blustealer | d4f62b8520f3f0e84b19769be0f7bcdc20e41af8cea048261f3e37c0428b22d7

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/05/2023, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order 202319876.exe
Size

1.5MB
MD5

a838a2013c038b3a5039cb9abb199922
SHA1

6a315d36c940cd95359cd4ef46c5688352a22a42
SHA256

d4f62b8520f3f0e84b19769be0f7bcdc20e41af8cea048261f3e37c0428b22d7
SHA512

8b80c742b598d0df74e5d7b57e5ceb386d74531572a41b02614651ef9f914367e00ef23c12548f9009500af8ca9d6085406d417fc405f6ca528222a77ea83cbe
SSDEEP

24576:Bq3UElwshsKgvyH1kz7iQ2Py9so+4XfbqQtTpSrwCDCSD85vvOn2rRAJdqfcd7AH:Q3UElf6Lk1y7iSFd5BvWn2WJdyk8P

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 39 IoCs

pid	Process
464	Process not Found
1692	alg.exe
1608	aspnet_state.exe
1936	mscorsvw.exe
1888	mscorsvw.exe
1040	mscorsvw.exe
920	mscorsvw.exe
1316	dllhost.exe
1568	ehRecvr.exe
1300	ehsched.exe
1724	elevation_service.exe
1624	mscorsvw.exe
1772	mscorsvw.exe
2096	mscorsvw.exe
2216	mscorsvw.exe
2408	IEEtwCollector.exe
2484	mscorsvw.exe
2520	GROOVE.EXE
2652	maintenanceservice.exe
2736	msdtc.exe
2840	msiexec.exe
2940	OSE.EXE
2980	OSPPSVC.EXE
3056	perfhost.exe
3068	mscorsvw.exe
2132	locator.exe
1368	snmptrap.exe
2332	vds.exe
2428	vssvc.exe
2548	wbengine.exe
2724	WmiApSrv.exe
2760	wmpnetwk.exe
2952	SearchIndexer.exe
2360	mscorsvw.exe
2584	mscorsvw.exe
1468	mscorsvw.exe
784	mscorsvw.exe
2224	mscorsvw.exe
484	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2840	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\690173fadecfa14c.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order 202319876.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 332	1316	Purchase Order 202319876.exe	29
PID 332 set thread context of 316	332	Purchase Order 202319876.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchase Order 202319876.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase Order 202319876.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4E1FC57-584E-41D1-AFDE-F4ED26161410}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase Order 202319876.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase Order 202319876.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4E1FC57-584E-41D1-AFDE-F4ED26161410}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase Order 202319876.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{8967DB7F-89F7-4FE9-BB6A-4A791E689E5B}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{8967DB7F-89F7-4FE9-BB6A-4A791E689E5B}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1316	Purchase Order 202319876.exe
1316	Purchase Order 202319876.exe
1368	ehRec.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe
332	Purchase Order 202319876.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	Purchase Order 202319876.exe
Token: SeTakeOwnershipPrivilege	332	Purchase Order 202319876.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: 33	784	EhTray.exe
Token: SeIncBasePriorityPrivilege	784	EhTray.exe
Token: SeDebugPrivilege	1368	ehRec.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: 33	784	EhTray.exe
Token: SeIncBasePriorityPrivilege	784	EhTray.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeSecurityPrivilege	2840	msiexec.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe
Token: SeBackupPrivilege	2548	wbengine.exe
Token: SeRestorePrivilege	2548	wbengine.exe
Token: SeSecurityPrivilege	2548	wbengine.exe
Token: 33	2760	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2760	wmpnetwk.exe
Token: SeManageVolumePrivilege	2952	SearchIndexer.exe
Token: 33	2952	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2952	SearchIndexer.exe
Token: SeDebugPrivilege	332	Purchase Order 202319876.exe
Token: SeDebugPrivilege	332	Purchase Order 202319876.exe
Token: SeDebugPrivilege	332	Purchase Order 202319876.exe
