blustealer | dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.6MB
MD5

e90e41677f6030ffc3eac62929ced1d9
SHA1

edb0a2acdec33328a864ac178bfb0b42a2e0d444
SHA256

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
SHA512

a2e20c8b160c366baed60adca173587e5c3b94b811f4f52ac3aaab01a0301716e30cc7c7d2a426ee32a6df651021717e4fe097073610860a949e7933468e10fa
SSDEEP

24576:KRKQxWUF61/J27K4mgZB67gTsD6RROjiDefziWX2GDjGBXtnZYx:K4QcUFO34mg367gTOwMMohjw9Z+

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 41 IoCs

pid	Process
460	Process not Found
1460	alg.exe
892	aspnet_state.exe
1912	mscorsvw.exe
956	mscorsvw.exe
1828	mscorsvw.exe
1184	mscorsvw.exe
1484	dllhost.exe
1108	ehRecvr.exe
692	ehsched.exe
520	mscorsvw.exe
1756	elevation_service.exe
2004	mscorsvw.exe
1836	IEEtwCollector.exe
2116	GROOVE.EXE
2216	maintenanceservice.exe
2304	msdtc.exe
2432	msiexec.exe
2536	OSE.EXE
2588	OSPPSVC.EXE
2732	perfhost.exe
2784	locator.exe
2808	mscorsvw.exe
2928	snmptrap.exe
3052	mscorsvw.exe
3040	vds.exe
2360	vssvc.exe
2484	mscorsvw.exe
2596	wbengine.exe
2780	WmiApSrv.exe
2888	mscorsvw.exe
3032	wmpnetwk.exe
1832	SearchIndexer.exe
2300	mscorsvw.exe
2904	mscorsvw.exe
2960	mscorsvw.exe
2132	mscorsvw.exe
316	mscorsvw.exe
1168	mscorsvw.exe
2208	mscorsvw.exe
3064	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2432	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\58c26cae826a969e.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 1260	1756	Quote 1345 rev.3.exe	28
PID 1260 set thread context of 280	1260	Quote 1345 rev.3.exe	32

