46c38e3915c010b011ff91a7e34c194c195cf83fd9a18c385b21c5b781bfe900

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
Size

1.1MB
MD5

58df9882dd29217ba5b4336299d637f9
SHA1

ed1aa6ca60973aed5145411fcfcaaf24614da7b4
SHA256

46c38e3915c010b011ff91a7e34c194c195cf83fd9a18c385b21c5b781bfe900
SHA512

5280d467cbbc3e9eed422f6fd73d4ba3efcc66e2e18d63c9b558c9e03823d1d8144f525f2e6fc69ec25d2457d18cf87f62f953036c4c331b9538fc8a4e11caac
SSDEEP

24576:0Si1SoCU5qJSr1eWPSCsP0MugC6eTFMPQcGEdy22cbjW+F0VUreAa+EXBq:cS7PLjeTFMPQcGLtIrF0VUryXE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
468	Process not Found
2720	alg.exe
2976	aspnet_state.exe
2608	mscorsvw.exe
2652	mscorsvw.exe
1980	mscorsvw.exe
2884	mscorsvw.exe
1560	ehRecvr.exe
2160	ehsched.exe
1580	elevation_service.exe
3004	IEEtwCollector.exe
2416	dllhost.exe
1948	maintenanceservice.exe
1916	mscorsvw.exe
1440	OSE.EXE
1576	OSPPSVC.EXE
2812	mscorsvw.exe
2028	mscorsvw.exe
2340	mscorsvw.exe
1220	mscorsvw.exe
948	mscorsvw.exe
440	mscorsvw.exe
3068	mscorsvw.exe
1376	mscorsvw.exe
2716	mscorsvw.exe
1500	mscorsvw.exe
1956	mscorsvw.exe
1224	mscorsvw.exe
2824	mscorsvw.exe
2484	mscorsvw.exe
752	mscorsvw.exe
2448	mscorsvw.exe
1508	mscorsvw.exe
1756	mscorsvw.exe
1912	mscorsvw.exe
2692	mscorsvw.exe
1476	mscorsvw.exe
1652	mscorsvw.exe
2864	mscorsvw.exe
1744	mscorsvw.exe
2948	mscorsvw.exe
2716	msdtc.exe
2548	msiexec.exe
2164	perfhost.exe

Loads dropped DLL 9 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2548	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7a069eb693c0dc56.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	elevation_service.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D45ADB18-F03D-4816-A3E0-363C899563B2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D45ADB18-F03D-4816-A3E0-363C899563B2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	ehRec.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1364	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: 33	2308	EhTray.exe
Token: SeIncBasePriorityPrivilege	2308	EhTray.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeDebugPrivilege	3008	ehRec.exe
Token: 33	2308	EhTray.exe
Token: SeIncBasePriorityPrivilege	2308	EhTray.exe
Token: SeDebugPrivilege	2720	alg.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeDebugPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1580	elevation_service.exe
Token: SeRestorePrivilege	2548	msiexec.exe
Token: SeTakeOwnershipPrivilege	2548	msiexec.exe
Token: SeSecurityPrivilege	2548	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2308	EhTray.exe
2308	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2308	EhTray.exe
2308	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1916	1980	mscorsvw.exe	42
PID 1980 wrote to memory of 1916	1980	mscorsvw.exe	42
PID 1980 wrote to memory of 1916	1980	mscorsvw.exe	42
PID 1980 wrote to memory of 1916	1980	mscorsvw.exe	42
PID 1980 wrote to memory of 2812	1980	mscorsvw.exe	45
PID 1980 wrote to memory of 2812	1980	mscorsvw.exe	45
PID 1980 wrote to memory of 2812	1980	mscorsvw.exe	45
PID 1980 wrote to memory of 2812	1980	mscorsvw.exe	45
PID 1980 wrote to memory of 2028	1980	mscorsvw.exe	46
PID 1980 wrote to memory of 2028	1980	mscorsvw.exe	46
PID 1980 wrote to memory of 2028	1980	mscorsvw.exe	46
PID 1980 wrote to memory of 2028	1980	mscorsvw.exe	46
PID 1980 wrote to memory of 2340	1980	mscorsvw.exe	47
PID 1980 wrote to memory of 2340	1980	mscorsvw.exe	47
PID 1980 wrote to memory of 2340	1980	mscorsvw.exe	47
PID 1980 wrote to memory of 2340	1980	mscorsvw.exe	47
PID 1980 wrote to memory of 1220	1980	mscorsvw.exe	50
PID 1980 wrote to memory of 1220	1980	mscorsvw.exe	50
PID 1980 wrote to memory of 1220	1980	mscorsvw.exe	50
PID 1980 wrote to memory of 1220	1980	mscorsvw.exe	50
PID 1980 wrote to memory of 948	1980	mscorsvw.exe	51
PID 1980 wrote to memory of 948	1980	mscorsvw.exe	51
PID 1980 wrote to memory of 948	1980	mscorsvw.exe	51
PID 1980 wrote to memory of 948	1980	mscorsvw.exe	51
PID 1980 wrote to memory of 440	1980	mscorsvw.exe	52
PID 1980 wrote to memory of 440	1980	mscorsvw.exe	52
PID 1980 wrote to memory of 440	1980	mscorsvw.exe	52
PID 1980 wrote to memory of 440	1980	mscorsvw.exe	52
PID 1980 wrote to memory of 3068	1980	mscorsvw.exe	53
PID 1980 wrote to memory of 3068	1980	mscorsvw.exe	53
PID 1980 wrote to memory of 3068	1980	mscorsvw.exe	53
PID 1980 wrote to memory of 3068	1980	mscorsvw.exe	53
PID 1980 wrote to memory of 1376	1980	mscorsvw.exe	54
PID 1980 wrote to memory of 1376	1980	mscorsvw.exe	54
PID 1980 wrote to memory of 1376	1980	mscorsvw.exe	54
PID 1980 wrote to memory of 1376	1980	mscorsvw.exe	54
PID 1980 wrote to memory of 2716	1980	mscorsvw.exe	55
PID 1980 wrote to memory of 2716	1980	mscorsvw.exe	55
PID 1980 wrote to memory of 2716	1980	mscorsvw.exe	55
PID 1980 wrote to memory of 2716	1980	mscorsvw.exe	55
PID 1980 wrote to memory of 1500	1980	mscorsvw.exe	56
PID 1980 wrote to memory of 1500	1980	mscorsvw.exe	56
PID 1980 wrote to memory of 1500	1980	mscorsvw.exe	56
PID 1980 wrote to memory of 1500	1980	mscorsvw.exe	56
PID 1980 wrote to memory of 1956	1980	mscorsvw.exe	57
PID 1980 wrote to memory of 1956	1980	mscorsvw.exe	57
PID 1980 wrote to memory of 1956	1980	mscorsvw.exe	57
PID 1980 wrote to memory of 1956	1980	mscorsvw.exe	57
PID 1980 wrote to memory of 1224	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 1224	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 1224	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 1224	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 2824	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 2824	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 2824	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 2824	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 2484	1980	mscorsvw.exe	60
PID 1980 wrote to memory of 2484	1980	mscorsvw.exe	60
PID 1980 wrote to memory of 2484	1980	mscorsvw.exe	60
PID 1980 wrote to memory of 2484	1980	mscorsvw.exe	60
PID 1980 wrote to memory of 752	1980	mscorsvw.exe	61
PID 1980 wrote to memory of 752	1980	mscorsvw.exe	61
PID 1980 wrote to memory of 752	1980	mscorsvw.exe	61
PID 1980 wrote to memory of 752	1980	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2608

