blustealer | 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097

Analysis

max time kernel
176s
max time network
189s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Size

996KB
MD5

6b5440ea657619e7301f3e923654cb3c
SHA1

1fbafb550989c2c944d3941545b68bd553175704
SHA256

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097
SHA512

a652226f01fdbe1efe10ca765a029fa72a972f04a79b579153e61c3c02fed20bf265293f722a386da3985a152124b2334f140b8620d82862fe2401103f8a2c74
SSDEEP

24576:wxgsRftD0C2nKGe0Djsf9nz4mloFQnpXUMPQDR6q79dA:waSftDnGpDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 28 IoCs

pid	Process
464	Process not Found
1416	alg.exe
1540	aspnet_state.exe
684	mscorsvw.exe
1184	mscorsvw.exe
1056	mscorsvw.exe
1824	mscorsvw.exe
592	dllhost.exe
1624	ehRecvr.exe
844	ehsched.exe
1776	mscorsvw.exe
868	mscorsvw.exe
840	mscorsvw.exe
1776	elevation_service.exe
1040	IEEtwCollector.exe
1728	mscorsvw.exe
684	mscorsvw.exe
1448	GROOVE.EXE
2056	maintenanceservice.exe
2156	mscorsvw.exe
2236	msdtc.exe
2372	mscorsvw.exe
2404	msiexec.exe
2584	mscorsvw.exe
2680	mscorsvw.exe
2768	mscorsvw.exe
3016	mscorsvw.exe
2108	mscorsvw.exe

Loads dropped DLL 9 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2404	msiexec.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d36029ab7693df14.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\msiexec.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 688 set thread context of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehsched.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1C927F30-9185-4587-B71A-5C14E7C09DCE}.crmlog	dllhost.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1C927F30-9185-4587-B71A-5C14E7C09DCE}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1760	ehRec.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1824	mscorsvw.exe
Token: SeShutdownPrivilege	1824	mscorsvw.exe
Token: SeShutdownPrivilege	1824	mscorsvw.exe
Token: SeShutdownPrivilege	1824	mscorsvw.exe
Token: 33	1684	EhTray.exe
Token: SeIncBasePriorityPrivilege	1684	EhTray.exe
Token: SeDebugPrivilege	1760	ehRec.exe
Token: 33	1684	EhTray.exe
Token: SeIncBasePriorityPrivilege	1684	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 688 wrote to memory of 836	688	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	29
PID 1056 wrote to memory of 1776	1056	mscorsvw.exe	37
PID 1056 wrote to memory of 1776	1056	mscorsvw.exe	37
PID 1056 wrote to memory of 1776	1056	mscorsvw.exe	37
PID 1056 wrote to memory of 1776	1056	mscorsvw.exe	37
PID 1056 wrote to memory of 868	1056	mscorsvw.exe	39
PID 1056 wrote to memory of 868	1056	mscorsvw.exe	39
PID 1056 wrote to memory of 868	1056	mscorsvw.exe	39
PID 1056 wrote to memory of 868	1056	mscorsvw.exe	39
PID 1056 wrote to memory of 840	1056	mscorsvw.exe	40
PID 1056 wrote to memory of 840	1056	mscorsvw.exe	40
PID 1056 wrote to memory of 840	1056	mscorsvw.exe	40
PID 1056 wrote to memory of 840	1056	mscorsvw.exe	40
PID 1056 wrote to memory of 1728	1056	mscorsvw.exe	44
PID 1056 wrote to memory of 1728	1056	mscorsvw.exe	44
PID 1056 wrote to memory of 1728	1056	mscorsvw.exe	44
PID 1056 wrote to memory of 1728	1056	mscorsvw.exe	44
PID 1056 wrote to memory of 684	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 684	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 684	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 684	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 2156	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 2156	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 2156	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 2156	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 2372	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2372	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2372	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2372	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2584	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 2584	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 2584	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 2584	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 2680	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 2680	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 2680	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 2680	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 2768	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 2768	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 2768	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 2768	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 3016	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 3016	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 3016	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 3016	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 2108	1056	mscorsvw.exe	56
PID 1056 wrote to memory of 2108	1056	mscorsvw.exe	56
PID 1056 wrote to memory of 2108	1056	mscorsvw.exe	56
PID 1056 wrote to memory of 2108	1056	mscorsvw.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
"C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:684