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0E424906-E1B1-45F4-9C81-644E0F1C6929}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0E424906-E1B1-45F4-9C81-644E0F1C6929}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{88A3483D-1D7E-4570-A5CC-1E0ADCAB03F2}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{88A3483D-1D7E-4570-A5CC-1E0ADCAB03F2}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1832	ehRec.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe
1260	Quote 1345 rev.3.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1260	Quote 1345 rev.3.exe
Token: SeShutdownPrivilege	1828	mscorsvw.exe
Token: SeShutdownPrivilege	1184	mscorsvw.exe
Token: SeShutdownPrivilege	1828	mscorsvw.exe
Token: SeShutdownPrivilege	1184	mscorsvw.exe
Token: SeShutdownPrivilege	1184	mscorsvw.exe
Token: SeShutdownPrivilege	1184	mscorsvw.exe
Token: SeShutdownPrivilege	1828	mscorsvw.exe
Token: SeShutdownPrivilege	1828	mscorsvw.exe
Token: 33	512	EhTray.exe
Token: SeIncBasePriorityPrivilege	512	EhTray.exe
Token: SeDebugPrivilege	1832	ehRec.exe
Token: 33	512	EhTray.exe
Token: SeIncBasePriorityPrivilege	512	EhTray.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeSecurityPrivilege	2432	msiexec.exe
Token: SeShutdownPrivilege	1184	mscorsvw.exe
Token: SeBackupPrivilege	2360	vssvc.exe
Token: SeRestorePrivilege	2360	vssvc.exe
Token: SeAuditPrivilege	2360	vssvc.exe
Token: SeBackupPrivilege	2596	wbengine.exe
Token: SeRestorePrivilege	2596	wbengine.exe
Token: SeSecurityPrivilege	2596	wbengine.exe
Token: 33	3032	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3032	wmpnetwk.exe
Token: SeDebugPrivilege	1260	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1260	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1260	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1260	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1260	Quote 1345 rev.3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
512	EhTray.exe
512	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
512	EhTray.exe
512	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	Quote 1345 rev.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1756 wrote to memory of 1260	1756	Quote 1345 rev.3.exe	28
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1260 wrote to memory of 280	1260	Quote 1345 rev.3.exe	32
PID 1184 wrote to memory of 520	1184	mscorsvw.exe	40
PID 1184 wrote to memory of 520	1184	mscorsvw.exe	40
PID 1184 wrote to memory of 520	1184	mscorsvw.exe	40
PID 1184 wrote to memory of 2004	1184	mscorsvw.exe	43
PID 1184 wrote to memory of 2004	1184	mscorsvw.exe	43
PID 1184 wrote to memory of 2004	1184	mscorsvw.exe	43
PID 1828 wrote to memory of 2808	1828	mscorsvw.exe	53
PID 1828 wrote to memory of 2808	1828	mscorsvw.exe	53
PID 1828 wrote to memory of 2808	1828	mscorsvw.exe	53
PID 1828 wrote to memory of 2808	1828	mscorsvw.exe	53
PID 1828 wrote to memory of 3052	1828	mscorsvw.exe	56
PID 1828 wrote to memory of 3052	1828	mscorsvw.exe	56
PID 1828 wrote to memory of 3052	1828	mscorsvw.exe	56
PID 1828 wrote to memory of 3052	1828	mscorsvw.exe	56
PID 1828 wrote to memory of 2484	1828	mscorsvw.exe	58
PID 1828 wrote to memory of 2484	1828	mscorsvw.exe	58
PID 1828 wrote to memory of 2484	1828	mscorsvw.exe	58
PID 1828 wrote to memory of 2484	1828	mscorsvw.exe	58
PID 1828 wrote to memory of 2888	1828	mscorsvw.exe	61
PID 1828 wrote to memory of 2888	1828	mscorsvw.exe	61
PID 1828 wrote to memory of 2888	1828	mscorsvw.exe	61
PID 1828 wrote to memory of 2888	1828	mscorsvw.exe	61
PID 1828 wrote to memory of 2300	1828	mscorsvw.exe	64
PID 1828 wrote to memory of 2300	1828	mscorsvw.exe	64
PID 1828 wrote to memory of 2300	1828	mscorsvw.exe	64
PID 1828 wrote to memory of 2300	1828	mscorsvw.exe	64
PID 1828 wrote to memory of 2904	1828	mscorsvw.exe	65
PID 1828 wrote to memory of 2904	1828	mscorsvw.exe	65
PID 1828 wrote to memory of 2904	1828	mscorsvw.exe	65
PID 1828 wrote to memory of 2904	1828	mscorsvw.exe	65
PID 1828 wrote to memory of 2960	1828	mscorsvw.exe	66
PID 1828 wrote to memory of 2960	1828	mscorsvw.exe	66
PID 1828 wrote to memory of 2960	1828	mscorsvw.exe	66
PID 1828 wrote to memory of 2960	1828	mscorsvw.exe	66
PID 1828 wrote to memory of 2132	1828	mscorsvw.exe	67
PID 1828 wrote to memory of 2132	1828	mscorsvw.exe	67
PID 1828 wrote to memory of 2132	1828	mscorsvw.exe	67
PID 1828 wrote to memory of 2132	1828	mscorsvw.exe	67
PID 1828 wrote to memory of 316	1828	mscorsvw.exe	68
PID 1828 wrote to memory of 316	1828	mscorsvw.exe	68
PID 1828 wrote to memory of 316	1828	mscorsvw.exe	68
PID 1828 wrote to memory of 316	1828	mscorsvw.exe	68
PID 1828 wrote to memory of 1168	1828	mscorsvw.exe	69
PID 1828 wrote to memory of 1168	1828	mscorsvw.exe	69
PID 1828 wrote to memory of 1168	1828	mscorsvw.exe	69
PID 1828 wrote to memory of 1168	1828	mscorsvw.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:280

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e0 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e0 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1ac -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 254 -NGENProcess 270 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 23c -NGENProcess 184 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 254 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1e0 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1484

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1108

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:692

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:512

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2304

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2536

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2588

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0937d934158bd2b6d4a0aba6790f872b

SHA1
6fc7aac45abb9c94fdeb5e8466a19b17e3af4261

SHA256
3cf648df2ffb1228b2e5eb50e55b9f033ae4f42b27ed610dd7bff76ea32abc90

SHA512
7b64eecc98936d519fbf7a899dee4f1d2053eaa2640c01767f9b889e127ae2ea88400e0c85481a2d11789877493433bfa79aece5afb124169b091b4f93e6b0b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
35a561c70cbeebc858afdabea0dbc8b8

