea2b4fdae8c5bb0009fb3e4da42dd42824925f491cbc0a0b32f8dbd6efd767eeacba257030c1fc5b644a135c40ff

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
561KB

MD5
c744700f0806803ab3269c40eb5d4fd3

SHA1
1e90bb677ad1d3162fac33e7b772cc8d785a1b24

SHA256
ff9f1537af5b96abf0026989e50f2b051d22fac6c8df275babbdd574ca128260

SHA512
b0462ecaffc8daec1bbff3585cf08f6b4fd4615aecf02561e3da01a83d28470a44b92de69d05bd2bbf95206649e3b06ce12aee7427d9301e7326b0b65de77fda

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.9MB

MD5
0dcadb12632031136ffc5250cac01e99

SHA1
82df493ce796eb1a48f79542ea38c1da0897a5e2

SHA256
6b54a9bb311cd77fa1c7d24ba1cd2e6a792fa293494dfc7139725a6b525ad3b0

SHA512
98f159d2360e1fd34fd74e9aee17c335967d2f30b4ae9751416f16bc31254c510daf191f1d6d1d268039534c7362dcacd2bd20b0a99105a14ae3102575607c79

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
128KB

MD5
1fc64117e025aebe431962747c60f344

SHA1
354acb8ca2b5664306ef731c1257622389d9a756

SHA256
f4463117c76e5023733ea5d11055403c9e21fdbc0173831e2c3f8148f9021770

SHA512
eacf53f046e611465f00632c7b667565219f1ecb4b65650d949b1a8b88369bda51613bb32cba8e1bf9d07c4f17d7ad571cdb450541ff53db7c200982f9a1bafa

Download Submit
C:\Windows\ehome\ehRecvr.exe
Filesize
1.2MB

MD5
437e900dbb87b5e89a67914c3d7c8c66

SHA1
72aaa82d8ead5f9e700746f65615508e3f236080

SHA256
875071b1e9edc08f47dc95913f375422047f7d52a9243674b3b82007c49b62b7

SHA512
728654e0bc6cde87ab2f13f8fefea4e6f80ca71dd4b3af6c0b8b9ffb69ae5dc14eb8dc1fe6b547d2d835f06b7c5c4ecb0eaa59296a905497a4e642e129a10f0a

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
161KB

MD5
585b51962164599b8168d55cc6f1f959

SHA1
e220989d891a8c2682b3316f7b910a3ac1c363c7

SHA256
fb5b38bbf9f7e4eec55e8e447f61919b914b0c8bc39a8578687a4ced3634add7

SHA512
db9dc579e74226c28ae542121f141f97a1ccc61e2736b6aa5fa66096ba9b6d12726ebc9c80d6ae238a5d49d82405e963669522a8acf96ae07cfafa8c967a4649

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
63KB

MD5
e98e13c661ad1306963b1726ebf806b5

SHA1
39eb6572ec1e0d7bca49f2e7c8efa018c1cf237f

SHA256
c327eb6042618d6cdd0a873e030cfa7179d08df2da82053ebaec5aa6dc055eba

SHA512
1f3fea68d53885355b92c810e439205084ba65143dbb1ba779b9835159e30df4f9d38a050fc54bdcbddeee5239ba7ef24cb41102c9be68d5097ed57204a01473

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.5MB

MD5
9674e5f5ba9b4192dd33ea2f9a85fe6c

SHA1
bf98bc31f0bcfab16dee9806c2c8ef7a94051979

SHA256
e3f48e84c10cd6d91555a5164dbfcc760de396540f0fdc6673b164ca52bbea51

SHA512
4a100085717e6db746cfd67de4b6177bcbb46d7c4aabc9e6e420137b1a207c59584ad66ff872f855171c524b67feaa67782778939c8eb61c330e29af14a36cbc

Download Submit
C:\Windows\system32\IEEtwCollector.exe
Filesize
823KB

MD5
40b1ea6b1176573a65097b57ba41d79f

SHA1
5ed899a44f4a0f13b6ac780e8ef2a8165956622c

SHA256
e5e128c720fc5f202e54b8439476dc0d7124490133f3aa83e3438cc51ecb6e3e

SHA512
f4e763341cfd3469b5d16f6d9aef12ebcc59cc9743b38cc60d23110b8a501d945e3677a02d0f1ec978da4b9a6686f3297afa3954221307658c5b3a7082b3dacd

