blustealer | 52d4c9785ef46a412ea225c41757168d828d77058976963a9232ffa6bf0d9425

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Size

1.6MB
MD5

170860057f4aad06ddbeea0ca2b3f1b6
SHA1

db04c735b769df458518f959ae7eca39cfa06213
SHA256

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
SHA512

f8bf57126bad026be2414121c798d5688119f06312404c35dea3f457deb717f6422291f5401178586fd23055577f893b4e6236e413c909e3b526c45d3b957766
SSDEEP

24576:uU7taDBzgNEfeEvFTMxdzYPh1ogay/zj1weNgcHFx5MpfTjU/c7jNXPohE:uU7PNBmMxdEvogdzxzHFx+pfTgE7VPI

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 34 IoCs

pid	Process
460	Process not Found
1608	alg.exe
1292	aspnet_state.exe
1948	mscorsvw.exe
1936	mscorsvw.exe
1668	mscorsvw.exe
480	mscorsvw.exe
672	dllhost.exe
296	ehRecvr.exe
1072	ehsched.exe
1956	mscorsvw.exe
440	elevation_service.exe
1304	mscorsvw.exe
2084	IEEtwCollector.exe
2244	GROOVE.EXE
2356	maintenanceservice.exe
2508	msdtc.exe
2584	mscorsvw.exe
2596	msiexec.exe
2840	OSE.EXE
2896	mscorsvw.exe
2908	OSPPSVC.EXE
2056	perfhost.exe
2076	locator.exe
2168	mscorsvw.exe
2300	snmptrap.exe
2216	vds.exe
2380	vssvc.exe
2852	wbengine.exe
2980	mscorsvw.exe
892	WmiApSrv.exe
2416	wmpnetwk.exe
336	SearchIndexer.exe
2064	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2596	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\vds.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2af38fa6328eb3a2.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\alg.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 680 set thread context of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\MoveTrace.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7DA7F3B0-4DFE-410A-A974-F64DD5F4BB1F}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7DA7F3B0-4DFE-410A-A974-F64DD5F4BB1F}.crmlog	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{DF40964A-9925-469E-9D78-B2A49203E007}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{DF40964A-9925-469E-9D78-B2A49203E007}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
1964	ehRec.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeTakeOwnershipPrivilege	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	480	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	480	mscorsvw.exe
Token: SeShutdownPrivilege	480	mscorsvw.exe
Token: SeShutdownPrivilege	480	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: 33	292	EhTray.exe
Token: SeIncBasePriorityPrivilege	292	EhTray.exe
Token: SeDebugPrivilege	1964	ehRec.exe
Token: 33	292	EhTray.exe
Token: SeIncBasePriorityPrivilege	292	EhTray.exe
Token: SeShutdownPrivilege	480	mscorsvw.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeSecurityPrivilege	2596	msiexec.exe
Token: SeBackupPrivilege	2380	vssvc.exe
Token: SeRestorePrivilege	2380	vssvc.exe
Token: SeAuditPrivilege	2380	vssvc.exe
Token: SeBackupPrivilege	2852	wbengine.exe
Token: SeRestorePrivilege	2852	wbengine.exe
Token: SeSecurityPrivilege	2852	wbengine.exe
Token: SeManageVolumePrivilege	336	SearchIndexer.exe
Token: 33	336	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	336	SearchIndexer.exe
Token: 33	2416	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2416	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
292	EhTray.exe
292	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
292	EhTray.exe
292	EhTray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1100	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	28
PID 2004 wrote to memory of 1100	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	28
PID 2004 wrote to memory of 1100	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	28
PID 2004 wrote to memory of 1100	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	28
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 2004 wrote to memory of 680	2004	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	29
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 680 wrote to memory of 1540	680	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	34
PID 480 wrote to memory of 1956	480	mscorsvw.exe	41
PID 480 wrote to memory of 1956	480	mscorsvw.exe	41
PID 480 wrote to memory of 1956	480	mscorsvw.exe	41
PID 480 wrote to memory of 1304	480	mscorsvw.exe	44
PID 480 wrote to memory of 1304	480	mscorsvw.exe	44
PID 480 wrote to memory of 1304	480	mscorsvw.exe	44
PID 1668 wrote to memory of 2584	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2584	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2584	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2584	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2896	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 2896	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 2896	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 2896	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 2168	1668	mscorsvw.exe	56
PID 1668 wrote to memory of 2168	1668	mscorsvw.exe	56
PID 1668 wrote to memory of 2168	1668	mscorsvw.exe	56
PID 1668 wrote to memory of 2168	1668	mscorsvw.exe	56
PID 1668 wrote to memory of 2980	1668	mscorsvw.exe	61
PID 1668 wrote to memory of 2980	1668	mscorsvw.exe	61
PID 1668 wrote to memory of 2980	1668	mscorsvw.exe	61
PID 1668 wrote to memory of 2980	1668	mscorsvw.exe	61
PID 1668 wrote to memory of 2064	1668	mscorsvw.exe	65
PID 1668 wrote to memory of 2064	1668	mscorsvw.exe	65
PID 1668 wrote to memory of 2064	1668	mscorsvw.exe	65
PID 1668 wrote to memory of 2064	1668	mscorsvw.exe	65
PID 336 wrote to memory of 3048	336	SearchIndexer.exe	66
PID 336 wrote to memory of 3048	336	SearchIndexer.exe	66
PID 336 wrote to memory of 3048	336	SearchIndexer.exe	66
PID 336 wrote to memory of 1740	336	SearchIndexer.exe	67
PID 336 wrote to memory of 1740	336	SearchIndexer.exe	67
PID 336 wrote to memory of 1740	336	SearchIndexer.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
"C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
  "C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
  2⤵
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
  "C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 264 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 260 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1e0 -NGENProcess 1e8 -Pipe 164 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:672

