blustealer | f101138228ca15bebf19e1802f716601ed0094373bac649e9e0d9f1bfb2e74c3

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-04-2023 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Size

1.5MB
MD5

76a953005611843cca8ba94dc2ffbfcf
SHA1

af634f838961dbeb328c9fb09ab23cb1aca2affe
SHA256

8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135
SHA512

06095412d5fe83e4741ab31a4fe890283c0b8b659ea7fc2289dc52e1ed2c07cd8619e8fdbc9368a4980c6e8b43161472d55d96552df2b57759e84c9a85a16a3b
SSDEEP

24576:8r1voTP6JZs4KoxhV2EiP0Av/1IZwA7dTej7Tz5IDuvkuwV7GkeoAu2j7NiznXBy:8r1voTP67sJoxTiP00/OH1eHVSJXT281

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 40 IoCs

pid	Process
464	Process not Found
852	alg.exe
1320	aspnet_state.exe
1696	mscorsvw.exe
1808	mscorsvw.exe
1724	mscorsvw.exe
1580	mscorsvw.exe
2012	dllhost.exe
664	ehRecvr.exe
1712	ehsched.exe
960	elevation_service.exe
1924	IEEtwCollector.exe
1760	GROOVE.EXE
1424	maintenanceservice.exe
2192	msdtc.exe
2212	mscorsvw.exe
2340	msiexec.exe
2440	OSE.EXE
2480	OSPPSVC.EXE
2644	perfhost.exe
2680	locator.exe
2780	mscorsvw.exe
2880	snmptrap.exe
2960	mscorsvw.exe
2072	vds.exe
2136	mscorsvw.exe
2244	vssvc.exe
2424	mscorsvw.exe
2708	wbengine.exe
2744	mscorsvw.exe
2920	mscorsvw.exe
2600	WmiApSrv.exe
2132	wmpnetwk.exe
2104	SearchIndexer.exe
2276	mscorsvw.exe
304	mscorsvw.exe
2120	mscorsvw.exe
2876	mscorsvw.exe
2332	mscorsvw.exe
1708	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2340	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\locator.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\vds.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\45bcbbe9decfa14c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\alg.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 648 set thread context of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{58614C39-A2D4-4387-8439-923824D92D00}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{58614C39-A2D4-4387-8439-923824D92D00}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9D6608C8-2B45-42B3-857F-7522F1B5FA24}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
896	ehRec.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeTakeOwnershipPrivilege	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: 33	1608	EhTray.exe
Token: SeIncBasePriorityPrivilege	1608	EhTray.exe
Token: SeDebugPrivilege	896	ehRec.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	1724	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeSecurityPrivilege	2340	msiexec.exe
Token: 33	1608	EhTray.exe
Token: SeIncBasePriorityPrivilege	1608	EhTray.exe
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe
Token: SeBackupPrivilege	2708	wbengine.exe
Token: SeRestorePrivilege	2708	wbengine.exe
Token: SeSecurityPrivilege	2708	wbengine.exe
Token: 33	2132	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2132	wmpnetwk.exe
Token: SeManageVolumePrivilege	2104	SearchIndexer.exe
Token: 33	2104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2104	SearchIndexer.exe
Token: SeDebugPrivilege	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1608	EhTray.exe
1608	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1608	EhTray.exe
1608	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
1420	SearchProtocolHost.exe
1420	SearchProtocolHost.exe
1420	SearchProtocolHost.exe
1420	SearchProtocolHost.exe
1420	SearchProtocolHost.exe
1420	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 812	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	28
