ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0

Analysis

max time kernel
12s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
Size

706KB
MD5

e8b9b3b481dc2830f0b49b673becb85b
SHA1

65bdcbe0233bffd1bb40417cbd470160fead37b4
SHA256

ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0
SHA512

6a0376f7b773d5dde3fc566feb2d16b6ab541ae2e4d271f368ecc955ff09fd5e5c8c458ea5f5596e53bac8243cb72c5f835cf12daf25eaf9541af98604d8683d
SSDEEP

12288:KWiB+tmPr9SsFNHsyT1C2y7FdTuZoh1FW2qNcWVHH67QwE8iso:KWiBvPrcKNHsyT1C24RuZ01FW1cwWDF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
480	Process not Found
2516	alg.exe
2912	aspnet_state.exe
2408	mscorsvw.exe
1744	mscorsvw.exe
2656	mscorsvw.exe
1948	mscorsvw.exe
1264	ehRecvr.exe
1208	ehsched.exe
532	elevation_service.exe
2152	IEEtwCollector.exe
1496	GROOVE.EXE

Loads dropped DLL 5 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\773d7653bfe435d8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1888	ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe
Token: 33	656	EhTray.exe
Token: SeIncBasePriorityPrivilege	656	EhTray.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
"C:\Users\Admin\AppData\Local\Temp\ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1264

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:532

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2916

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2868

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:1572

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1752

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:1592

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2132

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1548

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2512
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:704

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
505ba4bb2bd2f52675c376c7204997c5

SHA1
861c9824edf300cf3956d6257633306b615fb9e6

SHA256
5fdda0f4b2d15f46ea685198be1d7b2aff86a5b50496ab0c6f4039a8d0a15c89

SHA512
dae2f8ac7f894fdab3dc5ca8e1c415ba3f20d358800338e961d5bced91fcfdc454b35cfb5a5997dd641bbc2837ee087fde8b789d63072911a149e05e6a77a81d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
5d22eb83a27d11f8bc0d68da336e461d

SHA1
e3d6a4b9f6f8733fe74a98ff73f4ae4ddda50b86

SHA256
73e0139dea2424c9ac1a3880652b6a2308ddda6f5c492bde5ff4e45622a68191

SHA512
677e837b39687ad5294670963a95b3ed9f64de38b4d588ecbd916975f26229e4410f443535b4b2831abb6f8b5bb64d7273576bfcea9992e24a752f21d61e481b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
2021cc4eefcbe0556905b77a995e6a23

SHA1
32ad5fcddfbdc1698e16627fafbdf8e9b45e5940

SHA256
b626255062c53c37626bcb2e44116671df01705fec84cbd9cca103926322ae36

SHA512
294ba092ffa660d19272feefcacf771b1c8cb3e1f08c859b118a532576dff49cdad313614b03bed78f0d0c636efeab2772d0af8508dfbb657117c0b0de319ec0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
07c260d886e0368ca87ab70f87caf585

SHA1
1d43949f57e8d0ff70ce777f8f3118eff4d3fb30

SHA256
12f164fd6eccc94b32e93474e32812f86cb72b14ae5bd1af3df45306eab5e8d6

SHA512
6d879272c07c003447aaa843e13ecfe4714942a6ea7e92b682d14b071f4a8e3a4bcb2683d6f481eb4091fd645eee48680d06346a14c5a9e6688cf9eff958ae35

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
c7662ec33bdb9514e201c7535b89437c

SHA1
c41176909eaabf1ea03d501001870b7232209f0d

SHA256
dec8e58c8a167e18bf39f2a116579949998116e16ee0c679d935211b095f6c9c

SHA512
b12871be1cb5d4d2f44c8a3b466098e2ac6c7f19ce9c6bc17c9b787797d865d65442ec2ae0cb362b35d44385f79c439396c00e96c65a7884a2e4577507c30f4a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
0dd3971b9f94e290c6f83ee89273c7ea

SHA1
416fbbfb86c591a04b98c0801cfb048ba0ed0a0e

SHA256
4ab204c776f9cff855311cd66a1f44f0138533672153f9f46843f7ca012856a4

SHA512
de5c920605bc932445037c4d78967bfc2bfb96d54c4b1a80fb7bb397a05b7ccd83c0b86194e1f72b236220344f81a5870fc1a73ba8bbd8c7d6e6502c9b70cd80

