blustealer | f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2

Analysis

max time kernel
153s
max time network
175s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT_copy.exe
Size

1.6MB
MD5

3acff0b9068df07116870bf461f4f7c1
SHA1

fb7c0e6fcee327e8ed755e8f1c5199f35a3c4723
SHA256

f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2
SHA512

0bf707bc83a739e6ed63a56b76323db9c59fd6a3bfb05c760adc77cf918efddf1d9d4769bc14fc5846e0c1d836e3cefc8169778d8c0182e20a0a368e80c6494d
SSDEEP

49152:zxy+4OponS7iO7PYPhR/vNv1YWsWXLbZG8T0Zh591z:MKpoq57+/tztXLbZJGT

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 30 IoCs

pid	Process
460	Process not Found
1904	alg.exe
1584	aspnet_state.exe
1592	mscorsvw.exe
1796	mscorsvw.exe
1244	mscorsvw.exe
820	mscorsvw.exe
1744	dllhost.exe
1288	ehRecvr.exe
1732	mscorsvw.exe
364	mscorsvw.exe
1620	ehsched.exe
1940	mscorsvw.exe
1132	elevation_service.exe
964	IEEtwCollector.exe
2108	mscorsvw.exe
2204	mscorsvw.exe
2328	GROOVE.EXE
2356	mscorsvw.exe
2600	mscorsvw.exe
2696	maintenanceservice.exe
2784	mscorsvw.exe
2896	mscorsvw.exe
2960	msdtc.exe
3004	mscorsvw.exe
108	mscorsvw.exe
2184	msiexec.exe
2304	mscorsvw.exe
1228	OSE.EXE
2616	mscorsvw.exe

Loads dropped DLL 9 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2184	msiexec.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\83af8a8a7693df14.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\msiexec.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\alg.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	TT_copy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 296	1672	TT_copy.exe	28
PID 296 set thread context of 1948	296	TT_copy.exe	31

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	TT_copy.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	TT_copy.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	TT_copy.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	TT_copy.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	TT_copy.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{31F2EDA3-5D76-4E0A-80A4-3082DD5C174A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	TT_copy.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	TT_copy.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	TT_copy.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{31F2EDA3-5D76-4E0A-80A4-3082DD5C174A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	TT_copy.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	TT_copy.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
468	ehRec.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	296	TT_copy.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	820	mscorsvw.exe
Token: SeShutdownPrivilege	820	mscorsvw.exe
Token: SeShutdownPrivilege	820	mscorsvw.exe
Token: SeShutdownPrivilege	820	mscorsvw.exe
Token: SeDebugPrivilege	468	ehRec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeSecurityPrivilege	2184	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
296	TT_copy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 1672 wrote to memory of 296	1672	TT_copy.exe	28
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 296 wrote to memory of 1948	296	TT_copy.exe	31
PID 1244 wrote to memory of 1732	1244	mscorsvw.exe	38
PID 1244 wrote to memory of 1732	1244	mscorsvw.exe	38
PID 1244 wrote to memory of 1732	1244	mscorsvw.exe	38
PID 1244 wrote to memory of 1732	1244	mscorsvw.exe	38
PID 1244 wrote to memory of 364	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 364	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 364	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 364	1244	mscorsvw.exe	39
PID 1244 wrote to memory of 1940	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 1940	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 1940	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 1940	1244	mscorsvw.exe	42
PID 1244 wrote to memory of 2108	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 2108	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 2108	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 2108	1244	mscorsvw.exe	46
PID 1244 wrote to memory of 2204	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 2204	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 2204	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 2204	1244	mscorsvw.exe	47
PID 1244 wrote to memory of 2356	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2356	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2356	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2356	1244	mscorsvw.exe	49
PID 1244 wrote to memory of 2600	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2600	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2600	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2600	1244	mscorsvw.exe	50
PID 1244 wrote to memory of 2784	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 2784	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 2784	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 2784	1244	mscorsvw.exe	52
PID 1244 wrote to memory of 2896	1244	mscorsvw.exe	53
PID 1244 wrote to memory of 2896	1244	mscorsvw.exe	53
PID 1244 wrote to memory of 2896	1244	mscorsvw.exe	53
PID 1244 wrote to memory of 2896	1244	mscorsvw.exe	53
PID 1244 wrote to memory of 3004	1244	mscorsvw.exe	55
PID 1244 wrote to memory of 3004	1244	mscorsvw.exe	55
PID 1244 wrote to memory of 3004	1244	mscorsvw.exe	55
PID 1244 wrote to memory of 3004	1244	mscorsvw.exe	55
PID 1244 wrote to memory of 108	1244	mscorsvw.exe	56
PID 1244 wrote to memory of 108	1244	mscorsvw.exe	56
PID 1244 wrote to memory of 108	1244	mscorsvw.exe	56
PID 1244 wrote to memory of 108	1244	mscorsvw.exe	56
PID 1244 wrote to memory of 2304	1244	mscorsvw.exe	58
PID 1244 wrote to memory of 2304	1244	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\TT_copy.exe
"C:\Users\Admin\AppData\Local\Temp\TT_copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\TT_copy.exe
  "C:\Users\Admin\AppData\Local\Temp\TT_copy.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1592

