blustealer | af2ff9bc5e9582e3301aea8cae68cb9fdea3e56b75dd57853c156c15757462d7

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-05-2023 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Size

1.5MB
MD5

581f51fd35e943a69a4c569fa8654736
SHA1

610e7579a996ea788ccb688a9dda9d4855a40a2d
SHA256

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043
SHA512

8bb8ce0f096c5a08e2457c7039f0169ae312f850e8189e240176e7a4ccf4ba113efe9f3a19e4e282ff66b60e48b0e07127270da804e0192f5ef091f7ea9e03db
SSDEEP

24576:Xbj8B+M73OglQfGmzu7SulbydbwcLxTDkU9tMMkB5lO2dMqtX1uP:XX++tglKKPwbwcLh4otmB7ldMg1C

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
464	Process not Found
1556	alg.exe
824	aspnet_state.exe
1076	mscorsvw.exe
288	mscorsvw.exe
1984	mscorsvw.exe
1912	mscorsvw.exe
1320	dllhost.exe
360	ehRecvr.exe
884	ehsched.exe
268	elevation_service.exe
1452	IEEtwCollector.exe
1076	GROOVE.EXE
668	maintenanceservice.exe
2136	msdtc.exe
2252	msiexec.exe
2324	mscorsvw.exe
2476	OSE.EXE
2516	mscorsvw.exe
2640	mscorsvw.exe
2632	OSPPSVC.EXE
2836	perfhost.exe
2868	locator.exe
2960	snmptrap.exe
3048	vds.exe
2172	vssvc.exe
2184	mscorsvw.exe
2512	mscorsvw.exe
2588	wbengine.exe
2600	WmiApSrv.exe
2904	mscorsvw.exe
2068	wmpnetwk.exe
2236	mscorsvw.exe
2440	SearchIndexer.exe
2404	mscorsvw.exe
2824	mscorsvw.exe
2976	mscorsvw.exe
1928	mscorsvw.exe
2780	mscorsvw.exe
808	mscorsvw.exe
2088	mscorsvw.exe
2624	mscorsvw.exe
620	mscorsvw.exe
2204	mscorsvw.exe
1928	mscorsvw.exe
2780	mscorsvw.exe
2100	mscorsvw.exe
668	mscorsvw.exe
2244	mscorsvw.exe
2604	mscorsvw.exe
2752	mscorsvw.exe
2292	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2252	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\alg.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\msiexec.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\locator.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\vds.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\msdtc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\wbengine.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4714cc6bdecfa14c.bin	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 764 set thread context of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8D3691E4-5EC2-4570-AE62-1AB9A0DB49FE}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8D3691E4-5EC2-4570-AE62-1AB9A0DB49FE}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{2A7332FB-950F-408C-99F8-4ED9451EEC00}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{2A7332FB-950F-408C-99F8-4ED9451EEC00}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1740	ehRec.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: 33	1376	EhTray.exe
Token: SeIncBasePriorityPrivilege	1376	EhTray.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeDebugPrivilege	1740	ehRec.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeRestorePrivilege	2252	msiexec.exe
Token: SeTakeOwnershipPrivilege	2252	msiexec.exe
Token: SeSecurityPrivilege	2252	msiexec.exe
Token: 33	1376	EhTray.exe
Token: SeIncBasePriorityPrivilege	1376	EhTray.exe
Token: SeBackupPrivilege	2172	vssvc.exe
Token: SeRestorePrivilege	2172	vssvc.exe
Token: SeAuditPrivilege	2172	vssvc.exe
Token: SeBackupPrivilege	2588	wbengine.exe
Token: SeRestorePrivilege	2588	wbengine.exe
Token: SeSecurityPrivilege	2588	wbengine.exe
Token: 33	2068	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2068	wmpnetwk.exe
Token: SeManageVolumePrivilege	2440	SearchIndexer.exe
Token: 33	2440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2440	SearchIndexer.exe
