2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af

Analysis

max time kernel
20s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
Size

1.8MB
MD5

e6b5624871d6a7f5b10caaa8188bbbd0
SHA1

84c97f87f5412d3aba727501b5f71c34d76b72b6
SHA256

2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af
SHA512

e2d496802f96cb27fac0f2e507c22570cc473d6daa1ce999bfe94d5ca3080d53df785d87382ca8bad4ea46c081432034b209e983e3d21505b05a6d7bab9bb547
SSDEEP

49152:nx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAOgDUYmvFur31yAipQCtXxc0H:nvbjVkjjCAzJ4U7dG1yfpVBlH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
468	Process not Found
2516	alg.exe
2976	aspnet_state.exe
2640	mscorsvw.exe
1984	mscorsvw.exe
2740	mscorsvw.exe
2380	mscorsvw.exe
1140	dllhost.exe
2724	ehRecvr.exe
1144	ehsched.exe
1684	elevation_service.exe

Loads dropped DLL 5 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\665b39f87df8f25a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7464AA71-489E-48FB-8270-A146762C9BEF}.crmlog	dllhost.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7464AA71-489E-48FB-8270-A146762C9BEF}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2164	2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: 33	1052	EhTray.exe
Token: SeIncBasePriorityPrivilege	1052	EhTray.exe
Token: SeShutdownPrivilege	2380	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe
"C:\Users\Admin\AppData\Local\Temp\2352d85c2a3856c3a79d141d0a52de062816f79dd5b6d6c22e12d3173401b8af.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 22c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1204

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1140

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2724

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:280

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:1484

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2404

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2684

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2752

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2348

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1692
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:1776
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
31KB

MD5
a62e5a2a0ec028eea59998dca42297d0

SHA1
923c347094a9ace064a713db7cfd753c3f4156c7

SHA256
0ccd8ddcf21398671e92de708a4d490fb0b63295bd876a9aa1fe0f1b451c78ba

SHA512
67c69ce16c9761fefc81d858fb672913fd956df9936df2225a2364571ad046617c3b1564975ea2be5a97734639f09e25c70d32b132644d80ae9c0199d49b0d16

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.5MB

MD5
b6d6b9d4cc99c77c1e4cb850a17c8738

SHA1
e0d909eea4a62082714c8370ab5406a8aa13df14

SHA256
a9b1238b87f3c40781a0d44921f002684756601b25ac1fe79ccbac655320e0ec

SHA512
5c0bf333e38df9bb8662e7d9ca79a66b0b5afa506b60f223108f0575aedf0d22a8b708eb0c8783910ef93ca9387667ee2dad3818edc1ba7616771130029f63be

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
477bc8254ab1860765359433ffe9f72e

SHA1
45808d0a1754ea8d2c99a913d447b06d81eff8a5

SHA256
a8556e0e1ba68f68a09db9e458b6e2532a723c3917abf01945f3d1d711b1fcf5

SHA512
f89793c27acef695f0000847fbbbc7421bf8992fe79d837867471a95d23419878f5b3db6a7bb97a10e262a0d7e04071ea2188d1d70fc124fe6bc95ee71884e96

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6b043e11d40bfafa79e6a10934693dc3

SHA1
41219a2b8b3ee3eb6ba094bcb6c46958b4e6b6d5

SHA256
fad4af83cc110a78b461103f72ae20c2ada7c91f43bc6846cb982121c7bfa6a7

SHA512
1466541622e074a64f10bc51e5d115e24cc6666376fbf871a4539f470b18feb6f61d17c8cbd634b294b8305a7426a4a8d1f93da267918d9fc91ad4fee4094daf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
43e1353a9ca131a1acadd31925b83ead

SHA1
d7fb77f74d92f8f0e2165f9e63c19872b27940cd

SHA256
43901daeb9bec56b6eeb7cd4bf72cd54267e7f0df51d4f1e5e95458d3b8b4775

SHA512
1691aebeb3a53e5b74b5552fbffa0316d19aaa6770d5851610287aea5b9afa0b55c06e5a59f242f7430179f979bf71649e7c0251a79db6300ebde407bea8cb79