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
429b506867e13a4ad23c2a4053e47e43

SHA1
bbc642d06ffdb049de54b9a3f0f242e87352b000

SHA256
b7e271afed98dff5356b476ce1b28f67f39de832a34078eb5b6b88fd226b917a

SHA512
59eb14bc923b9ece0fe06d7182f448176b0603a3529ae8c58331de8ebc6828254a2e3b216931f3ae9b4ba40766ac5fc9944a4f4ef8bd51268b9fa4eb72b834d3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
04d266179daa051486ef6e5e54be6a88

SHA1
26380a70a88242b08607cd13fa959a1daf34a6c2

SHA256
78818682adc788771c1fa7d95b0cc2e04f110d23060e4a09b8441d0608528735

SHA512
fce78449d1320bda40de3d91d6bfbe2707ef4328a09241a96c5fc1fc1dcfc411d12b0d2b7ca9b147a20bb2cb868fdb7ad441b788a215a2ab1450f5172399f027

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d81fb3aca453f4a28d3ee5a0671c4d19

SHA1
2996339e6fcf3ab34ca96c852216e4f252289d2f

SHA256
bba6cf7bb6c9dfcd2687230ee1dec5b2766607c0086c0b2582b5fd12b5e45cb9

SHA512
884fb5501bf48fa5e4686ee2f06a434d7319eba828cf3b1e601c7103961ae178f898e113553213f5e1be3709ee0c98144c79971928dd78b16ab1b77241267ce2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e0df5c270635702dd5791281110b1b1a

SHA1
b68fcc490b83c21889a685e53580de23a1589219

SHA256
6f6634c593c3d92f39998f80324bfe87b2addb2a45a188114910fdb761c55285

SHA512
c8f7ba3fce34b6d8006edcd343bdc6316083d562f07f4b031360a091f5dc15e17248f2cc6c9325526d8d3576a29ffe21e28ba360f5adfdd93ceffe9b6923cee6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b81e6a914a0ffbb0e6df3f0df5cfb510

SHA1
6d21be2097e63a01602074149d15fde57483545b

SHA256
05aafe9141c3ee6c90b21cdaa5e3ff3be4bcbd11c707d0c08886591b4ce77d2a

SHA512
239494b8c9cec6f29f5e98a92e07458b0dc84da91134aca04b6990344e3aad0af2f53f7466e661aec8252c26af26e8dbaa57f3cc669e5bdc3037f442eae73df9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6e09b212790765de32b0ac978a4b91de

SHA1
457a7942b3fc1de16b82c4c2fe0fa3253664aeca

SHA256
cd457560e328d4bf847c2ca4e7be8b2d8c155a7c40fee3669389a4349e9bb8cb

SHA512
3b0938fd995d87aea1ce578d4a1efa1e4e9bcb523ddcfd36625911eaaa5745dc9e21eeb8e94160cb78ba0056a65f27b33b41de640f49e96824ca5a68248450bb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
567cef2c3a396e3544709b04c712e06e

SHA1
db363c3e6f2ce6689dafc864453b703415b49d0d

SHA256
b20eb207951531b6c18e9e16d368c0c254c19e45f3b2104c8502f28ed9feb0ca

SHA512
a6970b68d2471ead3c46097ae1a17c9f511eee8fdd7070361bc16d31961a26e0d7c23533fa4fd1062eadbe75b4dcecc556798a93d9805e666b42de136eb7f30d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6532a38d18d697532e730648be79ac1f

SHA1
ca5cef1a8f65b7230b9341ff07246718522c0f4b

SHA256
dc45da4488b8f1c9570264f0aba6a90241dc5dbebb06c333a08cfd6f6808d675

SHA512
fff904b838a93500b1c393277cc4a9e3aab1017f0d8b5e4516676860cd0569e9fe7aada30570f7448b7ae4d336f6e655923eb4f841436efb479155a7ccb142f5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
86f9ea1f543ed9ad5c957988a75bfca9

SHA1
cf70699e5d2d14385b9e194ed8e4d97ae9fae718

SHA256
fc48be2f19f2a58f4628ceed62e509aa14a84cfef15a9f3170e85202c9f96001

SHA512
24066285e1fa84bf59b0a4a6757660c102451a525edf057c28415f43f7abec2fde2b30346a661e19fdc4f83468c85ee43db80a196b2ed452b58e259f53984b94