Token: SeDebugPrivilege	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeDebugPrivilege	1556	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1376	EhTray.exe
1376	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1376	EhTray.exe
1376	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
316	SearchProtocolHost.exe
316	SearchProtocolHost.exe
316	SearchProtocolHost.exe
316	SearchProtocolHost.exe
316	SearchProtocolHost.exe
2540	SearchProtocolHost.exe
2540	SearchProtocolHost.exe
2540	SearchProtocolHost.exe
2540	SearchProtocolHost.exe
2540	SearchProtocolHost.exe
2540	SearchProtocolHost.exe
2540	SearchProtocolHost.exe
316	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 1320 wrote to memory of 764	1320	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	28
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 764 wrote to memory of 1048	764	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	31
PID 1984 wrote to memory of 2324	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2324	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2324	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2324	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2516	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2516	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2516	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2516	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2640	1984	mscorsvw.exe	51
PID 1984 wrote to memory of 2640	1984	mscorsvw.exe	51
PID 1984 wrote to memory of 2640	1984	mscorsvw.exe	51
PID 1984 wrote to memory of 2640	1984	mscorsvw.exe	51
PID 1984 wrote to memory of 2184	1984	mscorsvw.exe	57
PID 1984 wrote to memory of 2184	1984	mscorsvw.exe	57
PID 1984 wrote to memory of 2184	1984	mscorsvw.exe	57
PID 1984 wrote to memory of 2184	1984	mscorsvw.exe	57
PID 1984 wrote to memory of 2512	1984	mscorsvw.exe	58
PID 1984 wrote to memory of 2512	1984	mscorsvw.exe	58
PID 1984 wrote to memory of 2512	1984	mscorsvw.exe	58
PID 1984 wrote to memory of 2512	1984	mscorsvw.exe	58
PID 1984 wrote to memory of 2904	1984	mscorsvw.exe	61
PID 1984 wrote to memory of 2904	1984	mscorsvw.exe	61
PID 1984 wrote to memory of 2904	1984	mscorsvw.exe	61
PID 1984 wrote to memory of 2904	1984	mscorsvw.exe	61
PID 1984 wrote to memory of 2236	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 2236	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 2236	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 2236	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 2404	1984	mscorsvw.exe	65
PID 1984 wrote to memory of 2404	1984	mscorsvw.exe	65
PID 1984 wrote to memory of 2404	1984	mscorsvw.exe	65
PID 1984 wrote to memory of 2404	1984	mscorsvw.exe	65
PID 2440 wrote to memory of 316	2440	SearchIndexer.exe	66
PID 2440 wrote to memory of 316	2440	SearchIndexer.exe	66
PID 2440 wrote to memory of 316	2440	SearchIndexer.exe	66
PID 1984 wrote to memory of 2824	1984	mscorsvw.exe	67
PID 1984 wrote to memory of 2824	1984	mscorsvw.exe	67
PID 1984 wrote to memory of 2824	1984	mscorsvw.exe	67
PID 1984 wrote to memory of 2824	1984	mscorsvw.exe	67
PID 1984 wrote to memory of 2976	1984	mscorsvw.exe	68
PID 1984 wrote to memory of 2976	1984	mscorsvw.exe	68
PID 1984 wrote to memory of 2976	1984	mscorsvw.exe	68
PID 1984 wrote to memory of 2976	1984	mscorsvw.exe	68
PID 1984 wrote to memory of 1928	1984	mscorsvw.exe	69
PID 1984 wrote to memory of 1928	1984	mscorsvw.exe	69
PID 1984 wrote to memory of 1928	1984	mscorsvw.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
"C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
  "C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1076

