blustealer | c376fe2391abf98b6da345abfa7ce5d51da5cbcd172423083da3dc83fbb9cdb1

Analysis

max time kernel
140s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION _RFQ# 1043999.exe
Size

1.1MB
MD5

761e246fbdde33f37a9bd68fcc8286e7
SHA1

571eea7e2618ab05cb19bef6e9337855321d775c
SHA256

c376fe2391abf98b6da345abfa7ce5d51da5cbcd172423083da3dc83fbb9cdb1
SHA512

fe4ab08a13765c061c30cd3f6dfcbb34960f587b44f231eefcd736790fbe56788b4f1ec04ebf563644628c728d54d13ccd2aa1527cec05db5e3b664363b9f59b
SSDEEP

24576:/YtQ7AZ1RnHQjI9A4/wsf3Iz39pnvgey2UNupVchQXPA3:A1n5e4/wmItpnyJNwV2L

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 36 IoCs

pid	Process
556	vyjlolms.exe
1120	vyjlolms.exe
464	Process not Found
700	alg.exe
1956	aspnet_state.exe
1584	mscorsvw.exe
976	mscorsvw.exe
1740	mscorsvw.exe
868	mscorsvw.exe
900	dllhost.exe
872	ehRecvr.exe
2036	ehsched.exe
568	elevation_service.exe
1768	mscorsvw.exe
608	mscorsvw.exe
2072	mscorsvw.exe
2208	mscorsvw.exe
2328	mscorsvw.exe
2468	mscorsvw.exe
2548	IEEtwCollector.exe
2644	GROOVE.EXE
2728	maintenanceservice.exe
2824	msdtc.exe
2944	msiexec.exe
2056	OSE.EXE
2104	OSPPSVC.EXE
1580	perfhost.exe
2196	locator.exe
2308	snmptrap.exe
1536	vds.exe
2392	vssvc.exe
2500	wbengine.exe
2676	WmiApSrv.exe
2860	wmpnetwk.exe
1700	SearchIndexer.exe
304	mscorsvw.exe

Loads dropped DLL 19 IoCs

pid	Process
1240	QUOTATION _RFQ# 1043999.exe
1240	QUOTATION _RFQ# 1043999.exe
556	vyjlolms.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2944	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
756	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ea553cf7decfa14c.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	vyjlolms.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\vssvc.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\wbengine.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\dllhost.exe	vyjlolms.exe
File opened for modification	C:\Windows\System32\msdtc.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\msiexec.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	vyjlolms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	vyjlolms.exe
File opened for modification	C:\Windows\System32\vds.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	vyjlolms.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 556 set thread context of 1120	556	vyjlolms.exe	29
PID 1120 set thread context of 1488	1120	vyjlolms.exe	32