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1dc -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1dc -NGENProcess 1d8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1dc -NGENProcess 1d8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 26c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 254 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 1d8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 1d8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 290 -NGENProcess 188 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2a0 -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 26c -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 154 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2416

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1948

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1440

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:284

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
951KB

MD5
bbf8beb5ced7fb61d579d64010e0e8f5

SHA1
23668f2c485bdcbcd8f4c3fb9eab2cd907fe8b5c

SHA256
489705ca8dec65700f791cb9b183d855fae49c506832c2e51d77003a165dc5b5

SHA512
2e4fce122c7882186af7dbd5993ace16b1753fe83f5318e16768caef541cee5f0afcf4284b92b468e9024c666bd8f92317da97a7e58eeab1407b9c0598722327

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
22827e3ee4f0a3691c7b132a2d715d5d

SHA1
3e54d9b7e1afd83584bfb09be8633befb6196966

SHA256
7bca3f1d5d9e5264c799f69cf337a20cbf0762a6dc91f9ab2c92c1f873720f37

SHA512
3af358d9cd7d0fb6d594f8665903612866490a332ee954e19fcbdbe624cb53cd930ce37c3a40ebc1ef012ef22eee68ef6c7363dd27df6a9b6e99fd809946e99d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.0MB

MD5
1fc372cdb9e5dbc9d1ddef9e7ccd59c7

SHA1
7d5a2f41281cdb50ed70f20b9258fe39523ced8e

SHA256
5a7a466521ca4b8f4831b64b87ba32e1df8bc66b6424169d11913f6b4925939b

SHA512
d6171e8b4164a8434dd19fdc0929f0a0d7f60d47da6dc987e1d29eb87445200d12ee711dcfffcd5b98a588d79b1f62c913060cbb3021f8fdff55333dd43d12cc

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
752KB

MD5
61dc89e41633eb2914ffa018300832d6

SHA1
e5adfaa7e5bbea8451b0a3cd904068948248f73b

SHA256
807ee86204ce489ad6639a0f976ff2eae013b9e8e02e622a1ff323f72c4571f6

SHA512
df71b3eb9fd380c8ac8a8b26523e5e39bdac832a194caafa22972150f45c8252372fb72f1ff0d7a03ff36ba862eba46e20af09a93154b3d3444e4fdd907b9ba4

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
48KB

MD5
df36d495c4898257dd7153e226ef102d

SHA1
414877126cabfaf0b2dacd8014457f42fe96ad06

SHA256
865cd3ae7daca450f63bb8055c4557a1d689f23463548f0c6aa62e99d0599261

SHA512
0d480f75a03e5f35c9c07ba7db3d64df8a224d83b5aa0bd4962ac4cc68c653ba11d73b32382bda0e62a1c84927d15cee451a3bb01068a8d8805a4b60c8c415a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
40KB