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e4 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 1d0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1e4 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 25c -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 290 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 28c -NGENProcess 298 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 28c -NGENProcess 1e4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 294 -NGENProcess 2a0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 294 -NGENProcess 1ec -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 1ec -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 280 -NGENProcess 2b0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 1ec -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1320

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:360

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:268

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1452

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:668

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2476

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:316
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a24b202c855c85163b00e42784951910

SHA1
19155dda28ccf9339cb72e7bcdc088d29cc86100

SHA256
c5369b29160b564dfafad0fc62594d5b2ef30b79417adc39675c88bea0121c56

SHA512
9eff5db694081350bdb11b67d2f3ded337f6ff6169cc82e542df9f120894cfb893e13c8509c74497a5cddd13f16e52ad8155789736ecd4a929386b2e35338112

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
9d322ec3f09c51ad9b9b7eb0f194a36a

SHA1
d6e64fde995de05bf9531c79b1ee2aab2a2630f9

SHA256
21eb13dd1f4378135ffd87dcffe607148b223883bba40a6467f1f5dbac0f3ccd

SHA512
3e8c30bc02042076c187f880ca3d421feb00e89108d02946137061088af0300f02aacc0642ebe68820a7a0165e934e6180db6370b3a0709cdc2d1436f7e1c006

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cb8ae74e34ab118b0df7ef9c216af138

SHA1
c93a04e051315a759ae31e45ad823e9cfbb4454c

SHA256
e721da5057d242d498eece714a6738f3e95e0a919589c678991f5cdeb63e329d

SHA512
8bb0537012eb649b45b89cf081df0d06fb1e01771671edea0f26affc5d63cd665c53749023a510109dfa3517c990fd6e56a97cdbf58406d9c882e9a798fb889e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b2055c44c06efbac9b301f1194a4a573

SHA1
565a199d71b06cb528c0f97cae870edbceda57a8

SHA256
e56c33118f23b8921613f713aaa664a753e7792bd4a4f2f08edd05ba34ad2759

SHA512
35d03efe60f27247d8d7f3a6171a0c4b9c28f5cbe3c3580bbfe6f881a408cd38cbdffd287136fa233e5c1b634bf5433312294add50b14289869f98b63540f96c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2483b6fd9fc0fcaa0772b5ae86726fb

SHA1
668caf559f315cfacaf7bbbfde2f7f2927934b93

SHA256
99c3aa2560477ecf4eabcdffd97e1fa42aca2edb3219a1b74276ed18436e159c

SHA512
de85635e3572fb94ad2f0864e81ec881fcf6f9646d6bb704a04036376339fb118d3fde32243dee19d25f11d5dbcca70c480f618806487ba6326f34d275ac3749

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c7a4b5b368a5acc5e74c0c33e67d6636

SHA1
578c0e96165269a9d8988df2974d05c4c961f03c

SHA256
e19f11f7f26283615271f120fa0ef024d185c519db4c7787d0f55b3a2a361904

SHA512
200b24b6cc31c2177dfe439dc960b9e6b211e739faa517d59a92bdb5f2d7f598cc04c7a18dc7e4b50fc2f9b9d4b82a97c0e1748a167002d2caf36df0f12dda62

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
22003ca85dddb168a764447b27aecb0f

SHA1
a9448ab4f64c78e9da129a86c19124c7331791e4

SHA256
011588b9ed5c85a2ee0860de9c985c46555abc2a1492d9267e4a430bc8e196ac

SHA512
f45bc045e204655bf34cfba64c8f801bd9b7ce8e3d150f92f5553b6b5240ed45bfcfd0ec9a04d2c0314941efb362261f67656507cab30e935f71b2091a243457

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
22003ca85dddb168a764447b27aecb0f

SHA1
a9448ab4f64c78e9da129a86c19124c7331791e4

SHA256
011588b9ed5c85a2ee0860de9c985c46555abc2a1492d9267e4a430bc8e196ac

SHA512
f45bc045e204655bf34cfba64c8f801bd9b7ce8e3d150f92f5553b6b5240ed45bfcfd0ec9a04d2c0314941efb362261f67656507cab30e935f71b2091a243457

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4dbd74e84dffe712f1faeca4e2bf58a2

SHA1
db50ca283b5104265c8326df9c8cbc13e3bccb4f

SHA256
ace6f4f6cfc9bf667e2b6c94e760763745818596a8881c3672c2f2d4cea7a365

SHA512
60dfcadc4283f76c253c0344dd3069cef824856c3da68c25470126c87bd942f5879bb4bc0c0284882a80622ac026d6d6ff6efd3578ecde47542a7d5d4589c97d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
6c26fe643a0fae30a8ce540cafe1d1c2

SHA1
2a29fad8112940fe11f3ed78ed42a8aefa5f1da6

SHA256
6d4d4f393f9cab240041c343a11433772670d2af5c2153ccd11830d1d0fd0da8

SHA512
b0bf582715a6a961a1103e9593732e403402c47d4d9fa0860db0b4f069a91029c5aa5c1216375f6d1d5448b7b58f79d96ca1d72292e6deffa1a91afaea3003dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
acc798d491e9d8f1041de45be3df296a