PID 2044 wrote to memory of 812	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	28
PID 2044 wrote to memory of 812	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	28
PID 2044 wrote to memory of 812	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	28
PID 2044 wrote to memory of 560	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	29
PID 2044 wrote to memory of 560	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	29
PID 2044 wrote to memory of 560	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	29
PID 2044 wrote to memory of 560	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	29
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 2044 wrote to memory of 648	2044	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	30
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 648 wrote to memory of 1788	648	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	34
PID 1724 wrote to memory of 2212	1724	mscorsvw.exe	47
PID 1724 wrote to memory of 2212	1724	mscorsvw.exe	47
PID 1724 wrote to memory of 2212	1724	mscorsvw.exe	47
PID 1724 wrote to memory of 2212	1724	mscorsvw.exe	47
PID 1724 wrote to memory of 2780	1724	mscorsvw.exe	54
PID 1724 wrote to memory of 2780	1724	mscorsvw.exe	54
PID 1724 wrote to memory of 2780	1724	mscorsvw.exe	54
PID 1724 wrote to memory of 2780	1724	mscorsvw.exe	54
PID 1724 wrote to memory of 2960	1724	mscorsvw.exe	56
PID 1724 wrote to memory of 2960	1724	mscorsvw.exe	56
PID 1724 wrote to memory of 2960	1724	mscorsvw.exe	56
PID 1724 wrote to memory of 2960	1724	mscorsvw.exe	56
PID 1724 wrote to memory of 2136	1724	mscorsvw.exe	58
PID 1724 wrote to memory of 2136	1724	mscorsvw.exe	58
PID 1724 wrote to memory of 2136	1724	mscorsvw.exe	58
PID 1724 wrote to memory of 2136	1724	mscorsvw.exe	58
PID 1724 wrote to memory of 2424	1724	mscorsvw.exe	60
PID 1724 wrote to memory of 2424	1724	mscorsvw.exe	60
PID 1724 wrote to memory of 2424	1724	mscorsvw.exe	60
PID 1724 wrote to memory of 2424	1724	mscorsvw.exe	60
PID 1724 wrote to memory of 2744	1724	mscorsvw.exe	62
PID 1724 wrote to memory of 2744	1724	mscorsvw.exe	62
PID 1724 wrote to memory of 2744	1724	mscorsvw.exe	62
PID 1724 wrote to memory of 2744	1724	mscorsvw.exe	62
PID 1724 wrote to memory of 2920	1724	mscorsvw.exe	63
PID 1724 wrote to memory of 2920	1724	mscorsvw.exe	63
PID 1724 wrote to memory of 2920	1724	mscorsvw.exe	63
PID 1724 wrote to memory of 2920	1724	mscorsvw.exe	63
PID 2104 wrote to memory of 2860	2104	SearchIndexer.exe	67
PID 2104 wrote to memory of 2860	2104	SearchIndexer.exe	67
PID 2104 wrote to memory of 2860	2104	SearchIndexer.exe	67
PID 2104 wrote to memory of 2676	2104	SearchIndexer.exe	68
PID 2104 wrote to memory of 2676	2104	SearchIndexer.exe	68
PID 2104 wrote to memory of 2676	2104	SearchIndexer.exe	68
PID 2104 wrote to memory of 1420	2104	SearchIndexer.exe	69
PID 2104 wrote to memory of 1420	2104	SearchIndexer.exe	69
PID 2104 wrote to memory of 1420	2104	SearchIndexer.exe	69
PID 1724 wrote to memory of 2276	1724	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
"C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
  "C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe"
  2⤵
  PID:812
- C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
  "C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe"
  2⤵
  PID:560
- C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
  "C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1696