MD5
3fc8a0f0fdf6130d03c39b767f0a8d8c

SHA1
9eff01aacbd5645ce9b9056dcd5b14b3344a899d

SHA256
757244321151842390848b096f2eb10263f48665a8a1024807364f7593564f63

SHA512
4aa0d10fea370e6422589073d70a1d0a55276dc205220416b668d28aa424bd77507f56aa48a27db69215b987aab42d9beabf298e5f885200173edd19bfc3f0fe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
234KB

MD5
c69471d9acf74bcffa462f699d959fcb

SHA1
8b12bb62319fce085c54b1723d4400b50004424d

SHA256
b582cde480b07bd7ea349257cc69c85c915312917fad2b749f8fc27cb3277b56

SHA512
7ac47b8f8dd8ff67aa6d5e83b5365921267f84da79b72685608c914af0995a6debfc0c936af85e3f9b09cc17fa253f29123a462e10ebc81941607185d637ce3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
957KB

MD5
a96db13f2bcc38978e1469b2fa952247

SHA1
9026304f1c5f1bf01cff21badf429ef12ab49fba

SHA256
e1e3392a92555e5b4ab46be4e327ea171d7b2f7500a8d8089e0b82902bd3996b

SHA512
ee75ad39e08c131eed166147dcd0ec406f65a78388cc2ea0c80c4245e2c8be2dd80bc97ed19ca657a4bc2b452ce69f62465737982df8209c39e23a8b0516fed5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
576KB

MD5
2458733abc5e8aa6147ea8bdb7507f3b

SHA1
02dac02e4f49f0d7e2a04cef858e52a9c732bbc5

SHA256
f42236b25743dd04821ed6d29fc60265320eaa9d9ed2e1651ade17d292bec405

SHA512
99a9243ce1ba1e751b409ab607d7783252f88144086844074409682826001852fe902899f87ea9a33b02cacdad579f4c368d5f4bcaf3147c1bf1fa4ea80e4746

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
648KB

MD5
678580e2a3fb8c6aa941348b250c27a9

SHA1
52717fd77e85851e898f05ceee0b8ddb30373290

SHA256
b2665e4569135ea8e6af279bbbf97652688150cdb435e3ef0c1eecfe93a9242d

SHA512
bcaed1a1ac3afe6df4ac18e502293af8a08a692ee4338453c0f9db0537e381e0e9c8f535cf9630e76b3235698156bc6c5c8e8b66bbe076e1159af58a62d72a4c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
702KB

MD5
f3253640218097dbaf423f0b0b24b444

SHA1
cbc8ec06dc4ef82b49aafc02404658f56f096821

SHA256
d4e059af72b7c9d0300dec2aceb7b13f051111c4fde3dce62a07a03a829fc245

SHA512
d83fd88c8e584907fec6ba0c0e65e8993714400ac2ffe06e85c0d64d64c96d8711f0f8b0a0236ba31ac8387fd7d92f8dc2e01e96022f2fb0fe54742a1d50b2d0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
64KB

MD5
48058678ec2d2b83816ef97508c8607c

SHA1
98373dbd909d816cb19a4d64aa649ded16129c2d

SHA256
eef914d2bc8d2c8d2e214ff398ae9981ae368e0ff50ced32aa08c62c8e439a1d

SHA512
0c3dee11d6793fff7bb99128acc7dbffe73264e363329ed61a495d8fb87a34c05d215197ec63782965d97f2031d5f5e96066cb81e0af2603d440047338a2654e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
41KB

MD5
d06aa599e9e07bc84e5341d8145cd159

SHA1
b7a6186dd3494222030e8eb7483fb6ab7db882af

SHA256
094cb557000410f66fbe09f201b5c5953f9f1e31665412bc5a89ad1a379a7579

SHA512
3a1c218eba35086575cdbaab8979b9580ff5b98f88452af82afc15a1b28c7ea20c83ed36c5192468fd8dc06a8027659bd01bf36b8e27b1a755337b7a9c80dbf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
158KB

MD5
09a649020c2f3c7a3a5d1cbe5b80c8e9

SHA1
5ab39225758d25c35b64681949fd8407bfb1f781

SHA256
3b6be1b7b3015a21a8b9d1cc9afcb80247472af1ccdae9cb1c102cb122ee1e30

SHA512
1c73468f0e4d98ca34a1e1c21192b90abee1d3ed0a13f897920208f58344004527fb1f4005b2f5ab2451d0fcd454e02750b34696638de721a9ca39908902213e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
215KB

MD5
f3f639b4a365fc31a1cbb1db5f2ca17a

SHA1
bac251c154648415078912152b1299042652076c

SHA256
480aa0ca006523e309d04dcaec27d0898bfae3f06e34b99b1de241e5c15d5d09

SHA512
21510864a588680933bf00eb8b7ef6afb9b7706185e0848bb7f5c8b50e05b484d27289dcf85439619cf99925ee6373b817130604a11f392e768c2f6429841fd6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
132KB

