blustealer | 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097

Analysis

max time kernel
131s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-04-2023 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Size

996KB
MD5

6b5440ea657619e7301f3e923654cb3c
SHA1

1fbafb550989c2c944d3941545b68bd553175704
SHA256

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097
SHA512

a652226f01fdbe1efe10ca765a029fa72a972f04a79b579153e61c3c02fed20bf265293f722a386da3985a152124b2334f140b8620d82862fe2401103f8a2c74
SSDEEP

24576:wxgsRftD0C2nKGe0Djsf9nz4mloFQnpXUMPQDR6q79dA:waSftDnGpDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detects any file with a triage score of 10 19 IoCs

This file has been assigned a triage score of 10, indicating a high likelihood of malicious behavior.

resource	yara_rule
behavioral1/files/0x0006000000014ee5-982.dat	triage_score_10
behavioral1/files/0x0008000000014fff-1039.dat	triage_score_10
behavioral1/files/0x00080000000155fb-1083.dat	triage_score_10
behavioral1/files/0x0008000000015608-1124.dat	triage_score_10
behavioral1/files/0x0008000000015a4b-1163.dat	triage_score_10
behavioral1/files/0x0006000000015c5e-1197.dat	triage_score_10
behavioral1/files/0x0008000000015c6f-1233.dat	triage_score_10
behavioral1/files/0x0008000000015c8a-1270.dat	triage_score_10
behavioral1/files/0x0008000000015ca8-1304.dat	triage_score_10
behavioral1/files/0x0008000000015dab-1339.dat	triage_score_10
behavioral1/files/0x0008000000015e2c-1374.dat	triage_score_10
behavioral1/files/0x0008000000015e79-1415.dat	triage_score_10
behavioral1/files/0x0008000000015e96-1477.dat	triage_score_10
behavioral1/files/0x0008000000015ee4-1527.dat	triage_score_10
behavioral1/files/0x0007000000015ed2-1570.dat	triage_score_10
behavioral1/files/0x0006000000016668-1664.dat	triage_score_10
behavioral1/files/0x0006000000016c3a-1757.dat	triage_score_10
behavioral1/files/0x0008000000016c44-1777.dat	triage_score_10
behavioral1/files/0x0008000000016cba-1810.dat	triage_score_10

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
436	alg.exe
888	aspnet_state.exe
1368	mscorsvw.exe
900	mscorsvw.exe
840	mscorsvw.exe
1536	mscorsvw.exe
1892	dllhost.exe
1612	ehRecvr.exe
1600	ehsched.exe
1244	elevation_service.exe
1548	IEEtwCollector.exe
2016	GROOVE.EXE
1960	maintenanceservice.exe
2084	mscorsvw.exe
2128	msdtc.exe
2292	msiexec.exe
2432	OSE.EXE
2500	mscorsvw.exe
2620	OSPPSVC.EXE
2708	perfhost.exe
2776	locator.exe
2880	snmptrap.exe
2968	mscorsvw.exe
3068	vds.exe
2168	mscorsvw.exe
2328	vssvc.exe
2336	mscorsvw.exe
2084	wbengine.exe
2704	WmiApSrv.exe
2852	mscorsvw.exe
2908	wmpnetwk.exe
3040	mscorsvw.exe
2024	SearchIndexer.exe
2504	mscorsvw.exe
1968	mscorsvw.exe
2556	mscorsvw.exe
2172	mscorsvw.exe
2232	mscorsvw.exe
2744	mscorsvw.exe
1488	mscorsvw.exe
1516	mscorsvw.exe
2308	mscorsvw.exe
1580	mscorsvw.exe
2808	mscorsvw.exe
2848	mscorsvw.exe
2276	mscorsvw.exe
1516	mscorsvw.exe
2876	mscorsvw.exe
1332	mscorsvw.exe
1220	mscorsvw.exe
2168	mscorsvw.exe
2460	mscorsvw.exe
1432	mscorsvw.exe
2596	mscorsvw.exe
1520	mscorsvw.exe
2888	mscorsvw.exe
1568	mscorsvw.exe
1372	mscorsvw.exe
2068	mscorsvw.exe
1636	mscorsvw.exe
1888	mscorsvw.exe
1612	mscorsvw.exe
2000	mscorsvw.exe