SHA1
b2aed4ec03368380c09f06cb1fa980bdbf506548

SHA256
4e9906ae6683430bbeb112a9f28d458c8ade6fe9a07428fa7e9329eb0977311d

SHA512
ff489b33c44ab503f331936203b04e073497f159e1f870bfa0f9dbd281665eb6012802ef8b4082b8a6930bb454858e66bc2254062380054052145332330b3e40

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fbc4907093e075d7f9a6ea0e034f6490

SHA1
27523202a4f1cf77f38ce3a9250eb40bfa1bfe86

SHA256
18812d4dbc57a4860d2df873fff241811694b05d08f6c74ee970ed322f7319bd

SHA512
17fda6658812126d9b3cc2b7fa0d92d125e3122048118f433100043dce4adc330698c2b6697ee999962459281ebfe44eaa7c882e6e910ca157bc52a30bbba954

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c44bd01bbf83dcec2c6c3e16ef6c6e46

SHA1
b222ca9d4b3aeff24a73b062cfb533c6d919f728

SHA256
907326ce7cbc9b38d339ac2330b2026d2690583edc38e4f18fcdca289d20f4e2

SHA512
8e6b649e48f3f1344e32d5332df0f2e2d5aae3dfe28d627c09d7ea4b3a1d4702ba0a3d872eecd2b62768d990b7030f1020936d70b691f143c5dc35836b86e4a7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4e00854b8daefe694ddf4a3ebc7d5770

SHA1
e2e37bbe209de887c91fa9189514b8b67db2ca26

SHA256
5ee2166fd7d989a6a96347250d7a44df4e2bd9e60f39c887bb17994bbac6e752

SHA512
449fe627fe5b4ed9e4d2d651741a12394bb2b96d36806d5dddef8cc69ea52add69c28f570db22634bb136ef34274beb9703176e38c031f6c83fe217a70b6d104

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
01480185f784f42274f722144dc737fe

SHA1
7df445c6e19e7529d10546cb3e6f27bb18139160

SHA256
5b8ce96439d77f7e8b71632a630aca705ceeb66002c4280b56e5b62b4c313d01

SHA512
1454cdfc970dabb2025cc5173ed4f3a7a39523cb4400bc9b2dd235a5c2d04e88202a9d78d492d67a7f2ada7414a416f8fef762a4250aab1e3412e387196d8d7d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
43d9e565fdbb6982169f7065a0781b13

SHA1
f9b7e7b7c9a61ed6cef89fd8ad6b16e76c4de4ac

SHA256
060b5247434e7c893d75dbedfb0fc77ec1b7f8eab2444c591152160320a08e38

SHA512
6084408a208dbbdb397209cadd47b60c5dd9f8c036f1ea8716ed1893d3650642e22a8caab9aea1e653304ecc90e9a2cf2661e586f00e8515fb034043d49477c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
43d9e565fdbb6982169f7065a0781b13

SHA1
f9b7e7b7c9a61ed6cef89fd8ad6b16e76c4de4ac

SHA256
060b5247434e7c893d75dbedfb0fc77ec1b7f8eab2444c591152160320a08e38

SHA512
6084408a208dbbdb397209cadd47b60c5dd9f8c036f1ea8716ed1893d3650642e22a8caab9aea1e653304ecc90e9a2cf2661e586f00e8515fb034043d49477c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c02870309c7adedb8c45da3035e1cce8

SHA1
1dc1f529d448db402a969085acfd1dd9622661e2

SHA256
677859334a5b9e52fb4e40f3ff40416ae2b7e95a1fe8b73cd64ffdbe797b672a

SHA512
fcd349a56e71efb59ce9bf5b9af34e933f2d0795bf5bbdc4f690b28581cfeaf8cb0eedee664b13ee1f455889895bf40dd94d5f4610e65a97fd39922c6e457cdf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
d7cbd60f8a3c538c3177f025e82a02d4

SHA1
d25c76a6bad5a0b9b8c49a4b319b0e7819503dae

SHA256
eacfcfc2bb6f06a5d3c24c458180afaba0e1f5c1e86cca9d399331cf2fb5202a

SHA512
2c9169d3eefcc26ee1e8f6b025a16945cfb2a1be681d7f47ed774bf88c42104025591120711bcc30588770db8b7451b10e64a945830e0d0666ec00d685309e95

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a9149e3552114b0c5efed6e6edcf2a86