MD5
0ba3b06da821173a2e9a92391cdb9b7e

SHA1
27b82ad7395872bb3debc2e4367efd5232a4ade0

SHA256
4fabd27c3f653e635067352d2b237f7e8db0955c4c9b23a0c8b15d0a033142b7

SHA512
fee8861674f505289dac4a2260ff482abfff8ecc9b9ac6474d706eca9ae6d47cafa1e4d43765464e7c324bfb358e73f38ed72cbe7085887c8d3ba33530e6fbd8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
661KB

MD5
99db9a7c85ae2159a78cd11a753efa49

SHA1
877f37757da93a756346410b85d943eab31c2a98

SHA256
3d603089ec1ac2a6c692ec333edccad461b1513fb4e26727069fcd836fc09084

SHA512
8873d5843b26d8cfeee0696df2a3a2b08a46a1047e8af15203b341b1d79f7ad0f4d237021be4cb42c95482cbb8e7bd4aaceee8bc95ac34156fb8b933dc6736db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
354KB

MD5
6cf35e1de21e52b8fd494d2c9d180b79

SHA1
1381cbcf6fbe6fe1c3baf8568ef3d9c675d2b127

SHA256
0c91211e29e8277d6cf69c0b21fb2cac256d1f01045f3b7e8f358262c6905e99

SHA512
b25cffbf9b1469159fa2b1d5983c5fb5908cdc3fd5c3e823d3191d33849cd3f18b48f649d5eb5909d4dc7e706b6e7fbaaa48763a9be637adfde39474fdd0d064

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
fc5eef42617c0c6a591e01f832a10784

SHA1
bf5cced37b525e9e404c2074385f1b0f3c94fda6

SHA256
aa1d7f70bcd0680aa34456f64b139960709c15209b35b4d59638ca51670fe79c

SHA512
956b298a4b0771bb86619187b7d18fb75da1f2a6595810a94cbdd3fb808bcc538d8fe94a49f01c23ccb780fe7a188a5ed8d21d0cd1abb2263708e804fd17fdcd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
46KB

MD5
3da3d2ca089b3da3ed4ec94f36831fa9

SHA1
f99507e984b8008633da05ff37336d7bee4d4ce5

SHA256
21ead07633080e0ff613efaa765ac7d64c392a8ad1c3308f139e3a40d0eb3be2

SHA512
75e4ac792ae42b5ddf466e539710602b21055797ec19bd00ca285c6f11951b04cace656acf3f749ae451059647591eab4458f67c7b7783793e6b360c92897b14

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
300KB

MD5
b61919f3e5f21c789ae6a94eb9705b87

SHA1
384f0df09888d8193c5b182a52c8c5f3e85e082f

SHA256
c9d9963f07e49821d0af88288282d2b7c2ab174b9fbfef08b866adeaadc04ea0

SHA512
cf61eee763e88c0350a3b856a35bc10b77c55901fd0562a837ee2afb79666d04808b652406f2a9c5242b3df2ccc2fd7cfd202f0e91533e60bf32bba8a57fcf4e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
217KB

MD5
78c9aef5aebbe28f2c2e4bf04ab1b30a

SHA1
89e1466fc3cece6bfd25292a7ad9a3fa9ec8b25b

SHA256
86b230c3c384f402ded5d7d3a870c80c8fb17a8d3a4f6149102551e7cc1e0f3e

SHA512
7216e29e0fb9a45566c518958239fd4260d2f4fdd0258d75344a934d30f143df3ec0055702be446d9f21cdd21dd848b50ff21190afe780fdf2dab5a7a40f3242

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
316KB

MD5
373c6d52269d98eec3f55d6480830157

SHA1
41bc74ddd99ef4798263cdb59adeb80dc970306a

SHA256
c471cc851de6a9b5c6f1868b127af7a87976b8f4712f49c8a84bee8fc8edb3cf

SHA512
73c87446958322cb255a55132ae3e2216ab10c9ff70901eccfffbe6aa977d3fc645bbc8cd7e7541199a14cdafed43ec23d3051fcdfdb49d0a2fc8e188fab258b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
108KB

MD5
ec30e7902bf8f4d16307338d08a15966

SHA1
3d7ab5d27ba321173b38e3c9ae13f67c00e16b57

SHA256
a5bf4d70e28143713ad2ca7f3ebc66267119f1af6f6732f704b3923f7fc18947

SHA512
11d9c8f0c47e7603cb24162adcdc24e5098152c74aa01f9b023c859e8d374393d4146943e7993a42d200280e92429ea366f873685f951f3286b50b2d3120e1e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
48KB

MD5
48d0769c975085ba5b5551bafdf314c3

SHA1
a451ae1f3c93297f7410315c4809d2862a56fbe4

SHA256
ee447453fec07068e80d8e1f3216e51737fb0fd860a599c40ac3a5545a6bad3c

SHA512
66eeea10d17929d7900d50b4a5042c43f888247d10006bca0f4a4d4e5c25db982a901f4a1ac38423cd7f84519c4188b544655181462b26720caa27719881b8f5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
43KB