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
43KB

MD5
43f1d6159d7ea84096a30d73ee105ad6

SHA1
14077eca9a79ca9c7a45785f1a4d82358b729d33

SHA256
c17c3fddf341af9c5eb0afddc72c95819b4f33791815492172b45b00e0834620

SHA512
367a4682080e346d16309f42998d67aec608cde4e30983230ac9de233c7129804b86a682b4f11f3a8357b3c12e783a7bc5724abb3e7874bda8dd95e3364d51e3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
bed751c107d4d8bb2566aff943dbd9d7

SHA1
f33963501fec4d58cc2aded6fd8ee62e6fb16a9d

SHA256
7210d2f1c89c62ed55c93552bb8f58af50c565bff9dcf1cb1f5184da8b446ee1

SHA512
eb40fb3a35a0d69b68c0297e835eaf3b368de44b227173e160fa7b2c4622b09700d75122b713de8778ed60a7d0e7e4fa48a5e45b1d9a581ae656f96218c48e87

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
482KB

MD5
0e750ce612977232bebd83d55fd386fd

SHA1
447ced070bb07e502957c22f37e180f71ac2bccf

SHA256
47e84c3453554da2ba60a4c8891360a27452773d6ae6d5bb01bbc2acd1681637

SHA512
a6c1f800de69299a6a29e23587f5f2609cdf494d02dcc46b66b89bc8f7e7d1a0ee1a466d70ff66c97823a88b38b7fe47195f122ff22dc04f46146b81047f1b71

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
209KB

MD5
8560b005d1cda781f8e0c68b087461d5

SHA1
d281929475ca3e7e234009f7c39004231e68384b

SHA256
0f1254754fe3b610575e8a2ad7735354dc86121ff9289891b5c93d1795b5000b

SHA512
27fc7bf311c0edcfaaa845bbf57f6c596252bfade4894afa5eeaba045aad1c0e9c8ad49981fe91112e344dc44e5594b880095fe58f78bf66c0f8fd4e0cce63af

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
27KB

MD5
adf7ac2446b33b6d2ff061b1d2c5b82f

SHA1
55dd35e7a25a2b147516703cb4c77923f03db538

SHA256
905e0dfb7288d3e5360270a470507cf7a0b950eb48be79b088e2e282acb6067b

SHA512
545b52ddf7726f5c5005fed5a7e84e99f2d7b4a0eeef6306a29ff21f7f6e92e53d3351167e7a4f3555b145bad6ee16f12356d906866721195630875476daef34

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
395KB

MD5
58b083905438d8c13c0c8a59e4af5072

SHA1
2f8043bb3a44823a4022080a65b1d7dac196d065

SHA256
2da5846a91d8c4a93a7a872209f53b7bd7d91266d28e4f5e89ec6814958839ab

SHA512
a843021a96a3e1207986c55992ce97ee47d113f784bfb45039d2e12137d70935e06651f8367cddc19fc311ab08defc88d31fcb70dacfb6ec45c0e3bac945abbb

Download Submit
\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
89267d09b5f6e4d9f04b38da3a3b4d0b

SHA1
dfeada326cfa46db62fc8ccdb803c3791bbdc048

SHA256
87a50f7048ccddb6866ad362b02655c36f10866a6208f3746919ae88cea2015d

SHA512
0e4e5ae5d7036916c45dd610aa68f3d3c128b6f71d25b7e22ff8466c652948a726c9cebea1d67d6e2598a2979e4c3db8da6d827c4fc097cb508bcde7d218854e

Download Submit
\Windows\System32\alg.exe
Filesize
86KB

MD5
81c1fd25620999a05dac4e13d568e93e

SHA1
5b15844b0d76d177781e2ad2e29e7eb7534e17f5

SHA256
e3e98d65e45d713fece8e6ad04d9a489fce5675271d5df88eb517142de67e1c3

SHA512
8ed02182cf23bddf16d7df04502b84037fbba9616e8bf5331113d23b6bee19ddf1acce5740b0c88376ab69f2f162f746ddad552148c8db80b4c96238905e9722