SHA1
d1032b76a9541d0fec95b6fcd992ca86f1a2ae36

SHA256
9d04ce5c91a96c66f0fd6d12fb18485a4ef492d7c1f11cd2a43cf4ba79ee7758

SHA512
d315e33893b6c9346cd5276e5a1aaca68a6406ef8e98f1a0e72c774417638d562ecd7e8ee6927c8f13be4bb091864cec2a6d517eea915a16fa91c15bfdaa514a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
acc798d491e9d8f1041de45be3df296a

SHA1
d1032b76a9541d0fec95b6fcd992ca86f1a2ae36

SHA256
9d04ce5c91a96c66f0fd6d12fb18485a4ef492d7c1f11cd2a43cf4ba79ee7758

SHA512
d315e33893b6c9346cd5276e5a1aaca68a6406ef8e98f1a0e72c774417638d562ecd7e8ee6927c8f13be4bb091864cec2a6d517eea915a16fa91c15bfdaa514a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f4a36a78d2a618c7fa025f592f363747

SHA1
1c0852c96975e96c18fd50b777d16dbd5d445e28

SHA256
28463467e4fa67df16d16f9c87ea88200c4b9faf6614c7346e3669d904a62ebb

SHA512
be4494ec01d8767e271c95e7706ac83f67efffc1629a78c72bb6e7beadd11431e3558d715eb77e9ccabdb144cad7e9d2cbc3fc7e57c990cae7a42bedf64a1cd0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f4a36a78d2a618c7fa025f592f363747

SHA1
1c0852c96975e96c18fd50b777d16dbd5d445e28

SHA256
28463467e4fa67df16d16f9c87ea88200c4b9faf6614c7346e3669d904a62ebb

SHA512
be4494ec01d8767e271c95e7706ac83f67efffc1629a78c72bb6e7beadd11431e3558d715eb77e9ccabdb144cad7e9d2cbc3fc7e57c990cae7a42bedf64a1cd0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8284de2136e50eb397aaf3fdafcd1ad8

SHA1
cf52249b32f3179a6cf62c84296dc836045b161e

SHA256
e7697e46822b1b3bd4c9d5ac7131570f7dcc98aff6aa71bf7b1b367774b6be98

SHA512
95bfab7d8298de8d5315cd7d5bb074d066bd28fecd93c4f7f51de46922e8ee1962d995a4cd2d3313afe4fe2f825cb2421d9a68af3fd967d2ae5913a4f22b5e3a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1015d100516960ffc9717717e7977d3e

SHA1
878e5ea2f7d2d1ba0ad785b849e38666eabb5a93

SHA256
95d3522f05e2af6a03efb3890e6a7f010fea2597582daab28f064ccb944e192c

SHA512
40ad8b32b06c37cd6161afb6d3ca22978db0f9952ec795f86160b11ceb147a6f5a816f9ef1bf94a51664b119c2ec354abd33632412f18a3b2a24e533389a9056

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ba991c42ea56b32f83ad3e5c078eca2b

SHA1
d2dd60317897443973ae8109538fb4530ab49c6a

SHA256
0d6e5d14dc84e33c03d9f3ebc57a43f1944f47b08f0451dadbed296de8725091

SHA512
da26792a9e2cb6ae5d0ea1f2393b3443f13ec4c1712eca54f207835071ef4b624a79533184123ce11079200a07d169adb745ce0eac36a79bdd5fc70ac75ace6b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9a459f7f0911a369d07deb2aa063e211

SHA1
2e6a38f6b5b1fc5e506753cee6402d8b05a4f727

SHA256
2f6bddde5d38da2abcb9d8175b0e05ce17c264b2a06769161f53f7ee46d087fb

SHA512
a5fff76b8f2818ab36657884085ba6a89ef730a4917e28669a80994056984d6f18b89a60b851180e64ac2e6f324fc3a5ef675e720ddeb95406a0ecd0f478e825

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
b4bb696f8413ec93fe6a7abdae0c81cc

SHA1
b20d320fbb3304a6125d2e3349e0e25ddd094f70

SHA256
a35772fd954c02fc757d23fe887d4365b02b05c1a0c6bf0a2b516988388ae5f4

SHA512
db1ae6134c061f66a6a13e8646ec07b137d4267077b265f252d933f603e75ed764ae450615fa0e487dcbd83d0e6d1e69ba967bf3522f48db9c792a5bf687c34f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
a46932a5892edd785fb03874a93c7c98