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:296

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:292

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2084

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2840

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:892

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3948302646-268491222-1934009652-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3948302646-268491222-1934009652-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4607f53a34c80d66b026836b25750b17

SHA1
4390340dd0d7ab5c96b158f8f792d159660d2cd4

SHA256
8af38b1f070fe1514f78baf37ee31b4f3f2ba7ab604db28473b7f76673c2378e

SHA512
0daaa72d996c6eb6b8bb36ce1578574059ec5ea0f3fb09b241af63f385b8fbc2c2e69d9032b916157925a6b81666f8a4f94302c1d4c34b9405eea7fbcad2bece

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
3f50afed12c37626b163e7df5c6da350

SHA1
638ac03d54a366c52c820d739e06dd36ce33c80a

SHA256
38aca39897d931ac55cbd700b54724859c6aeeea3ec7684b1d9d94ac4ad75ac7

SHA512
0f0c256ae7dfba558fd839d9a489fcd719f9f58997c29f52ad92b1d00f5a15eaffc4b71cea889ede86fb85c797b635365589c133e3e2bdbd3b8255325365b0ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
54f140362c238defa3d6840d5ed967f3

SHA1
b377dfd72a21b541e275c87b5deffe46aa7426fa

SHA256
17e9d04cb4666908bb8708456c39bd6a94782dcc5a6a569652b86e538315656e

SHA512
e1cce37c086f7de5c2ea70842e0a1e8b3fe2b7cf2af2cfc495e302f105b0e8e989cd919e75d5ac44ae05dd8833f6cfce84a5ab9df0f52b4a2a2a5e3a06d76c32

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
15fee057b2ca2a8adcf5270d1156bd64

SHA1
352f5e8d389ba80b2ca79689e9ce3c6d9c54a989

SHA256
7fc4010a0f5ce002cb47f3812c0afeefbdfa0a1ec6a172228dffe2c00107cfbc

SHA512
6d9952d8dff8394a909172a94bcf24daa5175ebad88ab4e02366f02c7cb4a477265cd74d51827e2da15ec6385f11d6bed41b852316c969c32074f56fe5746e3b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7586bb9d8070484a82ccffcfe6d43424

SHA1
c9f35fafb15be60bafe9327d23617656ca9e8637

SHA256
7c219769a69ecc8d6856eb39aa5a92bf85a380062a77a53a21070a5860c4076c

SHA512
665d7964977421ad37316eb110a05f56d29266a23a4e31c82b3c4309de017d08db2355b0a9de90f95c2012dd0742f4dbb927346f58e9c8a0f13b722b69f3ef28

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
fdc8678f66cc6cf5d4330d9b1039b420

SHA1
62c11d2029bbfa3e6656cb867725246b97dbad54

SHA256
4fe1a6a519f0b39df60f5e9ee92fed732606cde06a85043ce46653bd1a8a19c6

SHA512
d63b7098514c5e48f7f8236f13804369f1e55a1cfa8d3d870e05678421efdc670cd103e8b38ae7eb152e8711336cc47351f91425f3f1f71f0d636ebf330e690a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
603b03cd3fb07d905d5bd2baf23e77c6