Loads dropped DLL 30 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2292	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found
2888	mscorsvw.exe
2888	mscorsvw.exe
1372	mscorsvw.exe
1372	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
2552	mscorsvw.exe
2552	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\msiexec.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\dllhost.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\locator.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\vds.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\wbengine.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a6e46c8247bf3ad0.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\vssvc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2EBF.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP281B.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP24A1.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB19.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP58D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{04C5741B-AE56-4960-8957-07A5735A9FD9}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{04C5741B-AE56-4960-8957-07A5735A9FD9}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1608	ehRec.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: 33	1044	EhTray.exe
Token: SeIncBasePriorityPrivilege	1044	EhTray.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeDebugPrivilege	1608	ehRec.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeRestorePrivilege	2292	msiexec.exe
Token: SeTakeOwnershipPrivilege	2292	msiexec.exe
Token: SeSecurityPrivilege	2292	msiexec.exe
Token: 33	1044	EhTray.exe
Token: SeIncBasePriorityPrivilege	1044	EhTray.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeBackupPrivilege	2328	vssvc.exe
Token: SeRestorePrivilege	2328	vssvc.exe
Token: SeAuditPrivilege	2328	vssvc.exe
Token: SeBackupPrivilege	2084	wbengine.exe
Token: SeRestorePrivilege	2084	wbengine.exe
Token: SeSecurityPrivilege	2084	wbengine.exe
Token: SeManageVolumePrivilege	2024	SearchIndexer.exe
Token: 33	2908	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2908	wmpnetwk.exe
Token: 33	2024	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2024	SearchIndexer.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeDebugPrivilege	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeDebugPrivilege	436	alg.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1044	EhTray.exe
1044	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1044	EhTray.exe
1044	EhTray.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
1952	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1060 wrote to memory of 1360	1060	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1536 wrote to memory of 2084	1536	mscorsvw.exe	43
PID 1536 wrote to memory of 2084	1536	mscorsvw.exe	43
PID 1536 wrote to memory of 2084	1536	mscorsvw.exe	43
PID 1536 wrote to memory of 2500	1536	mscorsvw.exe	47
PID 1536 wrote to memory of 2500	1536	mscorsvw.exe	47
PID 1536 wrote to memory of 2500	1536	mscorsvw.exe	47
PID 840 wrote to memory of 2968	840	mscorsvw.exe	52
PID 840 wrote to memory of 2968	840	mscorsvw.exe	52
PID 840 wrote to memory of 2968	840	mscorsvw.exe	52
PID 840 wrote to memory of 2968	840	mscorsvw.exe	52
PID 840 wrote to memory of 2168	840	mscorsvw.exe	54
PID 840 wrote to memory of 2168	840	mscorsvw.exe	54
PID 840 wrote to memory of 2168	840	mscorsvw.exe	54
PID 840 wrote to memory of 2168	840	mscorsvw.exe	54
PID 840 wrote to memory of 2336	840	mscorsvw.exe	56
PID 840 wrote to memory of 2336	840	mscorsvw.exe	56
PID 840 wrote to memory of 2336	840	mscorsvw.exe	56
PID 840 wrote to memory of 2336	840	mscorsvw.exe	56
PID 840 wrote to memory of 2852	840	mscorsvw.exe	59
PID 840 wrote to memory of 2852	840	mscorsvw.exe	59
PID 840 wrote to memory of 2852	840	mscorsvw.exe	59
PID 840 wrote to memory of 2852	840	mscorsvw.exe	59
PID 840 wrote to memory of 3040	840	mscorsvw.exe	61
PID 840 wrote to memory of 3040	840	mscorsvw.exe	61
PID 840 wrote to memory of 3040	840	mscorsvw.exe	61
PID 840 wrote to memory of 3040	840	mscorsvw.exe	61
PID 840 wrote to memory of 2504	840	mscorsvw.exe	63
PID 840 wrote to memory of 2504	840	mscorsvw.exe	63
PID 840 wrote to memory of 2504	840	mscorsvw.exe	63
PID 840 wrote to memory of 2504	840	mscorsvw.exe	63
PID 2024 wrote to memory of 1952	2024	SearchIndexer.exe	64
PID 2024 wrote to memory of 1952	2024	SearchIndexer.exe	64
PID 2024 wrote to memory of 1952	2024	SearchIndexer.exe	64
PID 2024 wrote to memory of 2388	2024	SearchIndexer.exe	65
PID 2024 wrote to memory of 2388	2024	SearchIndexer.exe	65
PID 2024 wrote to memory of 2388	2024	SearchIndexer.exe	65
PID 840 wrote to memory of 1968	840	mscorsvw.exe	66
PID 840 wrote to memory of 1968	840	mscorsvw.exe	66
PID 840 wrote to memory of 1968	840	mscorsvw.exe	66
PID 840 wrote to memory of 1968	840	mscorsvw.exe	66
PID 840 wrote to memory of 2556	840	mscorsvw.exe	67
PID 840 wrote to memory of 2556	840	mscorsvw.exe	67
PID 840 wrote to memory of 2556	840	mscorsvw.exe	67
PID 840 wrote to memory of 2556	840	mscorsvw.exe	67
PID 840 wrote to memory of 2172	840	mscorsvw.exe	68
PID 840 wrote to memory of 2172	840	mscorsvw.exe	68
PID 840 wrote to memory of 2172	840	mscorsvw.exe	68
PID 840 wrote to memory of 2172	840	mscorsvw.exe	68
PID 840 wrote to memory of 2232	840	mscorsvw.exe	69
PID 840 wrote to memory of 2232	840	mscorsvw.exe	69
PID 840 wrote to memory of 2232	840	mscorsvw.exe	69
PID 840 wrote to memory of 2232	840	mscorsvw.exe	69
PID 840 wrote to memory of 2744	840	mscorsvw.exe	70
PID 840 wrote to memory of 2744	840	mscorsvw.exe	70
PID 840 wrote to memory of 2744	840	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
"C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1360