SHA1
0b7490758dcf0bb122141b2b784151e3d9d52e9b

SHA256
a19abc99ed9db13b95a642370f2ecdc5f20eb3fb86406b9e5b802dea9649a6a7

SHA512
f758c36fb7cbf5e4d0ee6bf27892ba913596ea929fee8615e72869962ef28f0ee3c94b4aa49972b41aada542766201c7d81cecfb840b6db6f6a7feb9328ff8c1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
584f4dd7dcb44033d54e52b09d9f2cb7

SHA1
7cf0d74eac19ebd7452722b290907f68558f6783

SHA256
0f7a0846e4bbdeecb06ac67255444ae478a89dd005df59987374c0e2e26bb1a4

SHA512
83c943538a62d233ce91adfa24ac953c4dabb18db771e7cbb4577656434a2684b6b836f49b12a4293682813557109c6c463ddc32dc3bd615e92606b3b76058b7

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
9b44e48837b5bf0c3b2220bf6c0383cb

SHA1
e1dcace2ddd281b656afcb4e9d8811eda8b994af

SHA256
d0e8928071f854ce636d937eca785af483ca3a8b2bbfdf96840c7fd4eb61d024

SHA512
6e43e4a18a9f5f50ed61e3ea8d73fdb8d6d681dfaa3b355c1e0eeeae55b7c1e2d3907c3b2a3fb62370b3c61f1215e5d21cbde4aa4a9f4970f6434610afaae118

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
0436e858f877b5615d101d3db8fef9f1

SHA1
726cb808d7ae8ef833355335e6b9762fdc3d9008

SHA256
5d51c90d37ccaaff9330bf6a2b4f54951c8bca5d09038e48af6ae9483b0b701e

SHA512
075a0898ad6234f5f42f782788fa2bbe271ded3c6d571e29932a0b7140ddf9868b37aeba2fa65fd24c59bae2213547fe9291d3da6785a3b2c398ba544392da9a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4ea44eeb28b0f5a4a750cdce9fa3a2b3

SHA1
811fa452cc529059f02f62527db5b2d90fa22a35

SHA256
7360cf17177b8c57b97bd78daa637593414c0ae5e62e028627c9a0b74c7425fd

SHA512
d6aca42f8dfe8d0343e5c121ed0d221d9bcfba990740f9b4be1b653ea55767a6903e1eda999006825b50f0f94a370b647c1a07c1a30ae41c1824c22830779f35

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
598a0d201ae0edfc485bd2ec9a4bc47e

SHA1
dc0dd86a58e840861ca21b8f64ddc8c1686467ee

SHA256
3ecd62aa1de2fdea2df7d1d448ac1796ad19f9ecb753a0eb73ca8526a5ac92be

SHA512
e14de1c837fe7f23f99df857d7d36054e02a2d75057b01bab16c77e640e17e24d6aa2dd8d7ea44d8e31e520336be6b77f5aed2b5223af78eb04f4c9adf5cdfc1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e248c716635affa53a2f93beffed5306

SHA1
7071601f23add9c36891d7c69cdbce7f8e62bfb5

SHA256
cc2d5744b42539421bc36945f42014100d516d52c7784513aa2c69450abe9548

SHA512
9c4b00cc312694ab278c379927c1e46287a08694ba3bb22e93c57aa53f45559c43ed0e8fc30aa194f098975b724f23899028f59a06aceebb4a11b91c70906ba4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
d4dbe05ef75df5db42f123ac34c5bbc4

SHA1
3f705b613732b41a2d1942c670b6eebd151be97b

SHA256
8b2c80bdf09a7b716b3e793194ed8a54edec479c7646081568f0a3e2c4ca9a8f

SHA512
6893beb6ad116ef9cdc8309e5bdcd557499d783c373d52b8433e5742449fbd244978e4c14e2af99e40adbe5276fbe151876a7c2c2532fb534d44b0423d680048

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2e7fdf6f43f401c899df3d08a6b50a34

SHA1
d7180403f9486707cd33674889caa5c100654ac2

SHA256
1251ae13b1de1d7ededd1ca7bf27e33a490e5d61d65e9e174091605f2dede916

SHA512
09d335c4720052b323e0fbe98ac50c067f060a6e8f0e24cd1e4c7012349d8fd6689ef7a4ab56962805ed1c4ef13cd948a7e43466c01c8820d087e682dad23894