SHA1
a6350738f1041c1718f6cbba875f8262f948013f

SHA256
f96d593b1788e405231b77005eee5d8b99216c3d54c31dd9e54dcf83b45cd95b

SHA512
f0b999c7b1f69815997af668dc92ecde8ff985d42f605b741576d3b3e2adaf7c0d335d688ba2d0787c4691d22a4dbad3b250c3e9a57ad4f811a87327b2027235

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a9149e3552114b0c5efed6e6edcf2a86

SHA1
a6350738f1041c1718f6cbba875f8262f948013f

SHA256
f96d593b1788e405231b77005eee5d8b99216c3d54c31dd9e54dcf83b45cd95b

SHA512
f0b999c7b1f69815997af668dc92ecde8ff985d42f605b741576d3b3e2adaf7c0d335d688ba2d0787c4691d22a4dbad3b250c3e9a57ad4f811a87327b2027235

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a9149e3552114b0c5efed6e6edcf2a86

SHA1
a6350738f1041c1718f6cbba875f8262f948013f

SHA256
f96d593b1788e405231b77005eee5d8b99216c3d54c31dd9e54dcf83b45cd95b

SHA512
f0b999c7b1f69815997af668dc92ecde8ff985d42f605b741576d3b3e2adaf7c0d335d688ba2d0787c4691d22a4dbad3b250c3e9a57ad4f811a87327b2027235

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a9149e3552114b0c5efed6e6edcf2a86

SHA1
a6350738f1041c1718f6cbba875f8262f948013f

SHA256
f96d593b1788e405231b77005eee5d8b99216c3d54c31dd9e54dcf83b45cd95b

SHA512
f0b999c7b1f69815997af668dc92ecde8ff985d42f605b741576d3b3e2adaf7c0d335d688ba2d0787c4691d22a4dbad3b250c3e9a57ad4f811a87327b2027235

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2d9318204b5a75d60c360a142b6b2405

SHA1
adcd1102c0008602a94b45639d5a66f8436002e9

SHA256
32b2623927a02e732d4c65d9681a0ef9e6bc747410534490d92ba2da83d1c9bf

SHA512
cfdd538420d49e366858fb822168dd1ad27722b612aad0851e708c78eaced28781ed59d6a9f49be06f015506be1bcc92fe467ca55ed473fd5cb7ba6f07ffa1de

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2d9318204b5a75d60c360a142b6b2405

SHA1
adcd1102c0008602a94b45639d5a66f8436002e9

SHA256
32b2623927a02e732d4c65d9681a0ef9e6bc747410534490d92ba2da83d1c9bf

SHA512
cfdd538420d49e366858fb822168dd1ad27722b612aad0851e708c78eaced28781ed59d6a9f49be06f015506be1bcc92fe467ca55ed473fd5cb7ba6f07ffa1de

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2cdfdeb52b90b3650ce5fce0fe249f4e

SHA1
132c8821d15851d84d434c2f12f6ed64b28ad5e3

SHA256
49d1001ad2996fe56ae141a6271ae3ab40b33457f83e826c0bf8bed0fdce63aa

SHA512
6a07db4346d00986f2d4c043fff00d696881b514f4d290dd0013f6bbff62262014b4332caa318890de145241e8a931ca00f61fba6960ea0470507d6c3e3d6074

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc96df88a3e214b05cd1ee3eff092f74

SHA1
6f0a74365bc3530da26861b65ca8953ab10b550a

SHA256
28377d2e413438770d443ee90bbb9de04228cf031d385b3d0fb6381b48f32e32

SHA512
b1bde5dbcb85c6d66c13eb0ccab1b85ab6e7426d0f436c8e3d4cfb06f8fe85b39af98a0672101a3043e48350035aaf17c05d5a885db92ba2c57be20dde5a1b6b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2c86100d7d78b4b41250d145e4d89606

SHA1
8ec43f7ad69ba527af7accde1406be1ee1337183

SHA256
87a61f6844feff4b0af070b496d4cad13b7421c249fac5ab8abbf97de9e3e44e

SHA512
3a87560d5587d4a617f7ae113f366dabce3f811d8706568da6d505e8e588836a0f8501c6ccbdbf3065c971fce75abb2f4aecfa69e34ae0116b67c92cb9eb4371

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d8b378a79b674fd5c92a244bef3434b3