Download Submit
\Windows\System32\dllhost.exe
Filesize
5KB

MD5
d48d8b88fcdefeeabce57df5a4130748

SHA1
da1e98a693996ece604b82547ace8ef62153eaf8

SHA256
e51083fa189833117b4128bcab1df8453f106c011bba5e17532eff2c293afe22

SHA512
e638d629d95eaa2f77b55b0ca9de41a6c078e32b9f74fed5b8878441c1419424a06081faaa6e49ebecf4fcaa8a86a040933a023b7fd951f4f797ad74949e990e

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
44KB

MD5
f7718b623aa3848ff2a1b50514a4b214

SHA1
440b94bef9e55f2e27ec7c48896774113e04be9f

SHA256
09751cb24d1eaf66ede0ff5d3a9bcd13cf181696d458fac11874d459783ea6e4

SHA512
89d4e07474b09a6b82b4ac8a9006e3a708fd97bf2192c142a7f1ac55422798237cf09ce705a4592438ecbb7f667daabade4eefd9297fe452b55b4a903c235858

Download Submit
\Windows\System32\msdtc.exe
Filesize
896KB

MD5
3aa5d892a5d3114001d7752694495600

SHA1
5dae10f350055120ef6bf95795898a57ca9325e8

SHA256
3dfb4c97b8bb6079f576ddf035900884962b812fcfda9d6667f8de645be82bf3

SHA512
695c7091758b33f494d058effbb99a5cfa893300632cd0a6eee8afac298cb5c57cbac24f9dee9cec05ac064c07acf37baec8a631e76499bec1993287975a5c07

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.3MB

MD5
ef3f3d285355ecb603e1008f87a9d566

SHA1
beff6d89468d3d19ac2286f12917a2628ce68709

SHA256
99075d6ce441b73dd5b734603dd5d9a68fbf2ce77bd4342803773e0b3d8f9bed

SHA512
57f5d28a65ecdd81a38a09c620f255e1415400ea1997fef700ae567ccf1d868259b3e3908b01218c2df64d3f66530954eb05088f480f3776711fafc101aa1804

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.4MB

MD5
152f1e2517b4cd483e1962011f499e82

SHA1
f7cfd4d5fc9855e514435898fc4b6e2fc530d828

SHA256
008b413d66f9700f9c1d44f0a6dc061dda5957980f7aa8f54a7d88e9157127ea

SHA512
4946dced4df05bad4fc2150269fac705f3d3dbda69d502b9a649e3b6b55446a4d1af1b9698bf936201e6d900fd566f995b59d974d9e6ec7edb7b3a8115a61c0c

Download Submit
\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
8efcf0ddbe84b4de03f0fff995ffc822

SHA1
476f02747ea0a066462c73b459985a43b3c20dc3

SHA256
ab8ba2c058231497eea95b93e7f71aa7aa90e9aed2497b81e9f45e3b25e5a7c9

SHA512
f999ac02b948fd1bf126416ae32144f0e0e34c7afcb216e0130e96f68f661af4cb44a3d2bb8b4cabf74992d8dc8a152a24ea46a9ff001deaf4236e3f7e3e1b05

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
71db6199d6c82a4b4d4f23d5a8776ad9

SHA1
c2115416a66e6ca6f23e23e17aac0e5d8f19702d

SHA256
6c11c00b7a63041e0e350b949991f48df6eb46eeeca351390cb874f453fe8762

SHA512
a8ba2a692ea79d2a91272bfd6c7d0db0f6e829ce3e3677f9f0e74fa5851a9b2c2a02665929c5ccf14c0d8e525cdf3453a8d29d2496aed2442863b9b1bb3d79a0