MD5
687cb424445f5ddde05e5532cf4e5925

SHA1
d8ac0cdb8291d6e13268dab3901f1ac9b488bb5b

SHA256
b625fa5b4cfb1e378671c000cb7b414228a02aeb729fad12ed87e7b81c942459

SHA512
fddf0ce9c6b456bf386120dc810519fa163c7b401ece6ddf8cd4509e31ca6c263531319f387d1f9f276965f32337f8912d8798e7a3720db3356e7c89fbc4f6d5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
146KB

MD5
ae489c3b56ec05cecf5580d76e23f516

SHA1
e81665f7ce040ad0faa41f216a697b5b7aa93777

SHA256
30b7278a43fb2cd125c9e17731c069a1bd0b2f2768c35c218c215afd9b73abfb

SHA512
70d4b0195156bca96a6dd2e41fc3be81a473f0d9e4ef2d61cf39ce64e623c716f763868d9a2160fbc51950b8646d7c51914c8e886de791c2d94fdc6239b205fd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
286KB

MD5
664156313654064726cb2a43b174271c

SHA1
fc262c7ffce0f8427011d348cbefd783048ed6b0

SHA256
97eb123ce9714d1d3e5f387bab1983160b8d356fdd31a587ab6b48b6be360808

SHA512
79e617f1a788f892f85e06a33340789ad37d234c3d3d018b6e3fa9d88de9920b6cd8fb4625bd512e275783d7c6cedcc9f705d6d0682e99b668117e5e03dc0e8d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
46KB

MD5
9883924a1e6640bc15522fdd279d1cb6

SHA1
f3f0d60762008c803c48dda0344f4ed8108f3af3

SHA256
3812098f50ac37dab1b2635d752f5e34b6a3db68008779f7197b5a4cdfe1ec00

SHA512
a2251dd80e692d66c754ad3be9b0b43eb0919129fd13d09b65bf3a537d6b6b946958101d10f43481b545ada7f0db820b35297935460502ffdb73eb4be373f565

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
308KB

MD5
5c300300b62864328673bf242b9be3e2

SHA1
40187bbb8c158d806c3c48b2b1c4e94d1c8a7065

SHA256
173fff203863152a00d6a6f284d4760c41b5f04458b57414b6eac2187381131c

SHA512
9a8106c30c724d6470ba0ec83ef653f0f03b75669b8e46494da5cfead0dfa6bdd3b56138c7096d6de2d83b76044e523dccd3ad5f3c2acb0a48a96de4fac11913

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
221KB

MD5
870e29342bf64668c40c3443a36772f0

SHA1
c8b19240605c4730204263349ff22346b8d072b2

SHA256
2fba15c7bb0f785037565f2050ecf0d3241e08a60556ae0ff0db6127cdf47c8f

SHA512
f769e39d1f0966ca4033b21998117ece8c0527dee3de9444ff36ba73d60b3dd4eb608e1b42f9a198c418772471aaf746c4414c57bab71526a550de6a53fa920e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
549KB

MD5
6c20aa21f805494a961efd84f6028eeb

SHA1
d5cb23cdb33f39b2f7fbbf77c7a615dba0934248

SHA256
aeeff5d7d7d5fdacf9b9d7bfcc784e4054e15d7ef011d3a218434f5aa6dd60d4

SHA512
d1c09753aa1d756c14e65a70312bb9797d9d575db146ab009eab068c5e58537c246233466861ccf7c31d4d33f9b14da0cfa42c5a86a7d6d099f5c8ea8b37b664

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
308KB

MD5
87410e80a873f51a87d1cd92bc88db5c

SHA1
3029a3ac095f3a7dae98cb850d3e28c0b99f5fb6

SHA256
c75f27b7ecbfdc9bd198586845c9a2887e5e38fde4d2d50262daef48189d6054

SHA512
d530eba983e6d9560c8ac34af800a36358b1a70fbca5f9e235b809be37ab201dd89b0f43723f79a365db9a285b56b0f0ed9fdcdebc25c9e0725101c9c2c1e800

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
191KB

MD5
ce15cde3f3bdb219c7401e888fde3fd1

SHA1
009c2d118643d868e90b8af7d59c16dbf08732b5

SHA256
4c63e39074e03d0a0d54c9e02f6223c1ec6dde29ec48dab73bdc10f544118c4f

SHA512
fbd35c7daf49f4051f24a77cb870c398b14e2f41ad707886d9e0bb519afc940329b0a994f54cb590289c04b77769d4549ee37cc6344b1f66cf622143ea885b82

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
483KB

MD5
eb2b3eba42764ff78f6f1e39c16a092c

SHA1
21762326853e7a8e443be7ae5755206452992594

SHA256
44c38ebf548fd09993bf9f685c92244527c0e0cbeed9a058fac2dbb23747d6fa

SHA512
06c53d02c13a1376059cf8806a453a2b9f29b3040e78d8e745f8550a26288f83bd571086aefb3120e4783e4a09e293350e3f5304e2c4cc263a96d3a5acea6862

