blustealer | 7a62f4e361c2f327d6d3949e1d05ba5a9d36bf88e25a1fe567e037bbc8943a94

Analysis

max time kernel
141s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Size

1.6MB
MD5

e90e41677f6030ffc3eac62929ced1d9
SHA1

edb0a2acdec33328a864ac178bfb0b42a2e0d444
SHA256

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
SHA512

a2e20c8b160c366baed60adca173587e5c3b94b811f4f52ac3aaab01a0301716e30cc7c7d2a426ee32a6df651021717e4fe097073610860a949e7933468e10fa
SSDEEP

24576:KRKQxWUF61/J27K4mgZB67gTsD6RROjiDefziWX2GDjGBXtnZYx:K4QcUFO34mg367gTOwMMohjw9Z+

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 30 IoCs

pid	Process
460	Process not Found
1296	alg.exe
2024	aspnet_state.exe
1780	mscorsvw.exe
1944	mscorsvw.exe
1676	mscorsvw.exe
1688	mscorsvw.exe
908	dllhost.exe
1700	ehRecvr.exe
1864	mscorsvw.exe
2032	mscorsvw.exe
1600	mscorsvw.exe
656	mscorsvw.exe
316	mscorsvw.exe
956	mscorsvw.exe
1284	ehsched.exe
960	elevation_service.exe
1540	IEEtwCollector.exe
1332	GROOVE.EXE
1524	maintenanceservice.exe
1748	msdtc.exe
2028	msiexec.exe
2112	OSE.EXE
2152	OSPPSVC.EXE
2240	perfhost.exe
2272	locator.exe
2348	snmptrap.exe
2448	vds.exe
2524	vssvc.exe
2600	wbengine.exe

Loads dropped DLL 13 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2028	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b349862347bf3ad0.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\locator.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\vds.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\alg.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1372 set thread context of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1480 set thread context of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BE3DB381-14B4-4E51-8443-A128B60F5D6E}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BE3DB381-14B4-4E51-8443-A128B60F5D6E}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1824	ehRec.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: 33	1692	EhTray.exe
Token: SeIncBasePriorityPrivilege	1692	EhTray.exe
Token: SeDebugPrivilege	1824	ehRec.exe
Token: 33	1692	EhTray.exe
Token: SeIncBasePriorityPrivilege	1692	EhTray.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	2028	msiexec.exe
Token: SeBackupPrivilege	2524	vssvc.exe
Token: SeRestorePrivilege	2524	vssvc.exe
Token: SeAuditPrivilege	2524	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1372 wrote to memory of 1480	1372	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	27
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1480 wrote to memory of 1532	1480	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	31
PID 1676 wrote to memory of 1864	1676	mscorsvw.exe	37
PID 1676 wrote to memory of 1864	1676	mscorsvw.exe	37
PID 1676 wrote to memory of 1864	1676	mscorsvw.exe	37
PID 1676 wrote to memory of 1864	1676	mscorsvw.exe	37
PID 1676 wrote to memory of 2032	1676	mscorsvw.exe	38
PID 1676 wrote to memory of 2032	1676	mscorsvw.exe	38
PID 1676 wrote to memory of 2032	1676	mscorsvw.exe	38
PID 1676 wrote to memory of 2032	1676	mscorsvw.exe	38
PID 1676 wrote to memory of 1600	1676	mscorsvw.exe	39
PID 1676 wrote to memory of 1600	1676	mscorsvw.exe	39
PID 1676 wrote to memory of 1600	1676	mscorsvw.exe	39
PID 1676 wrote to memory of 1600	1676	mscorsvw.exe	39
PID 1676 wrote to memory of 656	1676	mscorsvw.exe	40
PID 1676 wrote to memory of 656	1676	mscorsvw.exe	40
PID 1676 wrote to memory of 656	1676	mscorsvw.exe	40
PID 1676 wrote to memory of 656	1676	mscorsvw.exe	40
PID 1676 wrote to memory of 316	1676	mscorsvw.exe	41
PID 1676 wrote to memory of 316	1676	mscorsvw.exe	41
PID 1676 wrote to memory of 316	1676	mscorsvw.exe	41
PID 1676 wrote to memory of 316	1676	mscorsvw.exe	41
PID 1676 wrote to memory of 956	1676	mscorsvw.exe	42
PID 1676 wrote to memory of 956	1676	mscorsvw.exe	42
PID 1676 wrote to memory of 956	1676	mscorsvw.exe	42
PID 1676 wrote to memory of 956	1676	mscorsvw.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
"C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
  "C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1780

