229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360

Analysis

max time kernel
7s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
Size

1.8MB
MD5

dede5d599abb26752596cae577ad86a7
SHA1

3e6eac4f7c38ff8af356577290cbd887ce92faaf
SHA256

229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360
SHA512

ae4bc4ee659b2e06add165633709004bf9d58591e6bb1216b5435ece2a0c99ad3b39b86ace78228e6c943320ebfec779aa5b2afc37241ee2d79acc0b7f6c82e1
SSDEEP

49152:Ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAK1DUg6J9wh6+w:OvbjVkjjCAzJhDU5J9ws+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
468	Process not Found
2524	alg.exe
2688	aspnet_state.exe
2708	mscorsvw.exe
2700	mscorsvw.exe
1784	mscorsvw.exe
2848	mscorsvw.exe
2784	ehRecvr.exe
2504	ehsched.exe
1684	elevation_service.exe

Loads dropped DLL 4 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\System32\alg.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\62a837f87df8f25a.bin	mscorsvw.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	620	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: 33	2796	EhTray.exe
Token: SeIncBasePriorityPrivilege	2796	EhTray.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
"C:\Users\Admin\AppData\Local\Temp\229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2708

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e0 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 184 -NGENProcess 20c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 258 -NGENProcess 23c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 374 -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3dc -NGENProcess 3e0 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2784

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:1980

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2300

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:1508

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1312

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1824

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:3016

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2244

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2612

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1768

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:328
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2756
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10003_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10003 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1872

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
5fd28438985a33d76163cfa279e94d4f

SHA1
ab87485a0def855fc890a8df27c75372f2cdef74

SHA256
850dec1a8df508ab529aeb198689283683acb03e856e7c73538c0215c6263104

SHA512
77efd29034af21a16dbf58389ce7c0d829bbc143b234e7372bba7514f874d34621a6a723073fa1376306bb3f243f301549777620198b353d03f3ed304e91e601

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
7aae268cb6ad8cc9e6dbf72fd31770df

SHA1
e8503a2d5d72e9a76793b8ebc4102d08e51cb93b

SHA256
fcf535470930dd0da6dc03d3e877199947b759f7f94aa5a8dc0e09afb7c49b8e

SHA512
90c6e487b6ac49f6cd80de0b333723ec48d0e8b1e138f6705808088e303e3642b8185b646fbef9bcdad3dc2c8093df679d9c59dda5f143217c1c16fe9700a753

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
2a3b3fdc0b1ec88d369a79dd74a1d667

SHA1
0abe6271931544f94480c2a96938f03bf64657bf

SHA256
6981513cab45edea759ccadf7d586e9e439e7a4001ff6a4d8cfff83692b2139e

SHA512
8f36d7a4427ebe33a20d289b6a0c4a619eb4468206a9ab21c471e7e6ecc22d3ef3015d11035d83b1e1938a787fa7c20417150dab6e8f9ce43f17dac9e7d33ff7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
7a6152325d3cf39ad8fa77ffa9cf9eb6

SHA1
1c83f4e9f6ddb393881f8d93febc366173f16abe

SHA256
f45a9249bdda02c227692216b67a8c4ec2a4db1380e09789680282d76ec4f474

SHA512
5d6634b9784ce0abb6b886261825433d17e5b9e337d74887ecc6b77c245b7371f42a0dec0e64fcec6aefc6a05e1eaf971cf6958700e9d3f2dc85f7edefb0416a

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
e4f551844fe8171b1e7b681a38303422

SHA1
f4b3785dc37b23e9765565941b50b65aa6cd0737

SHA256
74bc3e40fba3fc23710d88f538222e2eb7c43c7b21dbcf82e8a02745778113e8

SHA512
730ea7365a35ae341361781fbe1b087551f8d95777e4ae809587acf72046c4416b060017052a1d8d5c0dcae1da73d50b4f8a5526c59a98c530d6b4242f5092e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
8984566ce22a1d36c64ece67d2379539

SHA1
ef182406535070f68921c1617b6c0cb9cc601c25

SHA256
ad5057ea62982f584edbe38eee48e0f2a224a178dc105e686254132927b36ff0

SHA512
9a1c5184037f9b96c18c86fcd88399a4c332adab3552eada770beb3023ab69df642d8aed9732563054571c290762fa95914aab94b96839dce149602d0e12d20f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e19705d33dcc8c02ba943cc5c1f51934