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
64KB

MD5
1ed5e8e999c56221993ca9806ae42cb5

SHA1
4ae0f0481cf87b8bdb82dbeb92b3b804e129a267

SHA256
69c36ac7c5dffaaec834a2eae58a14fa51dc64a1cf4603d63486d43e7109e0ac

SHA512
6fd9f5ba20618fd5662cd8bbb46d78576d19ca7846c95ef998c6027fef979bad85c5a7e43a615513b2dcc8965f1d17f9bde9fdf85ac7a3b1b8b1060e149c4f3b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e22937f6523c3010554a404022693de1

SHA1
414ab69ba4b2381a10e03f12985debe0271058a5

SHA256
7b6d64a7bae9880c6daa8cbe1771e2f63baa92c97a578dbef1f6479c4a55d0ae

SHA512
2946ec54226719225e153aa92f4b8fd3ced05ddc0ad5b9368ff5b310976c5f301af12d5bef4416123b9581b03dabb02749e7d96d966b5e011ae0669d8a68eb8d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
640KB

MD5
587c156ea2371b3bd56883fd041c07d5

SHA1
a4c39beac53653fd8aaa84707c5ebff40f5a56bf

SHA256
2f389823720d540b226fe592d8e3142e0c9308b06e874ac591d88286ac337a5a

SHA512
6a43d9f377d69df1ff1c91481ad44c5d947c5e4a5d68fd587f57c06a33d0bbfd1466638b85a4569487a8c5739e8294eba8312792f1db0d9f4819b0acdd4ef1a1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
2aeb32937c54d60a539694e701486247

SHA1
b49d72e908a6344ed39e68f17783c9fe6bb33df3

SHA256
394a57701309f02671d33d446e23bea0e0b53b982db96f8ee573e782ff4a3b85

SHA512
9370ee9622734c7af50be27e824f525537609f03be1e275dbe33783403b44944e11c5bc5700f6916c1ff32283190dbe428f8680d9c4096511eaf6b25d5404235

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
71e103c9050c06efb7b936693a474ff8

SHA1
1538e063b6edcfbefabe5b2959f950f05642e600

SHA256
a83dce17b5a2ededac1b56410e058c00ca07ded28978b6637dcbccc087f42a78

SHA512
dd855102a39fccef9ed8bc5af81864c552281007716791c4e6b26cf97c1d9cede988c8d2b9fd5a602c620f865cc6a44da1e1970228d9df600717fb53507dabc2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
82ea7a9fe12fabd5e2646f5e63208547

SHA1
9f3ba689007af85c4a207766b767e8ba13a3793e

SHA256
a2465a883d32b3e9c506a0d68e6c6104e316ebcea641c4856574470418b1f725

SHA512
b144c8d985ae291866767b296e3366ebfee8778ee514a9f19e90e6643330441b742064d92cdcd15d44cb37a29427e30c70ff11f31346b22e27472c75eb109901

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
73e1c1b18d1b49912660543c1c06dd12

SHA1
76ce29203dcb4450ec6e384c4f3d88a022ebd7cb

SHA256
319879286dff4686d896a774235b24d55a956e8c8185fc6055257b2a13eea27d

SHA512
e1bc5552cd16c949a7ca94b047ac61d58679e0e0ff92f1bbe93fdd28727ce63856325070aa6d3dee43bf37149bf3f0ee6f8052c99c4a2d9ad74c655088e96557

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
576KB

MD5
3f990810cb8ff3e4077994fe217d2853

SHA1
209024d341f1f2f53361e69d7fb91440258fe634

SHA256
bf89bdee131e1bb9544ca697b97aa2c415f35818860947ff434054a3368e2f14

SHA512
ef4dc7a6e9fe4670db11e6a1dd76366bd79c4c7e54751e7e05dd77ca2f3b9d65d9aea47aaa9daa57edda97a523781f3dd6373428d77f3c6fcb775dcaa2343d07

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
c4a505350455c8cd75ed707f6faac37c