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	vyjlolms.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	vyjlolms.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	vyjlolms.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	vyjlolms.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	vyjlolms.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	vyjlolms.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	vyjlolms.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	vyjlolms.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	vyjlolms.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	vyjlolms.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	vyjlolms.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	vyjlolms.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	vyjlolms.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0D723F33-D2EF-4784-9E26-7F12B5963990}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	vyjlolms.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	vyjlolms.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	vyjlolms.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0D723F33-D2EF-4784-9E26-7F12B5963990}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	vyjlolms.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9F3F7E27-D76C-4D9C-A12E-491E3F3CD1EF}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{9F3F7E27-D76C-4D9C-A12E-491E3F3CD1EF}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1536	ehRec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
556	vyjlolms.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1120	vyjlolms.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	868	mscorsvw.exe
Token: 33	980	EhTray.exe
Token: SeIncBasePriorityPrivilege	980	EhTray.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	868	mscorsvw.exe
Token: SeDebugPrivilege	1536	ehRec.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	868	mscorsvw.exe
Token: SeShutdownPrivilege	868	mscorsvw.exe
Token: 33	980	EhTray.exe
Token: SeIncBasePriorityPrivilege	980	EhTray.exe
Token: SeRestorePrivilege	2944	msiexec.exe
Token: SeTakeOwnershipPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	2944	msiexec.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeBackupPrivilege	2500	wbengine.exe
Token: SeRestorePrivilege	2500	wbengine.exe
Token: SeSecurityPrivilege	2500	wbengine.exe
Token: 33	2860	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2860	wmpnetwk.exe
Token: SeManageVolumePrivilege	1700	SearchIndexer.exe
Token: 33	1700	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1700	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
980	EhTray.exe
980	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
980	EhTray.exe
980	EhTray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1120	vyjlolms.exe
1768	SearchProtocolHost.exe
1768	SearchProtocolHost.exe
1768	SearchProtocolHost.exe
1768	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 556	1240	QUOTATION _RFQ# 1043999.exe	27
PID 1240 wrote to memory of 556	1240	QUOTATION _RFQ# 1043999.exe	27
PID 1240 wrote to memory of 556	1240	QUOTATION _RFQ# 1043999.exe	27
PID 1240 wrote to memory of 556	1240	QUOTATION _RFQ# 1043999.exe	27
PID 556 wrote to memory of 1120	556	vyjlolms.exe	29
PID 556 wrote to memory of 1120	556	vyjlolms.exe	29
PID 556 wrote to memory of 1120	556	vyjlolms.exe	29
PID 556 wrote to memory of 1120	556	vyjlolms.exe	29
PID 556 wrote to memory of 1120	556	vyjlolms.exe	29
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1120 wrote to memory of 1488	1120	vyjlolms.exe	32
PID 1740 wrote to memory of 1768	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1768	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1768	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1768	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 608	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 608	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 608	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 608	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 2072	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 2072	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 2072	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 2072	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 2208	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2208	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2208	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2208	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2328	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 2328	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 2328	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 2328	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 2468	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 2468	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 2468	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 2468	1740	mscorsvw.exe	48
PID 1700 wrote to memory of 1768	1700	SearchIndexer.exe	65
PID 1700 wrote to memory of 1768	1700	SearchIndexer.exe	65
PID 1700 wrote to memory of 1768	1700	SearchIndexer.exe	65
PID 1700 wrote to memory of 2256	1700	SearchIndexer.exe	66
PID 1700 wrote to memory of 2256	1700	SearchIndexer.exe	66
PID 1700 wrote to memory of 2256	1700	SearchIndexer.exe	66
PID 1740 wrote to memory of 304	1740	mscorsvw.exe	67
PID 1740 wrote to memory of 304	1740	mscorsvw.exe	67
PID 1740 wrote to memory of 304	1740	mscorsvw.exe	67
PID 1740 wrote to memory of 304	1740	mscorsvw.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION _RFQ# 1043999.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION _RFQ# 1043999.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe
  "C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe" C:\Users\Admin\AppData\Local\Temp\octkeqdy.riv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe
    "C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1488

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 258 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 164 -NGENProcess 208 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:900

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:872

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:568

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:980

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2548

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2056

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1768
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4502f10690f7ac04362792c5c3b8582f

SHA1
b9e4201f61a62b64bff08e58e5dba2a0fa7c6f59

SHA256
9157948fc07246bd85b95ecce753e8dd44dc6fa9e8a55970499615fd62417055

SHA512
5a7ba278809342a0955e21ff73679ded9086a7269b1b397fa9fbe2d54b50b91b9b3fdf7081378522fd8e1d2864d03d04340a89a093e702bd03af370a2045f7bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f3eadd00b6b8d3be620fe6da9b6d0100

SHA1
a401cef65ac4060b212aa4a31b19026f099a2da3

SHA256
c8adb45a116fcb2fec242d3edbb71215d1ea60bc0f78d7982f996de352a33aae

SHA512
e5fb1d42c263516236edaeb22f86e5ff26885ceac8745c8c8e0a79acb2687d9289999f03cfe3b22c5b0031286ae2862a007fb493486c6779e3943183b66da6f9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
615df4a7f938cf1e5b4adbded4f4f282

SHA1
05d6878493c3bf1487cb9d8aabf6f21719093e54

SHA256
a123ecdf0c9c7b9d56d760757739ac0c0fe644559a7a99b0a3fdbb8a91f73495

SHA512
74658342e6ebc19bdfab0e16161399f2db33d2675d301c455fd4be937b90f16dd34c169df5ba776c4335b4a937941c89a766827af23a6ff7c42b2319a549edb7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
354540d73ca030dfc92e5c54451c3fba