SHA1
d96f32db0337d0d09543bc9124087fe5218f9b0e

SHA256
e5cfbebb108968e95bbe73ddcfe702886bb9c97344d48958c490af77d3699022

SHA512
76b69ab638fa97f1cdfb45a2819899f22c331f3a6b12bae93d25b99eecde35b8127308ce680118bdf6ae9af0c02508ed6bd166f74fa44102d2fbd818bd0f1650

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
3165afc571332294f6bec20fd5b85f1d

SHA1
be3c21d26f39313a7596f035b625a9cefc53d57f

SHA256
22aa2507bf1a297c734643cfc9ef6c849a80e3f6297433ef090ea8ad143a4fbe

SHA512
11714c570fec3c330e6c23849adcc6d1508c4355299e257189859a1be8606a636c12fa2e4d9d69ac1006c549a007a0414ace7cac984fd119f9b1e896a1197f64

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
eafffb05b23d28ba88c461e856c84514

SHA1
30a291d363a9c6f1c31e15dea3daed7127510dad

SHA256
45bd7194809f80aa770fe99634d8942fc2bc7231aedac5dd4e16258173c9d801

SHA512
ef6b46f2eee9fac1bfca3a583085d5d1cb1ebc5cf7978675258263b6c1a8b31ae56975839e81749ccaff14cea1b2f3c93e9b05e1fa237ce9ff2170718118b94b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ee2ced01af20b84f6906ae5aac2d5591

SHA1
8c7cf5c092a83f8a3d0abda4f1ce57baa1a93627

SHA256
eecaaec749a4736c8a3450ecf62477b0b43f21ae4f207b7ff5f4227895801030

SHA512
3504a457f87c8650a10e7343c97fa1c02e6695db9678188afe726ec75eb78741272b819f98ad485e2a809aa19a8051ca846d99e68b36ad712adb4eeeea7f1735

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
1634923e5a0c43ba8e3eead1b18db37a

SHA1
10f13e0a734d92eb5ad5f426b3a3a5d92a50089c

SHA256
753805e0cb4776c79d908ac5a7b37e612f01e6ced8ffde1e4ea3bdd6a96da5cb

SHA512
43548060ef8c180448f20fd566b983fceb2ce13c2819c85be2dc3255924316353688492dd13d95719f78181fe8095e52adba219d4bac22a2d1dbc59bdf32346f

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
08a30b0911dfbeb149fd59f5e19bf98a

SHA1
6212c776ac1d74da85372b1cebf87fac201e7ca8

SHA256
01dd59aa0280f455ee8af65159ca68bce3027ef2d3ff38dcf08c36c7fa2a7fde

SHA512
38b09bf130c364005b841e04590a6c0f4b1907b1f9cd1497b08e0885980fb4d19999c227ec416d4db422a248eaf5eaadb4161daa4ac7c5c899bdccb17119b514

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
f4db865fd4e73e8566654de6a742f226

SHA1
d6a322d7f1a5015e2543ea34e7bbea098003fd6b

SHA256
4f7e372c662e0e2f41b66e58d6741cdb4b0c06202d94961e0bd5a7fdf4742e93

SHA512
a66cbe25071603a5f3d5f0b3008f8311718e4f8c415f72f8cd0991f09d232a6935092ed99582feea75c6f695dd6f9d2b02acb42de9265ef93bab28f7861650ed

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
56223acfc512ec06cad2485f50da5110

SHA1
14a899d92cd0b13269be629094338c39b9876e43

SHA256
9ac8d1e44f78bac5625606b30676317c3dc91abbde0c4a0bfbc0a2e46a35c3b9

SHA512
f82991f770e95a2bbea18996652675786ff240bcc2e006e378400cd49ab074a944ce3a9f4e3d2e087038f630b04d560ee98503c92a71b7d72e5062306ff8c4b1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ea819fa7d2ba4c2d9ad0b48cc3032aac

SHA1
16f1ce4ffe17cbfb19a6489b9cfe4b196125ab3e

SHA256
f850819b8eb14f23e426cedbd42d5eb97f2f7ff24160f34fa6e92bb8151c392c

SHA512
1a345ae9d4d1ba7b64a33e0f11ee18edd2297925d0db34ff5bdb67bbc1d19fdb9d2d09963645e943758d9c693bcc0aa17f539da83c850c32dd98e81815f2e60e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
4c5fed60b4a9696580a649af6a8998f5