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 250 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1ac -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 280 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 250 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2012

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:664

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1608

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:960

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1924

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1760

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2440

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2480

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2676
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2c2ec8e6cde65d848213d475ddf308e9

SHA1
b0acb189b49032b5a565c2e77ab745a7dfec80b6

SHA256
34ffdcfd280b346a5b80076d865844d07f0ad1ec42ad1d495e9b46c834a92c1b

SHA512
ac08ad96e78ee4cdf78a7df65f219c166746dcf449499e4dea4d67b7df7a3373c76fdbe97d3639d7626f595a2f810969d063662bf592c934e95ca522db515d78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
243c52920d5007cddc37804f1bf2fc88

SHA1
4bec231ba25dd24d360485310f1bee046ca2ab21

SHA256
3a97a74857c8b8c100a4e0088e6982fbed6fbdded98b6d8718aaab90210f202e

SHA512
25f122faab7d3125d2c0e46655fb6bea5ec2821f0f8d5e6a626ec62e12115e567951a52d391264775dd95b6fd015cdabd6b86a5a8cf762b90cfc3c652bbe29ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
68c78ce4459db68065b3371f3f7774e4

SHA1
675bb5d625ebafdfff4ef00a53b21bf7c52ae588

SHA256
a14ef216b80011aef8b390da398f9bc44766d48dbf92564e6ffc870c9cf06bbb

SHA512
dbf0c0a52aa47a3e1a2e5563bf3369c3dead328adfa115dc1254a1333bd5c4cb0968da697be72d44f0ee3b56365595b22769aa1fe7555a6375ea62c3f3c8a8d2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b484c22770654ea86e65d16f61fee6f5

SHA1
efdf0c76db8cbf51943f478d55b432462b93fc83

SHA256
8acece75ca296a72ce8e89186d8a804ffc5a7fadb0a0bf9ece218a26f726e075

SHA512
b9d5e2233331a95a1e8f73e5e7be3e3c0fa10928c63ec7d94ac2c78101519fbe723371687c8286f65299edb3be74e59c3e86949ce6a27d43dcbc4ac5eb06319f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3346f92d33cb92896262b13c53d6e0ff

SHA1
2377bf796248143fc0d05cfcd33e126ed992bca9

SHA256
4e159478add6cef919c0673ebb068123bb84e31c5146e90aac231f879022c56d

SHA512
ab66ed250058c99e24a2730d5a88058656b7a9c38cfa0413f23bef6301f422e69a157936b675c2d3b36310767cfd4b957f7456d2fdc58da7e9cdafdcb4948adf

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a516efc4605b879ff5d15d29e95e0620

SHA1
7fe1a3b1078695ee5804710626870f4cfb2b8680

SHA256
60d48a5f6ed4ec364608e773aff0b7c62aef217734fbaf4735fccaf271324ee1

SHA512
7e9e8c28413b92bf0be0533f91b53d7c129ba12943b2139176af8424e6de214590822fd6b7b90ea5b4f1909c98af87bd14aa9d48aa89f5959a2c31f431a66438

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e8dd217090c510e7920e0c2a9609c699

SHA1
c14e483f6e6fa8d64375d0a125bcafefd7d7dbdd

SHA256
73824eabae5f0399694e52e655e9325ba47a1f1e8af21f642c9b8577da01d635

SHA512
1d53eec4d2407195cdf93e239b9c617203dec370b9d92a0b9b3cce4520ec0db64f7b0f9b2306ab9cbb3c94cb6b30fb087824c9c8faae4c758b32c66be9c3320f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e8dd217090c510e7920e0c2a9609c699

SHA1
c14e483f6e6fa8d64375d0a125bcafefd7d7dbdd

SHA256
73824eabae5f0399694e52e655e9325ba47a1f1e8af21f642c9b8577da01d635

SHA512
1d53eec4d2407195cdf93e239b9c617203dec370b9d92a0b9b3cce4520ec0db64f7b0f9b2306ab9cbb3c94cb6b30fb087824c9c8faae4c758b32c66be9c3320f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
429294fd39155b7dccf1da0cda6130ef

SHA1
1de4fc7275176b59adb64ade04e9fe78f4106834

SHA256
f70244622efce8653eff0902e16f368c9af322191f16796afcb1184cbb110590

SHA512
c9b916b8ed577dfe947a52754366711b87127653553c00be1ecf030321201c9b3525cadc9f25fef41c2fcaa1cccbeccb7a968bf7808ac421173410b26f343a1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
56b252e3e4b27ea663930fb49fd3624c

SHA1
8c7ed5e68b1998d8c8ad11ebab0e3558f4a9bb9e

SHA256
836fb73f2ef4d799942b5e33f7140171f033b55ed92de406f724cde1616dd13f

SHA512
f02ca7baf5f4cbae4e01927e47f5d4995a9399c1f3a812c04a0dfaeea00f621f076973219a7e86ee73905d9bf5fc7f1aec2d2ed44bba8f1aa32ed32fce603182

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d296125794621fc0a773bb3bee75dbdb