SHA1
c096fc1b0bd4c864ec464e4a2b1d7f26a2dbe91a

SHA256
bd0254d156b8d897cb7a0a4955cc778bae399875a07099b1283a2d2caa08b1dd

SHA512
67f419700a293cbd3fd39117b8cbed67c95383c6173c3b9baaf6e1494c64955658852477012ec16c84e47289570e1edf17ddce4548360050beb21626ea1957c3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d795c5918c3ec39bf8bf028c2175975a

SHA1
2935dbaf4ce4e1773b15dfa292bcdab8310c1447

SHA256
fe07023064371c1b0dbff233d91107c2715121257468627728ab1faac199c931

SHA512
21b8a72c9e6ffec2ea2da6423645d1ee743469e4a2c42459884266afbac0bb003f59887e516acf52e87ee73e84ebc46480b2b6068a0b578703399b8f4f5d7fed

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
82db1d029e9bc2e83eed257cbdd7b962

SHA1
5ddf064174191add861a86b58fb46258698e7943

SHA256
b6b6fec9fad2f406055dabddd758534d072ddcb714147fd89c53ad5aa6e18487

SHA512
6e528285924ffcef5ce1acf4c1030a733c8e3c0067ec31e535bfa82b59dba4961869ee41a219ff7b97021e593c593f19378c30f98f96e4f3954591d2d4727c19

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iemuq.f

Filesize
1.7MB

MD5
1140e0ab5c6766629efcd09940ef76bd

SHA1
dbc2b06e30b3fad81dd5961f5f233391446e87ed

SHA256
ce0e0cdc76adc6ef5cd7a2f59255e98a65461ec6f1ebc91f9d01f8d0d4ead5a7

SHA512
58abddc8b7511e9b3621a280f790631f05ae661d5aa107a8437733e3dc3f9492a657b6b819253de62fea37f4af679477b59358796b564e3db5ea6c5ab4ce153f

Download Submit
C:\Users\Admin\AppData\Local\Temp\octkeqdy.riv

Filesize
5KB

MD5
aec7affe4d9f705f31877d5cd359ca9d

SHA1
feb8bec37e3b762e09f288e2ed2dca1b102ce503

SHA256
5523ada4c712d23e28a5785cd99c3a245532e6683510d3e10cfa6ed18003c84e

SHA512
32abc8e8a793cf7dae96b3ea5e813ade061abb3a96fd30f6fb6b8bbf0fc9034689361a209ed2064c5e78402a5d7642f4e49485525adb0d7b0870ddb68493a4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7805051f62d0039a33975828dc757b42

SHA1
6fe87ed8d003919d5d010d09e46b9f333df6e4ac

SHA256
d7d4247e56693af7cfec06881ff04e221f8dfb4b7a5244ba5f04ed7741803e16

SHA512
d695b2c7021dec4c6484b993cf9f5d7181ae0b92fe01550394c51935c312b8636b9b6fc36b711fbad0c01ed0cfa026c47915fbd6cdb2f962330e6a7b7375da61

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7805051f62d0039a33975828dc757b42

SHA1
6fe87ed8d003919d5d010d09e46b9f333df6e4ac

SHA256
d7d4247e56693af7cfec06881ff04e221f8dfb4b7a5244ba5f04ed7741803e16

SHA512
d695b2c7021dec4c6484b993cf9f5d7181ae0b92fe01550394c51935c312b8636b9b6fc36b711fbad0c01ed0cfa026c47915fbd6cdb2f962330e6a7b7375da61

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3bcbbb8929f0407271e337a787c85c59

SHA1
8fa2d47f8c15c09f22f32e8cc1335bf664fedcc8

SHA256
6458642104275151e13f073ec69ad5feca3d4208a079f35529f4e0af94cf2f78

SHA512
395843ed58683892e257ac88bd7b1348448eb25c5d79535a7b743c338555d31bb42e24877d6d29935a59bf44d72b717b532f388799ecf22308bfcd5998819c51

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
3588ea0c9e7b0e2fa498ff2a82b936ff

SHA1
ac427901acb7fd7ffdac8933a6a893de7b109501

SHA256
58b5a93882e94ba2c374db5591fc555d7bb12f41b55e23a98c16c4fe879bd66c

SHA512
45b09307aee598ba1a62afeeff7f7d7b8b950ee035746c95cdd00820e00d0a64587092f98527a1c89d9c9df5ce5c4a763efe441dc26044b4046bdd3de200e490