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1368

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 24c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 24c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 250 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 240 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1e8 -NGENProcess 1d4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 284 -NGENProcess 250 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 240 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 250 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 290 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 290 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 250 -NGENProcess 29c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2b0 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 184 -NGENProcess 1b0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 204 -NGENProcess 1ec -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 1f0 -NGENProcess 20c -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1fc -NGENProcess 1ec -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 210 -NGENProcess 204 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1ec -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 21c -NGENProcess 214 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 210 -NGENProcess 224 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1f0 -NGENProcess 214 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 214 -NGENProcess 220 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 230 -NGENProcess 224 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 238 -NGENProcess 230 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1b0 -NGENProcess 1f0 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 204 -NGENProcess 214 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 234 -NGENProcess 1f0 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1f0 -NGENProcess 240 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 214 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 234 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 150 -NGENProcess 214 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 254 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 224 -NGENProcess 214 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 214 -NGENProcess 250 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 260 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 240 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 25c -Pipe 194 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 254 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 254 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 24c -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 28c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 288 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 294 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 248 -NGENProcess 290 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 27c -NGENProcess 2a8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a0 -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 248 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 248 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 27c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c4 -NGENProcess 2a0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 248 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 27c -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2a0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 248 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 27c -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2a0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2400

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1612

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1548

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2016

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1563773381-2037468142-1146002597-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1563773381-2037468142-1146002597-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b9cab3fbd24aaa054ee448f80ac31bb4

SHA1
76a1ec471cabc87d94f698937d273e608ec0fe01

SHA256
d378fc26e8a9f105bac9f861c81c60ada08fab042952817bde23646d41cea80b

SHA512
911c1e90a541b14cdea9e3cc5f932f6a18e4548172db05cb10471f47d36b3d8576ab07aabef9e431faed5270c61741dfabf2283725b50fce7518299ecc7057aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
98267bc81152e5fd0d62700be1113d18

SHA1
6840b8f7d3ddb1206b9924778f5a0a37fbb6ee66

SHA256
137d7cdec940f2741f19fd80330ebd4719a4643c0943000274ce31c5ea0d9b80

SHA512
6705a901ff83f488955a32abfe8192f8f10c76930773e432ba72cdcc064b941dbcc6cd36093edfddbe9ab595a9d81561ed2079936fb91643fcc624031f02acaa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
eafd6dcba89221c7ca7ca02c0922d73f

SHA1
5c8c88a03cdc0e46fb75e60fc57677cae46270c1

SHA256
c25a948816a4c6df91cb257a300a6fe4b08a060cb4129601b324d8590a50b028

SHA512
d5b1f1bfb84eef367d8bbe690b9d6458a24d16d5f4cdf5be19a39db4a14cf5d96c8eb5bd6afac66a4b2126b6b05d8a4f999b4957dbc6a4f1c89eec62cea72a6b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
605922ac2c58c613a98d6eddd4ec14bb

SHA1
43e4c5bf809e309e93b4b24a8ac7ee2fed0a27f1

SHA256
dbbc8ff47f0b8ef33b9dc91091f880b1f5b29956310d71e8efb730504a74e200

SHA512
f705903b116f8b8b5de65af72a9eaa75751572a18657c0f6fb8e57e02da7dbc3e1dceaeaf32409266417e11018a9376178a45078fe9c3e9e338f89c59a5079f3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b95f0efe6dde0677b5b3a4d688672c54

SHA1
39470c6f5217020279159e036b9a9b8fa3eea9cf

SHA256
0a083664c74e2fa9983f0cf14410372ce2a492dd5996422b8b6ce49b72e18e8d

SHA512
96111fb2998f6b2a92fb4d92e037af26f2edb22e20a1017a8e03415b5f46e62aa0fbce4690bf75fb8b314400fa802710868882996bae2b10ec27d45965dad2f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
61f8e7c1bbe38f5bdfc2cb26e58cc007

SHA1
e1804617b5fe7ea930f43e24fa83f267724be26f

SHA256
5fa80219455736222840ab982c2c06d0a7277feb4f65d651804b050373423f64

SHA512
aacd02b8c585d86b1e98fde132f1d4cb3fe299c292fc99a268fe59d3c77bca11698f8cef51cf0b14cfa84955a641f83773149d9840d3aaa2c4d603abccf76530

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
db00eba02cdd2eadb056f64e63d3f6e4

SHA1
793ff1fb71239093af61d34f5e69ac1550842482

SHA256
1def3fabc184cc09761c5987a01358840cf126b30a17d3bacbd5906275c94f44

SHA512
b2504024342805748bcbe54b21d664560df24470b121115b6af0770ef44fc14193e4d19f0fe01f23be7451fdca85e61397c9746edcbddf2e7650e62c8f9065a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
30c75a6def85c8e374f433d3a7b6954f

SHA1
038c699cb7d864f194f6d5ad1a0ade35f4754a78

SHA256
a0eeab22f80cc014e1c843a06f0808ca9fa492a3d0cb30da9419afd0070680cf

SHA512
7e83b4a1a9a3b5a1e17199f8d6f0a8b8761fe170778515b923ec34a8ea8b2610bbd1c79d4a83b2a6652f2d7560684622178d04dd3a3aa18d974e6dc1cf8ceed9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
30c75a6def85c8e374f433d3a7b6954f