SHA1
577dce387159121c53a1fc6b799378de2166357b

SHA256
f1010c3296276458405106a8901cbffd646fb6ff953779fd131f69711f1af449

SHA512
d825e850d0671376d3cfc5882884c590317d588c0dc5f614c698b379ce1bf6d39d86633da31b0e3ee030f30ab65d13ab43fdf1ddbee0b695b2ad3541f0952f8d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d296125794621fc0a773bb3bee75dbdb

SHA1
577dce387159121c53a1fc6b799378de2166357b

SHA256
f1010c3296276458405106a8901cbffd646fb6ff953779fd131f69711f1af449

SHA512
d825e850d0671376d3cfc5882884c590317d588c0dc5f614c698b379ce1bf6d39d86633da31b0e3ee030f30ab65d13ab43fdf1ddbee0b695b2ad3541f0952f8d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
31ce07fa6bff3d748776a5aab43ddb48

SHA1
e7259c7829e05693d88f42941ab67b7eab86198b

SHA256
2d206623ca2a8d14435d81dbcdd9443b8dcc26310003709f116cae469ca34309

SHA512
d1cfbc7d2420b18d72decef0242fe2dfe54ccf9583c79f295729bb3144673fd3e8d40b21d97218152c3af13d8d7cadc9285df930be931a62fa8b23e7626bcc8f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
31ce07fa6bff3d748776a5aab43ddb48

SHA1
e7259c7829e05693d88f42941ab67b7eab86198b

SHA256
2d206623ca2a8d14435d81dbcdd9443b8dcc26310003709f116cae469ca34309

SHA512
d1cfbc7d2420b18d72decef0242fe2dfe54ccf9583c79f295729bb3144673fd3e8d40b21d97218152c3af13d8d7cadc9285df930be931a62fa8b23e7626bcc8f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
93250926d100d6f480ed6677ab4a953e

SHA1
df61045a0a4f0ffbe6c2fd00213736fc0ab6d1be

SHA256
7ad39601508888a8d7422bb7d55cb419c92347f8c7c7ed1a3c9a7c0fe350be9d

SHA512
7542c130230ba301eaaecee7eb2280439a152a7c3bcca0ff885b389e50a2102560bfba7b09315b4076a5abb6a84ba956199c1f887a1cd836ef085e8cb4eac9aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a57fbc94052301bb8fffc49d0d511b48

SHA1
ea0fc688725fc18d0cbd66308e9976d8a90f0ef0

SHA256
2f9791b057c103cbb1e3b7fca65b120cb5b1ea3578cffeba6100f2cbcc91cd3b

SHA512
942e3caf022c0b37b107824640fd9c0406229836765fcfbaa5c9bb40c8ab980ddd748e7b4932ae05569afc0331d6e8006fc091adca882698fa17cc97acaaca39

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0d8c696e4faec1794afbcd866dbdd853

SHA1
e380b3c2fc63608fa73070dac4ebc2262b95a318

SHA256
edf83d9a26505f152b23dbd82356d9977dc03988f710f5afd553c328916aa11d

SHA512
d7d1060feb790e653055fe7583c7927733ce614d877db0bdfc59fc90df68e8a7242b0dba51a268ecf510eece85cddad58c8429e64887d9256ccec0ad26175db6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f8fccc6d780b93201522f054d6334c94

SHA1
70b8ffcadee72890d51d7751cd4861f5455eb81d

SHA256
d61110779843642e36bc585cd9e2b7152187604f6a73cbc4980688e0b825f727

SHA512
f8ec73126895fdbfb3e364200f16b4a5d62860d7697d2592b84697daf532ebf0148cde569afe623d67806ca32c408b3ad1c2151ca2e952b052b1a92bf606ff79

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
81b82a9f2d15eb92197e81cf676e4356

SHA1
d01bf56ed9e49976e3b0d97d50adfa857786431b

SHA256
ca318c081073f0c1275631b7608ac0936a83cc96cb8b0b9464b3049830d7972e

SHA512
927de6920e4d76afb21f1ccc9c703458b5e757b2715f94ce16c4174d7b5127b740edc0695a601b5e87910b017402875fdacd232515a43f73d2377f57ee20703f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
233a852522994df31f1704b41ae669eb