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
aef4967fd0a11f7eb68304d0cd36692b

SHA1
5ca5aae8f697c28e3a7f08475c33e68bdc7dd66e

SHA256
76df50908de870e090ebcea68d6720c1de2145d0d0581fcd5a480f025fc4f17b

SHA512
3809e66df833005235c671a26be33321741efd290d63f440d103351f720c6c93b92cd7e73d9d23e4a2684ab8ed45cd40a4bb236905358f4d42954e05bd289c69

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
aef4967fd0a11f7eb68304d0cd36692b

SHA1
5ca5aae8f697c28e3a7f08475c33e68bdc7dd66e

SHA256
76df50908de870e090ebcea68d6720c1de2145d0d0581fcd5a480f025fc4f17b

SHA512
3809e66df833005235c671a26be33321741efd290d63f440d103351f720c6c93b92cd7e73d9d23e4a2684ab8ed45cd40a4bb236905358f4d42954e05bd289c69

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e26cdb52d5ac30df8d73fba1d00efc63

SHA1
b7f8f5ea27d97f09d0fd122d61882b8df4c2a258

SHA256
2fbf432b70a06fa126a1c787bb73ee031a3e76e8295015960bb8780fe9725386

SHA512
bec482bcd8a6e4be02c78b35bb5689ff728b54db32927634323da52aa604147cd60c4e87ccdcdd7af828b6b2d74522dddb958abec088f43082a968020d73f2f5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e26cdb52d5ac30df8d73fba1d00efc63

SHA1
b7f8f5ea27d97f09d0fd122d61882b8df4c2a258

SHA256
2fbf432b70a06fa126a1c787bb73ee031a3e76e8295015960bb8780fe9725386

SHA512
bec482bcd8a6e4be02c78b35bb5689ff728b54db32927634323da52aa604147cd60c4e87ccdcdd7af828b6b2d74522dddb958abec088f43082a968020d73f2f5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4c80836755d77adee078f64d05cc53d8

SHA1
1089e125093b5d6127a5b37e8156acdeb33e4d89

SHA256
240a79d78d96a6eb09fec9f02cd20190912facb6f73613d4eed54f29d140c1c3

SHA512
ea251d712bf6dbfdd1dfa4eb0a10aa6397868832637ddf3075457a2ca656fefab271ce2d2df4c45b2d1d8cf1b8ca0b7a6afaba7276021f545c24c6666d692e48

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8acd89f5aa820b060bf8297775cc933

SHA1
cebd943d713647c558073d3a5ac6f60fa706d734

SHA256
f62a22bdeeab0681bc821d97d41e700e0a361c04653c25100957d53e0eb805d7

SHA512
4e9cae2ba3054897351feaeb50cbad63c72d68219e0448d27a87b1d7ccc24788e809353dec00b86ad43bf18af649edf3f43d2e86ff38559bb19ee3b0134cf1a2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
183f353033c7954603f21ec163ae4033

SHA1
ed3b948c0c73dc47896881e71c72df500f733bd0

SHA256
f25013a3d513b9355e2e90a6cb231ed466bd6e922537c305df3f94616e0f57b9

SHA512
1eb58b5e716158ca830682823d91ce9fe45de51f716ada4378aee58361c205156a802503d576296bc6427754c20c199c19f978ead47bb022915fae6cc58aaa2e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a76f3bb82ac86b338e8b2cfb270a51db

SHA1
325ca3a2119d13ba64f8529a921e1a3d5822c5cb

SHA256
499d09177a1db3ee3b5696c3204e53acf438e73603efc863275bebb4224444cb

SHA512
b18fac00715f58ae3aff9fefa4b95ff8bcf1e1e7eb59506fe520ed1ae587c7e28ee36518e3bface98b003f0176c3ab19d2bf087adb9d1bd043623c7d7e8cedf1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
94640c42e5da1137c4dc5cfb620a58fc

SHA1
e9f9583e410f43df59f5b8e6b015f17826911e4b

SHA256
86df3ef39c017efaf157872c6f00a0917d4b02c965588e49de274b5ce6d60dfc

SHA512
9e4145655579279301454b7245c484f7b09cd1cbaddabaaa500b2239dd4ac8bdb547ff7b7fc76ee3145a833f4c4c84b955b54df5fe350bf74b48515ee3fda885