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:908

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1540

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2112

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2692

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
51bb5b3f46c9e43aac396ddf6677be58

SHA1
1b642358a1ce6fd946c7be320dff0d982cf4ba98

SHA256
4bdff679b5c33b4b4ea981057251aa0aa837c3c17a83b475ade574cef2c75d38

SHA512
b60f35a570226a5afa59b76e38addd8d63e92167bd47aaac914addf79fb7da2b7958b0e02ece3b3926906bc34d7c6cb64621f9a2d7d7ca0fb7b9c472edcd5489

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
843b928325e57cb7dd01439bbe6a7cc4

SHA1
8e8ae68c3e4cbc829f47f790fbcc12f808d5c426

SHA256
65a8af12385bb7aae5b030804641d534d90b51dc465b0ca1461bd4512ecdae07

SHA512
7d973b98cdd5ed88655b7e826974be38ce467304c9aea6d4920d256cc1b264de77a1ea2a4188d8c71cea3eb0d58e15159fddf1f87b264b091ace72c7fa986e54

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
52f68ccc3a463e7e6c2c1cd0b28b34e2

SHA1
7be2739741dbe0240166dd3328435cab6757b312

SHA256
2300a53348c30b74703e88346594559296935a9f07424a7463f8db5b67dfe0ff

SHA512
8b00cb64d00805409f2130e8e2f223c59de7b5a7e662fc63b7682cd36ec483f8350d1d40c397afcb1c239a3fa3af2d9c4df2a5f1fda79a011a1f2df637ff0179

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
cad0a0231d3d9ec9223b4322eed6eca6

SHA1
5738406feebfd51aee9f2c2d998240bc3a8ec329

SHA256
b71fe685883e1011c3fc42f2fac7e533abe519f02ff5a5c185b7c64e26b98a74

SHA512
db791229190b2b46e08faf25431544332cb009050d0f4ad7d21505078920a63e3ad871a9f5a53b5cfdf8b0ffea26f2ff6a549f9bbf4003423d63269d90b3d0bb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3b980e7837ae73b66a9a2ac0f41ab6d1

SHA1
425be7e62569c1666355e9b401d01b47e3bdff15

SHA256
1021868230f67ae89ce83dbab105fa0f61e3885f1e88a731b9f4cd2bf1ddea86

SHA512
e6815c0b434db7c0f9275968022fffe9ac56e455f38cf5049aaf9805adf0f556341ebb305d246b11ad0f75e45273c7d33f738db57ef5699df1be6e0980cb5b22

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b8a3c94bee9a913f9f1de5ef2eaf997a

SHA1
40baf6386d6ac4e7bae57f31dd182b3da79eb2de

SHA256
c9ef2d298d94214c780e63d4bcbb4cc99579c4dc09d6050d4486ae9d2321998b

SHA512
f146a0e2347089cd165686785fd7be0fddecc48c82cd4081252c2d0cf00a8bd974e1593561a99df38fffd104db730e1b2639b67752fa91d5a27008050599d705

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e6a9adc57d6c2ffdbadc6abeab233e89

SHA1
76dc0b6822f3e72b1cff9ec954eb7b94b532f5d7

SHA256
9b6439bd2b285a5a091a7ce680aafe91102801dd0a30eed0be7f30d557786805

SHA512
c2fe650b87754614ffb6951986865f9c9a7911757596fb1ee4bf5de8fd555f7bdc3985136e8afa0ece1b4ef6b9045d53b9079bfd95bd5131eaaa7244673b87b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e6a9adc57d6c2ffdbadc6abeab233e89

SHA1
76dc0b6822f3e72b1cff9ec954eb7b94b532f5d7

SHA256
9b6439bd2b285a5a091a7ce680aafe91102801dd0a30eed0be7f30d557786805

SHA512
c2fe650b87754614ffb6951986865f9c9a7911757596fb1ee4bf5de8fd555f7bdc3985136e8afa0ece1b4ef6b9045d53b9079bfd95bd5131eaaa7244673b87b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
46a526f05cc9948a1002e58efb63a2cf