Download Submit
\Windows\System32\wbengine.exe
Filesize
256KB

MD5
c50c5651af88b12ffe0b7231cf054a08

SHA1
354733e9dd0b86c45715f10c62a7d6e9dd450fd2

SHA256
6e4a270d7de73118a40d4ce303d7e876ba18d84c55ec3b59320f54bd0090ad4b

SHA512
de3752653c30d542d4343e80ea54a268763cd672d11a4cf2547dcff11e2b75d7ef46d6ed3acfc49ecdb73afe2d50036ddcf7a68df66965b17f7e43affd8b10e9

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
173KB

MD5
e91781297e6339b5146ec066918bbe92

SHA1
e568e300e4528b3d6219f6dc40e7b53d3116dfcd

SHA256
907261446383876aceb6e6cd870fabd35b3e27c6dadd638c4673d50863288d22

SHA512
18d6c5ba8943395f772b022518966600ecfab4e9c351c22edec74f4f974b56c7baf73992b477ad4bd6ac2df549fa8b878ce1fdef2fa0e70a36b91f8d79c5369c

Download Submit
\Windows\ehome\ehsched.exe
Filesize
37KB

MD5
515f709ced1419e17ced5cef18336681

SHA1
b878cc29a215863135ce6a65a91a04963c9ece6d

SHA256
480d4bdbc235facd205f73e4190846bb72d6a79f239d389a9ca8666663a3e0f4

SHA512
3c5848e81cffe7b4f3986f4c48aae155bf283bb5eb55af3c381f197414f32a7bae2f5d596b5dd16b8f49e2f79587a15601d4b8cd48eaf8f0e9ec05ad1a737d13

Download Submit
memory/556-132-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/556-141-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/556-215-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/624-76-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/624-75-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/624-171-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/624-82-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1088-170-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/1088-172-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1312-385-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1312-368-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1340-321-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1340-352-0x0000000072FF0000-0x00000000736DE000-memory.dmp

Filesize
6.9MB

Download
memory/1340-307-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1876-199-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1876-205-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1876-123-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1876-139-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1876-116-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1876-220-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1876-117-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2008-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2008-186-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2008-256-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2020-98-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2020-106-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2020-101-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2020-188-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2120-261-0x0000000000CB0000-0x0000000000D30000-memory.dmp

Filesize
512KB

Download
memory/2120-240-0x0000000000CB0000-0x0000000000D30000-memory.dmp

Filesize
512KB

Download
memory/2120-236-0x000007FEF4890000-0x000007FEF522D000-memory.dmp

Filesize
9.6MB

Download
memory/2120-167-0x0000000000CB0000-0x0000000000D30000-memory.dmp

Filesize
512KB

Download
memory/2120-169-0x000007FEF4890000-0x000007FEF522D000-memory.dmp

Filesize
9.6MB

Download
memory/2120-166-0x000007FEF4890000-0x000007FEF522D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-248-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2148-260-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2148-244-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2148-267-0x00000000744D8000-0x00000000744ED000-memory.dmp

Filesize
84KB

Download
memory/2168-181-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2168-178-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2168-74-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2168-0-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2168-2-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2168-8-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2252-154-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2252-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2252-146-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2380-234-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2380-235-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2380-216-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2380-209-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2428-55-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2428-63-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2428-96-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2676-15-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2676-22-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2676-99-0x0000000100000000-0x0000000100179000-memory.dmp

Filesize
1.5MB

Download
memory/2676-14-0x0000000100000000-0x0000000100179000-memory.dmp

Filesize
1.5MB

Download
memory/2688-28-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2688-29-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2688-115-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2688-36-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2768-46-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2768-41-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2768-40-0x0000000010000000-0x0000000010174000-memory.dmp

Filesize
1.5MB

Download
memory/2768-47-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2768-95-0x0000000010000000-0x0000000010174000-memory.dmp

Filesize
1.5MB

Download
memory/2816-360-0x000000002E000000-0x000000002E18A000-memory.dmp

Filesize
1.5MB

Download
memory/2816-222-0x000000002E000000-0x000000002E18A000-memory.dmp

Filesize
1.5MB

Download
memory/2816-237-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2848-193-0x0000000100000000-0x000000010016A000-memory.dmp

Filesize
1.4MB

Download
memory/2848-201-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2848-264-0x0000000100000000-0x000000010016A000-memory.dmp

Filesize
1.4MB

Download