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
42e2ceba03badf2c6ddb82917d78bac3

SHA1
c7ea0fd7b38de5c9ea0fafd506f6aae40e99d666

SHA256
31ffc606dc71d0510bd211457045a557c02c3f540b8b9eea06afceb3b5509c2a

SHA512
56a674a74e1af9453257e85080d08665da924417bd64a9fa8253d4ffb25e72ac2cbdd06d3ac610c11f53ab51ea8e9be373f67a5e8667e76f59206bf9baae1ed2

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
27b0d33b63c96d60d66800b7eba360ef

SHA1
4917a47b1f778d2522e0d566182e84f9f8d9977e

SHA256
3a24b324509b7a10ff7ddbc0a2624d34e36b750c80fc6d1e991fd7421f77a7a4

SHA512
4e5c9f80020a19e5c937b6e3c55123d165db47a6c3f82e1f72c245b51dc688ed0632e4c916bcf768e4d12baab32a77f905ef951fee1ef8d4d2f1984254ece993

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d2b4012aee2a8dab2a36faf5f838a807

SHA1
bdcbe97d313b1bbf3e89262fc6d02f8691cd3a8a

SHA256
aee35934a6f4db44885ead44d46f4ce8029fe5cee2f075f28c82cc5522ef371d

SHA512
8cbd52840a1309ae2b0e7ec6c7711209e6e45ca643d2689381bd8cc9738ba161f5c1fa642e6cdd08a19f35babc38504a961fa3c0bc1d97c06be67f98102996cb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
598a0d201ae0edfc485bd2ec9a4bc47e

SHA1
dc0dd86a58e840861ca21b8f64ddc8c1686467ee

SHA256
3ecd62aa1de2fdea2df7d1d448ac1796ad19f9ecb753a0eb73ca8526a5ac92be

SHA512
e14de1c837fe7f23f99df857d7d36054e02a2d75057b01bab16c77e640e17e24d6aa2dd8d7ea44d8e31e520336be6b77f5aed2b5223af78eb04f4c9adf5cdfc1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c7a4b5b368a5acc5e74c0c33e67d6636

SHA1
578c0e96165269a9d8988df2974d05c4c961f03c

SHA256
e19f11f7f26283615271f120fa0ef024d185c519db4c7787d0f55b3a2a361904

SHA512
200b24b6cc31c2177dfe439dc960b9e6b211e739faa517d59a92bdb5f2d7f598cc04c7a18dc7e4b50fc2f9b9d4b82a97c0e1748a167002d2caf36df0f12dda62

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c7a4b5b368a5acc5e74c0c33e67d6636

SHA1
578c0e96165269a9d8988df2974d05c4c961f03c

SHA256
e19f11f7f26283615271f120fa0ef024d185c519db4c7787d0f55b3a2a361904

SHA512
200b24b6cc31c2177dfe439dc960b9e6b211e739faa517d59a92bdb5f2d7f598cc04c7a18dc7e4b50fc2f9b9d4b82a97c0e1748a167002d2caf36df0f12dda62

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
22003ca85dddb168a764447b27aecb0f

SHA1
a9448ab4f64c78e9da129a86c19124c7331791e4

SHA256
011588b9ed5c85a2ee0860de9c985c46555abc2a1492d9267e4a430bc8e196ac

SHA512
f45bc045e204655bf34cfba64c8f801bd9b7ce8e3d150f92f5553b6b5240ed45bfcfd0ec9a04d2c0314941efb362261f67656507cab30e935f71b2091a243457

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
6c26fe643a0fae30a8ce540cafe1d1c2

SHA1
2a29fad8112940fe11f3ed78ed42a8aefa5f1da6

SHA256
6d4d4f393f9cab240041c343a11433772670d2af5c2153ccd11830d1d0fd0da8

SHA512
b0bf582715a6a961a1103e9593732e403402c47d4d9fa0860db0b4f069a91029c5aa5c1216375f6d1d5448b7b58f79d96ca1d72292e6deffa1a91afaea3003dc

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9a459f7f0911a369d07deb2aa063e211