Token: SeDebugPrivilege	332	Purchase Order 202319876.exe
Token: SeDebugPrivilege	332	Purchase Order 202319876.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
784	EhTray.exe
784	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
784	EhTray.exe
784	EhTray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
332	Purchase Order 202319876.exe
2872	SearchProtocolHost.exe
2872	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1120	1316	Purchase Order 202319876.exe	28
PID 1316 wrote to memory of 1120	1316	Purchase Order 202319876.exe	28
PID 1316 wrote to memory of 1120	1316	Purchase Order 202319876.exe	28
PID 1316 wrote to memory of 1120	1316	Purchase Order 202319876.exe	28
PID 1316 wrote to memory of 1640	1316	Purchase Order 202319876.exe	30
PID 1316 wrote to memory of 1640	1316	Purchase Order 202319876.exe	30
PID 1316 wrote to memory of 1640	1316	Purchase Order 202319876.exe	30
PID 1316 wrote to memory of 1640	1316	Purchase Order 202319876.exe	30
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 1316 wrote to memory of 332	1316	Purchase Order 202319876.exe	29
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 332 wrote to memory of 316	332	Purchase Order 202319876.exe	34
PID 1040 wrote to memory of 1624	1040	mscorsvw.exe	44
PID 1040 wrote to memory of 1624	1040	mscorsvw.exe	44
PID 1040 wrote to memory of 1624	1040	mscorsvw.exe	44
PID 1040 wrote to memory of 1624	1040	mscorsvw.exe	44
PID 1040 wrote to memory of 1772	1040	mscorsvw.exe	45
PID 1040 wrote to memory of 1772	1040	mscorsvw.exe	45
PID 1040 wrote to memory of 1772	1040	mscorsvw.exe	45
PID 1040 wrote to memory of 1772	1040	mscorsvw.exe	45
PID 1040 wrote to memory of 2096	1040	mscorsvw.exe	46
PID 1040 wrote to memory of 2096	1040	mscorsvw.exe	46
PID 1040 wrote to memory of 2096	1040	mscorsvw.exe	46
PID 1040 wrote to memory of 2096	1040	mscorsvw.exe	46
PID 1040 wrote to memory of 2216	1040	mscorsvw.exe	47
PID 1040 wrote to memory of 2216	1040	mscorsvw.exe	47
PID 1040 wrote to memory of 2216	1040	mscorsvw.exe	47
PID 1040 wrote to memory of 2216	1040	mscorsvw.exe	47
PID 1040 wrote to memory of 2484	1040	mscorsvw.exe	49
PID 1040 wrote to memory of 2484	1040	mscorsvw.exe	49
PID 1040 wrote to memory of 2484	1040	mscorsvw.exe	49
PID 1040 wrote to memory of 2484	1040	mscorsvw.exe	49
PID 1040 wrote to memory of 3068	1040	mscorsvw.exe	57
PID 1040 wrote to memory of 3068	1040	mscorsvw.exe	57
PID 1040 wrote to memory of 3068	1040	mscorsvw.exe	57
PID 1040 wrote to memory of 3068	1040	mscorsvw.exe	57
PID 1040 wrote to memory of 2360	1040	mscorsvw.exe	66
PID 1040 wrote to memory of 2360	1040	mscorsvw.exe	66
PID 1040 wrote to memory of 2360	1040	mscorsvw.exe	66
PID 1040 wrote to memory of 2360	1040	mscorsvw.exe	66
PID 2952 wrote to memory of 2872	2952	SearchIndexer.exe	67
PID 2952 wrote to memory of 2872	2952	SearchIndexer.exe	67
PID 2952 wrote to memory of 2872	2952	SearchIndexer.exe	67
PID 1040 wrote to memory of 2584	1040	mscorsvw.exe	68
PID 1040 wrote to memory of 2584	1040	mscorsvw.exe	68
PID 1040 wrote to memory of 2584	1040	mscorsvw.exe	68
PID 1040 wrote to memory of 2584	1040	mscorsvw.exe	68
PID 1040 wrote to memory of 1468	1040	mscorsvw.exe	69
PID 1040 wrote to memory of 1468	1040	mscorsvw.exe	69
PID 1040 wrote to memory of 1468	1040	mscorsvw.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  PID:1120
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:316
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  PID:1640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 24c -NGENProcess 264 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 288 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1316

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1568

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2940

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
07069317e6219465f66ed4884a78c127