SHA1
f72091a8005ec824d2c3f97b5799ee6fd4098753

SHA256
a79a6d498b2e78a677df9112e11f23634fa62022b427a1fdd3036cbf2f46ed1b

SHA512
59661127b5431f1b8565018d4fee08bc181a0aefb51c276b169d26a4768d8c504b4d2cfd5fdfcf22c7d092ac014966d6020c57400b3cc5764dbe6c050c1d00af

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
a43fbde48a348b5634ab2b6e3758cc3a

SHA1
3c1f4d2f8cdc54a0099d42c18d2c4f8371576c22

SHA256
d5fdf7a5df6365e6cf013e286cc0acae635fc00e4c1b61c00b5032984ae40b02

SHA512
5a592a2d08b57457d44795340de887e99ccabde98f247297b2d45932ab1b913f3dd7d419496c4a490af3596875286ce2ae1db62bede9edbf6ca2427fe19cb144

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
e3a69803f5acadf64c7e615f8d1b05a6

SHA1
174eb065ea0651c30b3bd9952b26506e0d8d3e50

SHA256
358479b646e3fcfbe012d1ded28920f90746bb014d3a5e548501771257a98774

SHA512
de351d0babd90f768947e74bfd5c9450e30dbd26da3e336895efb49d5aab5fc04dff8aade9f0aeeebda896ee8a2e44ead986e3106bd93cc0cb5dd89f53ded334

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
58e91b53a3e448b6c68929e6a7dc1cb2

SHA1
9d03a9d437174917fc26ba3a7119e38016ed6b8d

SHA256
83c769ec102892181c6c7ea90f6b60728d459eb525076211ba0e14495fe3ff46

SHA512
7f07f49017ff5319290f8248fbcdbc32e8566cdedfb7fc778a24e3a7d1851e65172d94370af277b811e46655e18701d5e3524ded9a9652cb959d6cd38ae729c0

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
256KB

MD5
c746536a95c74d21ee21f569a5ed94c3

SHA1
bcdf3c4ba01310b729f63a6256e4e12a508d8888

SHA256
86c3aa6fc78e5bd33fcd096f70a9d0205472cd5b368b90dc520ee83f2e21d197

SHA512
56b218c0842d853fbe96078026999575b7e969dc85331e359177a9ec9b24e04371abce4f3b6887bbdce0711dbcbd463070293bfead4ca42b191dd9f6f3eecab8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
384KB

MD5
c1ad10084f195f219d0aa2f589bda7a3

SHA1
10bfe81039790b74b1a89f7d7c73c5352a449845

SHA256
52af25f6c1d65492c28216c24a5f15c116f7e72f8e06aafecbec14eeb9b6cf29

SHA512
2ff6b7a5c975513c97cf63db010bc719cc7c82a0f35a44f9489566ba8e4b81a39c664efcaa1cfe1ee36f4de8aaeb0818f786c0c6ea46d0b986ccc7e2ab4c9efd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
7a49d947201e3a7679dc6d878f9d7e4c

SHA1
6727d40797a65fd465e0d9f4af96916bc163550d

SHA256
69c2aaab074fd16bac6260b9c6dc8e2c10b5fccad2f1acea56f3c5b5ce84d9c2

SHA512
19ed53fd8e30fcdce0b7055e5ad098d7f054b0b16f7eaa4f7ef835fcbc77e8b7e153fef64a284be9c1c58642e393f606c049d41c2871f2c5110549b525d3004c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
d8ab434ed41463fb39b52f1905517ef3

SHA1
a24716ae26a554e3cdc859d72d6fcbb7dd265c7b

SHA256
4bf0f80d1de7c358fb4338042997212471374ea809d7007cc89883c0ec89758b

SHA512
c9d213f6cf2dd8344e8adb1b9a415af6e144ff85e53fe7e65630ee011b753f11b360e310313630c10675a745d8ced9b21aa8702f8e5139fbf1d29e6cd21e46b5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.2MB