SHA1
aee566ad70c2ca2b18bbb2a923638859a2733569

SHA256
c82d72083e345a070f43df44c6d675eb2d0a1ddce78b1591dd80ff4f94e72a68

SHA512
e3f1a8336d486124cf4ccb7eb07825848ca941fe2b292327b6afca488d7f3065f860da2fbd80044f45d9179f4c0576051088b641c40118536693fb8107f9a125

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b2ce537aae1aff9f47b9b80a356faec9

SHA1
173ae837c0438a5609fcea80976910a508841a94

SHA256
46dae12237ab882c4f741771228c46f2c2681e39c1d46c05a73fb895c3fb5c7d

SHA512
506702c5dd1063bd68c15bcd8dd3b8848f611dabadd26c6f135542630523d2ff7e2d9dcec1309b89049182c78199be60248ecf5540fae08dc29e723854add506

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4b6c946a8f959bd5d06a0abb463e3d55

SHA1
735f62eca29e82413e7fecef2e56f0d868acf138

SHA256
d5f1c6af04091e58ae2da25a3a01711757fffcaa3d6f1cf8d7de13b99da0d8b4

SHA512
025ef3c97990ccba99c21f2d8d843b20e3268ec1b83c57e59e2b3cb5ea3b3ef03d999b24f5db4d5aa5c515f18c64c37bc0e64a16f7b9cef883180d0e9d701616

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
49ba7f43626ec1bc18165d03a4af3417

SHA1
add69e0baca64444081a5fcb50267effebb82ec2

SHA256
9a8769a6e44ba4200ba8182cdc50923888bb5d14dcd72b43ddb87de1450ce3c3

SHA512
b5629c3a6bf821b3ebccba89ce72737e45cac6fa355d850d3ab2e93f9e144987284d956807e962687e3e2f684ad13938e2bdf6236dbe0fb16fc58ac86305230f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
687e55a76eb35447dfae189279422de5

SHA1
6d1b11619d20dec695c3d7c7c594e4b0baca5210

SHA256
8799bc15f16fe343c9bdd066aee5035ccf00950b65d1874dcde40c507363a7fd

SHA512
f627c4aa12708ec4534f73a63e164f90e63f8b806f417440b2945264fc3323a5b7c314a3165980b6ec8e746e69c4e6f7e3ce529a6644c4bce6ba9dec2fbfb175

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b21e2025e37fa04e08d09d95e1fbe820

SHA1
72bdf33167455bda7268d955bf76fdf89e8f304a

SHA256
be60b04f2a81c148c6b28a6689c5762c203437dc8e4a8994ddb8f726c30a6151

SHA512
1c7f25c100d5bee94341b779b7cb3b6da338e2e2bc2053e68c7f7baab2d8129d5beecdfaca0ab30c35692ddc9c927a30e1bc0049f47c737bb7f6bb9e2d22edd7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
e11bfd0f80287e4bef8b270927a52e35

SHA1
3777b86e937afc4296a9a32794625676d5b0bc93

SHA256
f4b78f0a5ae5fbb75759019c0c3f5243befc7e523e0af77cc71d01a4795aa477

SHA512
be8442bd826037b0180f302c7facd71adc5ac480ee08c6c986f203a63062cc9a107ec8fe2e5a06ff4608e3cde5487842827052d8b12d3326744eb8657f3bf22a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
e1559a95beaf769d76c9ffda7a1e4f1f

SHA1
c13ee4f1ac00e0320acca36c841462735700d6f2

SHA256
74b2220b25bfc7ff41e6af553ba5cee34b587b0010f26a9d365c6213992c5763

SHA512
d9d10a55cd9d3fe7d896930658aed7fa7fb4cf0d2ea8c3f68d48756c64465b3668dc7fd91140024965eb3c3d1f6e320ddc6b88021e80f8cf9db9e2352d9fd584

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
0ee1bb7e8c167b5c445a8285058e271b