SHA1
957a718139afbd6993c75704df61d7b03b3fc292

SHA256
33a71eabd42b7d36111f1450520e5be5ffffe5c799b2b2f99b24f150e53ce31d

SHA512
55a807650bccc6dcd44885e7b082ea6a3aae558dd42da760baa52d1500e7f3eff04870df1243f8de6bf48b70075271c3d8a2a6fa7deca758d0718f1abf4f2ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
acacda2375a2ce49d81ad0bf2e90588a

SHA1
775d88677f452f7d2a17d47243de96285ad9f6ea

SHA256
0fe427d7c021b69cae31ce4c21b99f7c7c87f9dec87179e079e5d08cfe08f723

SHA512
01c5650775b24a91d66bc0f112aa530e85e4abd155b919ddef41c801a53fa4ee02eb827aa7949714bfec59def7e84fa7fd65e028908cfe4f0662fab9c9bf24e9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9c5120b18f7b9bd4601ed791c652ee79

SHA1
0c20b1730cd65d5eea009e16f893e41c2b1c0a7e

SHA256
51ac30946936dfb53ad05ba33726bc04ed3af5d5d38594c824db486d2e491e0d

SHA512
c3dbe978b632634481b42899124cea814094916dae576d508da09aab86ba74e38207e965efb74ee86eae9f9b51cdc0c489bd2d697de37f1a63c7d048ae8ee733

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
4b68a5ff618ae7f39dffe6838ffd2c3e

SHA1
1716a7817c9b3bdafd0264a8f8d1f79a8b10a7b5

SHA256
d8917128c78f34909c87daeb428f387490e2fcf89675693580dd07b541fab4ba

SHA512
6fe690607011eb02629e246139cca370c6a64b0943b456415d6a972d47b679d9b9cc15aff7f12ba2c9e3769cb7719f99cfe42bc46c221d1c002a0a4801739f8b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2ac36cec50f92f2f57f9f72dcd30ea83

SHA1
f12034dca5b1e79b23b9a3939ff70a10dac78287

SHA256
81c4a300f4b44643026963979366854bbd9e538635dd364cfa5310cf00e54e9a

SHA512
be276e82306a0643777fe32e50438c0aecd1a3bb5f09eec73c3780c5752249065f5141948266546281734323fdabb4d6d5480d4cf38ada82e0fb8d489b585ad3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d1402b514e4c03072bb261c604a71af5

SHA1
3a5cde5b2013410cd4919f983ed0c110d9429cdc

SHA256
1168d9d1372f47a9bc913f562c4ced596c147a029d23bfc950482cfc50e2cbe8

SHA512
d6aa5f0c20fdf18cbfaab2986f96895a64ffb96cc9d15c43649bc4e56c3a86a383c81433b3813a45d93eef637825abdc9a3eefcc452533de38fb367f247917ae

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
06e16e1a0008dab1d2036e5b3d361af0

SHA1
e8ba074b5955509826219fd3bc7580ecbd2b5b3e

SHA256
765bfc531bedca3040eccea71a5efb4373d5daa1c4035833df6afdcdd25b1e7c

SHA512
88dcff59a9b105d2210cd9b21d522633169e150d9dab301ea53c2684910e3fdf250bb54af238fe2603629d9b4dcb4f4fd1244583e025ce265ac759aa674a0ff9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
06e16e1a0008dab1d2036e5b3d361af0

SHA1
e8ba074b5955509826219fd3bc7580ecbd2b5b3e

SHA256
765bfc531bedca3040eccea71a5efb4373d5daa1c4035833df6afdcdd25b1e7c

SHA512
88dcff59a9b105d2210cd9b21d522633169e150d9dab301ea53c2684910e3fdf250bb54af238fe2603629d9b4dcb4f4fd1244583e025ce265ac759aa674a0ff9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3aee7f4d16edc2eedfb0538d5b6e6e2a

SHA1
6532e9a971cc26796233ce8dd05b48facac249d5

SHA256
ff17387f67b2151593556032ffe98b525469cd3bf737a9c4e077716f7072b534

SHA512
a7a4997d4a6e009fc340286ea2d3e7c923e396b2c9547756506a3f0a9eab2d7ac22cff4c475137fa31d9abb9d4c19d4c715c27f3b3f4033aea6a87d826fa875b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
dfed8ea6d5c5fe7285825cbe73632581