MD5
89d81f86511580921cde80c5687d84ee

SHA1
69b5977592845fd637a187972bbe1a44b3b39ef0

SHA256
d4e791cd9f35024f410d494a3c674e43ef488aaf6ec69869a4a95ed706395672

SHA512
8ca9672c5c29b827aa6101f2aae38300d8178f2e705629e9486504b586ff2556c960be59afc962a458d6cf3ae17eb2764933c9e7f8866d6707d662210f0635e9

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
acf8c7b4812d37b25a7050ffd52d1315

SHA1
627bd9332bf2032a9517d42643eb3951e47d316f

SHA256
d1a04854e8b41bf15a1e9d74fd9811a2f1280334feeb4e7022839083856e6426

SHA512
319fd0faa8b4a88a3a00284b7b9d1ecf0eca3dd7fba5b97e3bdd82ba268dbb5f6044cee2bbd3989305d6b2fff362cf8c6b2a60a3f5416073daeff6ab6c45ec93

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
128KB

MD5
391723f7f27af5febfbe771a20eedfc0

SHA1
cd83975f40343dd001877ac9344f038c85b2b429

SHA256
c965dff96525349bfd92cc5ab20a2ace0bc373d2116465bc3f867e599c63435b

SHA512
f61b4d4a3c7b36ab9eefac870276bbd927b536a6f4a137d37bae43fcfb5ccc41e6d1fac32f84367dc277e56db7c8610645f7c5618611c0d686eb79068f52cfc0

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
832KB

MD5
72c8169ab9c86b75320b22b9f50f149d

SHA1
5d2615f0508108c52c252416c6365efcf4c62cbe

SHA256
988e967747812694f9c0f45f61d8d1820fee17f54bd3d29e04d9025faf4c5beb

SHA512
77fd40315c53649c3d123e1ab038261394d92a3bbefe268231903534025f5e5ba47ce721098be7401e4c87afe7f9bfbb992bd9f98078e72d3ea954f8e9658810

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
3996e73814573ca12dbf5bf8b8350795

SHA1
d2e9812cdcd8863a4ac5111a5e8c3de9eec8725a

SHA256
b5aebff33305cffa148f3eca323865d4d8a2c8c246488bc1579d01916160b3a7

SHA512
6729df7f2780dbd56e2c362a1fbda0b41099aec69d2f1deba99f620bba9f9e8e1c96f8f97636a8417e2181462c9faf77b167a24a2d1b673836ca983f6374dd6b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
4a0be1bff5312a2afc6302ae1db77bb9

SHA1
ef5caf6fc5330145bd4531e2bd16eae50c9e2a5e

SHA256
4dd825f02bc5040753536c7c187584d23e47cb127d7f4fa8e9b248bdb50c7c91

SHA512
ff97a206deb12b2f0204ae1683a355d1ff6241794eb98b30bdfb69d8b6c0582034140ea1cce965b6bf29b6bb83876371a90a85f3645984c9aacb1683b30c777d

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
67b552d3b6b8175e7df315413d6a59ee

SHA1
21f0cb9276eb1b18dee27e3d6cb3382245edb360

SHA256
3489d246e1eedfc58f90a35fa81a3e5558e84bc30a6d2dcde8a464c8b7492900

SHA512
b5c76a59a016365c561a798046ea7fd05faf8c2e12d6de42df5c37166e4fdab0f7a8ed1ac9c4e8ae72d51d0d06290912f0d633e24786723c01d928b08cf0f945

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
d75f437c9d31e80946178beff4ec619f

SHA1
a485ad09bf88f787768789b83585ef8efe39f756

SHA256
20545b8573ae16c29564ab6628df4c212172c82353f48c4aa5b32458e29d4ec6

SHA512
0fb3604fc7af61e572d9e2f3c306807138a399981b534857d3c15fa97bc8c6dbf6f2f8a0304e6ce60148caaa5c69828c9656e70f7147c86ad201098ec72c6ae8