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 258 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e0 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 248 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 270 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1ac -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 244 -NGENProcess 23c -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 274 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 280 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1744

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1288

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:1580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2328

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2696

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4ed94ec5e9e4569ba3f5b262c61afba2

SHA1
1271bfcad845be634f8fd886b206acdbe4f28ffd

SHA256
ab64a0af004fbe683862ff5cf531cfff5183d625f48c233d94a8b8c09a9c5607

SHA512
023d1c6e3cc68fc86a20b18ca7f2252893d996640a215b39ea553b91aebc5c63a4f03e6686ceb3854dd48585ed56ad8c908ee38610a1641c0a1fc927090cc7db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
eca068f13299139c1323b794edab8d33

SHA1
5b854fdd81ecf65340240e82143ef7389753e8fc

SHA256
0ac6f52abdfec924c03d2968cb2b6af6f9f29b41cd2f25e30ca3e96a4f6484c4

SHA512
999e6cdec080e04a35daf3e6ee9a64811d24c0d7f47a4e1713e0146704f65798d7b885163c88cc2163f6420ec96893adf3e643aa1902e1b98732b44d763af2f1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
16c4b9c7239c6768400a7e9e35ac37e2

SHA1
a25b84f488326480793053a8f981705c50008b43

SHA256
03f53cb2a8666f99042464e0100ec53645239d5728f6bd59d73efde810a8c428

SHA512
94621779834a0837f2b4384d23a063991d2760fe3a0caf65def34b0300eb936474013da254f5a47e8d72e7f9b00670dba14671cd7d74edd1f60aae685ec61576

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d737c1d1797fe4f73c1ac778a1bced07

SHA1
3dbe94e8d84a8279c6bec37f0694f34beb80fe9c

SHA256
094fd13ecc710e2e281886d9f7c114f2f64b1822f802cee53a12881b6853cc91

SHA512
1de7bc2173c5e04f5f5228296880bb481d04e9f082f29154bf41bd51bed9eb2656653453bde5e7d6a37bb4aed553410ca9fdd2377979f7c870cee0e6048b3db6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
45bc1156d4274fce161a0a6a156d6c22

SHA1
d6d973741b25f20956af73e773f175d73e3fd171

SHA256
9069a0ccebb2f6dc69dd0274b5955edb9dbd7a4680edc0b7c5540fee74464405

SHA512
3a57ad6e5e6cc15f121c70a54ba8397c83bdc1ea945eaa32dc23f1aa4c6681e18f7c1e837833957f73c4c63083b8468beb7e9d65675c8effa6d94ae5457d0681

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
45bc1156d4274fce161a0a6a156d6c22

SHA1
d6d973741b25f20956af73e773f175d73e3fd171

SHA256
9069a0ccebb2f6dc69dd0274b5955edb9dbd7a4680edc0b7c5540fee74464405

SHA512
3a57ad6e5e6cc15f121c70a54ba8397c83bdc1ea945eaa32dc23f1aa4c6681e18f7c1e837833957f73c4c63083b8468beb7e9d65675c8effa6d94ae5457d0681

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3fe51f8206d45b73aeb44bf907418919

SHA1
613eab2f6f1a8a5ebbd7a2faeee5f29aafde9d35

SHA256
42e26a3d337888bca949fb106202d33b5090766126910a0aad087242c1be598a

SHA512
e4bd0dda9f925a9e71f300362a62b855262579a0cbf1cb1d306a512dea395f97adceba28469bce38c0c044f8c8b8162d3babb25c91d6a609a645cb4fb65d7e4a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
2f56b463909056836fe3f9ee41af7b28

SHA1
aa37ed4b0873370eb5230323f81b1e3293ec549a

SHA256
5faf80352a06a7cfb7b3234a5e278dc436e6ce68b0ea14ec1e02a93c3496019d

SHA512
f4eee5136b4cdeb1d8df04ecf6c690048f84c4dc3a391f9b49bfcf236f15975bd38bc5e20fbf286cd7cc5f8b968ff32641c84d9f3fc235113271e12317640273