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
8c7a3f21e0e7c0905f9b6dc78a0d48bc

SHA1
932b3d4f6ffdf66e2027bad8526ea24c06386f4f

SHA256
90195b9c33c0fa0a3249706e864ebe3aff11fba687f7cfa3e5c5b0230331b142

SHA512
fe3715957db27d1ddf0c2a8678e68d43938d83c7e87e4e98f32fa109d808e762fbe216ac041d793b5cf4a146bcd71139ed0ae6a56351e93135b25b4ac523eb0d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
86010b92ec5b84bcbe96f43ac2b04760

SHA1
c31c9455029d3aa26db9904277ff9260c8a71152

SHA256
d7265f254b024e6f9cefb04662ed98da514351dc6fef383f69ebb267fc67c043

SHA512
21aa2795269fc95fe78c176e4132defef74b816afc8bd74bfc5a610c35752c19c8706040bac3cba4e7e0b109eb5cfebcd9384b5392d0d4d45a0cb6e5dd876a3f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
f2ca945205ab72eae694f4fb8adffa2d

SHA1
a5da779bde9d9f24f5742b1665efaa92cd17be75

SHA256
35ef68c271e09686df89d4fe420b52feb3b21403ce4204e4d32b916ff99ff658

SHA512
76c37d67f3564668c29254bcb7fb09d3c27f7629ddef3945bb5f353f053e52f556ecff7e218eba28e91978f6c2dbac151b8d8a14d48ede220564ed87dc52e446

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c3a56c7ceb99133498cd2e625cb25a30

SHA1
a327b70b2cf49f80aefeb6cf1ed576bc1e4afc92

SHA256
d2fefcfc5a441ff9c7cbb618874e7cd783b0e83756739ff9192442fe063e7465

SHA512
086b6f485078a2e1ad66f58e47bacbc67e1c2e90747165512e8ceb57716f46d44041eedf71f277f35d95d2955d65b619aa41c3f1b9ddc6e4b47ab13aedddd27a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9141214b5e13e0acb11de50a009d12b0

SHA1
c9e750ff4343d48c217caf8a1670b3195312b605

SHA256
ad61ddac7b4e7e98fec6868f7176ba1728e26827aae6a6eb63e5bd9897187c31

SHA512
1e804e063e9206fa2495006357ab4252ce14fc13805d79f3552a3de750b25e1efe1e3e4f26a083fcd4b3325bb00711473bcfa52763bf5c01cc9aa4a568be3c4c

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
d5acedca780a0c9912686fd0e5035074

SHA1
4750f00e8758760f8cc76acd3d4d03e09ea0c258

SHA256
094e5eb20cfb55c7d389593618507a232c73099bd1a030fb93676a1947f6568e

SHA512
0ccd6d6bcaeb8351057fd0b8cbada96a5505901b10d95c4a5d9dbb7a485733fb8dae44f982284880e5acb926ddcb0bf8c9185e4b953f179f2f14c487394910a0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5fcc33fc744460125587c2ab5bb07dc2

SHA1
802671bbbab592f6499d5e07d68e8eecb38eb0de

SHA256
ef95cec0f4683c1d6f0bb556fafa834f29f1523fcf276f23cab7fb6b09969ee6

SHA512
f519b66aac6febc5df44f24cebfd08ba8ddcd301c53151811dc772ebc99c9377240301de0d2b66f7d3939e0387abadddc7aa8ec7317fce1daf618e9d9889499d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
8f3120811d1c31a1de3f30dfe6d60557

SHA1
9fb0339f7ef8f2a220f4d8463f14bcf91907efbe

SHA256
8f21de5ac55a0f092182e05f50b408f10efec8b63345a2117c8f32d1db4b22c7

SHA512
dd1364555155ae4455ab0cef177f3e89fc7f5afbfda901a2937133739f7812792f3cd8d480256eab1277e52727fd0f867675ed82f106bfe5891d4d47ee482998

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a55636cd5525911cfe1b3262c7c40c54