SHA1
1e4351f892617414e941af9273fa74ad22055acc

SHA256
39bf731c8f3a6338de533ac67ad4df8617fd8939f3d1140efc3aa01740c0868e

SHA512
a068ce3944648264ebad8e499a79891be75986dbd902ae72c19e0c0f270e171ef6b218071bafc23765371698532cfa50033d7d57ce92e191084006449153fd7f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
4226a6a6c6f182328dc05c06d10741d3

SHA1
bdddf16ae871a39f4bb8e37cd5157c35cf2a32bc

SHA256
ab574b34acf64152f02b763759e12c06e8c4667af0fdb3fe701dcd1012c7b1fd

SHA512
07d32d8f5eba2c94f6387e37e2e560861b77468f60c1ca7b29d61f677fb5213c7bc759b11cc67a77ff313bc41431154666424e791507140978ed7eb4054ec3a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0391324c591d45ee07e650fc147bc5e8

SHA1
a87d39c4ba87cddd3c5153563347fddfe66675a1

SHA256
677463c11ec27ec5e4d5c2544ba4e8ed50415a699f3b1ecbf8465605204b06e2

SHA512
17a6ebe9f9a2907f841a14f09938c2d8855bb15a793c8ed8a6fc91057c56f688d41329898781fcbaa11bdaa8f47f9000f15e2948f68d19d1757c93c1c2eb5db1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0391324c591d45ee07e650fc147bc5e8

SHA1
a87d39c4ba87cddd3c5153563347fddfe66675a1

SHA256
677463c11ec27ec5e4d5c2544ba4e8ed50415a699f3b1ecbf8465605204b06e2

SHA512
17a6ebe9f9a2907f841a14f09938c2d8855bb15a793c8ed8a6fc91057c56f688d41329898781fcbaa11bdaa8f47f9000f15e2948f68d19d1757c93c1c2eb5db1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6719e7c166498838d43176b170f135b1

SHA1
9cacbbb2f06b939adfb5cf1b0cc5469af4fd1458

SHA256
4276368633acc1fcc45d09d573f02bf8a35d5cb63e48fb65f11bad4e38a26814

SHA512
f378a48db232504b4dbb2be5475f4ec0d0e6c1792500223a73f26efb4a427ff372fa911b1782b63345be10c4b0ee25a176918a7222256135b0fc076ab90b59e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6719e7c166498838d43176b170f135b1

SHA1
9cacbbb2f06b939adfb5cf1b0cc5469af4fd1458

SHA256
4276368633acc1fcc45d09d573f02bf8a35d5cb63e48fb65f11bad4e38a26814

SHA512
f378a48db232504b4dbb2be5475f4ec0d0e6c1792500223a73f26efb4a427ff372fa911b1782b63345be10c4b0ee25a176918a7222256135b0fc076ab90b59e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
df5f01dad022dcf99c6ef4c98d711b51

SHA1
e36a46fababc69cd454da3282495ccfaa60d22ee

SHA256
c682bdd07f298b75019db8aaa2eb9f883b2ba9dac78f0c108caafe8a1153d251

SHA512
2a03bc1019d8c25516caada57adc4455430dd664007ae51b83b3d317ab145b46428616746658884cbfcf1a1be626c412963ce4ab00108adccf085a8288f22644

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9123de2bb9257ea19d36c4753547cac8

SHA1
d80f6879b6b12fc51c9fb7c84e4cf2215d5d20fb

SHA256
d057384f28db0e87ac245fd4da6b03d80e78393ec9dd13e40a7742b8bcdcdc62

SHA512
9a4a901dcd278afc7604315d78d746193022c27682b3baac37e33a4cc791d515e7f1789bc3721c68b870bd9d4f30de88acfdaa51f1c130061f77c5f5bf019a6a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
99ee3a773bf51a58f84289c82d60b6b8

SHA1
fc3a78132b27dd4e2c4b82ec11d812f52148c66d

SHA256
6c2b592f3341334b02bb31a7307b14c13f762c34db5cf661df97e731f442d2a2

SHA512
752d04bd738f5df098a3f74f3e97a483fa839954166e329ae23b877c03164350216f10074bb86e2ac3667a4682a5b983308603aadfd4316951c58cbbd6632741

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5edfa3554d72f832a363ae920c5bdcbe