SHA1
038c699cb7d864f194f6d5ad1a0ade35f4754a78

SHA256
a0eeab22f80cc014e1c843a06f0808ca9fa492a3d0cb30da9419afd0070680cf

SHA512
7e83b4a1a9a3b5a1e17199f8d6f0a8b8761fe170778515b923ec34a8ea8b2610bbd1c79d4a83b2a6652f2d7560684622178d04dd3a3aa18d974e6dc1cf8ceed9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4cf6cae45e870b91ab9c155a34661ade

SHA1
55403e87d86359c82aed65bf476e85ec9731572a

SHA256
cacd9ce4473383d8f5ab469e4239d1721208d32e7250d130d76e3ab2f8b02f77

SHA512
8f38aed187e90902e4d5d6375519826a049e865ed08e581973f5989799923e488b1d926213444f83a115cbc56eed78d3d1c3a742626eff1dfd49568dee19ad19

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
a3c78ffb38650e0b793c3a282c10f729

SHA1
5617ad3b7900c2e3b61319fa61cc9a00b4abdf4c

SHA256
93c9948174a836dd2bbde02d787d7c917a39374594328cca9cea78cbf5dcde5a

SHA512
7eb53c2b2866c15a60d2d2ea8ad1d904fb96257c0a772fc90344a371aa759a013b4b4a1305d0d9cadadb53dd8a12d3c4911a590d440f7a3c04b5900966b40462

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
22334ce405ed4f5176f903e34a65a10c

SHA1
5948041c133ed4d71cec4f94a5facad8efc388e3

SHA256
09a99f1f1b599517bec0f5e28a1115d074c851f02e46a9e418348f6801a971e3

SHA512
a71f819ee671bd2435208fdbf19bafff75c12ce0fd271b917f7efe5eba78e259696e17afcacecc57b7924becd5bfdd9fb0bfcd91faf048aaae8495c6b402e3c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
22334ce405ed4f5176f903e34a65a10c

SHA1
5948041c133ed4d71cec4f94a5facad8efc388e3

SHA256
09a99f1f1b599517bec0f5e28a1115d074c851f02e46a9e418348f6801a971e3

SHA512
a71f819ee671bd2435208fdbf19bafff75c12ce0fd271b917f7efe5eba78e259696e17afcacecc57b7924becd5bfdd9fb0bfcd91faf048aaae8495c6b402e3c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
22334ce405ed4f5176f903e34a65a10c

SHA1
5948041c133ed4d71cec4f94a5facad8efc388e3

SHA256
09a99f1f1b599517bec0f5e28a1115d074c851f02e46a9e418348f6801a971e3

SHA512
a71f819ee671bd2435208fdbf19bafff75c12ce0fd271b917f7efe5eba78e259696e17afcacecc57b7924becd5bfdd9fb0bfcd91faf048aaae8495c6b402e3c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
22334ce405ed4f5176f903e34a65a10c

SHA1
5948041c133ed4d71cec4f94a5facad8efc388e3

SHA256
09a99f1f1b599517bec0f5e28a1115d074c851f02e46a9e418348f6801a971e3

SHA512
a71f819ee671bd2435208fdbf19bafff75c12ce0fd271b917f7efe5eba78e259696e17afcacecc57b7924becd5bfdd9fb0bfcd91faf048aaae8495c6b402e3c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
62f717ba295b67c2116bb9b1b51f0173

SHA1
d4bcc04328ebb22564fcf2c780bcffd891ee36bb

SHA256
b4e60a6982c857499b13c1c975695e1a526ba00bb002d6fa78954740970f64a3

SHA512
20ddbf92b97e3e5f22057d6792ce99b49ce063c28f9ada6913a9006de6144aa569671ee37f0004580ec7696bf5911e7c77c459e6151aba51bc8a46271b376334

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f30fbce3a09fa33580971c2c9bcb0d94

SHA1
2a4d0b908a4651d75ebc04842899de173f31f85e

SHA256
6dcaa6c0a53b776350437a69170fd406bac809e42a42ff089469763c28abbbfb

SHA512
ac2ad030c267e463c355b7e97e42c65bf496740b52a094ee1bbdcd0078cf103e6d18c3ad576ee75085a55fd183ce5bc5f9d6010aead3b0524d4e507a31776e5e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f30fbce3a09fa33580971c2c9bcb0d94

SHA1
2a4d0b908a4651d75ebc04842899de173f31f85e

SHA256
6dcaa6c0a53b776350437a69170fd406bac809e42a42ff089469763c28abbbfb

SHA512
ac2ad030c267e463c355b7e97e42c65bf496740b52a094ee1bbdcd0078cf103e6d18c3ad576ee75085a55fd183ce5bc5f9d6010aead3b0524d4e507a31776e5e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
6c827cad72f3401c157610d2cd2bda7f