SHA1
bca38807ab18b6c484f23bbe90e55e6d4e23a67d

SHA256
fc922dc01c7b6df5ba78531fad385f85b222bcdbffb50d9614d0035eefb827c1

SHA512
b5f45c7bf4bba6fc589fef716a712a4d6ec24c6975d221ed2b19a4e51599fb254ca1af881f53d2b152d90aadac6eabaa199922d9edcf5994748051f9012420a3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6577387921f59be46d815decd0632c4c

SHA1
83cf9403f137ac62695574a99b6014e7ac3f2079

SHA256
1253c1c47c2c0436aa994d97e5095d6631e0fa3d820f34a0feef346370f4f5c1

SHA512
7e9b94c5c9dd43b3ec7d97a3d395e950d59138601257479aedaea06930e346f8dd90baf6cd6f6f000bba5a9b5ec5deda85be57ba7fa3ad0268a50dbf6f2e3243

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3106bc1227a42452a9c24cd1177fdaed

SHA1
d6b02f96ac83b852cde75a8d23d526fcc3edbec2

SHA256
595d6bfb2ea952872abf62b756740157e1003997b7d1cca80efe5e16fa6fc383

SHA512
8c379d92004190629bbdcf10d30e99155bb8da353955d90158cb0e9798005c76ebb62674485782fe3ae366c661b50b74d0b84675698e9817039f4f6ed694c12f

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
13dc2b7818749f4c37536215a364552e

SHA1
26937c0aafd8cb58d397980714f91ed9dcac5dff

SHA256
0011c4a39ad622488af1e344e383a490e518146913944052cb3e6a58e6abcad0

SHA512
562e82ca1cb3ef2d8dd50ee1fe572b6cccf6dbeb94b8d9f7b61773c90a522f3671354f7ef82305ff5afe963459f575eb6e9fa077b03aa78f1ba32ac2ca6ad8ef

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d5acedca780a0c9912686fd0e5035074

SHA1
4750f00e8758760f8cc76acd3d4d03e09ea0c258

SHA256
094e5eb20cfb55c7d389593618507a232c73099bd1a030fb93676a1947f6568e

SHA512
0ccd6d6bcaeb8351057fd0b8cbada96a5505901b10d95c4a5d9dbb7a485733fb8dae44f982284880e5acb926ddcb0bf8c9185e4b953f179f2f14c487394910a0

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
82db1d029e9bc2e83eed257cbdd7b962

SHA1
5ddf064174191add861a86b58fb46258698e7943

SHA256
b6b6fec9fad2f406055dabddd758534d072ddcb714147fd89c53ad5aa6e18487

SHA512
6e528285924ffcef5ce1acf4c1030a733c8e3c0067ec31e535bfa82b59dba4961869ee41a219ff7b97021e593c593f19378c30f98f96e4f3954591d2d4727c19

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
82db1d029e9bc2e83eed257cbdd7b962

SHA1
5ddf064174191add861a86b58fb46258698e7943

SHA256
b6b6fec9fad2f406055dabddd758534d072ddcb714147fd89c53ad5aa6e18487

SHA512
6e528285924ffcef5ce1acf4c1030a733c8e3c0067ec31e535bfa82b59dba4961869ee41a219ff7b97021e593c593f19378c30f98f96e4f3954591d2d4727c19

Download Submit
\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7805051f62d0039a33975828dc757b42

SHA1
6fe87ed8d003919d5d010d09e46b9f333df6e4ac

SHA256
d7d4247e56693af7cfec06881ff04e221f8dfb4b7a5244ba5f04ed7741803e16

SHA512
d695b2c7021dec4c6484b993cf9f5d7181ae0b92fe01550394c51935c312b8636b9b6fc36b711fbad0c01ed0cfa026c47915fbd6cdb2f962330e6a7b7375da61

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
3588ea0c9e7b0e2fa498ff2a82b936ff

SHA1
ac427901acb7fd7ffdac8933a6a893de7b109501

SHA256
58b5a93882e94ba2c374db5591fc555d7bb12f41b55e23a98c16c4fe879bd66c

SHA512
45b09307aee598ba1a62afeeff7f7d7b8b950ee035746c95cdd00820e00d0a64587092f98527a1c89d9c9df5ce5c4a763efe441dc26044b4046bdd3de200e490

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a76f3bb82ac86b338e8b2cfb270a51db