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 168 -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 25c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e0 -NGENProcess 1f8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1e8 -NGENProcess 24c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 184 -NGENProcess 254 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 26c -NGENProcess 1b0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e8 -NGENProcess 274 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 278 -NGENProcess 1b0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 27c -NGENProcess 1f0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 1b0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:592

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1624

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1040

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a2416345ad36fa2bac9e05179f09e54e

SHA1
d74de18bd7dd91f98d35e814ed233c09cdd4b438

SHA256
01653b8d0dc0d3b3d069bc33beba81df5e645f8468156919ca8ee0ec3cb627dd

SHA512
34d15603e2a339732be59cbf1885224f3540f48549965cfaded9eb62e891e9e39b2231ed2eecb8561064ce844dbdaab025bb23ebab5d593f67d58875484d7d92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
aaaa001f07a11f6a0b1f6c4d81002ee6

SHA1
42fe8212ad72544af9a6e9b40d984c4efaa657a6

SHA256
2d4d8746e690fd444f0dcdf3fba4c21b678152591a52eab776f0d08bb31e1060

SHA512
f878524ac29b030a4f1742a0cf55a9d0e3b8da19140b8dacc8d7f45ab6b49fa1ef8e03bb93b13771ef2563f5466a37f90845024b54ee822cdd1dca624a603dc3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
530e730bf7f185bc7adc1fe7ab3315eb

SHA1
d7a9e4917cdb0c04433d3adc16eb896bef9928c1

SHA256
a9ae6c8f103f1d5b070b051323209eb5d90427a7496ec39b0fa7a54c92f3ec27

SHA512
550c4fa9bb80860b21a6121dcf155118c2751b2e2d322c8abeb9b9e5d59dce10a56673036e28c02965ea349436bc3eaa6001ee22dd331889c583047dbfc1a880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
70fb48ae201ab4205732c8169d192e07

SHA1
02107468a947ec419beaf957e7b9218cae488693

SHA256
6879fb29244786d4d3518042df7eca64a950587b24ace7fb597fa3226cc44793

SHA512
7f2188f81b8b04a5b8c0c3b5179ab3889c21f1840cb493c794f18ca430cad630d1c3e31f0edefbe7d36227fe6763a6f12f4e81fa5d1b796f63765c02d3b9c28e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
70fb48ae201ab4205732c8169d192e07

SHA1
02107468a947ec419beaf957e7b9218cae488693

SHA256
6879fb29244786d4d3518042df7eca64a950587b24ace7fb597fa3226cc44793

SHA512
7f2188f81b8b04a5b8c0c3b5179ab3889c21f1840cb493c794f18ca430cad630d1c3e31f0edefbe7d36227fe6763a6f12f4e81fa5d1b796f63765c02d3b9c28e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
28e823d014666971b8af6225513d8868

SHA1
61acd4ce51ccec02d4abb6458ecde1564614936f

SHA256
dc8972f96c5ed9af7f7d9585e54109842508ca599e18b6f6423b22e09f25fadc

SHA512
707775f324a260f804ba4a4ec93899d1bdeca35f1f3e1ef66d97a0064f7faebff49bb57956ae1db1a85ac6b3a78db928e4cde1632cbb4c2b4e65b7688b3acd1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
f36ba59aa327e604078addd81a3b86b7

SHA1
79a77e7b1499f52a484323e4a258fabb9121e765

SHA256
a3dac94ad3fd75b6137b177576595bd6a8b87b1f1c57656a409ffdea3a13bf4c

SHA512
4c19afea9e65ecb7b406d739847d57e00a12b7ddb9cd0fa48ff1f7b7bbb1ec0f86ea19aebdd5151efca970e2443e595f0dee0227c5ffb196b8e0440c15dda601

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
33526e671dbd611e503994b828d2f95e

SHA1
ca41836826eb3bc75b5970395d8f0f92c2a30658

SHA256
f36965d4ac787cfb8b608ebdba40ebbd5e4ac5f811635f376cb072f8342697a3

SHA512
0eac1a1dace372a7b91ed56efccd3b1dbcb20a10125193a87444840c3597b124a77d5e7f829df1206263f108420ae1e0390bcc73a6844efb7b7bde7a25cc3497