SHA1
1715ebef64dbf82e1b555c935d9a6507eeb0b416

SHA256
fc9d0df8a56e4b21d3e7f475d15a9b039dd0b97be9c6887b63a1e94ee610831a

SHA512
461aaee2f2914813e03d24b486fab51d85bc7f01ab875bf7925e7ac5c773a70313e7b11d882f34ad38836bcda1716e0cb2683c5997878d265a19c58eea6c1d98

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
43f5c2dfbeb6e2bbd3b57c22f561b864

SHA1
afd25a46118ffb7034d7512f1f22706eef655f2f

SHA256
4084b7aef7ec6a83409f91c01b77018c6f3afef2cf2930d903ddcd55ff4f39b9

SHA512
8c758718c14d0d2f9ecb5d7473b216592ef36a9ef0f43ea7cc35e1335c67a7bbac68b89749c4b0fe06c1326abd222d5e7b99d971025500981aeda271b6385fed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2027da36df717882c31c6d088de3581c

SHA1
d1055db53586ff3686b06a2b53fa78859a89ad7f

SHA256
1a3fbc661f771358ba584f182bf15b71f1e0906660ad94c407e7d65a5dbb5a22

SHA512
647fb51d3516a8b0c4e65852a62e7f6a7afb3d9956ab6d6b91b4ba9fcc46716c9b0abae66957cf8eb1ea195389d4b4b25f9698ce42277a031a7d2f5289cb6ff9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\62a837f87df8f25a.bin

Filesize
12KB

MD5
a8924ac15c37f8f0f6ccf9a3e56e56f3

SHA1
3c1472158abca1275254b5cacb1017414f7f8314

SHA256
61c7ebb140195595b7df50407e5bc8185d6afaabe3f15c76c0880bee9f66dae7

SHA512
8e246118940d8a830dfb1eb75ce23575f3aff4830100f463b35639796e5e48d90263d466d53a4afdaab8cb29d2eec676b494c298b42bbfa6cbf05e4d3e0cf72c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
85979b397cb0c1324e02621cc6546aae

SHA1
b9ce11d4c0442eeedc614cadd8958ad828014095

SHA256
2afca3d2cde050004fa0eaec4f67c229b1d5e4fe3ce4de3f77faec040812269e

SHA512
9d28131a6d614ec025517cb5c939eb7c9158c213857ecb888bf010cf0c317333d8ab31b684fa56771021348a54338d7581f39468804e2724a905401659f0cd9a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
766db34e2fa0615c8aa5c54685e88371

SHA1
717e3d3f115588cc7db0e9c54cd0f0df5e1e9538

SHA256
2e1394b3566e9910eb81c60788c55d7a7fc23edc3b1e9a2c632bb7e4745f172d

SHA512
ad8099c968211df7d9bd8d1a9c5911ebef42bd11f0ebd67a0f943df43939d3ed0156547349eb7f6e8305b4d8a3e4676a2530b2b64c217b3aa6a8f0061d0eebfb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
ca210e8605e59bf1aba2424ed0d6f5d2

SHA1
f1ee8b0c9857585088d8aa2b3594dd6ba133e44f

SHA256
5b285b2834dce799db6597eafadeda70b16367a9418e0970b63ab54e5c0626d7

SHA512
5c476ce6d768003aaf6bdc0fdf9dee4f3637eae21c8b19db99cefe8a02dff48e2ce54b6942b1a59798a10eee57dc8b4b43ba6b3d79cca545799f785c72f0dea1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
98275a15e7a594298c08d7ee69bd7453

SHA1
ded246fb15f8261f4b0c3c8bec21885ad897f723

SHA256
a66c1cea2ab40b451a56cbad296afb7ac659f2e7c74cd6efed13bf3f361b65cf

SHA512
0122130b970a6e9df47d4d67ff1a28e4894e6d53b84e491c5bc0f25324cb08bda6e3bf8acf85a53b35a47c328815c8805a5307fd3d0e77feadf8bde9cbe6456a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
07e828683406ec0d57dbff35dfa3f3cb

SHA1
1d48996592ab5ef87ffb337d0b442a356fc8bd30

SHA256
d6f106a5917784ff8047c7b4ba550dc1b6293209a4528a5c3d0aec6c77573726

SHA512
653df4cc34f8738ff7e186b8c6767e6bda0ed4e07d6875e57e6f8ee55ff0927d05321e6066a1cc91c4b40d8db57662a5b4dc6029d10f7ef1f6b9a5bc909f7d4b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
55a9379b90c92039853c1d9b5c479128