SHA1
fe1f3e959fac4f1a0b0574d279c430df0954ea98

SHA256
ce85c8268db6cdde625a770f3009e68deffa539ea55980a6988e74dfbccaaaac

SHA512
53e507528bb77052575da793587a74f564ce74375fe9dad6d3e36db16297e04525b81bd5254000a90ffbc746a5403e209f9452cdf5a1c0fb7cfdf00e69afee90

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ee996a63d5fcbfcbe5a9343a7c7e733c

SHA1
e0ff46ec849b2662d3b77e3b0216dbfc1ceee87b

SHA256
b57c66eb49e33f665478679043a6a153336ed99e86089a3580fe8643b9337d6e

SHA512
6ae0816825700d3606545e4f27b3df70a857d54a5eb8cf95357f9802d049fab91e36f93b183921f5aced69ed739a16b8a8a7b5f885c1574c16d65c42b5013307

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b6fe090f1d9dab051885f7b865434a42

SHA1
a5daa7f179872e49fcb7e5d83160d676be604973

SHA256
f87362f6583e54f1b4f07736537ece74c5592b0e362718ad9230f2d94668dfe0

SHA512
0fc9b001ec2af5346e894d7fcf9da7436edf5fbb58f22e1bd1c3dae69db667ac7f982436f721f4610df258b0cc21f343329865f8f5336a6bdb6a8a67d5c3e912

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2965d75e75bd3d75614843cb5674494f

SHA1
1f5b5f25eaf3dffb2077a4897bdce44edeb3a28b

SHA256
c74a96aed9292652464b1e1b78e656c47264b325ebc34de4aa83e47d799da47d

SHA512
58332cb88c10ea20fdbf7b8fc099362070cdfd266b792dc91f5b82bc9e59f1ebf714d610e9e63dd2e0834381c93c24f8dbc7fb7415e90a623b025403f85bdbc8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
bb816d15174cbdf2f59612bead2feec8

SHA1
05099feaaaff0482dedb845f0e745e4ad3739eb3

SHA256
68fa96e79074cafe54b98626cdba6d6ec640a6b6620a1d322cf9c166e5741028

SHA512
8430f81f055d41bca7edf5a9cf737ad5c8dfc0f2e2b6477b5f1cc947be96127394468d948ddee71c30d685ec35f245ab72552bda9c6bc4c83800b45f4c84a7ef

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
ddcfb2ce151707bd4cc90cf95805006c

SHA1
7fe41a9c9862c33c5143aa28f2e5af89901728ee

SHA256
01f796a11442627c9ee0a544d4571b36abd8756d053eefe030451a157efb4f25

SHA512
27bef1fac8072f57c44cbc3a869b8c349899874979d1dafe588bc9876db39164bbe9b2f713422ba87d5e0b315c449214e651fb2ed1f55393863baa69dfc67aaf

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ed647ce85a418e823c68814aad0d6ef1

SHA1
106fb67bf0213a37d4d29fe272ae8177a2a66682

SHA256
cdca80fe6dcdc11e26d4e78f5e3d14098d6937452b652c0164a1168f543cbec2

SHA512
66febf5f25471cecd5205c334bad37427ed22d7e9827e046e8de998f34758cda0595dcc4cd76a8142543353dde3dd54250756619598e2bac892ece5c46f779fd

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
62bd26687dcdf0aa2a9fb75454e2d053

SHA1
6ac61448c48adb7fb032a942c4380793fc7e71b5

SHA256
67b460cc5e3961f47421903146097e455fe6e22f0c5bb76bd27bdc612ddc9980

SHA512
bcd289d8d2a04d4e5facbdff87ed01e71cc0c77340cb828addf22c716fe62b1edad5f096bfcd360ed55f36673a34347bbc88f297eda53387f9dd7029369147f3

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
790afcd7763619295a28d60216a3e6d4

SHA1
9e7d9ec2ab030141d53050605c9e707d203bfccc

SHA256
3ff383c71867eceac491e7c34b293bcfe9b93be050b7d8dd51a2e27228057607

SHA512
ff6d855b30e4cdb78854ef3efa0dc450fd8ed8d2c0526a9a72d9722ef78abbd70c6a2e2e585ae12547b30c969bbae480b9d072ff66dfc1ddd6310e2fba5a5a21

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1a15d1c88384d70a14774666b6fa9580

SHA1
e74ffc8a8c5f60225c1ad86537e972e5dd7616e8

SHA256
4951d29a69fa278a2d2f4d26cb9fa1b81d9beeaed111cd056f209b27c2c58043

SHA512
01b7af15bb94c3ce4a57b1e3a454a2cbd1681f3ff3d13853065b9e016fc267a11de65268ffd9404d0781bef7bb786f668dfb71f7d1101df2adddf314b9fbb750

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0bc72dbbf5fa18588eef964a1764d25f

SHA1
e6a5c7db6f3e6a069c81c45597745f7fe0c83da0

SHA256
fb7e5ea72f92caa91d7f8a5839e256461626a41e0430ce7df92eee26e0ce022f

SHA512
80b54c69a38b0f5bf325b7ae49493d96b5d42c5f3f1cb586bc36d9c168cdd94cc84475d643038c3a5bf147004c2077046b927363dc64d709113a2042ad91b82c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0263e96c041317711293b53f64f22356