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
33526e671dbd611e503994b828d2f95e

SHA1
ca41836826eb3bc75b5970395d8f0f92c2a30658

SHA256
f36965d4ac787cfb8b608ebdba40ebbd5e4ac5f811635f376cb072f8342697a3

SHA512
0eac1a1dace372a7b91ed56efccd3b1dbcb20a10125193a87444840c3597b124a77d5e7f829df1206263f108420ae1e0390bcc73a6844efb7b7bde7a25cc3497

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ce94e2b68dc0254d550cdbd324c8b3a0

SHA1
f62957619bfb935e42d3cbaff77af5736038a7df

SHA256
da5fe3d72bfae2cdba8874332a6de7e353a22df2ea096479943bd1e51b4372ff

SHA512
e2ff1b36a934920f402d504f957957b0f45c20fb52640cb17249ea449481bf771961b32afb26c35c12bcf62cf6d2e817f001fd68a1451c06a5ce42cce01acafd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ce94e2b68dc0254d550cdbd324c8b3a0

SHA1
f62957619bfb935e42d3cbaff77af5736038a7df

SHA256
da5fe3d72bfae2cdba8874332a6de7e353a22df2ea096479943bd1e51b4372ff

SHA512
e2ff1b36a934920f402d504f957957b0f45c20fb52640cb17249ea449481bf771961b32afb26c35c12bcf62cf6d2e817f001fd68a1451c06a5ce42cce01acafd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ee45d72e2165503b4020fd768a1ec3fd

SHA1
88131848c2283c0e9ae520abcd70b48544a5ea47

SHA256
cc9bf1010cc7aed26022679cbd4813aa38e0990878ee391fd78a79374cb06b2c

SHA512
6a356817e5a6c09a5cd0d5802c2f8e5628f2e3f8564422dddc5421dcfc36da7299860abd851e244bd1ecef484bf0832cd7cf2ed2df8c067ecfdc3a8002799507

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ad3c22d5178210777244036322227eb9

SHA1
a6ec3a884075d14c7c2451dee42127112db40f93

SHA256
982003ed8a4d8376fee24a6101f5f5312f32289bc3261ce5070660b7b08523ab

SHA512
7b8379a892cb9d280b1313600b1ff060f9e3e5283ba8c0c5e91c7356ee3b25aa91da29862eeb4a708f328974854b1cb9aa5585632629d36d8019013644cbfed2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
69604d8d7877573f1894c9f8c6aee742

SHA1
54d461345df9ae1852b0509375556d3e828fe8c4

SHA256
3054e97b6f733c8257d3a9f1af0ac50cacac84990331b43320cee39c6cceba69

SHA512
05f4da55d610786fb6c08974baa890666980f5d5fcff0a8dcef0700e4d50ab26e85169ef3b53bf2c0a00f7a05630f7b5ff6e2e7fdf49fd7866f60591dd9f2495

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
c989d91bccc19d246bc7df6b46138e6c

SHA1
617e4aaa252627ea4f1dff997134ac5baceac1af

SHA256
85d57f2cc1bf0bb03792bbf4d7d5d6d6bca3b704f3df513b9ae574035f5e803d

SHA512
ff6c0e96368c4dc60a3e38601ae8d52539ea34e9cf1ede68652d51ee911e85728c0675e6cb8ee10de22545c1198bc5453a99e2d05db6f259bce86bfdb4c9cff0

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
97713b24d4578e3243bb3b2f3bdb3126

SHA1
7d6390459fdd308b412b74daa49afad7d0e1b909

SHA256
db2ca90f6f411decd7e1c11e6ebec50d6e389f4a541693afec297c8e4b9a5350

SHA512
9a47441d39103342669af21f20296bb5c956155fec00f688fcdccf2b18ba34ea356e8287bc86a86b84dec54b1a1211b9a1724cf24b5148dcbb7fc3d4dbe2f72c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
8c0b871e8510485c20a75c3357b8b580

SHA1
541f2217f6aab186c698da62276a1c1d9ed63948

SHA256
5ede32e852e2a639a766dbe7d9ee086a673bedb0c7537496734ad2fe69ced97f

SHA512
716708921b39abbced746afc4f757e572230221893adb4ad6bd3ea62328c85318b6292ae5cad5e1d78255acd38639697e61640a3cf34a81a452b4aff609572f9