SHA1
6c2b9057fabbb322b789347d826979c60952b4ff

SHA256
1b794faf4e08018021085f3b7e43f9422cc7fdfee64872c6da7e0e4d5acb85d1

SHA512
fd61588a7a1bd44e5df3927c4d53545c32986835ee286ed78c54c9eeab4f94f06ba2cbfc1bcd5d83d2d508503e76e01a0d40af74971f7b4cb81972efc960703f

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4dbc7fa741d7657b548551fe0c2d4ce7

SHA1
bb95a17fb28becb8923754471a77e348ea519f26

SHA256
f83ab0d436d89d11e9a6156cd0949086314bb2ae56dc56c47ec0095cc6b8c7f4

SHA512
d33044e2d8a0933f202661809f73288ad2e0c2414d482d5de80c24343fbfa34c84b5a9857bba4d15228ac1fe75e6036dc666f5e85c7b0e59c53e7eb23be57a21

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
8967b06c6b466e2fbdfe4245a32512ca

SHA1
a3100a92096348fac4f2afa0e49a80413657f44c

SHA256
fdd0b537ae4a687bd828e43628c4f9417b45a70126473eebd8f4f436c912367d

SHA512
c355952c89c81805bdcb40c647518adb9bc4e4318577820c04575bc9ebb888a8687e00922640dfa86a68c8cb00b7e51834f205409bf023b850d2ffc39cd2e3c5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d0c77fa998246c48d914222d94448052

SHA1
95b76652a8a888d2f0ffa863c38ebb46a622b1c0

SHA256
144e7319c4a9802c181f651de0dc56f8362f8285392bb144bb6f930473d3c0eb

SHA512
103da62dd77e40ddaf8b0edfd0a3b8341536b0463b3790ca2d5cecd87a132b463ed5ed03062c04d0700b86498c6d7775431021c0088522dab09262a9a507016b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
da89b2589d26f57edf508fd9fd3ced23

SHA1
fcd330cb45bdec6b291843b95f8bae885dedbf30

SHA256
0941f8d3ff0a3037854da1565bb6c8b9233ac9b2b2eaa6795a488e047c6e96e6

SHA512
e34a67e7f3d48cd1f255f282c4af8cbb561ae6115d2d08bc645fcaf7928debc250baae996af10ec9a8730dc968e35172e705daefaf47bb5aab87a267808926f8

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
f96cb30a05c1c3a30b2cb0619e98e250

SHA1
926e393c55df09ca1293bd3281f865b6530b28af

SHA256
b2a427c9fb57d2d59883fb3b84804de26644245a67570c860de1238eca6e4eb7

SHA512
3ecf5306a3e195da8b8beeab2c702b73652ffa83496c3814e0fb21549a0c230a02c6b5cc4c60d447cf9d9b193b954126cc14d72190a3b972c9a70dc26e382fd6

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
0d610ebde8434dd1bf0016398fad6529

SHA1
d68dce717ebf28f0a701c02a7d4830c7a4a76baa

SHA256
4a414dd06508a5df43d467a1384d44864f4f8edf19d2ba1f51b271172a2d092e

SHA512
d7d50b577610ccb7845e1b1a6cd74c14bf2d171dad3fcdfdffb96686d26978b2ae694b40e90c28c59d91d0e3cb77dba2bf64352581ca20b379b90889c2c96db1

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
64c7b6ffe9bbff1f8a5c1f85dac723a1

SHA1
d626826ea9631f642ac22a2bd81a8d4435b36d32

SHA256
7c28ecd7ae4235ec6044659c395457deccb60551ce9fd1a6b070cfc531a0e7af

SHA512
32284c878f886cedc6f9567f0fd81f5c88f0063d266d32c0c019461f032f43fe2dbafd0e61eb5e02f09dae5612bb2a32f70a07e3f2f18ba9e1816a2ad71475f5

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
ca7f260d0dbb3ed7ef78a387d4ab704c