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
394KB

MD5
d8cd211094029deb1b9af6354e65895a

SHA1
c7a88ea8634db922a395590a5178220ba2b13a14

SHA256
31f6e32ea914a22d5416da443e06eaf21dcea9a9e69f51b7624a40be578afa8c

SHA512
958dd1bf04271d02dee6af25ce36c26dea1aeccbfe41ca56489871a433accf763244f22aeb061ea4a7282585606b231d400cc7adb9257e9d8ff6284060e152d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
169KB

MD5
77b9186613cf0188fbf5d8d5d2c38c0e

SHA1
58bc77feeea90d478303a08b3607239c6eec690f

SHA256
797170ed1fd6c94b491a41d70a80239b77b7e5dafd85a2bfc838e4605525fff1

SHA512
0a44d1b8116afdf2a5c77ac83b081c319725df58e624ab365eb072dc9f2b222e745adc303f5b1cbedae92f8476ecaa423e52a4ad0e0e7ec1e315b7b4fcbb8466

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
293KB

MD5
fc912ef1bd2d657cc7365090a123b572

SHA1
b12d68a15d9d4ea3c21824cd22ef723701b79252

SHA256
2dd2d72c8d9ed76cbc7a5a45e7458e81c86975d6868cc4e41118c55efde6c6f9

SHA512
a5230e8ca963e51bf7ff7697f472094468e30a9a14004cf292717cd07c23a066af9e36823e7110c6f6bf0e8edf92cdff78d3d6b40d315a39872ff2c7aa21ac62

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
30KB

MD5
e17629bb573c74d8557702e1e6cf40a2

SHA1
c63b3405daa842b3aff1f11ff2e71b5c460dbbd8

SHA256
40a44ce0a07d29eec811418a532fbbfbf73c05a30bb75ec677aae4a793948697

SHA512
d7ac120e941d862863364a25eb66d63a648eb5a74eb6216609f67f5c02383c8db5e02f4a7865bedb6bf1d20f9c856f150b3f1bc6756b09d2e67c7cf4320f64c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
266KB

MD5
4c18232133e86cec943a802d6a11741b

SHA1
397016b8ca9a019872ce892a8293d636490765a5

SHA256
356be00954edda1ad620a4674a819d2fa8c0beafe3a3aab478b02ca1b9971b76

SHA512
90d60b5a675c0e61977790074cc211eb951f8f9b076c3ca1a26f2028df074169007540775d86884275fcf92778473bd6835669f3640ff55dc1af81c588bbc716

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
191KB

MD5
2aa16dfb729ac7bde144065c8a6f708b

SHA1
01d8b4f6940102bb9211589c2f42d80f80ae53d0

SHA256
c96a843b3280e03533f05ddb35f1e8917e5c469a2acb3a332a728d1557b6062f

SHA512
79703f8373c7b098c7db7850fa0c27ab858e1f6c1d49bc1b615872b804d311082bea63b811e6ee2f07f0b9d45a96ddeaade0aa6cd200aa44b54da58aac93e4b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
9e72499df345ac3579c75a49ebcb31ce

SHA1
acfc758e8936cfd30382ec92a86e0e3b9e1599dc

SHA256
addbbcd101e9c912557c965bf45ba39ed6e7d4ee4e973a829bf9aaaae2a8b164

SHA512
c5a9591ca2e21580a547e6d47a134699654cba4b9c6225d911ea04a4c6a0febfb2c707c06ffaf5e1d43ecc1ada05731a5d9c30aaaf72be6dd58912cf83004293

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
6390812777b36397948331ef9d552870

SHA1
93871b697b8e8b2f250fd377d91dd5f8e87f6980

SHA256
25545afd59b54cd6c96d390d3e84f9257a726fb9be3c0db6a1812307d121ab12

SHA512
41982f964e801795220d3041d6bfecfb68bff3bf2a721aac1202b70d313fbd77bb61e68948b558421a5f1be7ee916c31c5b952255f9f8046a5945c5214deda62

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
135KB

MD5
11c13f393d34537851e00cb127a47d33

SHA1
9f8dca8638a0e9085433799074eb3113fdb130a9

SHA256
74fecd6af243e2fb0259c3f244b54b1190f07df89c44579c47c2049d43b3dd91

SHA512
e0f5f4247481086dc3d61ed8bbc9426b7a8719557f1f1b84d4b2c284ce715662dd0011cfe3c1b1fc43b17c3114d4d3ad4806a7bf4f56441a068d9f01561afff2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1006KB

MD5
4587acfeb00480c0db8f36e2234df7ef

SHA1
cde6eb9cde38d7810bb333f692d9d36d81055359

SHA256
6cb1810d3ad0ed46f515aaa51c84f62d5bb14bdd91d0472e4c543f1c01eb0885

SHA512
cf5df35829ce036e421d104015da19b0702dfa64d897f945feac829298a9ef43444edcfed8cda2714d44165c7adaff7e0f9c7e03e87aef6c40cb426821cb32ed