SHA1
093395ae52e46a96dc0edfc9a5bee5709b963779

SHA256
7c9333aeca01c171f562b4127beec4aac64b7a3dda5ee0db29b6f469f87be8ea

SHA512
dafa932a94e47c4242b4472ce4fe79c86e7b1d3fdf84330e9013cc4fcdfa06a85ba8df2feafa823a6b1f318a800a2b97e1d2fc9b931d2432aed33ba976536f78

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ff9b52f4f104d0d78645cc3620972102

SHA1
0089e71014e3fdae783942d013babefb5794cc25

SHA256
332b7efa84ea2ee9994a701a4fcec6942717c6aa1d871fdf1a56723bcac855ea

SHA512
d53034428b5f7a8a022bce89292c665f951d54dbbd513f3f3c3770e8187a2bec7238785cfd7b7051e58d67ea788dc6d2e2b87e8ec8666c603b7bcf3d8402e82b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
efa3416b1a3ca0acb52ec1b507532a88

SHA1
c9d68783e6e3ae03b5bd5bb52951e9e241ef7e27

SHA256
85020bef4dd37df3404b8dd8cfd4e08c65bbbc0db60d04c25c5a42ef67058e98

SHA512
9e077f187835247ed71b6c32dbe3fe60a7f929b477e7959544a6b8de620e2dc7fdfd6b2b96f19047a3d2ee84242a5b6c49aec6033fc5310703252f63f5fcb015

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
82c2dd15f01246da9a257167b3fa1349

SHA1
88cd5dcd5434a817bdc9ee73f31fbbbb713b3fdb

SHA256
851729e0ac55b17484ff27eff9146942aecd246ffa150f60dd05f7d7e662137d

SHA512
a8555f32c54f062c224bd66b800a30f2452e89922d05d84b26b93acb269e6f7ccd8a0df52cb61b310c8ae1e0133c1bd40ad72d47c06718a501665aacc6836f6b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a1247e56e50f39559ce5e1c11244a59e

SHA1
1cd2448779a559cf456ac4de5b55ee1d673e86ae

SHA256
70d00fed008f831b37a7fd75850e27d8104e164f54a30a5960181b7d0d2809b1

SHA512
c32fb06df553cf7fc6bbbdfc80606a9afa8c6fc5732f0081cbe2e5f3ff2654543c3d394f00807229182375584eb03be1e74b525fd89acdb7a2135e285dd23007

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
722ac34c791242438cb69a7456736c20

SHA1
6445587a9946390a18ae7ef4e014f0aca23c593e

SHA256
540dcc31bb8ed68ef19216455999f2fb38314f98e311fb1ae040766995dc2ebf

SHA512
8591b835356335813ea069257b5c6c150faa8cd3532797fb4278ea84d8ca38ec73a547bbbbc1f3c5b6fb1d0464c4febcce12a4f4d5d389aad8c8dc7cf727bc06

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
69e7bafd910bf36beb6d5edf2b7e3472

SHA1
228dc6ab7b3e91bba1b78230f57e9870db4c6a08

SHA256
9ae01341d3ef8ea2a83a9be966ad5a9659e4005d641366fe1d6fb5bde26b7030

SHA512
6c5a88a443aef5c4d60aaf7f38d7dc486c9f25492bf3fcf25b4dd745a559aef0f40e0d9b4c5bb0a39302c8635900effc121f84bf5dec436839103ef473a9d1ec

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
3ed7f74bfbc58569f7b0c0afae55342e

SHA1
2dce21df7488790647930b2daaccd15ecec8b281

SHA256
874d7dfcd6a308de4f80c7ea70f4fbf33418e48953f4d7adffc97f4a2ffdec43

SHA512
f343d2095281bae5f67ff5f89cda8bbd3db9d0a9823f0b58dc436ce6846c2fb592d2fb32f8f715379bbf8f4353788492011888ecb49c1dc3f589c508a4fd99a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0596a5581f8bb56ad289933cb467be43