SHA1
bd15489d8d2d39ee54cea6251d57d05b880c0542

SHA256
9bb3d0d436a042c936c2030bdea32c9b7fdf43c59365b5c571fef9fd8f716f0d

SHA512
ce7518fd7783044a2532522e99053410b30fb1f40d6a9e955886d8b2306accf73bd0c332b688a208abc9dc569205ec1583e668bc5aa1744a52a6a04682083782

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
01a9ba431c85b6876cdad9e2bf0b6801

SHA1
6133cab28c3dbf15ba28703379bd9f49cf3a44ff

SHA256
958d97d09f932e8eaadc73924d9911af2881ded846d77c6d4b2a2d6c92d4fede

SHA512
d5094c4e07ec522b41c9e65080f2a897dbc566ee1812074f2d683c0c7559dedbeada67dfb7ec54b25cdc3967a5d8c6f596c6b2543e984803d2bf6013e6ce0b7e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
01a9ba431c85b6876cdad9e2bf0b6801

SHA1
6133cab28c3dbf15ba28703379bd9f49cf3a44ff

SHA256
958d97d09f932e8eaadc73924d9911af2881ded846d77c6d4b2a2d6c92d4fede

SHA512
d5094c4e07ec522b41c9e65080f2a897dbc566ee1812074f2d683c0c7559dedbeada67dfb7ec54b25cdc3967a5d8c6f596c6b2543e984803d2bf6013e6ce0b7e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0e0c11f2de6f0977d59c77d2a0901faa

SHA1
fa54d47ed9a95a2ffe9937af35943658e33e6f00

SHA256
6fe96e822eb15fea66a1df636e33bf6bf16fa6814352e9756754ef722f41dc20

SHA512
4af22913e375d228572a440711afcd71c511d0ef4f1d1cd9201d2e21030637dcfc2fd8d8fda369539dfba26ba0154a9cd4fb58b41302440e848ab7222f0351e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0e0c11f2de6f0977d59c77d2a0901faa

SHA1
fa54d47ed9a95a2ffe9937af35943658e33e6f00

SHA256
6fe96e822eb15fea66a1df636e33bf6bf16fa6814352e9756754ef722f41dc20

SHA512
4af22913e375d228572a440711afcd71c511d0ef4f1d1cd9201d2e21030637dcfc2fd8d8fda369539dfba26ba0154a9cd4fb58b41302440e848ab7222f0351e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
51ab981155b4eda5f02e221966c8b7ef

SHA1
4550e99d8420fd65b1e16b594f195a19eae948a5

SHA256
b4c87576fd7591857e40daf707b2b7645c61bdfaa5a0e2ebafa8598f31a76b3e

SHA512
069d36a40932b24698294cabd3241a91706aeb02f99f2f5d8517a264df9be9aa03c3a6493520f0807af4f0b5347b739ca5ae841fec20d5059813dd79c4a49ff8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8314f12c7248830a23fe88d97f78c381

SHA1
54e7f318f626bffc661e8508fb0466d31d916d3d

SHA256
8ba0e1fa421413c10f0a361c6a85f3114b74a9403959a2fd9ac125032d0bdaca

SHA512
d8f36943ffc04f233a2f73498a3280d113e616382a2d4cee7ac2617ae19b20a554eb51f180d1be5ec8dc25100f207e4a4cf868a7d86c3f9fafc1530202665125

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
da9baa292bf288fe80d6f1635ec9a0b3

SHA1
f2e833d557d38d1a74462d8245705cbaeb341d79

SHA256
a00a00c32af61b6b6379f5e68435c7ab1744034017ff6473842265d3bfa672e0

SHA512
1141d7378baecf5e6cbc898c9fc2827d7d02c498bd39477bec231e57134039374ddd5b240ca062769338358ea96fe6d8d23effa1ac0ac6f822013752d4c9fff4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
327cfa9d9d8b9fc97b04403ac36cab74

SHA1
562f702cf556210f3e1e1f2c6786f0c337d85e9e

SHA256
a8150907e72840d7e430b48c9f8be1a6bbd9cfce750ac18e422eef24fa8319a7

SHA512
75dcfc48e908c050f80923ae8a5584f4110107e4b1a62cb5cf926d8159ecf868620557c02e1ac898f029ffad283a4728b424a1afb461f8bb086c0dba6c13f4e9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
dcb2e945340f3f6071c8ff9c687d05dc