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
43KB

MD5
66078f4a2c2070132127253a2a6bd761

SHA1
272d3cbb6daecfbf67e61a4522509450e3bed734

SHA256
8704a099aea55f7fb9d5ca39979847e250e62b7afc61eb226f45517acd62fb2e

SHA512
12983f4ef48eda477ba57a6e190740ed27cb1dc46ece72830991e87e3c7a0185c465aa6f7e68beb8d1df192682d12cb51c24c55d1d89cd5f06d103a238c71c34

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
71KB

MD5
9d7ec79ba1f724545d1500addfa3461b

SHA1
125c6a61886bab42e86611e48b32fb1430c43483

SHA256
20d6156ea96586863b2230676f6e1cf15ccd6dc1ccea483b32acad285ea0cd72

SHA512
711bf33332e6cc42eb80a4227e3b8743a29d1cfd2930a62e5c315e29b6757bb5e9ccef360bd614e06d085020f99b0eac8a5e3a9523e84d951d3bc13157834388

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
9eb2d854c19e1247d25257471c4f8c76

SHA1
de76f7dc667e65ca9ce7f6cfcfd22fea4c627ac7

SHA256
5a04b20a9a67186a52f504c44c41718280f914fea653fb1399ec8a3229fd3460

SHA512
00620417af4bd2553da4bfb3d6ab034d7ff0440e54f60bfb402583e2f47286b47a0c851af8c3f8818edad3341f65dc20898c93aa6ff89162ce55deac31a63257

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
38KB

MD5
8ebf7bfafc6fdca5dc599f2a9505a2b6

SHA1
9c4f12f80a446002f24687e21bb6a70a3f7c8810

SHA256
98dbe209a1681158b08bca21897d954ec504d1a8e85e21ab2779de0a52096369

SHA512
5ffd6c178e01c3b1f83b97cae20311b1b34a1e14ead98b59fe8004632f1b061b3380398f71564e6af76f15cc76b9a3b6395e4483175dc591520ab6fce7b37a64

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
645b5c5f16d9f3a7c0926a8792044945

SHA1
61d57e973f91b5f2a31bf9965675a32ae0c32429

SHA256
4461226708fdd7cad46cecbc6720c2fc4204cac973fc7605eee3031469c41dfa

SHA512
31aae7fba232221b7279fb7736e100c97878f3c2240170f8db1ab80259947fa168a430aff69c3c2f39af1492cb14497dedaffe1d7836ec371ca03a13553cd822

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
33KB

MD5
97466703ae1a221dab5334011c354e0b

SHA1
a85abd6eb1b5f5fd5a178e70f64f14d37e626cd2

SHA256
d4e4f431c4e77d674643c938ec8cb0a85969eedcf1ea0adc2382da021f460e90

SHA512
9bac1014741d92bb9efb43e157ef2c84bba925ee58ea775d960302c5e099e2f7fe55ff569d401f466cc1bf238ad180a3ec0d68725157587ce8783f0007eb7152

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1006KB

MD5
6277fbb1528704a02133a3b851b773c4

SHA1
f3a8c372b6b38b24dd1acef313aa8ba76b63fff3

SHA256
f792f2b48212c0496997b4480ebf473f09c714c452334b62020e3f355fe867b8

SHA512
73ab245ef1056b3316896ef794a27b9d0751dc69acd707e7517af72beaf8129a504e2caa6a33e2fad3eb1a7f556f9b32698f0c813153b67e7cffdf7125fd0ba7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
45KB

MD5
dae2e083b81a21a2641b13b40f452071

SHA1
88637f535c761d52ebe17f3c453b1af4ff663bf7

SHA256
b9626b71ebb8f393ac7c2609c9cef3e66fab6a8c194071662f56b5d7cddc24fa

SHA512
a49ef3ebbe68e70ef65ab73527e01d04f7a501a5d839a205b4957c42cc3eabfdab0a43f530e39cf4de6e0a82a6472f1654d3d0446105095cc5bc4e6ff9d9a135

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
138KB

MD5
839e6b02dd49ea913dcc37c198cf256a

SHA1
23638bdef4203bd574c3d1480c0458399d365d2e

SHA256
a26d66d104ff3648acfbb2910a909e74125461df4095a3b68c18b91dbe23d94c

SHA512
3aab66bfab4486d2e560801de72cbc289e9088c5b2f4d4f5869f05250d8fe8c209f7e946bb0f8283e139a94cc1a1ec6d3b4d27f766fe179641dea195a1bf17d3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
734KB

MD5
be890961bd16b0a2ec849559705823a1

SHA1
19b81d14cb6ac6bf68dab30cd39a4c336237aa12

SHA256
3e5f0ffc994bef91335d49e65b35f879a3cece36a0c0406bd2327d29894bd85b

SHA512
c33eb8b198853aac8dd52ea7e6f958507a654065751076c675e9bc65f7593317bc3094746ccfc16f5be0d9c44f17bd74881c8c77a94be066296d12cbca3a4803

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
31686623d70c0e88d80a701588dd417f