SHA1
ca6b1ea508ec2b044982b1328b4285b0043bac2c

SHA256
70fadf247050817f8c8407366db725f2d2ee16e5ba7a158ecfcc551f52ba0a7e

SHA512
983adb3cdc7c100b10272a4909def265a8e4c555d7378763e81f739e5ff064a5608ff252e692f4660deb3eda0cd891d2f5705f3103595367df8c4c0bef4347f9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a04410d13ae2d60e77a136a57356c09c

SHA1
ceee261a62350f1ae6b99e17281e6d6283fdce5f

SHA256
01ca1a385881311a1ea57e833900d540581d33bb13b8a9b70c5e8ac6ec2fead9

SHA512
e1fbfd1146a4b50948adcde22aadd5adebd84554b664c8ff0d41eaf44e26ae19af3ac8651dd948ef44a56e067528c71aca83db0899facf8f150d16d263226d3d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
afee84d50ddcbb524b9f4b9034c04d32

SHA1
a3a5634841d70f741b5daee15c935b8ea0668ab9

SHA256
0f030bb3c3c243d36430f4fd285c1b87895b1ea764587aab6265b786dde240ec

SHA512
da42c5f092a1493151401d7d771973e2e9291cb152fc1d19f6cc53fa6a72235b0559a9f94577e5632f5ddc55026d70cf27376be5f1cfaebe0d2a787cdd23b652

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
ade4baafad8975629d31dab3fe244560

SHA1
19c25dee00e92c4d2b989d3734f96e337e01dc87

SHA256
4105b1e4d485a74f41fa1d44afd398c6f01b8f94c876197ef17ef73a6ee76c0a

SHA512
75551f9b4a36ebfe5dabcb805c843689a83de818d1917e9bda24461a7c392d6162954894d27f2a0abfcab047d38f2c3a28e6760d57a2da65e7ef6fbf66164d52

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7c932d4caf0a8d523e1f5bf408e00067\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
6707687108dd3a9eea7c62103a864acc

SHA1
d3e8e263d620ab9dcaf4cabbc0c896964839df28

SHA256
e26c9f9bd847b08ae764c3cb51e6653970e6695ae33140a7b7194da741f99c9c

SHA512
3f4f20cd3505e7378a56c81dc1fca47cedc97ebe54d5cf7d2dd54c0767a266187007ed60d32759cf943e6fbbadcc0162bacf2ef024d47376c450badee9b1d859

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\946c56ed3a3b728166589c730c311c80\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
d09812092df7c9175abdb035013a8484

SHA1
f4dc91b4996014aa9b43915a7a590a1d7e891ec6

SHA256
fbce3688645f1ac9a4e40c2981cee6074107ae77cb5bc065ff36daa07dea74f7

SHA512
1914f85534dbeaf5eaff476cc8390a9351e9116a4dd1c379684b7b4f34128c3fd38fe5add089d2c1e8e0405177b55db3189d8b54bb2bf0247e3e705c6ad59b4c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9b59905a786b62e9e0aec2cfe9cb7bc1\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
dff3bfa6c2aacd963cf135614c978987

SHA1
76585612bfd107d8668c9ec4da7423b698c7c7b9

SHA256
e7b266f6a5add363135f2710a770e279fa5d64fa13b69a1ebdc8c223e08f6278

SHA512
7534849749326418e320990f1c24847bd9585677ae4dfffb67a133bb4b73a4c7c64004d4519fd435554e1a89fe0ac71b30a08b753d408d2691e05a4f5169f5dc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ee561588999dfbc2e39473b41d99954a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
eb9fbc43539e6fe47f50110c4dbd63d0

SHA1
2b5ee2666c05dbf863f6b8cefb7d66b96ca8e882

SHA256
8d382194c2bd1ab67daee7e465281c4cbe4757b8fcc3908be4fdaf6a33733e81

SHA512
c6e35d860f91ada197aec69673fed6a174c4b8dd91e4f73f8fff9b82be89dfd794088fe1fc2652ec6499e973f7feef40733e590857876bd60256606410b16643

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
248914ac5c176cabe3e8e26c00614dd3

SHA1
762ee9b82ac8c7e202d354c050609251f1da4394

SHA256
68303cae59cc5020033d013ef26ea12e91598dd71dce4127f55fce320ae92cd1

SHA512
9fb48fa3900a383f1220b521a189ac0f8a2cf2c6199ddb9946223a45ec41f94e2ebc4701a65f42aa4f34831f163e13bc7cb5fb6a7913964e15ea37efe592002c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
78dc12bdb6c1d4f75e97cd442198f9cc

SHA1
36e8fa03013fc3b7183ca52231a7566f31223a28

SHA256
aa43dec59a982257e75d23eedb8135f174153d38423e76e7b0771de82630d9fb

SHA512
8a2ef8bb82d169592228ff832f71904e88eedb7cec47be29987dbfc5208ed02d1345b97751f760197a1145e398374d53dad60e9d1b09da0e7ef97b4630b48f7d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
0bc72dbbf5fa18588eef964a1764d25f