SHA1
77d05a492eed4b2607f6b2e650a1df52d15ab389

SHA256
b481ed95e87a6e321f020bd962375e02e90a597748f4dd621fe7d07314a3928b

SHA512
e89ad878bd2021630637138176e5fcd5a3f88c990b2a81a8a4fe6f4785d185f78ee114cf7d438c2046dab22d085ab141c4e7cf844c244a5a2d2a109a922ba8a0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
60d752f0a93ce358e65d2549eaf9afc8

SHA1
c48f6c3f1b2889620c26b2878c565124ded20f6a

SHA256
5006e4fafe9517f99ad5d6835acfd9d5acc92d33ab0952333463047402b7df3a

SHA512
e636dcf0f3cd9f70ebff6183e3d55ebbf02f944b4156fb80f4d2762f0e8e58c80737dc0cc484c3010b9e6fa3af3829e4acd9a8229fd4891ac377fa30e48e3366

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b1eca918181430c27788a3af383c0948

SHA1
46ef61b97aa1e3c35d7039d9c75700191ef8aa52

SHA256
2ee10f6594c55f259dab005cd6085cff90d4023921cfe03697b65532b5cd7049

SHA512
d191e4e0d2a1c19f39503c724d45014b3911448873cfd5bd0c048020f618cdbfd1cd9563edf67c68ab3bb20171156c34943a247eeab5bdc946173d818922fd52

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f421ceac3e9bbec240181047627c9209

SHA1
4ff1309cb7e8e644e3fc221c7715c999f04c19f0

SHA256
17e5ea455dc358617a16a83d471b9646ee92f16f56d4f1585e3d2aa3b709da33

SHA512
ae9778f74281b21715d7fb115ac13f91db726237b96c19ff60bf17ae85d5df74ff53cc0b15ee88fe03f0a31e37dcdde0e0fdbd4b2a1b5d0f5ec7ef16ef13a86d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b1f816d01a5439436fb842b1cb2900b6

SHA1
54d30edf8d5a6a4a0f27e0748bfbdfd5767a6b7e

SHA256
d50b66833346959b801005bcb1bac31297db55bc6d251741ebb3ff9bf1365239

SHA512
12e3581e217061369648edebbd15d7c66d74ae2e774d3b8313c3253cd4db7eff415d8c02df85b3898154d657ce84ced2c704cab14aa352b79cfd409abb7b15ec

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
56223acfc512ec06cad2485f50da5110

SHA1
14a899d92cd0b13269be629094338c39b9876e43

SHA256
9ac8d1e44f78bac5625606b30676317c3dc91abbde0c4a0bfbc0a2e46a35c3b9

SHA512
f82991f770e95a2bbea18996652675786ff240bcc2e006e378400cd49ab074a944ce3a9f4e3d2e087038f630b04d560ee98503c92a71b7d72e5062306ff8c4b1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
01480185f784f42274f722144dc737fe

SHA1
7df445c6e19e7529d10546cb3e6f27bb18139160

SHA256
5b8ce96439d77f7e8b71632a630aca705ceeb66002c4280b56e5b62b4c313d01

SHA512
1454cdfc970dabb2025cc5173ed4f3a7a39523cb4400bc9b2dd235a5c2d04e88202a9d78d492d67a7f2ada7414a416f8fef762a4250aab1e3412e387196d8d7d

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
01480185f784f42274f722144dc737fe

SHA1
7df445c6e19e7529d10546cb3e6f27bb18139160

SHA256
5b8ce96439d77f7e8b71632a630aca705ceeb66002c4280b56e5b62b4c313d01

SHA512
1454cdfc970dabb2025cc5173ed4f3a7a39523cb4400bc9b2dd235a5c2d04e88202a9d78d492d67a7f2ada7414a416f8fef762a4250aab1e3412e387196d8d7d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
43d9e565fdbb6982169f7065a0781b13

SHA1
f9b7e7b7c9a61ed6cef89fd8ad6b16e76c4de4ac

SHA256
060b5247434e7c893d75dbedfb0fc77ec1b7f8eab2444c591152160320a08e38

SHA512
6084408a208dbbdb397209cadd47b60c5dd9f8c036f1ea8716ed1893d3650642e22a8caab9aea1e653304ecc90e9a2cf2661e586f00e8515fb034043d49477c1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
d7cbd60f8a3c538c3177f025e82a02d4