SHA1
2f2c534cf6709a0d98c46928fea5720b8aad0712

SHA256
ac601423d2ef0ec9daf39dba9b0fe5f02303d50a37af425d603a5976c1eecc4e

SHA512
70c2047c58cff8f7617d461a96cde7af5bcbd580a04867981a4b8d821b9fadb378c9bbf7bf997a8ea44f70df32db71829af4facfe417ca405b13a6e5f5f5f75a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
24ac4036fccf3da843cab26490eaa010

SHA1
54a548b2efe7b4f6f95c5acf857ea9ec2a931837

SHA256
005a2571e7213d5914a4a61b8bcbd38895e129a351debde95ccfe6445699e7e7

SHA512
a771fbb74794a2e1ebd1a7450a2982b3f8e081b0cf55fde89a0360bc8e12e797a1ea5e57205c2f79aca32de1fcaad7b9b81b6786a7ee08ea1f2d374d5592b370

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1080daf54a448abc3f4e9ac020fb1a20

SHA1
6ab9decc46a6fbc38cfcdb7e7fc650c7af3e2c55

SHA256
4f536a64124005337a0a069bb6647b8b708370bd71f1573fb7af57add3f8c0b1

SHA512
3b714449065f02c98414c7804f9f4ce615469b21f2cc7d6495a95d0f62011736e8141ecae04862d8e87c3a192873475759f1caeadde9d3850c2c316b69d53741

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
482c14b93cb66ca3245e919a4f420829

SHA1
2e8ab0399e0d874933e1b05a7f4a81ec8a9f8079

SHA256
31cac9b27561a3ec71333d27dc32f63dec8b1a9cdc76a0477daba14f0f98e361

SHA512
4c9478f54f36d9a2212141544bd1ed703a7b69ab8f9941bfebe3e17212969d35ae4aa3126582b87bd145c792b7b9f066f6894c29aecbdc92b1cf755284cb43ed

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
81a6f7a58eb6b4b310f1e529ea51afb7

SHA1
aa38cf7b462c94464bcd12ff362a34d403a6ee91

SHA256
925cf7f6bdf628b8b3c096fc63058e474a3b41208f811642244d474f898071f8

SHA512
213e07b534cac86cd34d5d039816dd33ddc4cbab884da488bfd8c34f0d3563115b8f53ee1b7c4355d77d1a36a6d8d78e5613d05cb2be22c898e348162fc3db93

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
49cd7412a7642505eb0a59bf6883ad4a

SHA1
ec52629fc76f12cd743fee12adaa6eba495bbbc8

SHA256
2f154f64e2ff211c00f7d6170dd082e762400471c5873f0fbd31a7bd5971d1b9

SHA512
4d27b58e88da5a8a552f42e37cd9d4222592373f4c275c1581c4ccdefb24e0b07ab15c018a1bd72b0fff8a38f22166f65534bc9f551214fb722be74615c3b1b5

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3d6684f6ad731f848867ed08ed370f8e

SHA1
833a9aadd2c333c77fec43b03dc0222ebc426aaa

SHA256
27291c2d7472a9a1853904bdd7284f66f6338a2708df9401f315e7d87c847479

SHA512
565068c091e0e17f496c5770ff8964f6b6fd8591accf1f184e0e1baea710273c473dfd39c231d0ab12f7122a3aa85eb07c8a6747931e59d819ad5e565880f1e9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
58c058dbd4adbed1fa28b3a0706c06d3

SHA1
9b32d792ca379b8e5c4b6cef5915975eb887ef74

SHA256
75ee8d41850072740286d58137fbda04227ecaa9a0bbe31b249437d8d112e17c

SHA512
56be2108fc5ca9889beef6b06378d10c052bb0349a16214ec56d2447a09d43d167799aed771ea14ab6f7a99a975a95a3656eea4a8b6904aeae4fce2b8d1b43e9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
5bfb3c8c2489f9042d91e68854f97f22

SHA1
e350e2260604f5fb7010186b50d809ae673070c4

SHA256
192c51a2be4d5427e21892c05cae92e807d5133a538c22748a2a5c9a661b24f3

SHA512
86f365e6b201e5d6ee8a5f3b3b3c1edd6548e26d54b8df344a4a945752355333e98b42f6b1d03a96f152df6900e72b81dc72d6f97c8a25867984f263d9f9bcf0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d05b4acab0fe61ee50f26e5be371e85e