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
a063ea31ae70fd6b3cd6f8235916e1f6

SHA1
80b3d829eeff13807a78d148a204e3ab989e59f5

SHA256
42af7362d4b066eedc1377113e907597c4bc734508387fa42bdbadcb646b22e0

SHA512
9fe46e9d9aa031fd6f6ec5d24c4171bcdec2313a4cd023ea46726589273918d1cfc5e89f9cc5cd0ad5c0445e346be523efeffad4999bcb3ec5a8859a5ffa0ca8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9580608a2aa05801b0fddc4218ca4be2

SHA1
6674a73ac37bea5320c4a247846dd3bfbca7a5a2

SHA256
ef53ffb945ab6638868adaff56861203abea97241cd7d058d34381033a97312c

SHA512
7aea6a4ad155d66159b4d32e2890fd57c78d39075169cf6eb17d179558fe91573d7b4a6180d998cdacbb51ce0966cc80aff9c3d76d06a543958a012af0e2fd1f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
de82aa90bf9e99741388299138fa9650

SHA1
49ab2170cce2ab92c8cdf1732825c8b9f47a550d

SHA256
1a6c845708e1a073d2655a25f469cbbeef4f313beed5bd432f512715ca998017

SHA512
a03bbf34acfd927b5fcba7690dadf3ae5e44404b5b9d5a3796a1667b59b931c925516207efbdbe11366d5b5bc06777db3ab7a305c267adb0dd566a5b8af51c1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
ad5e5ce22e61d998893559a0b04025fb

SHA1
8eb4edba9473fc890b7163101113f61d33f19d92

SHA256
9fb9b243aafb469bddc889f5a6634b6ef5d2b25bd0f16c3b893b13091a9c6b9d

SHA512
d67369e9342d46b6ec9a64ec40280139c6187a6d94001db2ce427941de75a9b0c917cfcaa988747e7de639ef22eae2d438a2ef3f275181948d0da9765357d2ab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9fee83ec722dba4f2b3a02a35a9ef4c0

SHA1
89e9c7091d80aaaaec2a2997c8a50ece4ebb2d42

SHA256
84bab0bb071f50a8356b19ebefb19c2f1e40bd9f5651eb33334feea56ccd7423

SHA512
589c64574ddd54c6615583b9f2c5b50a55828296b48664e3f0700eddbc24878352a633b65acfdfa3b3f304a0ce169bf8760ebef5b9500482590392840e1f877d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
41ca6b00e1b514ed06670bef1af2d720

SHA1
6da1aba9b1b5f84ec610b97f9dfc17abf007c882

SHA256
274962584c45d8dd62f806f63fb02a00e51b9431f6b903ee02c4abb4b2139b61

SHA512
60a163f1492b5d30d0171c835c52d6693da8192edee258c12e7ba323b59826794a658728265935829d882f12363e12f9bd9d50d328298b248375052c1d8077d1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
11326563abb2954b3288023621282d08

SHA1
cc9f9fe56f97796723fb7d5e783be48cde895f5f

SHA256
428d78014240b3d0910e01e0ba6a1ca25e92fe949aa95c2051be27e2d7f8c85f

SHA512
5cb9749846a6de6e55c5126d212fdfdf51e74f47bf8a1e816ab902ccc25daf741fbdec8389a0e3fa58515e74537158368b564a3be5b7a91da9dd2bcd8b7dc8bc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
aa79c3e46af5aad8173338a62ca465e4

SHA1
042c0de065f2c24d000eb2c46c1666365e6ccaf0

SHA256
25fd180e1e7a6095c9af7bbfde538ae071535a53983b8e1690a2d1922348ef7d

SHA512
0cd167e4990dc7f8d34c9cb4ca3c7aa4bec2927242fdb72e77c60a5179dca24b9a25bf0883663e83dc95d7cfeeb118fffd64f6083035af67cfd83e91bee54ad1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
54e1e48b67856d495a1daefdcda79165

SHA1
e8f36270c0240ca91cd7026a7549fdd714c302a6

SHA256
8d6f73bb762ba0c8ef5e274eec93071487c3a027f39aed288ced07ec77646be4

SHA512
8c6192f3eef5638a2a26d81f172ec70de8e8952aa60ef20612050d111e1b3cd7e33f9c4f962047dbe136421651bae8957d1defa774ec834116eacf468d116532