Download Submit
\Windows\System32\msdtc.exe

Filesize
448KB

MD5
91f1405d71001466ac32ecf886ecdfdd

SHA1
a87a893799a06c4a87387b4bed2d089e1e51aaa9

SHA256
daaa1052771cf226edce9b63b7f6b0d1a0881dddfafdd7b7e42864f52aa3660b

SHA512
2698deaedaeea752b79e4e99877f308ea5ea3bf6b1eace71901d3fb32b8f8086aa1e40947f1f8df3e69c5bc812ffd4dc5fdc721b4c3c74a96db2faecc4936d15

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
1d1f6b04208e43c6b4cf7b76250f8a2f

SHA1
e26c99f23b7847e3963ef1490474edac542fdc0d

SHA256
8ad0f138589537a546f55092621770e6e161519032644746dc0597a7c849baa3

SHA512
45a3fbd5deb011be0957c7c3ca752ce94659f4251c46f163d4327df2898ef939177324184f4f70675e66dd9166750a2ce75d8acbc6dabffa3c7b9640c369835f

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
65d3932d5395272249202fe3642e489a

SHA1
3aaa707c75898c794715eb1d05bfab547c11233d

SHA256
47930f1704acd05292e4cb330f3a3c71f897c76730c83bebe03037d9e97dc1aa

SHA512
52d4e7750787cc1adef6c822124c975c256412271aedc5d579afbb7841ff36265c0f94a11a8b6b6d7c7738ea460564e15f4f34049faddae99082cbb8af75d0e1

Download Submit
\Windows\System32\wbengine.exe

Filesize
1.4MB

MD5
c60aba7f5844b54ce2114dbf61dec6b4

SHA1
78533904dc1ff161ee38b1ae372ddc5b451ae543

SHA256
d1a1a402fb2ab7fb5eaad690d8417bcd43bb2abe4c8bef0cd365ed6b11441f9d

SHA512
05612502643accfa89796a23ee701cb03a786f0ebf417a7142950f4293acbe05e51a4fd425cec01cc3e03fdf8b38131aec301e4783bbe803524230392dd49076

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
498e5103342fb06665a07ecf6f655a43

SHA1
a5ef5a352baa3d31ac84e927b267b70fee713eff

SHA256
93b97ddbb5bfed087939e9bc75ebbc02b123450243f168998841c9531d910989

SHA512
22daf9b26a550abf88a4f5f896764ea9a074208a9e295449568babf27de4397af64f69e2e311df597c236e0b95b6b788161301b3372a321511307bcb30fef00a

Download Submit
memory/280-298-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/280-169-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/280-178-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/852-295-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/928-340-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/928-200-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1140-108-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1140-116-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1140-177-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1140-111-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1144-137-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1144-148-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1144-204-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1204-352-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1204-358-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/1208-284-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1208-283-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1208-348-0x0000000074848000-0x000000007485D000-memory.dmp

Filesize
84KB

Download
memory/1484-199-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1484-196-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1540-349-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1540-350-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1684-161-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1684-153-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1684-286-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1760-353-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1760-360-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1984-51-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1984-52-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1984-58-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1984-86-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2092-274-0x000007FEF4C20000-0x000007FEF55BD000-memory.dmp

Filesize
9.6MB

Download
memory/2092-269-0x000007FEF4C20000-0x000007FEF55BD000-memory.dmp

Filesize
9.6MB

Download
memory/2092-271-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/2112-234-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2112-214-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2112-230-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2112-208-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2164-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2164-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2164-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2164-72-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2164-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2380-160-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2380-93-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2380-99-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2380-92-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2404-287-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2404-278-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2404-288-0x00000000003A0000-0x0000000000452000-memory.dmp

Filesize
712KB

Download
memory/2516-12-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2516-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2516-19-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2516-91-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2568-285-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2568-293-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2640-38-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/2640-43-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/2640-85-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2640-37-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2684-279-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2684-281-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2724-123-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2724-144-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2724-130-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2724-206-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2724-185-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2740-146-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2740-71-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/2740-78-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/2740-74-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2824-290-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2824-276-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2888-344-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2888-346-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/2976-109-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2976-25-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2976-26-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2976-33-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download