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
aac2b4aac38d031a8de1ffaf5f42a147

SHA1
2a07a2b6f1e99120cb24242b1027ef25a1bb61e2

SHA256
48b4e9ea22911b50686fef09256da576ed79150bbd8de17e0d4e2f928883f385

SHA512
67b331618194d6eaad90e4c96d836b8b185d9f9e1675a7ef280e6fd34e0f6b09deeee7c31a466603ae0cc49a8373364258de7ecf367b77a37cd910cf7df11165

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
aac2b4aac38d031a8de1ffaf5f42a147

SHA1
2a07a2b6f1e99120cb24242b1027ef25a1bb61e2

SHA256
48b4e9ea22911b50686fef09256da576ed79150bbd8de17e0d4e2f928883f385

SHA512
67b331618194d6eaad90e4c96d836b8b185d9f9e1675a7ef280e6fd34e0f6b09deeee7c31a466603ae0cc49a8373364258de7ecf367b77a37cd910cf7df11165

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8fe03a2c237486eca6b51ac86a3debd3

SHA1
d02b784a63a6fb7b9a3189f0fb33e85bc2a74a67

SHA256
da678472cee138643082b7172528aade1d386bb201bb030c10672ca6e813dd3c

SHA512
aabf2aab2a6dad95affa528b18a5be06f71effc23441faceee0d4add8f9813f7cd84d12767683e6d606f92e8555a2ae8cd4c267b04b164f1452fc0f48d83f52c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8fe03a2c237486eca6b51ac86a3debd3

SHA1
d02b784a63a6fb7b9a3189f0fb33e85bc2a74a67

SHA256
da678472cee138643082b7172528aade1d386bb201bb030c10672ca6e813dd3c

SHA512
aabf2aab2a6dad95affa528b18a5be06f71effc23441faceee0d4add8f9813f7cd84d12767683e6d606f92e8555a2ae8cd4c267b04b164f1452fc0f48d83f52c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
abac1c35c3e80b83822654ae05901165

SHA1
13ee184dc368e55ecb7a0ed92c60a4eb55e0edf4

SHA256
45f53760a484d4147dcb36ea8b67048580721315bddfe8621286397434394b08

SHA512
3604f58dc0ddc6fb0644219dbfc502f0263c80744620e0ec65b0495416a6d2ee3e13274be446dd8044e5cd4e7cca915bc07d342540342f38cc9009e75407cf91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4ee015632eb72b3abd675c581a684ec1

SHA1
3c654be09e20dca1aa336b75ce06e5c45deb2e2f

SHA256
8c6a8c1c87445554e3e72e331bee496342745aed9db8295ed30ff08ea303c037

SHA512
1338b5592c0b25e408fa42b267ca94cae9c4c590d76d56052927f49974fc5fcd2d231116c6e5d661986802c320fd3ab5c8a27eefb93e4a84c50954966202239e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3dd9c90146fed231d29ca9d1dabf4efb

SHA1
e0ffd43cc11b5686e31bff8ed2fbd0b09532d88e

SHA256
4a41da6ff397453dd878c2a24af8e5d070e855b16be3a7a01f09c8bb8d5634a4

SHA512
af625c463c92a070fefdcec05cfd75a08ea8584e4f4afab0657a0cc9f122fc68e179368c4ab76504ad4ee442434237ca0dcdc16736dd96f752c66cb88f353102

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
a3ad0db3dc6845645e4d4352d0fc655b

SHA1
7c2a2344b08b55974156638b6cb5c82463d08955

SHA256
41b3da9bdfa820935daf8139bb291d302bb354d0a4a12d169ab9a9310a8ff4db

SHA512
36641a441b8b13aa43fcda1b6ff88a0c912eec293902779304a00e6e92b2f9fe404eb7a81540628a3be47c698fccfd1e2b472bc49311851b075d54454afccef9

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c326c8e6f34183e4b2342608b61600eb

SHA1
7e33f7b887d2941ff4a9813b47be29919e98c410

SHA256
d9019c65d14ee6503abb81b7aa35ba5cd08d91958fd51d3937094778e19a28c7

SHA512
4b9be8b6b5298f3d3a1790cf19ea12c709498950823a23c3278e2e233771fc1c1e771ef72a20f0156628c1289fa5ede535c4a5688bf786edfc34815de11e9b11

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4f0e07bb600ff849917bbf82c571c1dc