SHA1
ee247ac2da44de7c7aa2f65d486cb18f7b581598

SHA256
bd2dd010e11be5a74d7e7858d02be2bfaea7eb9d085eb35066e6681adf7acecc

SHA512
449dfbdc03fc86ad7a8fd9c24a8c935dfae747fdeb651e4377dea9bc07cd8a6c3184515d1159667a683647b43f17e9c6d2e52fae340d6cd061720de63c555d42

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5f69d7750747bad876be10759ca15876

SHA1
80ee53b34c0034f4378f22c5cf7d81d1aebe172f

SHA256
81aea4bc03139ed88e00d07d4b95828a294c23e469b2c32b9b53bed35e360ede

SHA512
f2f3e4bc8cbf7fd0b3832835810931a4f691af8c3d56ef3207a1e0f0bcdbdaa2bd317d6ab43e76d82af8306df5537a81a0420182dd6aaca17d51d759627dd889

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a83f736b51f31827b2964281eb085274

SHA1
5bf8aa4947600323162139437d186400078f19d2

SHA256
63ada4f5e28beb7e428b591a2529afcf2e9921ee3b72df033390b6cbd61e6257

SHA512
5eda5f95422fd926cc1d1498d9e26459e6e25e62b17045bbdeaa4648d70d45dfb718f6efbb612a9578f33a214ac767a9f1adf916fec41fe8845ecd093bd84b31

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
7ffe0f2a60efd1d2d3d32925bab197b2

SHA1
092f5dea2399b5e5ae717ab9d7f7c1d5ef301824

SHA256
a65fce8dcd91cd233f11655d07ca2f485ce2942a5123f6b9a73c9b06f4e6d621

SHA512
39f1196c4af7010ee87097e1b9b82df1cadf76a27b692f04d2a238d0601943465fda8d9e5950077e87583b63beb7c0afe38014368671cbf37fcb333158a83107

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3d6684f6ad731f848867ed08ed370f8e

SHA1
833a9aadd2c333c77fec43b03dc0222ebc426aaa

SHA256
27291c2d7472a9a1853904bdd7284f66f6338a2708df9401f315e7d87c847479

SHA512
565068c091e0e17f496c5770ff8964f6b6fd8591accf1f184e0e1baea710273c473dfd39c231d0ab12f7122a3aa85eb07c8a6747931e59d819ad5e565880f1e9

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d1402b514e4c03072bb261c604a71af5

SHA1
3a5cde5b2013410cd4919f983ed0c110d9429cdc

SHA256
1168d9d1372f47a9bc913f562c4ced596c147a029d23bfc950482cfc50e2cbe8

SHA512
d6aa5f0c20fdf18cbfaab2986f96895a64ffb96cc9d15c43649bc4e56c3a86a383c81433b3813a45d93eef637825abdc9a3eefcc452533de38fb367f247917ae

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
d1402b514e4c03072bb261c604a71af5

SHA1
3a5cde5b2013410cd4919f983ed0c110d9429cdc

SHA256
1168d9d1372f47a9bc913f562c4ced596c147a029d23bfc950482cfc50e2cbe8

SHA512
d6aa5f0c20fdf18cbfaab2986f96895a64ffb96cc9d15c43649bc4e56c3a86a383c81433b3813a45d93eef637825abdc9a3eefcc452533de38fb367f247917ae

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
06e16e1a0008dab1d2036e5b3d361af0

SHA1
e8ba074b5955509826219fd3bc7580ecbd2b5b3e

SHA256
765bfc531bedca3040eccea71a5efb4373d5daa1c4035833df6afdcdd25b1e7c

SHA512
88dcff59a9b105d2210cd9b21d522633169e150d9dab301ea53c2684910e3fdf250bb54af238fe2603629d9b4dcb4f4fd1244583e025ce265ac759aa674a0ff9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
dfed8ea6d5c5fe7285825cbe73632581

SHA1
bd15489d8d2d39ee54cea6251d57d05b880c0542

SHA256
9bb3d0d436a042c936c2030bdea32c9b7fdf43c59365b5c571fef9fd8f716f0d

SHA512
ce7518fd7783044a2532522e99053410b30fb1f40d6a9e955886d8b2306accf73bd0c332b688a208abc9dc569205ec1583e668bc5aa1744a52a6a04682083782