SHA1
d25c76a6bad5a0b9b8c49a4b319b0e7819503dae

SHA256
eacfcfc2bb6f06a5d3c24c458180afaba0e1f5c1e86cca9d399331cf2fb5202a

SHA512
2c9169d3eefcc26ee1e8f6b025a16945cfb2a1be681d7f47ed774bf88c42104025591120711bcc30588770db8b7451b10e64a945830e0d0666ec00d685309e95

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d8b378a79b674fd5c92a244bef3434b3

SHA1
d96f32db0337d0d09543bc9124087fe5218f9b0e

SHA256
e5cfbebb108968e95bbe73ddcfe702886bb9c97344d48958c490af77d3699022

SHA512
76b69ab638fa97f1cdfb45a2819899f22c331f3a6b12bae93d25b99eecde35b8127308ce680118bdf6ae9af0c02508ed6bd166f74fa44102d2fbd818bd0f1650

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ee2ced01af20b84f6906ae5aac2d5591

SHA1
8c7cf5c092a83f8a3d0abda4f1ce57baa1a93627

SHA256
eecaaec749a4736c8a3450ecf62477b0b43f21ae4f207b7ff5f4227895801030

SHA512
3504a457f87c8650a10e7343c97fa1c02e6695db9678188afe726ec75eb78741272b819f98ad485e2a809aa19a8051ca846d99e68b36ad712adb4eeeea7f1735

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
1634923e5a0c43ba8e3eead1b18db37a

SHA1
10f13e0a734d92eb5ad5f426b3a3a5d92a50089c

SHA256
753805e0cb4776c79d908ac5a7b37e612f01e6ced8ffde1e4ea3bdd6a96da5cb

SHA512
43548060ef8c180448f20fd566b983fceb2ce13c2819c85be2dc3255924316353688492dd13d95719f78181fe8095e52adba219d4bac22a2d1dbc59bdf32346f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
08a30b0911dfbeb149fd59f5e19bf98a

SHA1
6212c776ac1d74da85372b1cebf87fac201e7ca8

SHA256
01dd59aa0280f455ee8af65159ca68bce3027ef2d3ff38dcf08c36c7fa2a7fde

SHA512
38b09bf130c364005b841e04590a6c0f4b1907b1f9cd1497b08e0885980fb4d19999c227ec416d4db422a248eaf5eaadb4161daa4ac7c5c899bdccb17119b514

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
f4db865fd4e73e8566654de6a742f226

SHA1
d6a322d7f1a5015e2543ea34e7bbea098003fd6b

SHA256
4f7e372c662e0e2f41b66e58d6741cdb4b0c06202d94961e0bd5a7fdf4742e93

SHA512
a66cbe25071603a5f3d5f0b3008f8311718e4f8c415f72f8cd0991f09d232a6935092ed99582feea75c6f695dd6f9d2b02acb42de9265ef93bab28f7861650ed

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
56223acfc512ec06cad2485f50da5110

SHA1
14a899d92cd0b13269be629094338c39b9876e43

SHA256
9ac8d1e44f78bac5625606b30676317c3dc91abbde0c4a0bfbc0a2e46a35c3b9

SHA512
f82991f770e95a2bbea18996652675786ff240bcc2e006e378400cd49ab074a944ce3a9f4e3d2e087038f630b04d560ee98503c92a71b7d72e5062306ff8c4b1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
56223acfc512ec06cad2485f50da5110

SHA1
14a899d92cd0b13269be629094338c39b9876e43

SHA256
9ac8d1e44f78bac5625606b30676317c3dc91abbde0c4a0bfbc0a2e46a35c3b9

SHA512
f82991f770e95a2bbea18996652675786ff240bcc2e006e378400cd49ab074a944ce3a9f4e3d2e087038f630b04d560ee98503c92a71b7d72e5062306ff8c4b1

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ea819fa7d2ba4c2d9ad0b48cc3032aac

SHA1
16f1ce4ffe17cbfb19a6489b9cfe4b196125ab3e

SHA256
f850819b8eb14f23e426cedbd42d5eb97f2f7ff24160f34fa6e92bb8151c392c

SHA512
1a345ae9d4d1ba7b64a33e0f11ee18edd2297925d0db34ff5bdb67bbc1d19fdb9d2d09963645e943758d9c693bcc0aa17f539da83c850c32dd98e81815f2e60e

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
4c5fed60b4a9696580a649af6a8998f5