SHA1
621b4c143724fbfcd35b638d84b9f9d22d2ad47c

SHA256
5579ec365e7d39351bed2a5d06f15fe17c60098bf6b0e6aef6db0de7df0589de

SHA512
65b8c016cfe7d08c2d329105e43493896b1e2031c27955db87ee9d5b61fed706ff59f9fae6220bf5ee003b4889320df03125ae39a3b57c0704de11a73721d217

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
20e38f885b712c3fc8f798125e7fbff4

SHA1
00e97811560b1bb224772809a3e8b325e19e0de5

SHA256
e4d36c088a823a150711b23bc6dfc53ace6cac9d82f28ef55a800b73467655f8

SHA512
875a17411d67c79f3c0e1b0d84a560c303b7ba87f57c41284e89c0af42971a13cf92dfdc5a331b5735b5881487baacc0099ca5043e5e022cf096027c65849859

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b46fc4c4f0715325f6e534c627d2c537

SHA1
c1d252a055391878e87a0305fa9bc0d5b6adf7d0

SHA256
218f3d455de18dc8de8718cb637d914bf70e2db240702678458c6d465d8d4064

SHA512
dd9bb926d484aa14f4e485c6e02f45168d745669488182d95df219b2f118da8d9e380826ab51ab30bd1369bc036a18f682c855d702fa3c4b9675f048b5236a9d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
17222838641648803267e9814947a95a

SHA1
ac83562be67e570d1f817cdca523fb224d54e84b

SHA256
02acb753ee49213bcb5a85763b73890be2cd642bcb2bd0e597ebebc90babb57d

SHA512
9ad1c01245c337b31b784ac03073e5a4431db78ba89a7bf52613947da5d56053bcd079fdf3b2c5d04136b971bd6f30ef24afec30415947f850eed89e0201b15d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
20e38f885b712c3fc8f798125e7fbff4

SHA1
00e97811560b1bb224772809a3e8b325e19e0de5

SHA256
e4d36c088a823a150711b23bc6dfc53ace6cac9d82f28ef55a800b73467655f8

SHA512
875a17411d67c79f3c0e1b0d84a560c303b7ba87f57c41284e89c0af42971a13cf92dfdc5a331b5735b5881487baacc0099ca5043e5e022cf096027c65849859

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
45bc1156d4274fce161a0a6a156d6c22

SHA1
d6d973741b25f20956af73e773f175d73e3fd171

SHA256
9069a0ccebb2f6dc69dd0274b5955edb9dbd7a4680edc0b7c5540fee74464405

SHA512
3a57ad6e5e6cc15f121c70a54ba8397c83bdc1ea945eaa32dc23f1aa4c6681e18f7c1e837833957f73c4c63083b8468beb7e9d65675c8effa6d94ae5457d0681

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
2f56b463909056836fe3f9ee41af7b28

SHA1
aa37ed4b0873370eb5230323f81b1e3293ec549a

SHA256
5faf80352a06a7cfb7b3234a5e278dc436e6ce68b0ea14ec1e02a93c3496019d

SHA512
f4eee5136b4cdeb1d8df04ecf6c690048f84c4dc3a391f9b49bfcf236f15975bd38bc5e20fbf286cd7cc5f8b968ff32641c84d9f3fc235113271e12317640273

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3dd9c90146fed231d29ca9d1dabf4efb

SHA1
e0ffd43cc11b5686e31bff8ed2fbd0b09532d88e

SHA256
4a41da6ff397453dd878c2a24af8e5d070e855b16be3a7a01f09c8bb8d5634a4

SHA512
af625c463c92a070fefdcec05cfd75a08ea8584e4f4afab0657a0cc9f122fc68e179368c4ab76504ad4ee442434237ca0dcdc16736dd96f752c66cb88f353102

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
a3ad0db3dc6845645e4d4352d0fc655b

SHA1
7c2a2344b08b55974156638b6cb5c82463d08955

SHA256
41b3da9bdfa820935daf8139bb291d302bb354d0a4a12d169ab9a9310a8ff4db

SHA512
36641a441b8b13aa43fcda1b6ff88a0c912eec293902779304a00e6e92b2f9fe404eb7a81540628a3be47c698fccfd1e2b472bc49311851b075d54454afccef9

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c326c8e6f34183e4b2342608b61600eb

SHA1
7e33f7b887d2941ff4a9813b47be29919e98c410

SHA256
d9019c65d14ee6503abb81b7aa35ba5cd08d91958fd51d3937094778e19a28c7

SHA512
4b9be8b6b5298f3d3a1790cf19ea12c709498950823a23c3278e2e233771fc1c1e771ef72a20f0156628c1289fa5ede535c4a5688bf786edfc34815de11e9b11