SHA1
2e6a38f6b5b1fc5e506753cee6402d8b05a4f727

SHA256
2f6bddde5d38da2abcb9d8175b0e05ce17c264b2a06769161f53f7ee46d087fb

SHA512
a5fff76b8f2818ab36657884085ba6a89ef730a4917e28669a80994056984d6f18b89a60b851180e64ac2e6f324fc3a5ef675e720ddeb95406a0ecd0f478e825

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
584f4dd7dcb44033d54e52b09d9f2cb7

SHA1
7cf0d74eac19ebd7452722b290907f68558f6783

SHA256
0f7a0846e4bbdeecb06ac67255444ae478a89dd005df59987374c0e2e26bb1a4

SHA512
83c943538a62d233ce91adfa24ac953c4dabb18db771e7cbb4577656434a2684b6b836f49b12a4293682813557109c6c463ddc32dc3bd615e92606b3b76058b7

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
9b44e48837b5bf0c3b2220bf6c0383cb

SHA1
e1dcace2ddd281b656afcb4e9d8811eda8b994af

SHA256
d0e8928071f854ce636d937eca785af483ca3a8b2bbfdf96840c7fd4eb61d024

SHA512
6e43e4a18a9f5f50ed61e3ea8d73fdb8d6d681dfaa3b355c1e0eeeae55b7c1e2d3907c3b2a3fb62370b3c61f1215e5d21cbde4aa4a9f4970f6434610afaae118

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
0436e858f877b5615d101d3db8fef9f1

SHA1
726cb808d7ae8ef833355335e6b9762fdc3d9008

SHA256
5d51c90d37ccaaff9330bf6a2b4f54951c8bca5d09038e48af6ae9483b0b701e

SHA512
075a0898ad6234f5f42f782788fa2bbe271ded3c6d571e29932a0b7140ddf9868b37aeba2fa65fd24c59bae2213547fe9291d3da6785a3b2c398ba544392da9a

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4ea44eeb28b0f5a4a750cdce9fa3a2b3

SHA1
811fa452cc529059f02f62527db5b2d90fa22a35

SHA256
7360cf17177b8c57b97bd78daa637593414c0ae5e62e028627c9a0b74c7425fd

SHA512
d6aca42f8dfe8d0343e5c121ed0d221d9bcfba990740f9b4be1b653ea55767a6903e1eda999006825b50f0f94a370b647c1a07c1a30ae41c1824c22830779f35

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
598a0d201ae0edfc485bd2ec9a4bc47e

SHA1
dc0dd86a58e840861ca21b8f64ddc8c1686467ee

SHA256
3ecd62aa1de2fdea2df7d1d448ac1796ad19f9ecb753a0eb73ca8526a5ac92be

SHA512
e14de1c837fe7f23f99df857d7d36054e02a2d75057b01bab16c77e640e17e24d6aa2dd8d7ea44d8e31e520336be6b77f5aed2b5223af78eb04f4c9adf5cdfc1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
598a0d201ae0edfc485bd2ec9a4bc47e

SHA1
dc0dd86a58e840861ca21b8f64ddc8c1686467ee

SHA256
3ecd62aa1de2fdea2df7d1d448ac1796ad19f9ecb753a0eb73ca8526a5ac92be

SHA512
e14de1c837fe7f23f99df857d7d36054e02a2d75057b01bab16c77e640e17e24d6aa2dd8d7ea44d8e31e520336be6b77f5aed2b5223af78eb04f4c9adf5cdfc1

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e248c716635affa53a2f93beffed5306

SHA1
7071601f23add9c36891d7c69cdbce7f8e62bfb5

SHA256
cc2d5744b42539421bc36945f42014100d516d52c7784513aa2c69450abe9548

SHA512
9c4b00cc312694ab278c379927c1e46287a08694ba3bb22e93c57aa53f45559c43ed0e8fc30aa194f098975b724f23899028f59a06aceebb4a11b91c70906ba4

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
d4dbe05ef75df5db42f123ac34c5bbc4

SHA1
3f705b613732b41a2d1942c670b6eebd151be97b

SHA256
8b2c80bdf09a7b716b3e793194ed8a54edec479c7646081568f0a3e2c4ca9a8f

SHA512
6893beb6ad116ef9cdc8309e5bdcd557499d783c373d52b8433e5742449fbd244978e4c14e2af99e40adbe5276fbe151876a7c2c2532fb534d44b0423d680048

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2e7fdf6f43f401c899df3d08a6b50a34