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
327cfa9d9d8b9fc97b04403ac36cab74

SHA1
562f702cf556210f3e1e1f2c6786f0c337d85e9e

SHA256
a8150907e72840d7e430b48c9f8be1a6bbd9cfce750ac18e422eef24fa8319a7

SHA512
75dcfc48e908c050f80923ae8a5584f4110107e4b1a62cb5cf926d8159ecf868620557c02e1ac898f029ffad283a4728b424a1afb461f8bb086c0dba6c13f4e9

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1080daf54a448abc3f4e9ac020fb1a20

SHA1
6ab9decc46a6fbc38cfcdb7e7fc650c7af3e2c55

SHA256
4f536a64124005337a0a069bb6647b8b708370bd71f1573fb7af57add3f8c0b1

SHA512
3b714449065f02c98414c7804f9f4ce615469b21f2cc7d6495a95d0f62011736e8141ecae04862d8e87c3a192873475759f1caeadde9d3850c2c316b69d53741

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
482c14b93cb66ca3245e919a4f420829

SHA1
2e8ab0399e0d874933e1b05a7f4a81ec8a9f8079

SHA256
31cac9b27561a3ec71333d27dc32f63dec8b1a9cdc76a0477daba14f0f98e361

SHA512
4c9478f54f36d9a2212141544bd1ed703a7b69ab8f9941bfebe3e17212969d35ae4aa3126582b87bd145c792b7b9f066f6894c29aecbdc92b1cf755284cb43ed

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
81a6f7a58eb6b4b310f1e529ea51afb7

SHA1
aa38cf7b462c94464bcd12ff362a34d403a6ee91

SHA256
925cf7f6bdf628b8b3c096fc63058e474a3b41208f811642244d474f898071f8

SHA512
213e07b534cac86cd34d5d039816dd33ddc4cbab884da488bfd8c34f0d3563115b8f53ee1b7c4355d77d1a36a6d8d78e5613d05cb2be22c898e348162fc3db93

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
49cd7412a7642505eb0a59bf6883ad4a

SHA1
ec52629fc76f12cd743fee12adaa6eba495bbbc8

SHA256
2f154f64e2ff211c00f7d6170dd082e762400471c5873f0fbd31a7bd5971d1b9

SHA512
4d27b58e88da5a8a552f42e37cd9d4222592373f4c275c1581c4ccdefb24e0b07ab15c018a1bd72b0fff8a38f22166f65534bc9f551214fb722be74615c3b1b5

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3d6684f6ad731f848867ed08ed370f8e

SHA1
833a9aadd2c333c77fec43b03dc0222ebc426aaa

SHA256
27291c2d7472a9a1853904bdd7284f66f6338a2708df9401f315e7d87c847479

SHA512
565068c091e0e17f496c5770ff8964f6b6fd8591accf1f184e0e1baea710273c473dfd39c231d0ab12f7122a3aa85eb07c8a6747931e59d819ad5e565880f1e9

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3d6684f6ad731f848867ed08ed370f8e

SHA1
833a9aadd2c333c77fec43b03dc0222ebc426aaa

SHA256
27291c2d7472a9a1853904bdd7284f66f6338a2708df9401f315e7d87c847479

SHA512
565068c091e0e17f496c5770ff8964f6b6fd8591accf1f184e0e1baea710273c473dfd39c231d0ab12f7122a3aa85eb07c8a6747931e59d819ad5e565880f1e9

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
58c058dbd4adbed1fa28b3a0706c06d3

SHA1
9b32d792ca379b8e5c4b6cef5915975eb887ef74

SHA256
75ee8d41850072740286d58137fbda04227ecaa9a0bbe31b249437d8d112e17c

SHA512
56be2108fc5ca9889beef6b06378d10c052bb0349a16214ec56d2447a09d43d167799aed771ea14ab6f7a99a975a95a3656eea4a8b6904aeae4fce2b8d1b43e9

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
5bfb3c8c2489f9042d91e68854f97f22

SHA1
e350e2260604f5fb7010186b50d809ae673070c4

SHA256
192c51a2be4d5427e21892c05cae92e807d5133a538c22748a2a5c9a661b24f3

SHA512
86f365e6b201e5d6ee8a5f3b3b3c1edd6548e26d54b8df344a4a945752355333e98b42f6b1d03a96f152df6900e72b81dc72d6f97c8a25867984f263d9f9bcf0