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
acd0e6c693b4907fdf2383951f471902

SHA1
cda6756197994b9e5420e94193df2a65772efc3a

SHA256
d2d89b9cf8bb8fbfa2f5a63f1c9d096fcad633e8487b5f10fb7ca0a76f64814f

SHA512
81878aa01e7a99338e9c608caa1214de7d70926209386e35b06a689008852663721886a4dbabe038e539b820d94a414ae331e3267f63fa05fee9bfb3c821d27b

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
16b4819ea74a541e7e15151c7b97496d

SHA1
3fc98f552da23e8c9d1920b0cb033e03c96a3a36

SHA256
f9a4a4753b30f6ff1e0c4d5265bd990ab1b3cc1458d017b70f5eab5dfea4abca

SHA512
85136f5f5c74b05f23ea7c54ffe89caebaaa52556ad3de759aba7d095b462038e1ff7c1e57fd5c49105736ef5ffa7555dd36ac6eb64238fda668da79714aa746

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
568e391a4dc2f8ca7b1aef8948feaf63

SHA1
58a5bbe08d8daba81d1e2f38d52a1b2553e3f9b0

SHA256
7e579dd131fe227896258505c3e7c81e145f7af4b9ea1d307cfa961f10c4739f

SHA512
867b2b3ef8eab2d86e5190ce4f10f3131b585ce1097bf9ea41a95475e18ecf6d41e2d29717b6d6b16452ac6b89b8f666342430d90286c69ed2568a83305f6c43

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
acd0e6c693b4907fdf2383951f471902

SHA1
cda6756197994b9e5420e94193df2a65772efc3a

SHA256
d2d89b9cf8bb8fbfa2f5a63f1c9d096fcad633e8487b5f10fb7ca0a76f64814f

SHA512
81878aa01e7a99338e9c608caa1214de7d70926209386e35b06a689008852663721886a4dbabe038e539b820d94a414ae331e3267f63fa05fee9bfb3c821d27b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
70fb48ae201ab4205732c8169d192e07

SHA1
02107468a947ec419beaf957e7b9218cae488693

SHA256
6879fb29244786d4d3518042df7eca64a950587b24ace7fb597fa3226cc44793

SHA512
7f2188f81b8b04a5b8c0c3b5179ab3889c21f1840cb493c794f18ca430cad630d1c3e31f0edefbe7d36227fe6763a6f12f4e81fa5d1b796f63765c02d3b9c28e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
f36ba59aa327e604078addd81a3b86b7

SHA1
79a77e7b1499f52a484323e4a258fabb9121e765

SHA256
a3dac94ad3fd75b6137b177576595bd6a8b87b1f1c57656a409ffdea3a13bf4c

SHA512
4c19afea9e65ecb7b406d739847d57e00a12b7ddb9cd0fa48ff1f7b7bbb1ec0f86ea19aebdd5151efca970e2443e595f0dee0227c5ffb196b8e0440c15dda601

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
69604d8d7877573f1894c9f8c6aee742

SHA1
54d461345df9ae1852b0509375556d3e828fe8c4

SHA256
3054e97b6f733c8257d3a9f1af0ac50cacac84990331b43320cee39c6cceba69

SHA512
05f4da55d610786fb6c08974baa890666980f5d5fcff0a8dcef0700e4d50ab26e85169ef3b53bf2c0a00f7a05630f7b5ff6e2e7fdf49fd7866f60591dd9f2495

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
c989d91bccc19d246bc7df6b46138e6c

SHA1
617e4aaa252627ea4f1dff997134ac5baceac1af

SHA256
85d57f2cc1bf0bb03792bbf4d7d5d6d6bca3b704f3df513b9ae574035f5e803d

SHA512
ff6c0e96368c4dc60a3e38601ae8d52539ea34e9cf1ede68652d51ee911e85728c0675e6cb8ee10de22545c1198bc5453a99e2d05db6f259bce86bfdb4c9cff0

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
97713b24d4578e3243bb3b2f3bdb3126