SHA1
d7180403f9486707cd33674889caa5c100654ac2

SHA256
1251ae13b1de1d7ededd1ca7bf27e33a490e5d61d65e9e174091605f2dede916

SHA512
09d335c4720052b323e0fbe98ac50c067f060a6e8f0e24cd1e4c7012349d8fd6689ef7a4ab56962805ed1c4ef13cd948a7e43466c01c8820d087e682dad23894

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
42e2ceba03badf2c6ddb82917d78bac3

SHA1
c7ea0fd7b38de5c9ea0fafd506f6aae40e99d666

SHA256
31ffc606dc71d0510bd211457045a557c02c3f540b8b9eea06afceb3b5509c2a

SHA512
56a674a74e1af9453257e85080d08665da924417bd64a9fa8253d4ffb25e72ac2cbdd06d3ac610c11f53ab51ea8e9be373f67a5e8667e76f59206bf9baae1ed2

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
27b0d33b63c96d60d66800b7eba360ef

SHA1
4917a47b1f778d2522e0d566182e84f9f8d9977e

SHA256
3a24b324509b7a10ff7ddbc0a2624d34e36b750c80fc6d1e991fd7421f77a7a4

SHA512
4e5c9f80020a19e5c937b6e3c55123d165db47a6c3f82e1f72c245b51dc688ed0632e4c916bcf768e4d12baab32a77f905ef951fee1ef8d4d2f1984254ece993

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d2b4012aee2a8dab2a36faf5f838a807

SHA1
bdcbe97d313b1bbf3e89262fc6d02f8691cd3a8a

SHA256
aee35934a6f4db44885ead44d46f4ce8029fe5cee2f075f28c82cc5522ef371d

SHA512
8cbd52840a1309ae2b0e7ec6c7711209e6e45ca643d2689381bd8cc9738ba161f5c1fa642e6cdd08a19f35babc38504a961fa3c0bc1d97c06be67f98102996cb

Download Submit
memory/268-506-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/268-186-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/268-200-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/268-180-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/288-135-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/288-116-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/360-169-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/360-199-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/360-166-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/360-168-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/360-159-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/360-153-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/360-448-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/668-226-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/668-242-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/764-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/764-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/764-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/764-75-0x0000000000BC0000-0x0000000000C26000-memory.dmp

Filesize
408KB

Download
memory/764-70-0x0000000000BC0000-0x0000000000C26000-memory.dmp

Filesize
408KB

Download
memory/764-95-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/764-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/764-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/764-339-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/764-67-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/824-97-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/824-341-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/884-175-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/884-416-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/884-172-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1048-104-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1048-99-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1048-98-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1048-100-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1048-102-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1048-105-0x0000000000C60000-0x0000000000D1C000-memory.dmp

Filesize
752KB

Download
memory/1076-117-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1076-224-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1320-57-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1320-59-0x0000000005E50000-0x0000000005F88000-memory.dmp

Filesize
1.2MB

Download
memory/1320-58-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/1320-54-0x0000000000D80000-0x0000000000EFE000-memory.dmp

Filesize
1.5MB

Download
memory/1320-56-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/1320-55-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1320-60-0x0000000005F90000-0x0000000006140000-memory.dmp

Filesize
1.7MB

Download
memory/1320-65-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1320-167-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1452-203-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1452-191-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1556-83-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1556-96-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1556-89-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1740-345-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1740-305-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1740-202-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/1912-140-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1984-141-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1984-127-0x0000000000830000-0x0000000000896000-memory.dmp

Filesize
408KB

Download
memory/1984-132-0x0000000000830000-0x0000000000896000-memory.dmp

Filesize
408KB

Download
memory/2068-451-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2136-243-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2172-379-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2184-382-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2236-449-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2252-709-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2252-266-0x0000000000660000-0x0000000000869000-memory.dmp

Filesize
2.0MB

Download
memory/2252-265-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2252-710-0x0000000000660000-0x0000000000869000-memory.dmp

Filesize
2.0MB

Download
memory/2324-267-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2324-283-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2404-527-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2440-492-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2476-306-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2512-378-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2512-425-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2516-302-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2588-418-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2600-420-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2632-712-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2632-307-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2640-304-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2640-372-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2824-711-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2836-320-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2868-322-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2904-446-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2904-421-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2960-343-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/3048-347-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download