SHA1
39bc17d5271c268b1d332ec54e40a7df38ecbcee

SHA256
cb07b755963d1939622cda68c1ff8c6491d788505c6c5d2d4016063bc455aa49

SHA512
6668dae26cfe8458a918738e67d275085ab695ccca9be8e15f73b721a27288f5503f89d4a9607ac0af47eeeb7f02e1f201786cc5af7266ab50779ce4b6839de3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
21202c92ef4843a1ea7915cee544c3a9

SHA1
78051d706fe7497d2b3df2b5230bd9f50688d463

SHA256
7bbece13756b99bcc7d75665749e9d499679c44fe6d6a1070c9b22d3286332b7

SHA512
f74678cb0f55a6ae47e680b85f58e75cdeec5a28804154b389e69e63eacb505165f384aa7a8410cdc20a26ecb01e576e3faf659e998376375ebd9f1f10170666

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b3b7eec5b4b617d8a3d633917ff08fca

SHA1
606084c6870f653899d688401db7b55ab3be3b34

SHA256
ddc0e73f20ec20fc015c0475519ebf8e3775a7eb4c5a0c2c834911831c0ddb08

SHA512
e6a908b3ceccf10d583c7e2736b863c7da0778c5c04e288e7131bbf8371d37b6e68f286537eac0e264f629cbf7a8002af368d5b49045e1fbf13da777bc756935

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
783e44682e89add68fc97f9c1ede67ae

SHA1
5ae8973adcc6ea4443b4d432e7f23b1f9bff2f75

SHA256
b4919d43d14d478466ece2629a3b78e35693e180542737f6d664e3faa55664ae

SHA512
ff57440e804ed77d9a4211ab5b6f4e569184403cc4e9f365b4791b19b503277ad0993aad405b31b08d636d92698028bcd25c60a37af514c14cc8e60e584e84a3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
722ac34c791242438cb69a7456736c20

SHA1
6445587a9946390a18ae7ef4e014f0aca23c593e

SHA256
540dcc31bb8ed68ef19216455999f2fb38314f98e311fb1ae040766995dc2ebf

SHA512
8591b835356335813ea069257b5c6c150faa8cd3532797fb4278ea84d8ca38ec73a547bbbbc1f3c5b6fb1d0464c4febcce12a4f4d5d389aad8c8dc7cf727bc06

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a516efc4605b879ff5d15d29e95e0620

SHA1
7fe1a3b1078695ee5804710626870f4cfb2b8680

SHA256
60d48a5f6ed4ec364608e773aff0b7c62aef217734fbaf4735fccaf271324ee1

SHA512
7e9e8c28413b92bf0be0533f91b53d7c129ba12943b2139176af8424e6de214590822fd6b7b90ea5b4f1909c98af87bd14aa9d48aa89f5959a2c31f431a66438

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a516efc4605b879ff5d15d29e95e0620

SHA1
7fe1a3b1078695ee5804710626870f4cfb2b8680

SHA256
60d48a5f6ed4ec364608e773aff0b7c62aef217734fbaf4735fccaf271324ee1

SHA512
7e9e8c28413b92bf0be0533f91b53d7c129ba12943b2139176af8424e6de214590822fd6b7b90ea5b4f1909c98af87bd14aa9d48aa89f5959a2c31f431a66438

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e8dd217090c510e7920e0c2a9609c699

SHA1
c14e483f6e6fa8d64375d0a125bcafefd7d7dbdd

SHA256
73824eabae5f0399694e52e655e9325ba47a1f1e8af21f642c9b8577da01d635

SHA512
1d53eec4d2407195cdf93e239b9c617203dec370b9d92a0b9b3cce4520ec0db64f7b0f9b2306ab9cbb3c94cb6b30fb087824c9c8faae4c758b32c66be9c3320f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
56b252e3e4b27ea663930fb49fd3624c

SHA1
8c7ed5e68b1998d8c8ad11ebab0e3558f4a9bb9e

SHA256
836fb73f2ef4d799942b5e33f7140171f033b55ed92de406f724cde1616dd13f

SHA512
f02ca7baf5f4cbae4e01927e47f5d4995a9399c1f3a812c04a0dfaeea00f621f076973219a7e86ee73905d9bf5fc7f1aec2d2ed44bba8f1aa32ed32fce603182