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
c74397f9592f70d33102474eb459417f

SHA1
481f2736a96757e6baa7dc4eb24388eec17f33d3

SHA256
0a3d909a72839ba3fac08455c80f187f40f276154fffd918d6b171fe05b16a03

SHA512
123124a242172be8758f10179dbebdbb0e16ef442548e2f3c083d6d5252eaf6823f60970096ebf4e112fbe7bbd64c21e4c9f6073ed2c556277ceb9f233b6132e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
e839e0d8a8521df9ce1e5dd73109e0d7

SHA1
d84c9bc8b6d86a063641abc8833117db02154933

SHA256
5b0b83923e3f2507e1b4b48336f73e6f35a4d5bf2fd3733fa0f698f3d8f7ea67

SHA512
6cc749e1ea70e1d14ca4972010c712d0f9715f303c1405fe0fd13f13a1fb6909770b77a4ab3e2b8823a6e1e74a5054f20dac96ab9d72e609745fa4942f4de969

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
9ba785e172206815f20444143bde02f7

SHA1
07eec7ffbf43e9e9fe632e6b7dcde15c9c45508a

SHA256
cd13249a22935d5e2465d30d8dfc297549c1226ab0a3b8a6937b6b7cb89c37ae

SHA512
58c4f1f5c54daff20bc490355e7f2113d0c22be927f71d31b149b13a8e2db6597779ee161762192a496c9dbf108f3d3bd3eb920afb1c9b30620a2d476a77264e

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3f113043017deb08b7f6c66b6f009f67

SHA1
ced261158182277e1519bb2acaf276c3a2469b10

SHA256
47d66840f6ec751b8d6380b121871eb48c8fae08ed60ed8416055125e1ef65aa

SHA512
9e975761c045ea17a94880b574dee918cbdbf6a706357c57cf123df17db67f58dcc0a09155a3283f5488a1ac35fef54ce2d7431c7b3069c7dbe6897707305030

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3f50aa6fca8443adf5e4e55fb56c1ee1

SHA1
62e785eeb358fa449a2267a142c353753d2bbe48

SHA256
ade91806afcb98f549679e704f52b655f52a7d9ff04d8b58f0c92f58406f5375

SHA512
e7b7173ae9ce16a2cca0cf5f581b42c60ff17f7b2137b75d69b8ba4896bba2eb5a4c67413f48126a3fed28e4c3a29c9314fb8f0e97c152f21c5393d78a0cdb16

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
f77ee7167a9973c0030c315048dd10e2

SHA1
af3f734f021aad924ed2cac269fa6f0a52c93c57

SHA256
67dd93970ed247f46a1a75215b49fa0e7ec1e2f3831aba22bbaddd4134c2d7a7

SHA512
e35ecf4209541715318d047c73ab21fb0b8639a5de69680a5fd1274346c6af3af763b3abeb5c4a7b7d778c7a5873cb9043386a109806507b27d6eaad231e02dc

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
73a7c28ff218d363f08e18e55cb49a99

SHA1
1a4bb98e18750384a8dba49888863dfb1fd71f1f

SHA256
07f0b00fc9ffec65acf7bc6ed8815f4b8b2012ba2daefef64f087ad2ed04aa9d

SHA512
47b67e6b5ab520b617d689ed49a946e8536fa93e0c837e2339e660e088cc4b859a5075eb704d47225bca94d8e402af919279930134b83ead6af048f2e0915583

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
fe4dbcd3d6a66691a38c3a1cb43e9023

SHA1
f18e14d35b55539b7f5209af06a72041de159fe0

SHA256
74ca5067ebc4eee2b904c6d2e5841c651cdd743eb5510d0c5d6c222f76ed8943

SHA512
bf1fe8bd7b849db65aa4c07df89cb0b961d60b3c03baf30d68bce94c81ff6ab7ae77c8d940a576684ec8f3fa5097c6627092d267b8b8eba3f1d4d7c3e6c4f912

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
c52a78bd2a467e3a1919960c8b2ba6fd

SHA1
2a04f25707b0c2c26f08c62537a4ca6d6e3d6edb

SHA256
e1782d220e725238dd2292ddce19dd8bdf94d2a379b30456204a191c3bec006e

SHA512
445207a06be2e9da013c3b2f36079356800cfb75bf14b717a430a35fc50591b9dee1bc5a7587ff3f26843d1e6efa2b2b5bfc92eff7ef91212246350293a7578c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
0c4a32fca83a7d53a2c7fa33d3da54f4