SHA1
77d05a492eed4b2607f6b2e650a1df52d15ab389

SHA256
b481ed95e87a6e321f020bd962375e02e90a597748f4dd621fe7d07314a3928b

SHA512
e89ad878bd2021630637138176e5fcd5a3f88c990b2a81a8a4fe6f4785d185f78ee114cf7d438c2046dab22d085ab141c4e7cf844c244a5a2d2a109a922ba8a0

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
60d752f0a93ce358e65d2549eaf9afc8

SHA1
c48f6c3f1b2889620c26b2878c565124ded20f6a

SHA256
5006e4fafe9517f99ad5d6835acfd9d5acc92d33ab0952333463047402b7df3a

SHA512
e636dcf0f3cd9f70ebff6183e3d55ebbf02f944b4156fb80f4d2762f0e8e58c80737dc0cc484c3010b9e6fa3af3829e4acd9a8229fd4891ac377fa30e48e3366

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b1eca918181430c27788a3af383c0948

SHA1
46ef61b97aa1e3c35d7039d9c75700191ef8aa52

SHA256
2ee10f6594c55f259dab005cd6085cff90d4023921cfe03697b65532b5cd7049

SHA512
d191e4e0d2a1c19f39503c724d45014b3911448873cfd5bd0c048020f618cdbfd1cd9563edf67c68ab3bb20171156c34943a247eeab5bdc946173d818922fd52

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f421ceac3e9bbec240181047627c9209

SHA1
4ff1309cb7e8e644e3fc221c7715c999f04c19f0

SHA256
17e5ea455dc358617a16a83d471b9646ee92f16f56d4f1585e3d2aa3b709da33

SHA512
ae9778f74281b21715d7fb115ac13f91db726237b96c19ff60bf17ae85d5df74ff53cc0b15ee88fe03f0a31e37dcdde0e0fdbd4b2a1b5d0f5ec7ef16ef13a86d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b1f816d01a5439436fb842b1cb2900b6

SHA1
54d30edf8d5a6a4a0f27e0748bfbdfd5767a6b7e

SHA256
d50b66833346959b801005bcb1bac31297db55bc6d251741ebb3ff9bf1365239

SHA512
12e3581e217061369648edebbd15d7c66d74ae2e774d3b8313c3253cd4db7eff415d8c02df85b3898154d657ce84ced2c704cab14aa352b79cfd409abb7b15ec

Download Submit
memory/280-108-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/280-116-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/280-111-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/280-118-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/280-130-0x0000000000A50000-0x0000000000B0C000-memory.dmp

Filesize
752KB

Download
memory/280-107-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/520-179-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/520-204-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/520-188-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/692-164-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/692-431-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/692-175-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/692-169-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/692-372-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/892-97-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/892-283-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/956-125-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1108-152-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1108-201-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1108-167-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1108-371-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1108-158-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1108-166-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1108-163-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1184-146-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1260-281-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1260-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1260-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1260-74-0x00000000007B0000-0x0000000000816000-memory.dmp

Filesize
408KB

Download
memory/1260-69-0x00000000007B0000-0x0000000000816000-memory.dmp

Filesize
408KB

Download
memory/1260-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1260-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1260-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1260-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1260-94-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1460-82-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1460-88-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1460-96-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1484-147-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1756-59-0x0000000006040000-0x0000000006178000-memory.dmp

Filesize
1.2MB

Download
memory/1756-205-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1756-58-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/1756-57-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/1756-376-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1756-187-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1756-60-0x0000000007F90000-0x0000000008140000-memory.dmp

Filesize
1.7MB

Download
memory/1756-54-0x0000000000F40000-0x00000000010E0000-memory.dmp

Filesize
1.6MB

Download
memory/1756-56-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1756-55-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/1828-128-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1828-120-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1828-306-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1828-127-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1832-212-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1832-343-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1832-468-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1832-227-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1836-225-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1912-123-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2004-302-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2004-215-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2116-493-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2116-246-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2216-248-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2216-266-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2304-262-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2360-374-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2432-571-0x00000000005A0000-0x00000000007A9000-memory.dmp

Filesize
2.0MB

Download
memory/2432-284-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2432-549-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2432-287-0x00000000005A0000-0x00000000007A9000-memory.dmp

Filesize
2.0MB

Download
memory/2484-427-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2484-404-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2536-572-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2536-290-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2588-308-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2596-405-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2732-307-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2732-573-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2780-440-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2784-340-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2808-366-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2808-341-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2888-478-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2888-442-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2928-342-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/3032-436-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3040-380-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/3052-395-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3052-378-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download