SHA1
325ca3a2119d13ba64f8529a921e1a3d5822c5cb

SHA256
499d09177a1db3ee3b5696c3204e53acf438e73603efc863275bebb4224444cb

SHA512
b18fac00715f58ae3aff9fefa4b95ff8bcf1e1e7eb59506fe520ed1ae587c7e28ee36518e3bface98b003f0176c3ab19d2bf087adb9d1bd043623c7d7e8cedf1

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
86010b92ec5b84bcbe96f43ac2b04760

SHA1
c31c9455029d3aa26db9904277ff9260c8a71152

SHA256
d7265f254b024e6f9cefb04662ed98da514351dc6fef383f69ebb267fc67c043

SHA512
21aa2795269fc95fe78c176e4132defef74b816afc8bd74bfc5a610c35752c19c8706040bac3cba4e7e0b109eb5cfebcd9384b5392d0d4d45a0cb6e5dd876a3f

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
f2ca945205ab72eae694f4fb8adffa2d

SHA1
a5da779bde9d9f24f5742b1665efaa92cd17be75

SHA256
35ef68c271e09686df89d4fe420b52feb3b21403ce4204e4d32b916ff99ff658

SHA512
76c37d67f3564668c29254bcb7fb09d3c27f7629ddef3945bb5f353f053e52f556ecff7e218eba28e91978f6c2dbac151b8d8a14d48ede220564ed87dc52e446

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c3a56c7ceb99133498cd2e625cb25a30

SHA1
a327b70b2cf49f80aefeb6cf1ed576bc1e4afc92

SHA256
d2fefcfc5a441ff9c7cbb618874e7cd783b0e83756739ff9192442fe063e7465

SHA512
086b6f485078a2e1ad66f58e47bacbc67e1c2e90747165512e8ceb57716f46d44041eedf71f277f35d95d2955d65b619aa41c3f1b9ddc6e4b47ab13aedddd27a

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9141214b5e13e0acb11de50a009d12b0

SHA1
c9e750ff4343d48c217caf8a1670b3195312b605

SHA256
ad61ddac7b4e7e98fec6868f7176ba1728e26827aae6a6eb63e5bd9897187c31

SHA512
1e804e063e9206fa2495006357ab4252ce14fc13805d79f3552a3de750b25e1efe1e3e4f26a083fcd4b3325bb00711473bcfa52763bf5c01cc9aa4a568be3c4c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
d5acedca780a0c9912686fd0e5035074

SHA1
4750f00e8758760f8cc76acd3d4d03e09ea0c258

SHA256
094e5eb20cfb55c7d389593618507a232c73099bd1a030fb93676a1947f6568e

SHA512
0ccd6d6bcaeb8351057fd0b8cbada96a5505901b10d95c4a5d9dbb7a485733fb8dae44f982284880e5acb926ddcb0bf8c9185e4b953f179f2f14c487394910a0

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
d5acedca780a0c9912686fd0e5035074

SHA1
4750f00e8758760f8cc76acd3d4d03e09ea0c258

SHA256
094e5eb20cfb55c7d389593618507a232c73099bd1a030fb93676a1947f6568e

SHA512
0ccd6d6bcaeb8351057fd0b8cbada96a5505901b10d95c4a5d9dbb7a485733fb8dae44f982284880e5acb926ddcb0bf8c9185e4b953f179f2f14c487394910a0

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5fcc33fc744460125587c2ab5bb07dc2

SHA1
802671bbbab592f6499d5e07d68e8eecb38eb0de

SHA256
ef95cec0f4683c1d6f0bb556fafa834f29f1523fcf276f23cab7fb6b09969ee6

SHA512
f519b66aac6febc5df44f24cebfd08ba8ddcd301c53151811dc772ebc99c9377240301de0d2b66f7d3939e0387abadddc7aa8ec7317fce1daf618e9d9889499d

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
8f3120811d1c31a1de3f30dfe6d60557

SHA1
9fb0339f7ef8f2a220f4d8463f14bcf91907efbe

SHA256
8f21de5ac55a0f092182e05f50b408f10efec8b63345a2117c8f32d1db4b22c7

SHA512
dd1364555155ae4455ab0cef177f3e89fc7f5afbfda901a2937133739f7812792f3cd8d480256eab1277e52727fd0f867675ed82f106bfe5891d4d47ee482998