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f8fccc6d780b93201522f054d6334c94

SHA1
70b8ffcadee72890d51d7751cd4861f5455eb81d

SHA256
d61110779843642e36bc585cd9e2b7152187604f6a73cbc4980688e0b825f727

SHA512
f8ec73126895fdbfb3e364200f16b4a5d62860d7697d2592b84697daf532ebf0148cde569afe623d67806ca32c408b3ad1c2151ca2e952b052b1a92bf606ff79

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ff9b52f4f104d0d78645cc3620972102

SHA1
0089e71014e3fdae783942d013babefb5794cc25

SHA256
332b7efa84ea2ee9994a701a4fcec6942717c6aa1d871fdf1a56723bcac855ea

SHA512
d53034428b5f7a8a022bce89292c665f951d54dbbd513f3f3c3770e8187a2bec7238785cfd7b7051e58d67ea788dc6d2e2b87e8ec8666c603b7bcf3d8402e82b

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
efa3416b1a3ca0acb52ec1b507532a88

SHA1
c9d68783e6e3ae03b5bd5bb52951e9e241ef7e27

SHA256
85020bef4dd37df3404b8dd8cfd4e08c65bbbc0db60d04c25c5a42ef67058e98

SHA512
9e077f187835247ed71b6c32dbe3fe60a7f929b477e7959544a6b8de620e2dc7fdfd6b2b96f19047a3d2ee84242a5b6c49aec6033fc5310703252f63f5fcb015

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
82c2dd15f01246da9a257167b3fa1349

SHA1
88cd5dcd5434a817bdc9ee73f31fbbbb713b3fdb

SHA256
851729e0ac55b17484ff27eff9146942aecd246ffa150f60dd05f7d7e662137d

SHA512
a8555f32c54f062c224bd66b800a30f2452e89922d05d84b26b93acb269e6f7ccd8a0df52cb61b310c8ae1e0133c1bd40ad72d47c06718a501665aacc6836f6b

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a1247e56e50f39559ce5e1c11244a59e

SHA1
1cd2448779a559cf456ac4de5b55ee1d673e86ae

SHA256
70d00fed008f831b37a7fd75850e27d8104e164f54a30a5960181b7d0d2809b1

SHA512
c32fb06df553cf7fc6bbbdfc80606a9afa8c6fc5732f0081cbe2e5f3ff2654543c3d394f00807229182375584eb03be1e74b525fd89acdb7a2135e285dd23007

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
722ac34c791242438cb69a7456736c20

SHA1
6445587a9946390a18ae7ef4e014f0aca23c593e

SHA256
540dcc31bb8ed68ef19216455999f2fb38314f98e311fb1ae040766995dc2ebf

SHA512
8591b835356335813ea069257b5c6c150faa8cd3532797fb4278ea84d8ca38ec73a547bbbbc1f3c5b6fb1d0464c4febcce12a4f4d5d389aad8c8dc7cf727bc06

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
722ac34c791242438cb69a7456736c20

SHA1
6445587a9946390a18ae7ef4e014f0aca23c593e

SHA256
540dcc31bb8ed68ef19216455999f2fb38314f98e311fb1ae040766995dc2ebf

SHA512
8591b835356335813ea069257b5c6c150faa8cd3532797fb4278ea84d8ca38ec73a547bbbbc1f3c5b6fb1d0464c4febcce12a4f4d5d389aad8c8dc7cf727bc06

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
69e7bafd910bf36beb6d5edf2b7e3472

SHA1
228dc6ab7b3e91bba1b78230f57e9870db4c6a08

SHA256
9ae01341d3ef8ea2a83a9be966ad5a9659e4005d641366fe1d6fb5bde26b7030

SHA512
6c5a88a443aef5c4d60aaf7f38d7dc486c9f25492bf3fcf25b4dd745a559aef0f40e0d9b4c5bb0a39302c8635900effc121f84bf5dec436839103ef473a9d1ec

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
3ed7f74bfbc58569f7b0c0afae55342e