SHA1
1dfd2c27609d2a35612a38632b2cdb8d9659d40a

SHA256
8b6f97b1a606204d4b4ed9f377d34afbfd67c6fdf2fa09bdf806668c763b8782

SHA512
4e70e5bf808bb642b039711cf31c8843e481cb861fd27872ac489a1fe8b49d991cd2b101052225c168359a631934338d6e1fb579b560e1f3313129fcd070d19d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b82ec61befce08fe0ad5ecd456bc9dbc

SHA1
7aa29e46f5284d52add027a8814427177f65ff4a

SHA256
4fad5c88ef273e8c55ca8d681aa0d9ace31be700c31f0df8b78b86d9efbd22dd

SHA512
069fdfd1d02478ff8036793d45a7c9fbe8e1f2e728219b93a1afd6e538db05d2a6ce02ed72d160f653c907cdcc3eb4f621a78d89b91a752bf7e3b3bca2d4f4bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b82ec61befce08fe0ad5ecd456bc9dbc

SHA1
7aa29e46f5284d52add027a8814427177f65ff4a

SHA256
4fad5c88ef273e8c55ca8d681aa0d9ace31be700c31f0df8b78b86d9efbd22dd

SHA512
069fdfd1d02478ff8036793d45a7c9fbe8e1f2e728219b93a1afd6e538db05d2a6ce02ed72d160f653c907cdcc3eb4f621a78d89b91a752bf7e3b3bca2d4f4bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
7632834176110c87b7f4829041dfd623

SHA1
1b807fdc8853330f5cf2c20c1cc9a93f488dcc6b

SHA256
5dc42492827e8aa2bd040cf601f248c16f1d68a887d00b041fe159ebdcd60642

SHA512
ad92d1a272acf215245591c6ea008ae483fe5b8a2688c9f3035c11602d46b3a1793d431217e8942bb711f58390470c89009c0eb7cd6975e53dda4eccfc221f23

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
847c0b3811c1b1ab87a183fb5c25f3ab

SHA1
d8e642cf0bf9c6eb8a30e0c0cb04f856c9ee73e4

SHA256
671174fcf36ec6eac7e154b78807fd86ad9a34336afb3670266eac9e94ddd4a4

SHA512
11b10a867cf8381bfeee59c00bae215b5c1ba7146326b5dec4c8bfdf9bf85605d3593775f29cfbdba4575da3d63b7e01004aef2618ea0919222f8e62b422584a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc4e27a50cab9bebe629d8c610a31319

SHA1
27dff4734db170a00beb800c5be0ae63d0c1c0d5

SHA256
8b84a202afa6518a3e413343ba10c332f1e3b482b875a6fb4bd1636740ccbe36

SHA512
2e9fe07531cc4862b17134f656e0cd6e058d38ac3fb0ba1aabb491e22f6edd9d22a6d502d4a08091d12baf0bed7c3fcd471946ac280de5dc5ecca2e37b008e9b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc4e27a50cab9bebe629d8c610a31319

SHA1
27dff4734db170a00beb800c5be0ae63d0c1c0d5

SHA256
8b84a202afa6518a3e413343ba10c332f1e3b482b875a6fb4bd1636740ccbe36

SHA512
2e9fe07531cc4862b17134f656e0cd6e058d38ac3fb0ba1aabb491e22f6edd9d22a6d502d4a08091d12baf0bed7c3fcd471946ac280de5dc5ecca2e37b008e9b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc4e27a50cab9bebe629d8c610a31319

SHA1
27dff4734db170a00beb800c5be0ae63d0c1c0d5

SHA256
8b84a202afa6518a3e413343ba10c332f1e3b482b875a6fb4bd1636740ccbe36

SHA512
2e9fe07531cc4862b17134f656e0cd6e058d38ac3fb0ba1aabb491e22f6edd9d22a6d502d4a08091d12baf0bed7c3fcd471946ac280de5dc5ecca2e37b008e9b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dc4e27a50cab9bebe629d8c610a31319

SHA1
27dff4734db170a00beb800c5be0ae63d0c1c0d5

SHA256
8b84a202afa6518a3e413343ba10c332f1e3b482b875a6fb4bd1636740ccbe36

SHA512
2e9fe07531cc4862b17134f656e0cd6e058d38ac3fb0ba1aabb491e22f6edd9d22a6d502d4a08091d12baf0bed7c3fcd471946ac280de5dc5ecca2e37b008e9b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
962517eb799cafb0fff49290eb55f927

SHA1
4996f00b9720fe32c9842a71583a26f724a675e1

SHA256
1655e7d4c830eeb1224211527d2c4de67f753031e5d2d549f880d4120359e4d5

SHA512
767a19fb03a48dfcef94b198a07065c46cd3cab5a03e88d9594fbcd77c5965da4eb561b2ee0f01323da7838eabab9eb55f00e47ad9dddf45c5f57f851c771f8e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
962517eb799cafb0fff49290eb55f927