SHA1
20ee519ff1ea79bc325f55d503cdd7d51e163cbb

SHA256
94db515e87c7871d4e172acc98e7d0427d1cd4882fa7be092c5e1f18f905043a

SHA512
925ee72eb8e44f0aafc59a6e81ba5803a4c0c25d65ba2e55c12c80a39a64a88216ea0f9c0ec8f1991da94aa3a30bb5fc02507ba6328ab1efe346e348e320da6a

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
fd7953a3a2cde5e783f72f6b90a91f41

SHA1
d8f55751c4a047a6ae1f43d1ebcadbde2e54a37d

SHA256
fa277f2db903f41717964030545f09e04a2dba6c1f921ca7797d58f2735a3bbe

SHA512
98a6a80bc92e46bb3a93c4a8cc1d2fb043da9142797dc31884d1230b037f628f42ea77e3fa04c370128dc0fcb96dd1c5b6f3ab5a7cb11e17a6edcef0a66167a8

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
d87b7806baf843930d0bcc885ca528b6

SHA1
94e2be405cc82d352c18ae8822fbfa67e63ff420

SHA256
15468667a53fbf7d3bd3692a4ac91dacb1d2c88a1750aa847cb1b12b2a6dd748

SHA512
4181b766e05dbcf1a28753f9a7d838b53fd361a223f1d030819b822593c120c5474685104d47e228674b5736fa1af1d71c1edce2b496665092f14c2d79c05b83

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
f95a4a618f58ab8fb4f80023d0443a02

SHA1
0014d274d6d0f6bd579aee30d946971925f94365

SHA256
58b2af540db19b4c720738bf7f046963f36a7f430ed443a6d0d67c23b70abf6a

SHA512
fd1df8f398a89be177f194492dfba52c1eb38e0f204d2be1605f92e3b388ed6e41735f8f8619e9d62f156b2afc097ae84a9792d1046ae203d8fb36e5232d7c49

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4170f8e8330b2ce206995ea10a379530

SHA1
a299edff6470dd8a51bb5b1448ddee3592ad699c

SHA256
a58b1bb46f6e9599c9491781e9c4023588a533dcda78041732ea58d746923950

SHA512
a07577e0645c3f051b9e6dac5189c22343fed55bf35df99f7fe3a528526587de4e106acbfa4063ada3ff517fb88355f70110236f4bef3977f457feb316ffb63b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e12b374574a2d37a022b800aae18fc06

SHA1
7f217514a60c32c4a67af834b021c1eb81e9f244

SHA256
3d75b9c5bac424b1afb974a6b7baccd9ab711bc82a086712e5f6055fa1d8e716

SHA512
f5d0af8ade8c56788ae07a3e0a7c3e9d8d2b746c3f428a4430512ea429d6f7e5c42a3ecee050448107f865e6ab509114996f81ce87f2872070e6f253bee27f35

Download Submit
memory/532-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/532-148-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/532-141-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1208-127-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1208-134-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1208-218-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1264-205-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1264-120-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1264-119-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1264-114-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1264-112-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1264-153-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1496-265-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1496-207-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/1496-172-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1572-259-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1572-249-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1744-53-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1744-60-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1744-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1744-108-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1752-276-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1752-273-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1752-274-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1888-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1888-1-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/1888-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1888-6-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/1888-7-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/1948-164-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1948-95-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1948-100-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1948-92-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2000-238-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2000-244-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2000-277-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-166-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2152-157-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2152-247-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2232-201-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2232-199-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2232-215-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2232-214-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2408-37-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2408-38-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2408-43-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2408-44-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2408-90-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2516-19-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2516-93-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2516-13-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2516-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2656-152-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-79-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2656-74-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-72-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2656-78-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2868-227-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2868-241-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2868-229-0x00000000003D0000-0x0000000000482000-memory.dmp

Filesize
712KB

Download
memory/2868-284-0x00000000003D0000-0x0000000000482000-memory.dmp

Filesize
712KB

Download
memory/2868-282-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2912-33-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2912-25-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2912-26-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2912-111-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2916-192-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-279-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2916-278-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2916-269-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-267-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2916-257-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-232-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2916-197-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-194-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2976-271-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2976-209-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2976-203-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download