SHA1
2dce21df7488790647930b2daaccd15ecec8b281

SHA256
874d7dfcd6a308de4f80c7ea70f4fbf33418e48953f4d7adffc97f4a2ffdec43

SHA512
f343d2095281bae5f67ff5f89cda8bbd3db9d0a9823f0b58dc436ce6846c2fb592d2fb32f8f715379bbf8f4353788492011888ecb49c1dc3f589c508a4fd99a8

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0596a5581f8bb56ad289933cb467be43

SHA1
39bc17d5271c268b1d332ec54e40a7df38ecbcee

SHA256
cb07b755963d1939622cda68c1ff8c6491d788505c6c5d2d4016063bc455aa49

SHA512
6668dae26cfe8458a918738e67d275085ab695ccca9be8e15f73b721a27288f5503f89d4a9607ac0af47eeeb7f02e1f201786cc5af7266ab50779ce4b6839de3

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
21202c92ef4843a1ea7915cee544c3a9

SHA1
78051d706fe7497d2b3df2b5230bd9f50688d463

SHA256
7bbece13756b99bcc7d75665749e9d499679c44fe6d6a1070c9b22d3286332b7

SHA512
f74678cb0f55a6ae47e680b85f58e75cdeec5a28804154b389e69e63eacb505165f384aa7a8410cdc20a26ecb01e576e3faf659e998376375ebd9f1f10170666

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b3b7eec5b4b617d8a3d633917ff08fca

SHA1
606084c6870f653899d688401db7b55ab3be3b34

SHA256
ddc0e73f20ec20fc015c0475519ebf8e3775a7eb4c5a0c2c834911831c0ddb08

SHA512
e6a908b3ceccf10d583c7e2736b863c7da0778c5c04e288e7131bbf8371d37b6e68f286537eac0e264f629cbf7a8002af368d5b49045e1fbf13da777bc756935

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
783e44682e89add68fc97f9c1ede67ae

SHA1
5ae8973adcc6ea4443b4d432e7f23b1f9bff2f75

SHA256
b4919d43d14d478466ece2629a3b78e35693e180542737f6d664e3faa55664ae

SHA512
ff57440e804ed77d9a4211ab5b6f4e569184403cc4e9f365b4791b19b503277ad0993aad405b31b08d636d92698028bcd25c60a37af514c14cc8e60e584e84a3

Download Submit
memory/648-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-74-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/648-69-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/648-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-390-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/648-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-90-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/664-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/664-177-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/664-410-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/664-200-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/664-152-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/664-158-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/664-176-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/852-82-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/852-91-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/852-88-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/852-391-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/896-329-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/896-242-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/896-201-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/960-179-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/960-185-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/960-440-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/960-199-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1320-109-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1424-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1580-139-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1696-110-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1712-411-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1712-481-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1712-163-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1712-172-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1712-171-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1724-119-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1724-128-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1724-141-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1760-216-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1760-443-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1788-127-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1788-131-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1788-122-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1788-137-0x0000000000CA0000-0x0000000000D5C000-memory.dmp

Filesize
752KB

Download
memory/1788-142-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/1788-120-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1788-118-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1808-114-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1924-202-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1924-190-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2012-168-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2044-60-0x0000000007D90000-0x0000000007F4A000-memory.dmp

Filesize
1.7MB

Download
memory/2044-59-0x00000000059C0000-0x0000000005B02000-memory.dmp

Filesize
1.3MB

Download
memory/2044-55-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/2044-54-0x0000000000270000-0x00000000003F2000-memory.dmp

Filesize
1.5MB

Download
memory/2044-58-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2044-56-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2044-57-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/2072-355-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2104-463-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2132-461-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2136-382-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2192-239-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2192-477-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2212-245-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2212-315-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2244-392-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2340-479-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2340-275-0x0000000000590000-0x0000000000799000-memory.dmp

Filesize
2.0MB

Download
memory/2340-533-0x0000000000590000-0x0000000000799000-memory.dmp

Filesize
2.0MB

Download
memory/2340-267-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2424-412-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2424-393-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2440-538-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2440-278-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2480-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2600-447-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2644-321-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2680-327-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2708-408-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2744-430-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2744-409-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2780-342-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2780-331-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2880-354-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2920-449-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2960-364-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2960-356-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download