SHA1
4560585a0ed40f12b8a392a150497377665c12a8

SHA256
4ba05af64fedbac2453bac756081677f4d5265d158ce9e6a10a3983c45f023da

SHA512
e740468cbeace0c23ccebdcbc2642deae6d4cfd1a16fd0547a6e1fd2da1b91411202f1069da7b6d472add0e1e1e8ec0662c087a110063158df5e9ac806f97bd5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d256de2aec5de3221075c70842fbacb4

SHA1
a195bd90f76ca66b676762bec36307702d9ca067

SHA256
c9689c5f21f41ee9b0d8f22e95aaa14478e8f99e312d76f98e10aaaa0d06d31d

SHA512
157cb2043e99c76811849dae28f2bdd3b78da0eeb648bbc1d1f90ea54f00869a85f423f644ab5176e5ae0cf26ec223e11d027dc9bbdd471d8a3ce3e38082dc3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
c3057b7d21f049eaa64ab7f677c2f50a

SHA1
08325e8c97dfe29b20e7ce60d14c92972caf2194

SHA256
0548248969c2ff4a0da7c85cebebb8f26c3c026ca6dd241aec2e9d559996bca8

SHA512
5ba1dca3e0b1b623364cf91848a53d996fb995784c938c32f273786d930e9a83e2958543abe4502e8d7591d673407512a7c88310f5fe32a43ecb16869f51f0a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6eca596a45bfe921d80d3b2220cb4aa2

SHA1
1ffcf11bc1100856bba922b88d8ade1703827940

SHA256
7f9e29d45075a48836434820f6f169dd0bcc13e377447c1af13b41e539bedb46

SHA512
30f612ef8189c2cf8c092aee792a775f7780a62f9c7909b3cc779b1dadb590b9ad9a7016c8221d8952e8ecd416d135b20d16e41a461f9f716e221ee71d77612a

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
77b8d2d6931f8f6adb1b76db0dce5280

SHA1
694a22c259f7c3c6ce66609a1ac07847699d8008

SHA256
b05da08ae5e591e0a19d6978fa8c7ac4685bfcfe8fd1136482289e6ad1157dbc

SHA512
3ca31b92c13dc6ad739f5179804e5848fe84bdcd71084aff489cf81c239bd6f978827e3eb923b712db922fc7c42c746d26696d8830fb9ea600e9e65ea6529b20

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
ce9afb63280636b0ee737193c16340b8

SHA1
c2f7e69f7d2ba62b27cbb0e63577a28abb302807

SHA256
2cacaaa321b36916a51375568fd34a4d6dc67e1501b807f337745122ac5c123c

SHA512
fd2e84f65603f14aaa6ec9bbe5ccd92449e55570cf13180cbd9c79621cf01463c36c2013ae21797619a0b2e3b30d4d2233d06fbe6f4f03d22ac35e85e664b82d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3afa2228f5c652ea210aa33ec91feafd

SHA1
d58d7fe18cf7f1078a6d3bd16288663d9a49f315

SHA256
9e993ebdcc822bddd72f03ec95e0dab59be6ef53ef05b13c767e6c571519a781

SHA512
c71904001835e9837304d83fb4f3970c06e4f5527c3dd917c640898da05275245d2a6690b04c2f35629587f8086bbcb5f477b5e2ac7103fd64729c5349a820f5

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0484e6dfc96eaad7081ff8dcfed2bdf9

SHA1
317c64c47025660e99b26ba5be57fd563531dcfc

SHA256
51736795d4725c7951e931998c7e1ac777930605c1f0485480ec5584cd1bd50c

SHA512
2b457317f88e9917dda56c6fb78626e1f617c750a789410dd5733e05392b1fa3efedb1628d81a5d95f9bdd58e9766c4ce8c87be4359b4b5d48cfe8deee1b2eb2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d8899b7fa7096bd8aa4213812c664519

SHA1
c68888ffbe8ed5fd043a8ecacfb493767d66fb4a

SHA256
02aa46b4f865207936f64c493ad2880ca7d6f7c722faa444bba20c15ca3254c7

SHA512
a1236232350bf7c9a3e89a325bd01600e639b1e7ff090cc79b2839fff6ab901d1c00a77bd5cdc4b7c19f420196a716805ea8248b1d43f5028c76c0d387f9e00a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
6f24af2b5ec587ebdea1fc2db9477c9c