SHA1
7d6390459fdd308b412b74daa49afad7d0e1b909

SHA256
db2ca90f6f411decd7e1c11e6ebec50d6e389f4a541693afec297c8e4b9a5350

SHA512
9a47441d39103342669af21f20296bb5c956155fec00f688fcdccf2b18ba34ea356e8287bc86a86b84dec54b1a1211b9a1724cf24b5148dcbb7fc3d4dbe2f72c

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
8c0b871e8510485c20a75c3357b8b580

SHA1
541f2217f6aab186c698da62276a1c1d9ed63948

SHA256
5ede32e852e2a639a766dbe7d9ee086a673bedb0c7537496734ad2fe69ced97f

SHA512
716708921b39abbced746afc4f757e572230221893adb4ad6bd3ea62328c85318b6292ae5cad5e1d78255acd38639697e61640a3cf34a81a452b4aff609572f9

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
acd0e6c693b4907fdf2383951f471902

SHA1
cda6756197994b9e5420e94193df2a65772efc3a

SHA256
d2d89b9cf8bb8fbfa2f5a63f1c9d096fcad633e8487b5f10fb7ca0a76f64814f

SHA512
81878aa01e7a99338e9c608caa1214de7d70926209386e35b06a689008852663721886a4dbabe038e539b820d94a414ae331e3267f63fa05fee9bfb3c821d27b

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
acd0e6c693b4907fdf2383951f471902

SHA1
cda6756197994b9e5420e94193df2a65772efc3a

SHA256
d2d89b9cf8bb8fbfa2f5a63f1c9d096fcad633e8487b5f10fb7ca0a76f64814f

SHA512
81878aa01e7a99338e9c608caa1214de7d70926209386e35b06a689008852663721886a4dbabe038e539b820d94a414ae331e3267f63fa05fee9bfb3c821d27b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
16b4819ea74a541e7e15151c7b97496d

SHA1
3fc98f552da23e8c9d1920b0cb033e03c96a3a36

SHA256
f9a4a4753b30f6ff1e0c4d5265bd990ab1b3cc1458d017b70f5eab5dfea4abca

SHA512
85136f5f5c74b05f23ea7c54ffe89caebaaa52556ad3de759aba7d095b462038e1ff7c1e57fd5c49105736ef5ffa7555dd36ac6eb64238fda668da79714aa746

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
568e391a4dc2f8ca7b1aef8948feaf63

SHA1
58a5bbe08d8daba81d1e2f38d52a1b2553e3f9b0

SHA256
7e579dd131fe227896258505c3e7c81e145f7af4b9ea1d307cfa961f10c4739f

SHA512
867b2b3ef8eab2d86e5190ce4f10f3131b585ce1097bf9ea41a95475e18ecf6d41e2d29717b6d6b16452ac6b89b8f666342430d90286c69ed2568a83305f6c43

Download Submit
memory/592-139-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/684-261-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/684-85-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/684-277-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/684-108-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/688-406-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/688-54-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/688-64-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/688-59-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/836-121-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/836-91-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/836-119-0x0000000004B20000-0x0000000004BDC000-memory.dmp

Filesize
752KB

Download
memory/836-96-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/836-90-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/836-94-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/836-92-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/840-236-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/840-203-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/840-191-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/844-189-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/844-154-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/844-172-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/844-168-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/868-186-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/868-181-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/868-180-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/868-200-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1040-235-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1056-120-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1056-117-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1056-112-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1184-101-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1416-74-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1416-68-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1416-78-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1448-260-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1448-383-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1540-83-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1540-82-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1624-148-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1624-159-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1624-175-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1624-170-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1624-142-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1624-151-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1624-188-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1728-249-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1728-237-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1760-405-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1760-270-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1760-374-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1760-400-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1760-202-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1760-331-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1776-166-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1776-169-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1776-161-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1776-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1776-375-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1776-179-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1824-132-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2056-301-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2056-272-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2108-401-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2156-292-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2156-326-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2236-402-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2236-290-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2372-327-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2372-342-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2404-330-0x00000000005C0000-0x00000000007C9000-memory.dmp

Filesize
2.0MB

Download
memory/2404-329-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2404-403-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2404-404-0x00000000005C0000-0x00000000007C9000-memory.dmp

Filesize
2.0MB

Download
memory/2584-350-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2680-362-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2768-387-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2768-365-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3016-388-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3016-399-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download