SHA1
4996f00b9720fe32c9842a71583a26f724a675e1

SHA256
1655e7d4c830eeb1224211527d2c4de67f753031e5d2d549f880d4120359e4d5

SHA512
767a19fb03a48dfcef94b198a07065c46cd3cab5a03e88d9594fbcd77c5965da4eb561b2ee0f01323da7838eabab9eb55f00e47ad9dddf45c5f57f851c771f8e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
94c75723d4d6010b9842249cad984934

SHA1
040ec38433ac5909e96dd2e2ec4fd8bed2d09a56

SHA256
a597b982ef92526e5aa3c09e3dca9069e2a67e9ad2eb1b98c3815ae20ad7c037

SHA512
e65bdd7f32476bfe240d439cfb498c3d83ae84f63efc93d8463ffe8bd1162894092d5951a45a130e92b70abd05638ecbd2dabe213ab96d59e42cebc0ea2cc3e1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a25f17f1141303c7f259a45da5ebef94

SHA1
7b541bfb55886719ce77bca2986cc6ddd5a4d399

SHA256
0e456fce35856dae5c9b249cd682e50a621ba1ece378d7450263a8517e2e165b

SHA512
7016aed6ccfa3a904ab2977589e3296d46e076b128fac0588b1995a86e7509763051728a9cc4cd6f79b564b11dd0569825da96e0c082dcd146cbbcb62d617c15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a25f17f1141303c7f259a45da5ebef94

SHA1
7b541bfb55886719ce77bca2986cc6ddd5a4d399

SHA256
0e456fce35856dae5c9b249cd682e50a621ba1ece378d7450263a8517e2e165b

SHA512
7016aed6ccfa3a904ab2977589e3296d46e076b128fac0588b1995a86e7509763051728a9cc4cd6f79b564b11dd0569825da96e0c082dcd146cbbcb62d617c15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a25f17f1141303c7f259a45da5ebef94

SHA1
7b541bfb55886719ce77bca2986cc6ddd5a4d399

SHA256
0e456fce35856dae5c9b249cd682e50a621ba1ece378d7450263a8517e2e165b

SHA512
7016aed6ccfa3a904ab2977589e3296d46e076b128fac0588b1995a86e7509763051728a9cc4cd6f79b564b11dd0569825da96e0c082dcd146cbbcb62d617c15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a25f17f1141303c7f259a45da5ebef94

SHA1
7b541bfb55886719ce77bca2986cc6ddd5a4d399

SHA256
0e456fce35856dae5c9b249cd682e50a621ba1ece378d7450263a8517e2e165b

SHA512
7016aed6ccfa3a904ab2977589e3296d46e076b128fac0588b1995a86e7509763051728a9cc4cd6f79b564b11dd0569825da96e0c082dcd146cbbcb62d617c15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a25f17f1141303c7f259a45da5ebef94

SHA1
7b541bfb55886719ce77bca2986cc6ddd5a4d399

SHA256
0e456fce35856dae5c9b249cd682e50a621ba1ece378d7450263a8517e2e165b

SHA512
7016aed6ccfa3a904ab2977589e3296d46e076b128fac0588b1995a86e7509763051728a9cc4cd6f79b564b11dd0569825da96e0c082dcd146cbbcb62d617c15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a25f17f1141303c7f259a45da5ebef94

SHA1
7b541bfb55886719ce77bca2986cc6ddd5a4d399

SHA256
0e456fce35856dae5c9b249cd682e50a621ba1ece378d7450263a8517e2e165b

SHA512
7016aed6ccfa3a904ab2977589e3296d46e076b128fac0588b1995a86e7509763051728a9cc4cd6f79b564b11dd0569825da96e0c082dcd146cbbcb62d617c15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a25f17f1141303c7f259a45da5ebef94

SHA1
7b541bfb55886719ce77bca2986cc6ddd5a4d399

SHA256
0e456fce35856dae5c9b249cd682e50a621ba1ece378d7450263a8517e2e165b

SHA512
7016aed6ccfa3a904ab2977589e3296d46e076b128fac0588b1995a86e7509763051728a9cc4cd6f79b564b11dd0569825da96e0c082dcd146cbbcb62d617c15

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
97998c703828fbbed44631ba14a418ed