SHA1
edfc59456f790c8afe1162633378fba389396bcf

SHA256
f82bc47c60b08b519c5c1c89459842c1f0ee5cd94ec43e7f14e9957f8e02b0e1

SHA512
5d7d4c418830b5160104c7cdd8e204f257e657cb0d626841e25742824ad8b98b7af8f50b1406cfd0d702e467f9ba1c107cabaa42fadfed1f74ee5d7f443a816d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4e790eb9335c3d94593acb1246d28f2d

SHA1
ab90f752b00420384a9b4bea1aa0bf5868e97259

SHA256
924159fbf700dfdeffdbabee9f37ecd040a22d0124b9e72b5cb0cfd617f8e40a

SHA512
e96447dcf17f009bdf09e7a1df681ed312002ac6eb1a60d07255aa07066fd7cd2496932037357392b9c63925ea9e8db8f8ad6934c75013f15d81d99ffd1d4e2d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d522e1a0a703240de9a0061d0913d1f2

SHA1
e73f7d6a88811f8d1b77b8ee5e74b68ce019e953

SHA256
3fcd79c21e6e9bca70d21c5c7edbf86d19f8dd71b2e3777b3517c8424767ac0b

SHA512
b2267ed7ef4526a8693abde4add908705d3d7382faa4c236102138721512a2917a259641d03dfb6f91479d11a103e361f94adb56bdf95893e91acd07ab98352f

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
188a65d0e41c87f1177a8f84163e5c8d

SHA1
bc37b692f34adf5817ffe10c83e157aefdacf1f4

SHA256
d0d7dbfcda47baf86406c60532beffde8e51d3ee8205ca89d9ec60fc00bb6106

SHA512
369e6fda86b3a85b2e07615e32eb153a112cb1fdf52972f353824045248f52df0573a7ad28d3de7a75228d5e677bc0ed43a585175b1d8c553721d66e2e8b4d6d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
95809d1f1fa9758c62a84e64ef2e7baf

SHA1
2022313ab1addf0089f1605e7a18593e0049f1ed

SHA256
5c7157a46e1e0ed875a7752e4c1cd44b8923aa4f238ae97543a7f84542ad433b

SHA512
be6d92e018aa08b02d1807b6c9265cb165e22c9bbc7326a304a4273762bfc5607c24f6e315eeda428a2f8a298efdec7b0425e9be8117cf03bc8e0267d2a6f809

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
0484e6dfc96eaad7081ff8dcfed2bdf9

SHA1
317c64c47025660e99b26ba5be57fd563531dcfc

SHA256
51736795d4725c7951e931998c7e1ac777930605c1f0485480ec5584cd1bd50c

SHA512
2b457317f88e9917dda56c6fb78626e1f617c750a789410dd5733e05392b1fa3efedb1628d81a5d95f9bdd58e9766c4ce8c87be4359b4b5d48cfe8deee1b2eb2

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b8a3c94bee9a913f9f1de5ef2eaf997a

SHA1
40baf6386d6ac4e7bae57f31dd182b3da79eb2de

SHA256
c9ef2d298d94214c780e63d4bcbb4cc99579c4dc09d6050d4486ae9d2321998b

SHA512
f146a0e2347089cd165686785fd7be0fddecc48c82cd4081252c2d0cf00a8bd974e1593561a99df38fffd104db730e1b2639b67752fa91d5a27008050599d705

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b8a3c94bee9a913f9f1de5ef2eaf997a

SHA1
40baf6386d6ac4e7bae57f31dd182b3da79eb2de

SHA256
c9ef2d298d94214c780e63d4bcbb4cc99579c4dc09d6050d4486ae9d2321998b

SHA512
f146a0e2347089cd165686785fd7be0fddecc48c82cd4081252c2d0cf00a8bd974e1593561a99df38fffd104db730e1b2639b67752fa91d5a27008050599d705

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e6a9adc57d6c2ffdbadc6abeab233e89

SHA1
76dc0b6822f3e72b1cff9ec954eb7b94b532f5d7

SHA256
9b6439bd2b285a5a091a7ce680aafe91102801dd0a30eed0be7f30d557786805

SHA512
c2fe650b87754614ffb6951986865f9c9a7911757596fb1ee4bf5de8fd555f7bdc3985136e8afa0ece1b4ef6b9045d53b9079bfd95bd5131eaaa7244673b87b7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
4226a6a6c6f182328dc05c06d10741d3