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a55636cd5525911cfe1b3262c7c40c54

SHA1
bca38807ab18b6c484f23bbe90e55e6d4e23a67d

SHA256
fc922dc01c7b6df5ba78531fad385f85b222bcdbffb50d9614d0035eefb827c1

SHA512
b5f45c7bf4bba6fc589fef716a712a4d6ec24c6975d221ed2b19a4e51599fb254ca1af881f53d2b152d90aadac6eabaa199922d9edcf5994748051f9012420a3

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6577387921f59be46d815decd0632c4c

SHA1
83cf9403f137ac62695574a99b6014e7ac3f2079

SHA256
1253c1c47c2c0436aa994d97e5095d6631e0fa3d820f34a0feef346370f4f5c1

SHA512
7e9b94c5c9dd43b3ec7d97a3d395e950d59138601257479aedaea06930e346f8dd90baf6cd6f6f000bba5a9b5ec5deda85be57ba7fa3ad0268a50dbf6f2e3243

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3106bc1227a42452a9c24cd1177fdaed

SHA1
d6b02f96ac83b852cde75a8d23d526fcc3edbec2

SHA256
595d6bfb2ea952872abf62b756740157e1003997b7d1cca80efe5e16fa6fc383

SHA512
8c379d92004190629bbdcf10d30e99155bb8da353955d90158cb0e9798005c76ebb62674485782fe3ae366c661b50b74d0b84675698e9817039f4f6ed694c12f

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
13dc2b7818749f4c37536215a364552e

SHA1
26937c0aafd8cb58d397980714f91ed9dcac5dff

SHA256
0011c4a39ad622488af1e344e383a490e518146913944052cb3e6a58e6abcad0

SHA512
562e82ca1cb3ef2d8dd50ee1fe572b6cccf6dbeb94b8d9f7b61773c90a522f3671354f7ef82305ff5afe963459f575eb6e9fa077b03aa78f1ba32ac2ca6ad8ef

Download Submit
memory/556-66-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/568-184-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/568-254-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/568-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/608-233-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/700-93-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/700-87-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/700-98-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/868-149-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/872-186-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/872-157-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/872-178-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/872-177-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/872-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/872-163-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/900-180-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/976-143-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1120-73-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1120-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1120-193-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1120-97-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1120-207-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1120-79-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1120-74-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1488-135-0x0000000004B80000-0x0000000004C3C000-memory.dmp

Filesize
752KB

Download
memory/1488-105-0x00000000000E0000-0x0000000000146000-memory.dmp

Filesize
408KB

Download
memory/1488-102-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1488-151-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1488-107-0x00000000000E0000-0x0000000000146000-memory.dmp

Filesize
408KB

Download
memory/1488-103-0x00000000000E0000-0x0000000000146000-memory.dmp

Filesize
408KB

Download
memory/1488-101-0x00000000000E0000-0x0000000000146000-memory.dmp

Filesize
408KB

Download
memory/1536-255-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/1536-409-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1536-633-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1536-197-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/1536-192-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/1536-251-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/1580-372-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1584-112-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1700-472-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1700-645-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1740-128-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/1740-152-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1740-133-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/1768-220-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1768-206-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1768-204-0x0000000000330000-0x0000000000396000-memory.dmp

Filesize
408KB

Download
memory/1768-199-0x0000000000330000-0x0000000000396000-memory.dmp

Filesize
408KB

Download
memory/1956-110-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2036-168-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2036-253-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2036-181-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2036-174-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2036-337-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2056-358-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2072-263-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2072-232-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2104-371-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2104-609-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2196-395-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2208-294-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2208-252-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2308-628-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2308-396-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2328-329-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2328-269-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2392-425-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2392-634-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2468-443-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2468-276-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2500-635-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2500-427-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2548-295-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2548-631-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2644-317-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2676-636-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2676-445-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2728-318-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2728-336-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2824-330-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2860-457-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2860-638-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2944-527-0x0000000000520000-0x0000000000729000-memory.dmp

Filesize
2.0MB

Download
memory/2944-347-0x0000000000520000-0x0000000000729000-memory.dmp

Filesize
2.0MB

Download
memory/2944-525-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2944-344-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download