SHA1
0e2b0fd6d6fec8e89c296ce7f0ec69b8899ace50

SHA256
12f524270877dfed42805ac2942f9a2bcf51c00f6139ce27fbd77a395c41f425

SHA512
7ad1656f683fad0d446901499f2b7b3906a25ed2e9477f3350988d83ee61719b65466987a6e39986a043fac8a2aff4c02bf66d3e5d5a19f2ccd038754abb7805

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
625c01f6ff9371032a78ac4ef15ce695

SHA1
38460217891be840a1f01d4f751679f5df7b05bf

SHA256
3edcbcb3a6b588e5286534220f98f19923b821aa045a75696c42997a5aea15e0

SHA512
c6d2ddd8415a8d0143651b3438138fc51be41ebadf7ede557d172e723c87f9900ea7ae8f700a40824f9d5e44401f53ea318848caaeec07ee726b1238837cb0cf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
98997ff66a3d4daf0b3ed0c681b08f00

SHA1
c283878518cf6972e22714e2fe5028eb734e8670

SHA256
65e5a9e5c73d5aee8ebfa22464e56262d91e00d3582753d2e95f211278919bb9

SHA512
f514c13118c565b336089669f5613e8dba9d8aba5278d07364ed26d58c0190c2ef7f8fbb37c522ed84e272939a4d7a76c86780823993df8d9c0e13a7d954996b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
1c0e618ac7ec80e59b34162650b9779e

SHA1
f34747292db340dfb201511ee38ce926badb6999

SHA256
8e694abad75c5f41217c10a7a54232793da9c65aff94b1bc4ebb3eee6c11ecdd

SHA512
ead7d49f910dc33a57b1428440f525a1343bf78e1a0797969881cb3118201529eba2b600b2a036a654cc1b91b68e18bf6480cfa7011b2ac8daa4cf0d957c9b40

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
39bf308cfa24d05872f95c0041e8928f

SHA1
ac7355641498913531b212ae83bdbdea350bfd5e

SHA256
4dfffa03b8114d542d4f5486ed110ad833e723c101ebcc0e894c72790a33fa8d

SHA512
d064cafc0b4f29e0be1b94dc2660ec25f4499c76eb058697ba79174aca78d0b68805d9b21cb3540b3b478c092808a55328b45f7c908bd09b714d9f49b8e3d1cc

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
180b0b45aceee8266c7c3da0fcd8673a

SHA1
9722ee1187336ad2b63c34d3467982b4bd9ce139

SHA256
06760fc8503b97723bab625f7fa052866512bd9ae34e2394fa115d6290abcee4

SHA512
b7e4831dd783400151f78f59eb6a1f2724755400ffc2d6ba5dedecb89fa16bb33ab35029b7c0f3c2971e82cabc3dcb1c0ba73ce95af0ce3cd2240469ac317b56

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
31556efdde6ca8ada4c28c7d5aa825d2

SHA1
460423ed9481b555d1189c612d97ab74019268b7

SHA256
5f48b19cedc6c4b0546054edb986fcc2483d39e6d2d219acd94d7911d0155a17

SHA512
87183fe0fd3310bcc0e4fb245faafe2d0518314c2685aecc4093c56b081f17c65b03090e5193700557fc07846e104bb16a5ae50388f4c436a616adfd60d2e652

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
951f1d565aa583e379f8addf343551f8

SHA1
9a3837c06f1a8f73b8f123455accfd12854ca2f4

SHA256
d352f257655dcb599b10f031a9da872e365076bc7e52bd7468e800fbe20ef4f9

SHA512
317d3e92dd46891202710b54fd003b3c50d8966a63f2b84685999316c0f83dd04ffa4212fb3d413c9166187dd3dfe26448f8ca4e8eeb9c1093e507ee24726141

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7f44b887ec0d2a1e0c16296c5455ba6d

SHA1
b96356bfcbe7f4d808a6c6d59aaed9690273036a

SHA256
d958007b4bcff662eb3ccb7c861f5b226b5e7d5cacc0f77b4faf89f500c74e04

SHA512
6c393100bced9848db94725cbcfc18a14c71cc583459c554e5d0e96fdb164c9a30694c7a3301ad3a9d58a4db08ce6473ef9f7896d54d560fafe2f5401fec1c13

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
628933c988620d3c495894b10ecbbad4

SHA1
4a7c27245ac0378106d1f533c848c022ca9c383a

SHA256
5771dffc65d4c1f8a7783d80fd09896f35647a7d62cb91b70da65be28fef7537

SHA512
1c723b43043d78e3311f951047dfccc4219c42c6b4288c6750e98365022c249534abff5d02c1261fd0a2d3ebdc9592e82f2fd06e99375a602354f0b7e5c18604