SHA1
bdddf16ae871a39f4bb8e37cd5157c35cf2a32bc

SHA256
ab574b34acf64152f02b763759e12c06e8c4667af0fdb3fe701dcd1012c7b1fd

SHA512
07d32d8f5eba2c94f6387e37e2e560861b77468f60c1ca7b29d61f677fb5213c7bc759b11cc67a77ff313bc41431154666424e791507140978ed7eb4054ec3a2

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5edfa3554d72f832a363ae920c5bdcbe

SHA1
4560585a0ed40f12b8a392a150497377665c12a8

SHA256
4ba05af64fedbac2453bac756081677f4d5265d158ce9e6a10a3983c45f023da

SHA512
e740468cbeace0c23ccebdcbc2642deae6d4cfd1a16fd0547a6e1fd2da1b91411202f1069da7b6d472add0e1e1e8ec0662c087a110063158df5e9ac806f97bd5

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6eca596a45bfe921d80d3b2220cb4aa2

SHA1
1ffcf11bc1100856bba922b88d8ade1703827940

SHA256
7f9e29d45075a48836434820f6f169dd0bcc13e377447c1af13b41e539bedb46

SHA512
30f612ef8189c2cf8c092aee792a775f7780a62f9c7909b3cc779b1dadb590b9ad9a7016c8221d8952e8ecd416d135b20d16e41a461f9f716e221ee71d77612a

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
77b8d2d6931f8f6adb1b76db0dce5280

SHA1
694a22c259f7c3c6ce66609a1ac07847699d8008

SHA256
b05da08ae5e591e0a19d6978fa8c7ac4685bfcfe8fd1136482289e6ad1157dbc

SHA512
3ca31b92c13dc6ad739f5179804e5848fe84bdcd71084aff489cf81c239bd6f978827e3eb923b712db922fc7c42c746d26696d8830fb9ea600e9e65ea6529b20

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
ce9afb63280636b0ee737193c16340b8

SHA1
c2f7e69f7d2ba62b27cbb0e63577a28abb302807

SHA256
2cacaaa321b36916a51375568fd34a4d6dc67e1501b807f337745122ac5c123c

SHA512
fd2e84f65603f14aaa6ec9bbe5ccd92449e55570cf13180cbd9c79621cf01463c36c2013ae21797619a0b2e3b30d4d2233d06fbe6f4f03d22ac35e85e664b82d

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3afa2228f5c652ea210aa33ec91feafd

SHA1
d58d7fe18cf7f1078a6d3bd16288663d9a49f315

SHA256
9e993ebdcc822bddd72f03ec95e0dab59be6ef53ef05b13c767e6c571519a781

SHA512
c71904001835e9837304d83fb4f3970c06e4f5527c3dd917c640898da05275245d2a6690b04c2f35629587f8086bbcb5f477b5e2ac7103fd64729c5349a820f5

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0484e6dfc96eaad7081ff8dcfed2bdf9

SHA1
317c64c47025660e99b26ba5be57fd563531dcfc

SHA256
51736795d4725c7951e931998c7e1ac777930605c1f0485480ec5584cd1bd50c

SHA512
2b457317f88e9917dda56c6fb78626e1f617c750a789410dd5733e05392b1fa3efedb1628d81a5d95f9bdd58e9766c4ce8c87be4359b4b5d48cfe8deee1b2eb2

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0484e6dfc96eaad7081ff8dcfed2bdf9

SHA1
317c64c47025660e99b26ba5be57fd563531dcfc

SHA256
51736795d4725c7951e931998c7e1ac777930605c1f0485480ec5584cd1bd50c

SHA512
2b457317f88e9917dda56c6fb78626e1f617c750a789410dd5733e05392b1fa3efedb1628d81a5d95f9bdd58e9766c4ce8c87be4359b4b5d48cfe8deee1b2eb2

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d8899b7fa7096bd8aa4213812c664519

SHA1
c68888ffbe8ed5fd043a8ecacfb493767d66fb4a

SHA256
02aa46b4f865207936f64c493ad2880ca7d6f7c722faa444bba20c15ca3254c7

SHA512
a1236232350bf7c9a3e89a325bd01600e639b1e7ff090cc79b2839fff6ab901d1c00a77bd5cdc4b7c19f420196a716805ea8248b1d43f5028c76c0d387f9e00a

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
6f24af2b5ec587ebdea1fc2db9477c9c