SHA1
e6a5c7db6f3e6a069c81c45597745f7fe0c83da0

SHA256
fb7e5ea72f92caa91d7f8a5839e256461626a41e0430ce7df92eee26e0ce022f

SHA512
80b54c69a38b0f5bf325b7ae49493d96b5d42c5f3f1cb586bc36d9c168cdd94cc84475d643038c3a5bf147004c2077046b927363dc64d709113a2042ad91b82c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
61f8e7c1bbe38f5bdfc2cb26e58cc007

SHA1
e1804617b5fe7ea930f43e24fa83f267724be26f

SHA256
5fa80219455736222840ab982c2c06d0a7277feb4f65d651804b050373423f64

SHA512
aacd02b8c585d86b1e98fde132f1d4cb3fe299c292fc99a268fe59d3c77bca11698f8cef51cf0b14cfa84955a641f83773149d9840d3aaa2c4d603abccf76530

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
61f8e7c1bbe38f5bdfc2cb26e58cc007

SHA1
e1804617b5fe7ea930f43e24fa83f267724be26f

SHA256
5fa80219455736222840ab982c2c06d0a7277feb4f65d651804b050373423f64

SHA512
aacd02b8c585d86b1e98fde132f1d4cb3fe299c292fc99a268fe59d3c77bca11698f8cef51cf0b14cfa84955a641f83773149d9840d3aaa2c4d603abccf76530

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
30c75a6def85c8e374f433d3a7b6954f

SHA1
038c699cb7d864f194f6d5ad1a0ade35f4754a78

SHA256
a0eeab22f80cc014e1c843a06f0808ca9fa492a3d0cb30da9419afd0070680cf

SHA512
7e83b4a1a9a3b5a1e17199f8d6f0a8b8761fe170778515b923ec34a8ea8b2610bbd1c79d4a83b2a6652f2d7560684622178d04dd3a3aa18d974e6dc1cf8ceed9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
a3c78ffb38650e0b793c3a282c10f729

SHA1
5617ad3b7900c2e3b61319fa61cc9a00b4abdf4c

SHA256
93c9948174a836dd2bbde02d787d7c917a39374594328cca9cea78cbf5dcde5a

SHA512
7eb53c2b2866c15a60d2d2ea8ad1d904fb96257c0a772fc90344a371aa759a013b4b4a1305d0d9cadadb53dd8a12d3c4911a590d440f7a3c04b5900966b40462

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2965d75e75bd3d75614843cb5674494f

SHA1
1f5b5f25eaf3dffb2077a4897bdce44edeb3a28b

SHA256
c74a96aed9292652464b1e1b78e656c47264b325ebc34de4aa83e47d799da47d

SHA512
58332cb88c10ea20fdbf7b8fc099362070cdfd266b792dc91f5b82bc9e59f1ebf714d610e9e63dd2e0834381c93c24f8dbc7fb7415e90a623b025403f85bdbc8

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ed647ce85a418e823c68814aad0d6ef1

SHA1
106fb67bf0213a37d4d29fe272ae8177a2a66682

SHA256
cdca80fe6dcdc11e26d4e78f5e3d14098d6937452b652c0164a1168f543cbec2

SHA512
66febf5f25471cecd5205c334bad37427ed22d7e9827e046e8de998f34758cda0595dcc4cd76a8142543353dde3dd54250756619598e2bac892ece5c46f779fd

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
62bd26687dcdf0aa2a9fb75454e2d053

SHA1
6ac61448c48adb7fb032a942c4380793fc7e71b5

SHA256
67b460cc5e3961f47421903146097e455fe6e22f0c5bb76bd27bdc612ddc9980

SHA512
bcd289d8d2a04d4e5facbdff87ed01e71cc0c77340cb828addf22c716fe62b1edad5f096bfcd360ed55f36673a34347bbc88f297eda53387f9dd7029369147f3

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
790afcd7763619295a28d60216a3e6d4

SHA1
9e7d9ec2ab030141d53050605c9e707d203bfccc

SHA256
3ff383c71867eceac491e7c34b293bcfe9b93be050b7d8dd51a2e27228057607

SHA512
ff6d855b30e4cdb78854ef3efa0dc450fd8ed8d2c0526a9a72d9722ef78abbd70c6a2e2e585ae12547b30c969bbae480b9d072ff66dfc1ddd6310e2fba5a5a21

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1a15d1c88384d70a14774666b6fa9580

SHA1
e74ffc8a8c5f60225c1ad86537e972e5dd7616e8

SHA256
4951d29a69fa278a2d2f4d26cb9fa1b81d9beeaed111cd056f209b27c2c58043

SHA512
01b7af15bb94c3ce4a57b1e3a454a2cbd1681f3ff3d13853065b9e016fc267a11de65268ffd9404d0781bef7bb786f668dfb71f7d1101df2adddf314b9fbb750

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0bc72dbbf5fa18588eef964a1764d25f

SHA1
e6a5c7db6f3e6a069c81c45597745f7fe0c83da0

SHA256
fb7e5ea72f92caa91d7f8a5839e256461626a41e0430ce7df92eee26e0ce022f

SHA512
80b54c69a38b0f5bf325b7ae49493d96b5d42c5f3f1cb586bc36d9c168cdd94cc84475d643038c3a5bf147004c2077046b927363dc64d709113a2042ad91b82c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0bc72dbbf5fa18588eef964a1764d25f