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d05b4acab0fe61ee50f26e5be371e85e

SHA1
ee247ac2da44de7c7aa2f65d486cb18f7b581598

SHA256
bd2dd010e11be5a74d7e7858d02be2bfaea7eb9d085eb35066e6681adf7acecc

SHA512
449dfbdc03fc86ad7a8fd9c24a8c935dfae747fdeb651e4377dea9bc07cd8a6c3184515d1159667a683647b43f17e9c6d2e52fae340d6cd061720de63c555d42

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5f69d7750747bad876be10759ca15876

SHA1
80ee53b34c0034f4378f22c5cf7d81d1aebe172f

SHA256
81aea4bc03139ed88e00d07d4b95828a294c23e469b2c32b9b53bed35e360ede

SHA512
f2f3e4bc8cbf7fd0b3832835810931a4f691af8c3d56ef3207a1e0f0bcdbdaa2bd317d6ab43e76d82af8306df5537a81a0420182dd6aaca17d51d759627dd889

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a83f736b51f31827b2964281eb085274

SHA1
5bf8aa4947600323162139437d186400078f19d2

SHA256
63ada4f5e28beb7e428b591a2529afcf2e9921ee3b72df033390b6cbd61e6257

SHA512
5eda5f95422fd926cc1d1498d9e26459e6e25e62b17045bbdeaa4648d70d45dfb718f6efbb612a9578f33a214ac767a9f1adf916fec41fe8845ecd093bd84b31

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
7ffe0f2a60efd1d2d3d32925bab197b2

SHA1
092f5dea2399b5e5ae717ab9d7f7c1d5ef301824

SHA256
a65fce8dcd91cd233f11655d07ca2f485ce2942a5123f6b9a73c9b06f4e6d621

SHA512
39f1196c4af7010ee87097e1b9b82df1cadf76a27b692f04d2a238d0601943465fda8d9e5950077e87583b63beb7c0afe38014368671cbf37fcb333158a83107

Download Submit
memory/316-106-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/316-129-0x0000000004300000-0x00000000043BC000-memory.dmp

Filesize
752KB

Download
memory/316-116-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/316-118-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/316-108-0x0000000000140000-0x00000000001A6000-memory.dmp

Filesize
408KB

Download
memory/316-107-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/332-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-67-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-75-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/332-64-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-70-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/332-220-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-96-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/332-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/920-149-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1040-120-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/1040-135-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1040-125-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/1300-175-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1300-248-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1300-170-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1300-224-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1316-61-0x000000000D120000-0x000000000D2D0000-memory.dmp

Filesize
1.7MB

Download
memory/1316-147-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1316-60-0x0000000009FE0000-0x000000000A118000-memory.dmp

Filesize
1.2MB

Download
memory/1316-59-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/1316-58-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1316-57-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/1316-56-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/1316-54-0x00000000000E0000-0x0000000000260000-memory.dmp

Filesize
1.5MB

Download
memory/1316-55-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/1368-388-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/1368-187-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1368-183-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/1568-222-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1568-172-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1568-181-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1568-153-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1568-174-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1568-173-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1568-159-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1608-98-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1624-208-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1624-189-0x0000000000BE0000-0x0000000000C46000-memory.dmp

Filesize
408KB

Download
memory/1624-194-0x0000000000BE0000-0x0000000000C46000-memory.dmp

Filesize
408KB

Download
memory/1692-97-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1692-89-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1692-83-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1724-179-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1724-182-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1724-225-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1772-237-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1772-209-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1888-128-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1936-127-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2096-221-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2096-238-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2132-385-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2216-236-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2216-443-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2332-390-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2360-616-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2360-701-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2408-271-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2428-412-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2484-686-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2484-274-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2520-683-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2520-285-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2548-416-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2584-693-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2652-292-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2652-307-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2724-446-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2736-316-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2760-448-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2840-321-0x0000000000590000-0x0000000000799000-memory.dmp

Filesize
2.0MB

Download
memory/2840-314-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2840-703-0x0000000000590000-0x0000000000799000-memory.dmp

Filesize
2.0MB

Download
memory/2840-702-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2940-345-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2952-449-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2980-349-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2980-704-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3056-355-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/3068-612-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3068-358-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download