SHA1
edfc59456f790c8afe1162633378fba389396bcf

SHA256
f82bc47c60b08b519c5c1c89459842c1f0ee5cd94ec43e7f14e9957f8e02b0e1

SHA512
5d7d4c418830b5160104c7cdd8e204f257e657cb0d626841e25742824ad8b98b7af8f50b1406cfd0d702e467f9ba1c107cabaa42fadfed1f74ee5d7f443a816d

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4e790eb9335c3d94593acb1246d28f2d

SHA1
ab90f752b00420384a9b4bea1aa0bf5868e97259

SHA256
924159fbf700dfdeffdbabee9f37ecd040a22d0124b9e72b5cb0cfd617f8e40a

SHA512
e96447dcf17f009bdf09e7a1df681ed312002ac6eb1a60d07255aa07066fd7cd2496932037357392b9c63925ea9e8db8f8ad6934c75013f15d81d99ffd1d4e2d

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d522e1a0a703240de9a0061d0913d1f2

SHA1
e73f7d6a88811f8d1b77b8ee5e74b68ce019e953

SHA256
3fcd79c21e6e9bca70d21c5c7edbf86d19f8dd71b2e3777b3517c8424767ac0b

SHA512
b2267ed7ef4526a8693abde4add908705d3d7382faa4c236102138721512a2917a259641d03dfb6f91479d11a103e361f94adb56bdf95893e91acd07ab98352f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
188a65d0e41c87f1177a8f84163e5c8d

SHA1
bc37b692f34adf5817ffe10c83e157aefdacf1f4

SHA256
d0d7dbfcda47baf86406c60532beffde8e51d3ee8205ca89d9ec60fc00bb6106

SHA512
369e6fda86b3a85b2e07615e32eb153a112cb1fdf52972f353824045248f52df0573a7ad28d3de7a75228d5e677bc0ed43a585175b1d8c553721d66e2e8b4d6d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
95809d1f1fa9758c62a84e64ef2e7baf

SHA1
2022313ab1addf0089f1605e7a18593e0049f1ed

SHA256
5c7157a46e1e0ed875a7752e4c1cd44b8923aa4f238ae97543a7f84542ad433b

SHA512
be6d92e018aa08b02d1807b6c9265cb165e22c9bbc7326a304a4273762bfc5607c24f6e315eeda428a2f8a298efdec7b0425e9be8117cf03bc8e0267d2a6f809

Download Submit
memory/316-215-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/316-230-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/656-216-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/908-157-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/956-274-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/956-229-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/960-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/960-277-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1284-243-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1284-276-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1284-422-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1296-88-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1296-82-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1296-95-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1332-273-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1372-58-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/1372-54-0x0000000001240000-0x00000000013E0000-memory.dmp

Filesize
1.6MB

Download
memory/1372-60-0x0000000007EF0000-0x00000000080A0000-memory.dmp

Filesize
1.7MB

Download
memory/1372-59-0x0000000007DB0000-0x0000000007EE8000-memory.dmp

Filesize
1.2MB

Download
memory/1372-55-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/1372-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-57-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/1480-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1480-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1480-217-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1480-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1480-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1480-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1480-69-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/1480-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1480-74-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/1480-94-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1524-311-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1524-295-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1532-126-0x0000000000A40000-0x0000000000AFC000-memory.dmp

Filesize
752KB

Download
memory/1532-114-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1532-108-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1532-107-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1532-106-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1532-139-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/1532-116-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1540-284-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1540-266-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1600-204-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1600-192-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1600-183-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/1676-120-0x0000000000C50000-0x0000000000CB6000-memory.dmp

Filesize
408KB

Download
memory/1676-125-0x0000000000C50000-0x0000000000CB6000-memory.dmp

Filesize
408KB

Download
memory/1676-138-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1688-158-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1700-151-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1700-159-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1748-308-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1780-103-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1824-280-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/1824-279-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/1824-275-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/1824-364-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/1864-181-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1864-170-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1864-163-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/1864-168-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/1944-136-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2024-96-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2024-218-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2028-463-0x00000000004E0000-0x00000000006E9000-memory.dmp

Filesize
2.0MB

Download
memory/2028-324-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2028-328-0x00000000004E0000-0x00000000006E9000-memory.dmp

Filesize
2.0MB

Download
memory/2028-462-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2032-172-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2032-193-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2032-177-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2112-339-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2152-486-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2152-342-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2240-493-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2240-349-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2272-366-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2348-369-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2448-381-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2524-396-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2600-409-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2692-431-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2812-427-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2900-443-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download