SHA1
e6a5c7db6f3e6a069c81c45597745f7fe0c83da0

SHA256
fb7e5ea72f92caa91d7f8a5839e256461626a41e0430ce7df92eee26e0ce022f

SHA512
80b54c69a38b0f5bf325b7ae49493d96b5d42c5f3f1cb586bc36d9c168cdd94cc84475d643038c3a5bf147004c2077046b927363dc64d709113a2042ad91b82c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0263e96c041317711293b53f64f22356

SHA1
ca6b1ea508ec2b044982b1328b4285b0043bac2c

SHA256
70fadf247050817f8c8407366db725f2d2ee16e5ba7a158ecfcc551f52ba0a7e

SHA512
983adb3cdc7c100b10272a4909def265a8e4c555d7378763e81f739e5ff064a5608ff252e692f4660deb3eda0cd891d2f5705f3103595367df8c4c0bef4347f9

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a04410d13ae2d60e77a136a57356c09c

SHA1
ceee261a62350f1ae6b99e17281e6d6283fdce5f

SHA256
01ca1a385881311a1ea57e833900d540581d33bb13b8a9b70c5e8ac6ec2fead9

SHA512
e1fbfd1146a4b50948adcde22aadd5adebd84554b664c8ff0d41eaf44e26ae19af3ac8651dd948ef44a56e067528c71aca83db0899facf8f150d16d263226d3d

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
afee84d50ddcbb524b9f4b9034c04d32

SHA1
a3a5634841d70f741b5daee15c935b8ea0668ab9

SHA256
0f030bb3c3c243d36430f4fd285c1b87895b1ea764587aab6265b786dde240ec

SHA512
da42c5f092a1493151401d7d771973e2e9291cb152fc1d19f6cc53fa6a72235b0559a9f94577e5632f5ddc55026d70cf27376be5f1cfaebe0d2a787cdd23b652

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
ade4baafad8975629d31dab3fe244560

SHA1
19c25dee00e92c4d2b989d3734f96e337e01dc87

SHA256
4105b1e4d485a74f41fa1d44afd398c6f01b8f94c876197ef17ef73a6ee76c0a

SHA512
75551f9b4a36ebfe5dabcb805c843689a83de818d1917e9bda24461a7c392d6162954894d27f2a0abfcab047d38f2c3a28e6760d57a2da65e7ef6fbf66164d52

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
248914ac5c176cabe3e8e26c00614dd3

SHA1
762ee9b82ac8c7e202d354c050609251f1da4394

SHA256
68303cae59cc5020033d013ef26ea12e91598dd71dce4127f55fce320ae92cd1

SHA512
9fb48fa3900a383f1220b521a189ac0f8a2cf2c6199ddb9946223a45ec41f94e2ebc4701a65f42aa4f34831f163e13bc7cb5fb6a7913964e15ea37efe592002c

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
78dc12bdb6c1d4f75e97cd442198f9cc

SHA1
36e8fa03013fc3b7183ca52231a7566f31223a28

SHA256
aa43dec59a982257e75d23eedb8135f174153d38423e76e7b0771de82630d9fb

SHA512
8a2ef8bb82d169592228ff832f71904e88eedb7cec47be29987dbfc5208ed02d1345b97751f760197a1145e398374d53dad60e9d1b09da0e7ef97b4630b48f7d

Download Submit
memory/436-68-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/436-74-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/436-80-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/840-110-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/840-115-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/840-130-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/888-285-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/888-81-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/900-107-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1060-54-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/1060-59-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/1060-65-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/1244-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1244-164-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1244-170-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1360-129-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1360-131-0x0000000004880000-0x000000000493C000-memory.dmp

Filesize
752KB

Download
memory/1360-85-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1360-86-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1360-90-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1360-88-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1360-84-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1368-106-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1536-128-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1548-675-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1548-186-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1548-181-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1600-630-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1600-340-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1600-159-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1600-156-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1600-150-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1608-287-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1608-251-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1608-185-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1612-161-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1612-332-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1612-143-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1612-147-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1612-160-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1612-183-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1612-137-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1892-146-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1960-237-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1960-226-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1968-621-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2016-189-0x0000000000AC0000-0x0000000000B26000-memory.dmp

Filesize
408KB

Download
memory/2016-200-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2024-449-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2084-227-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2084-274-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2084-407-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2128-233-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2128-446-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2168-382-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2172-664-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2172-641-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2232-677-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2232-686-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2292-253-0x0000000000550000-0x0000000000759000-memory.dmp

Filesize
2.0MB

Download
memory/2292-468-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2292-470-0x0000000000550000-0x0000000000759000-memory.dmp

Filesize
2.0MB

Download
memory/2292-252-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2328-383-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2336-384-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2336-420-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2432-269-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2500-271-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2500-313-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2504-597-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2504-566-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2556-655-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2620-648-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2620-286-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2704-408-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2708-314-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2776-315-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2852-439-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2880-336-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2908-445-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2968-361-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2968-337-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3040-531-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3040-451-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3068-341-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download