SHA1
8246ad492d79453ab8a35425a1b045372a226b88

SHA256
a4a0b955f937cfc42e1b38a53bcd3e3b7d3dc6a44f6eb33e536b27b0cdc33f73

SHA512
a0e0b46760a55341401d2b52b09f3042eceb9d61fddec9077da3623a0291bcd69557353ff87c442b6373f8a63d8efa2ccd22c8fcc64e58e0eb8e5474331e6a45

Download Submit
\Windows\System32\dllhost.exe

Filesize
21KB

MD5
94559224e7935ce59c8eeeb2d3c71539

SHA1
1ee83218499eeb1086eb97614765849295772f11

SHA256
7cc79311181fc913442b5c9fbec0641e7c690658d217d42b24bd555cadf49e7c

SHA512
95684f55887da826129e590729053d196b422152f3928241ff5460e51434a96306819e28192747d1a6e392ca6a2f04c9039e3978ff986c2b375cde045a4c690e

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
173KB

MD5
a929c2a5da00bb2f4537dfb6a512bd26

SHA1
d7215f0cbee985cda98a5233676a1146564eb634

SHA256
5f73af8883442d0a630f03b02ecc10ce7e71aa84bdd682aa7f8d6f676ae53ceb

SHA512
e71d784c99e08cc7a00a3bee142f168431106a220df4354ea8cad84cce944135026af6b225cf64aec775daefaee51500369d3e66039a233b27e0fd2a6b098c2b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
73KB

MD5
20b20d9f8fa4af3ce21a88a825e95632

SHA1
b094eddb8b4d736ead6a043cea328d7f368b49cc

SHA256
9b66d53f925e257f6e829ed7490435d3e6f8e47dfc509b211cc7fb070bedd48c

SHA512
f0a9fb1f8acc1c450cd08c2619024c4ce4567a6a1ad4559df7e3848d899f5eff1010db1499ff46ffe581b1ca087e04b537eb47a3ebb9b0b34a9da843aaff110d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
68KB

MD5
457db9d7a89aa546dc170534cb65f582

SHA1
2055404429c4268a4e80fd95ac25e7db831b8c7d

SHA256
f7beb80be2a9904281afcb86d1f146a825479e684b497c9db65971434b8ec7e7

SHA512
17f1c3e2f55868a38476454beed47fda3229f607c547a4419d2ae7f8f68dde1026f363319188077c7281dd2bfaefe23fbb6a04c6838a138f0e74b40e62c06203

Download Submit
memory/1364-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1364-8-0x0000000001CE0000-0x0000000001D40000-memory.dmp

Filesize
384KB

Download
memory/1364-141-0x0000000001CE0000-0x0000000001D40000-memory.dmp

Filesize
384KB

Download
memory/1364-7-0x0000000001CE0000-0x0000000001D40000-memory.dmp

Filesize
384KB

Download
memory/1364-75-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1364-0-0x0000000001CE0000-0x0000000001D40000-memory.dmp

Filesize
384KB

Download
memory/1364-140-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1440-203-0x000000002E000000-0x000000002E24C000-memory.dmp

Filesize
2.3MB

Download
memory/1560-158-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1560-91-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1560-84-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1560-102-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1560-101-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1560-110-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1560-85-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1576-357-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1576-328-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1576-241-0x0000000073CE8000-0x0000000073CFD000-memory.dmp

Filesize
84KB

Download
memory/1576-214-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1576-211-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1576-201-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1580-115-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1580-207-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1580-121-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1580-114-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1916-197-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1916-175-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1916-183-0x0000000000CB0000-0x0000000000D17000-memory.dmp

Filesize
412KB

Download
memory/1916-233-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1916-235-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-191-0x0000000140000000-0x0000000140261000-memory.dmp

Filesize
2.4MB

Download
memory/1948-190-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1948-172-0x0000000140000000-0x0000000140261000-memory.dmp

Filesize
2.4MB

Download
memory/1948-185-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1980-60-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1980-59-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1980-66-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1980-127-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/2028-294-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2028-307-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-180-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2160-107-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2160-99-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2340-347-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/2340-361-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2416-152-0x0000000100000000-0x000000010022C000-memory.dmp

Filesize
2.2MB

Download
memory/2416-159-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2416-240-0x0000000100000000-0x000000010022C000-memory.dmp

Filesize
2.2MB

Download
memory/2608-37-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/2608-31-0x0000000010000000-0x0000000010236000-memory.dmp

Filesize
2.2MB

Download
memory/2608-32-0x00000000003D0000-0x0000000000437000-memory.dmp

Filesize
412KB

Download
memory/2608-57-0x0000000010000000-0x0000000010236000-memory.dmp

Filesize
2.2MB

Download
memory/2652-77-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2652-46-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2720-15-0x0000000100000000-0x000000010023B000-memory.dmp

Filesize
2.2MB

Download
memory/2720-14-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2720-22-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2720-93-0x0000000100000000-0x000000010023B000-memory.dmp

Filesize
2.2MB

Download
memory/2812-245-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-302-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-232-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2812-268-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/2812-226-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/2884-78-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2976-28-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2976-109-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3004-142-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3004-126-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/3004-146-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/3008-205-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/3008-330-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/3008-231-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-208-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-223-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/3008-344-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/3008-138-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/3008-135-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-143-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download