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4f0e07bb600ff849917bbf82c571c1dc

SHA1
621b4c143724fbfcd35b638d84b9f9d22d2ad47c

SHA256
5579ec365e7d39351bed2a5d06f15fe17c60098bf6b0e6aef6db0de7df0589de

SHA512
65b8c016cfe7d08c2d329105e43493896b1e2031c27955db87ee9d5b61fed706ff59f9fae6220bf5ee003b4889320df03125ae39a3b57c0704de11a73721d217

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
20e38f885b712c3fc8f798125e7fbff4

SHA1
00e97811560b1bb224772809a3e8b325e19e0de5

SHA256
e4d36c088a823a150711b23bc6dfc53ace6cac9d82f28ef55a800b73467655f8

SHA512
875a17411d67c79f3c0e1b0d84a560c303b7ba87f57c41284e89c0af42971a13cf92dfdc5a331b5735b5881487baacc0099ca5043e5e022cf096027c65849859

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
20e38f885b712c3fc8f798125e7fbff4

SHA1
00e97811560b1bb224772809a3e8b325e19e0de5

SHA256
e4d36c088a823a150711b23bc6dfc53ace6cac9d82f28ef55a800b73467655f8

SHA512
875a17411d67c79f3c0e1b0d84a560c303b7ba87f57c41284e89c0af42971a13cf92dfdc5a331b5735b5881487baacc0099ca5043e5e022cf096027c65849859

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b46fc4c4f0715325f6e534c627d2c537

SHA1
c1d252a055391878e87a0305fa9bc0d5b6adf7d0

SHA256
218f3d455de18dc8de8718cb637d914bf70e2db240702678458c6d465d8d4064

SHA512
dd9bb926d484aa14f4e485c6e02f45168d745669488182d95df219b2f118da8d9e380826ab51ab30bd1369bc036a18f682c855d702fa3c4b9675f048b5236a9d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
17222838641648803267e9814947a95a

SHA1
ac83562be67e570d1f817cdca523fb224d54e84b

SHA256
02acb753ee49213bcb5a85763b73890be2cd642bcb2bd0e597ebebc90babb57d

SHA512
9ad1c01245c337b31b784ac03073e5a4431db78ba89a7bf52613947da5d56053bcd079fdf3b2c5d04136b971bd6f30ef24afec30415947f850eed89e0201b15d

Download Submit
memory/108-390-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/296-73-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/296-95-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/296-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/296-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/296-65-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/296-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/296-60-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/296-145-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/296-67-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/296-68-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/364-176-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/364-203-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/364-182-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/468-263-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/468-422-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/468-287-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/468-223-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/468-364-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/820-139-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/964-312-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/964-258-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1132-262-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1132-222-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1228-420-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1244-128-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/1244-122-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/1244-134-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1288-167-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1288-172-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1288-221-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1288-158-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1288-260-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1584-98-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1592-132-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1620-261-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1620-187-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/1620-201-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1672-54-0x0000000000E90000-0x000000000103C000-memory.dmp

Filesize
1.7MB

Download
memory/1672-57-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/1672-59-0x0000000005E50000-0x0000000006000000-memory.dmp

Filesize
1.7MB

Download
memory/1672-55-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/1672-58-0x0000000005D10000-0x0000000005E48000-memory.dmp

Filesize
1.2MB

Download
memory/1672-56-0x00000000044F0000-0x0000000004530000-memory.dmp

Filesize
256KB

Download
memory/1732-184-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1732-173-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1732-156-0x0000000000730000-0x0000000000796000-memory.dmp

Filesize
408KB

Download
memory/1732-168-0x0000000000730000-0x0000000000796000-memory.dmp

Filesize
408KB

Download
memory/1744-152-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1796-131-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1904-81-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1904-87-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1904-96-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1940-245-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1940-205-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1948-112-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1948-120-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1948-115-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1948-127-0x00000000023D0000-0x000000000248C000-memory.dmp

Filesize
752KB

Download
memory/1948-117-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1948-114-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-137-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2108-256-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2184-391-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2184-413-0x0000000000550000-0x0000000000759000-memory.dmp

Filesize
2.0MB

Download
memory/2204-257-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2204-268-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2304-392-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2304-411-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2328-288-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2328-277-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2356-278-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2356-299-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2600-323-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2616-421-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2696-361-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2696-325-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2784-324-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2784-335-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2896-350-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2960-363-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/3004-376-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3004-365-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download