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
c24babc39b7d6bc6ec77e74ab2c39d9c

SHA1
3a799b3a8fc00dc3d966ac7a5fdc4043749162a6

SHA256
70d5fe55253423b86bf9667e9670cedabc38d66df0edbe57c9a3cb5a92cbd6bb

SHA512
c24c29d48abe8e1bb2448975ae14c78f17bb6225f06738d510985ce660be89715babfc23262cff4257e90e705b958c47c831bee2d4a56d9b7e9aaded911945a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ec67e860a9b0d88b819953be5934fe53

SHA1
faee1ce9597147f4677dc0b5dc4770a31c76666b

SHA256
e9b8e8fee9d70d2bf08d5e3f873d2a8230c94ef89f26ad1a76e9f52aaa9342ab

SHA512
1cc1af8914857d1fa58c5736d767b4e9944f9d22edd060a38d605c3b559727582f94c1a392f9a9f1a44d6898cb4c9b911d8a4fbca5f808db4923948c2cf31ab1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5e9e8d290d7e3ded0a171a5c7aeceb36

SHA1
004c236e808a557271e0eb06ea4d4288417c9546

SHA256
58354d7fe6d0692bd58bd8b681b962ca1179b0f2b2d0834aae75ea5a2cdf680c

SHA512
32f1b7ad988f9708b013b0d20679866439099a561a0b6b271313de366e435902aa8d1f69a8960dca42d23d052d321f3820bdcfae44b97499233a8268442c1b4d

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
221f9887138106a2283823a854adcc2a

SHA1
8dee140a867d937249c9dc3e627419b73531a8b2

SHA256
af9fe3b117a34c474b77340672dc5cf29e3b89db9e68f0b5e21990590c6b11ae

SHA512
df1146d7577f53805d5315ea0224f15ae52ea686eb61da8fc970b1842023ef7bf1fd53684d2b937f8168b0443ff6c9565c84042d9408e9f48b51ff8126ed0950

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
10fbd714fe55fbb3563dac602f300e6e

SHA1
89049b4c85939478eb0caa08134c382dc7ed3941

SHA256
2391e7c0e088274d0faf38ff7e52d5d91494ebfa833a55a8c8262d6d69f81e20

SHA512
d969ccab99d1b6ac05f3337c516e0c63a7c3047900f951aaadc835f038123fe5113fe9e6238cb5eadef06bf4548d813a06913e9f225b202e2d09fef6cb155699

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
7f44b887ec0d2a1e0c16296c5455ba6d

SHA1
b96356bfcbe7f4d808a6c6d59aaed9690273036a

SHA256
d958007b4bcff662eb3ccb7c861f5b226b5e7d5cacc0f77b4faf89f500c74e04

SHA512
6c393100bced9848db94725cbcfc18a14c71cc583459c554e5d0e96fdb164c9a30694c7a3301ad3a9d58a4db08ce6473ef9f7896d54d560fafe2f5401fec1c13

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
fdc8678f66cc6cf5d4330d9b1039b420

SHA1
62c11d2029bbfa3e6656cb867725246b97dbad54

SHA256
4fe1a6a519f0b39df60f5e9ee92fed732606cde06a85043ce46653bd1a8a19c6

SHA512
d63b7098514c5e48f7f8236f13804369f1e55a1cfa8d3d870e05678421efdc670cd103e8b38ae7eb152e8711336cc47351f91425f3f1f71f0d636ebf330e690a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
fdc8678f66cc6cf5d4330d9b1039b420

SHA1
62c11d2029bbfa3e6656cb867725246b97dbad54

SHA256
4fe1a6a519f0b39df60f5e9ee92fed732606cde06a85043ce46653bd1a8a19c6

SHA512
d63b7098514c5e48f7f8236f13804369f1e55a1cfa8d3d870e05678421efdc670cd103e8b38ae7eb152e8711336cc47351f91425f3f1f71f0d636ebf330e690a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b82ec61befce08fe0ad5ecd456bc9dbc

SHA1
7aa29e46f5284d52add027a8814427177f65ff4a

SHA256
4fad5c88ef273e8c55ca8d681aa0d9ace31be700c31f0df8b78b86d9efbd22dd

SHA512
069fdfd1d02478ff8036793d45a7c9fbe8e1f2e728219b93a1afd6e538db05d2a6ce02ed72d160f653c907cdcc3eb4f621a78d89b91a752bf7e3b3bca2d4f4bb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
847c0b3811c1b1ab87a183fb5c25f3ab