SHA1
85f1716b8c5114e91f1098dc9fca162a198534eb

SHA256
a0ab5ceaab9e7b2ff5dab31a4c80888c0c8f1310d10134a43e431f223c65ca5e

SHA512
5b9f3fe81845fe26f7dfd34f3aa1df7f69dc3072451dd06077cbd270d105012772cdbf6783de132125563de7f697ba9ff7ed9af3a166671a13a2fff8a02f1713

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
e61e98773d69a7f6cce50992ce52048a

SHA1
a7d807c990dd166bd9d5f67696d813c8b332bad3

SHA256
6040548e902acc951c19b7583a76c82ec6d571e41de3582cfd334bc30fe6477b

SHA512
ee5ce78e5676494b0d59bb4afd368861a6b5ad3bcf39ca0357be9112644f9807bc3cd91b71dac2e8c2831b0a7d0c805e881bab80e888c37a3dbb8c6587d118f0

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
035c63b88a4ad1daeb43c3909cc933a7

SHA1
1155d383aef68aedd1b01fc6707588b200c076e0

SHA256
c6795f458afcc81e65238740e25730c41b6bcd9076e2ba0d91d634e620f3669e

SHA512
e05e5a64b6d6c4b9a3745df7595881c3d3d6efdc89d211f7bc4b86d353914978444f96e651b99a3094d72acfb6b1ec86e74999b273f2d0c02cd01a9ea6a4e18e

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
267c63cb6a35c6f308f462e7fd8c069d

SHA1
6c2ae628eeba0d7b4f6d5952a40a0ea61a193945

SHA256
e806b7ed0bd202ee258719d6fccf447f61f22245b3d88f03faec0c540dfab2fb

SHA512
a7972ff9fa038b103e57afdad2d1c32368af6462c81b20048c1ed21b7c563bead66b6f37403009dcc07d69d4733ed66675616df7eaa9a3067aa0bf2c7a0707e0

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
e850dcd0e524c2759f57ad4112f613d7

SHA1
f589e680a53dabf18ebd2bdb78b9056bed48d8f7

SHA256
de71c55e68220cc86978fb5c5ede03c28a9e87def098cb33bf150cff2a87aecd

SHA512
38e5c2665c1380f61319cd6608158b47a4ecf1d8ea81e67c9d60bc08a22647cd33de196c9cf6adf30dc269c4b01eef8015918eb66ad685e89528a5813ca197c4

Download Submit
memory/328-285-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/620-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/620-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/620-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/620-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/620-75-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/872-284-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/872-283-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/872-286-0x000007FEEFA10000-0x000007FEEFAAE000-memory.dmp

Filesize
632KB

Download
memory/988-152-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1312-131-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1312-143-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1312-144-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1312-137-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1508-122-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/1508-127-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/1508-148-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1684-182-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1684-113-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1684-105-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1684-106-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1784-49-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1784-118-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1784-50-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1784-43-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1784-44-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1824-208-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1824-161-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1824-162-0x00000000003D0000-0x0000000000482000-memory.dmp

Filesize
712KB

Download
memory/1980-119-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1980-193-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1992-231-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2244-197-0x00000000001F0000-0x0000000000257000-memory.dmp

Filesize
412KB

Download
memory/2244-188-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2244-282-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2300-146-0x0000000000CB0000-0x0000000000D30000-memory.dmp

Filesize
512KB

Download
memory/2300-151-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-145-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-234-0x0000000000CB0000-0x0000000000D30000-memory.dmp

Filesize
512KB

Download
memory/2300-195-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-206-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-200-0x0000000000CB0000-0x0000000000D30000-memory.dmp

Filesize
512KB

Download
memory/2492-216-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2504-91-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2504-164-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2504-88-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2504-96-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2524-89-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2524-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2536-214-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2536-281-0x0000000073240000-0x000000007392E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-223-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/2576-207-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2612-202-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2688-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2688-97-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2700-62-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2700-227-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2700-35-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2708-68-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2708-19-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2708-20-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2708-26-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2708-25-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2784-178-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2784-102-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2784-103-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2784-156-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2784-82-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2784-74-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2784-77-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2784-100-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2848-61-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2896-226-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2896-233-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2896-181-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2896-184-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2896-210-0x0000000074678000-0x000000007468D000-memory.dmp

Filesize
84KB

Download
memory/2896-175-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3016-165-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/3016-220-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download