SHA1
d8e642cf0bf9c6eb8a30e0c0cb04f856c9ee73e4

SHA256
671174fcf36ec6eac7e154b78807fd86ad9a34336afb3670266eac9e94ddd4a4

SHA512
11b10a867cf8381bfeee59c00bae215b5c1ba7146326b5dec4c8bfdf9bf85605d3593775f29cfbdba4575da3d63b7e01004aef2618ea0919222f8e62b422584a

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
625c01f6ff9371032a78ac4ef15ce695

SHA1
38460217891be840a1f01d4f751679f5df7b05bf

SHA256
3edcbcb3a6b588e5286534220f98f19923b821aa045a75696c42997a5aea15e0

SHA512
c6d2ddd8415a8d0143651b3438138fc51be41ebadf7ede557d172e723c87f9900ea7ae8f700a40824f9d5e44401f53ea318848caaeec07ee726b1238837cb0cf

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
39bf308cfa24d05872f95c0041e8928f

SHA1
ac7355641498913531b212ae83bdbdea350bfd5e

SHA256
4dfffa03b8114d542d4f5486ed110ad833e723c101ebcc0e894c72790a33fa8d

SHA512
d064cafc0b4f29e0be1b94dc2660ec25f4499c76eb058697ba79174aca78d0b68805d9b21cb3540b3b478c092808a55328b45f7c908bd09b714d9f49b8e3d1cc

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
180b0b45aceee8266c7c3da0fcd8673a

SHA1
9722ee1187336ad2b63c34d3467982b4bd9ce139

SHA256
06760fc8503b97723bab625f7fa052866512bd9ae34e2394fa115d6290abcee4

SHA512
b7e4831dd783400151f78f59eb6a1f2724755400ffc2d6ba5dedecb89fa16bb33ab35029b7c0f3c2971e82cabc3dcb1c0ba73ce95af0ce3cd2240469ac317b56

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
31556efdde6ca8ada4c28c7d5aa825d2

SHA1
460423ed9481b555d1189c612d97ab74019268b7

SHA256
5f48b19cedc6c4b0546054edb986fcc2483d39e6d2d219acd94d7911d0155a17

SHA512
87183fe0fd3310bcc0e4fb245faafe2d0518314c2685aecc4093c56b081f17c65b03090e5193700557fc07846e104bb16a5ae50388f4c436a616adfd60d2e652

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
951f1d565aa583e379f8addf343551f8

SHA1
9a3837c06f1a8f73b8f123455accfd12854ca2f4

SHA256
d352f257655dcb599b10f031a9da872e365076bc7e52bd7468e800fbe20ef4f9

SHA512
317d3e92dd46891202710b54fd003b3c50d8966a63f2b84685999316c0f83dd04ffa4212fb3d413c9166187dd3dfe26448f8ca4e8eeb9c1093e507ee24726141

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7f44b887ec0d2a1e0c16296c5455ba6d

SHA1
b96356bfcbe7f4d808a6c6d59aaed9690273036a

SHA256
d958007b4bcff662eb3ccb7c861f5b226b5e7d5cacc0f77b4faf89f500c74e04

SHA512
6c393100bced9848db94725cbcfc18a14c71cc583459c554e5d0e96fdb164c9a30694c7a3301ad3a9d58a4db08ce6473ef9f7896d54d560fafe2f5401fec1c13

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7f44b887ec0d2a1e0c16296c5455ba6d

SHA1
b96356bfcbe7f4d808a6c6d59aaed9690273036a

SHA256
d958007b4bcff662eb3ccb7c861f5b226b5e7d5cacc0f77b4faf89f500c74e04

SHA512
6c393100bced9848db94725cbcfc18a14c71cc583459c554e5d0e96fdb164c9a30694c7a3301ad3a9d58a4db08ce6473ef9f7896d54d560fafe2f5401fec1c13

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
628933c988620d3c495894b10ecbbad4

SHA1
4a7c27245ac0378106d1f533c848c022ca9c383a

SHA256
5771dffc65d4c1f8a7783d80fd09896f35647a7d62cb91b70da65be28fef7537

SHA512
1c723b43043d78e3311f951047dfccc4219c42c6b4288c6750e98365022c249534abff5d02c1261fd0a2d3ebdc9592e82f2fd06e99375a602354f0b7e5c18604

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
c24babc39b7d6bc6ec77e74ab2c39d9c

SHA1
3a799b3a8fc00dc3d966ac7a5fdc4043749162a6

SHA256
70d5fe55253423b86bf9667e9670cedabc38d66df0edbe57c9a3cb5a92cbd6bb

SHA512
c24c29d48abe8e1bb2448975ae14c78f17bb6225f06738d510985ce660be89715babfc23262cff4257e90e705b958c47c831bee2d4a56d9b7e9aaded911945a8

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ec67e860a9b0d88b819953be5934fe53

SHA1
faee1ce9597147f4677dc0b5dc4770a31c76666b

SHA256
e9b8e8fee9d70d2bf08d5e3f873d2a8230c94ef89f26ad1a76e9f52aaa9342ab

SHA512
1cc1af8914857d1fa58c5736d767b4e9944f9d22edd060a38d605c3b559727582f94c1a392f9a9f1a44d6898cb4c9b911d8a4fbca5f808db4923948c2cf31ab1

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5e9e8d290d7e3ded0a171a5c7aeceb36

SHA1
004c236e808a557271e0eb06ea4d4288417c9546

SHA256
58354d7fe6d0692bd58bd8b681b962ca1179b0f2b2d0834aae75ea5a2cdf680c

SHA512
32f1b7ad988f9708b013b0d20679866439099a561a0b6b271313de366e435902aa8d1f69a8960dca42d23d052d321f3820bdcfae44b97499233a8268442c1b4d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
221f9887138106a2283823a854adcc2a

SHA1
8dee140a867d937249c9dc3e627419b73531a8b2

SHA256
af9fe3b117a34c474b77340672dc5cf29e3b89db9e68f0b5e21990590c6b11ae

SHA512
df1146d7577f53805d5315ea0224f15ae52ea686eb61da8fc970b1842023ef7bf1fd53684d2b937f8168b0443ff6c9565c84042d9408e9f48b51ff8126ed0950

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
10fbd714fe55fbb3563dac602f300e6e

SHA1
89049b4c85939478eb0caa08134c382dc7ed3941

SHA256
2391e7c0e088274d0faf38ff7e52d5d91494ebfa833a55a8c8262d6d69f81e20

SHA512
d969ccab99d1b6ac05f3337c516e0c63a7c3047900f951aaadc835f038123fe5113fe9e6238cb5eadef06bf4548d813a06913e9f225b202e2d09fef6cb155699

Download Submit
memory/296-155-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/296-169-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/296-203-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/296-166-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/296-179-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/296-159-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/296-151-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/336-519-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/440-208-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/440-193-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/440-377-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/480-150-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/672-153-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/680-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/680-178-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/680-100-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/680-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/680-69-0x0000000000BE0000-0x0000000000C46000-memory.dmp

Filesize
408KB

Download
memory/680-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/680-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/680-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/680-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/680-74-0x0000000000BE0000-0x0000000000C46000-memory.dmp

Filesize
408KB

Download
memory/892-453-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/1072-461-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1072-173-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1072-167-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1072-164-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1072-189-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1292-102-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1304-260-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1304-210-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1540-127-0x0000000000AD0000-0x0000000000B8C000-memory.dmp

Filesize
752KB

Download
memory/1540-120-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1540-124-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1540-126-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1540-122-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1540-121-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-101-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1608-88-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1608-82-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1668-118-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/1668-113-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/1668-129-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1936-128-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1948-103-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1956-187-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/1956-190-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1956-181-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/1956-363-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1964-307-0x0000000000950000-0x00000000009D0000-memory.dmp

Filesize
512KB

Download
memory/1964-206-0x0000000000950000-0x00000000009D0000-memory.dmp

Filesize
512KB

Download
memory/1964-376-0x0000000000950000-0x00000000009D0000-memory.dmp

Filesize
512KB

Download
memory/1964-234-0x0000000000950000-0x00000000009D0000-memory.dmp

Filesize
512KB

Download
memory/2004-55-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2004-56-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2004-59-0x0000000005C50000-0x0000000005D88000-memory.dmp

Filesize
1.2MB

Download
memory/2004-54-0x0000000000C60000-0x0000000000DF6000-memory.dmp

Filesize
1.6MB

Download
memory/2004-57-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2004-58-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2004-60-0x000000000A320000-0x000000000A4D0000-memory.dmp

Filesize
1.7MB

Download
memory/2056-365-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2076-368-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2084-410-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2084-232-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2168-369-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2168-395-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2216-382-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2244-378-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2244-239-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2300-372-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2300-396-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2356-257-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2356-243-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2380-400-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2416-454-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2508-274-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2584-391-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2584-304-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2596-306-0x0000000000560000-0x0000000000769000-memory.dmp

Filesize
2.0MB

Download
memory/2596-305-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2596-392-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2840-333-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2852-428-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2896-334-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2896-375-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2908-394-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2908-335-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2980-430-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2980-534-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download