blustealer | 6bd883240fc97aff61fdafa84f6b28ac22849b0097dc80c3a4cfa75611cf14b6

Analysis

max time kernel
133s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/05/2023, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.5MB
MD5

50815feaceafebb93a883fd6790af856
SHA1

9eee055af8be7bc6de2b6a3b869b553758ca741f
SHA256

a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3
SHA512

08fedff0fca35a0be3201f41e2583089284640e98f8597d4b33582e3b0b7157db4d7da0b1587deccd69564911b702fe159e9de9700cf6edee875cbf191d64e0d
SSDEEP

24576:EMQt9u/6kEu3h2ZuJPsbIf0O9AXpTHH6yTuEBEel9DWtJ/qBcME7W+DUn+GOaHjR:Wt9u/6kzwu7sjFpBEeritJ4QB0ZljJ

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 37 IoCs

pid	Process
468	Process not Found
1408	alg.exe
1468	aspnet_state.exe
1120	mscorsvw.exe
1816	mscorsvw.exe
1908	mscorsvw.exe
1464	mscorsvw.exe
1072	dllhost.exe
464	ehRecvr.exe
1640	ehsched.exe
1696	elevation_service.exe
1824	IEEtwCollector.exe
1724	GROOVE.EXE
1752	mscorsvw.exe
1924	maintenanceservice.exe
2100	mscorsvw.exe
2196	msdtc.exe
2320	mscorsvw.exe
2372	msiexec.exe
2544	OSE.EXE
2628	OSPPSVC.EXE
2744	mscorsvw.exe
2788	perfhost.exe
2904	locator.exe
2932	mscorsvw.exe
2084	snmptrap.exe
2244	vds.exe
2072	vssvc.exe
2356	wbengine.exe
2536	mscorsvw.exe
2796	WmiApSrv.exe
2664	wmpnetwk.exe
2648	mscorsvw.exe
2248	SearchIndexer.exe
2212	mscorsvw.exe
2328	mscorsvw.exe
2824	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2372	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
732	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5aa98ac47bf3ad0.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1132	1980	Purchase Order.exe	26
PID 1132 set thread context of 1532	1132	Purchase Order.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Purchase Order.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Purchase Order.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6A45526A-4BEE-4E48-AC93-DEB48D0EAF87}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6A45526A-4BEE-4E48-AC93-DEB48D0EAF87}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase Order.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{A9EBD3B1-574D-44EE-BA64-6E6A2492EB76}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{A9EBD3B1-574D-44EE-BA64-6E6A2492EB76}	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1920	ehRec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1132	Purchase Order.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeShutdownPrivilege	1464	mscorsvw.exe
Token: 33	2004	EhTray.exe
Token: SeIncBasePriorityPrivilege	2004	EhTray.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeShutdownPrivilege	1464	mscorsvw.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeShutdownPrivilege	1464	mscorsvw.exe
Token: SeShutdownPrivilege	1464	mscorsvw.exe
Token: SeDebugPrivilege	1920	ehRec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: 33	2004	EhTray.exe
Token: SeIncBasePriorityPrivilege	2004	EhTray.exe
Token: SeBackupPrivilege	2072	vssvc.exe
Token: SeRestorePrivilege	2072	vssvc.exe
Token: SeAuditPrivilege	2072	vssvc.exe
Token: SeBackupPrivilege	2356	wbengine.exe
Token: SeRestorePrivilege	2356	wbengine.exe
Token: SeSecurityPrivilege	2356	wbengine.exe
Token: 33	2664	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2664	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2004	EhTray.exe
2004	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2004	EhTray.exe
2004	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1132	Purchase Order.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1980 wrote to memory of 1132	1980	Purchase Order.exe	26
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1132 wrote to memory of 1532	1132	Purchase Order.exe	29
PID 1908 wrote to memory of 1752	1908	mscorsvw.exe	42
PID 1908 wrote to memory of 1752	1908	mscorsvw.exe	42
PID 1908 wrote to memory of 1752	1908	mscorsvw.exe	42
PID 1908 wrote to memory of 1752	1908	mscorsvw.exe	42
PID 1908 wrote to memory of 2100	1908	mscorsvw.exe	44
PID 1908 wrote to memory of 2100	1908	mscorsvw.exe	44
PID 1908 wrote to memory of 2100	1908	mscorsvw.exe	44
PID 1908 wrote to memory of 2100	1908	mscorsvw.exe	44
PID 1908 wrote to memory of 2320	1908	mscorsvw.exe	46
PID 1908 wrote to memory of 2320	1908	mscorsvw.exe	46
PID 1908 wrote to memory of 2320	1908	mscorsvw.exe	46
PID 1908 wrote to memory of 2320	1908	mscorsvw.exe	46
PID 1908 wrote to memory of 2744	1908	mscorsvw.exe	50
PID 1908 wrote to memory of 2744	1908	mscorsvw.exe	50
PID 1908 wrote to memory of 2744	1908	mscorsvw.exe	50
PID 1908 wrote to memory of 2744	1908	mscorsvw.exe	50
PID 1908 wrote to memory of 2932	1908	mscorsvw.exe	53
PID 1908 wrote to memory of 2932	1908	mscorsvw.exe	53
PID 1908 wrote to memory of 2932	1908	mscorsvw.exe	53
PID 1908 wrote to memory of 2932	1908	mscorsvw.exe	53
PID 1908 wrote to memory of 2536	1908	mscorsvw.exe	58
PID 1908 wrote to memory of 2536	1908	mscorsvw.exe	58
PID 1908 wrote to memory of 2536	1908	mscorsvw.exe	58
PID 1908 wrote to memory of 2536	1908	mscorsvw.exe	58
PID 1908 wrote to memory of 2648	1908	mscorsvw.exe	62
PID 1908 wrote to memory of 2648	1908	mscorsvw.exe	62
PID 1908 wrote to memory of 2648	1908	mscorsvw.exe	62
PID 1908 wrote to memory of 2648	1908	mscorsvw.exe	62
PID 1908 wrote to memory of 2212	1908	mscorsvw.exe	64
PID 1908 wrote to memory of 2212	1908	mscorsvw.exe	64
PID 1908 wrote to memory of 2212	1908	mscorsvw.exe	64
PID 1908 wrote to memory of 2212	1908	mscorsvw.exe	64
PID 1908 wrote to memory of 2328	1908	mscorsvw.exe	65
PID 1908 wrote to memory of 2328	1908	mscorsvw.exe	65
PID 1908 wrote to memory of 2328	1908	mscorsvw.exe	65
PID 1908 wrote to memory of 2328	1908	mscorsvw.exe	65
PID 1908 wrote to memory of 2824	1908	mscorsvw.exe	66
PID 1908 wrote to memory of 2824	1908	mscorsvw.exe	66
PID 1908 wrote to memory of 2824	1908	mscorsvw.exe	66
PID 1908 wrote to memory of 2824	1908	mscorsvw.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1120

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1072

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:464

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2544

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2628

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
07f04c08a75c351aae7a37a277a0b875

SHA1
fa70a6dd699c3df7eb659b36dad1c729aede60d7

SHA256
6bab8fbccaab60f8fc6fa055752f5cb95983ff71f25a417213042a235c7e7805

SHA512
9283661ee743d052f3abc2cbca6edd3a8b428ca7c355e60da29fdfd477a074afe4ad90de8277f86e6b312cea02108e3166569848ae79e73f03fcc03818c9d9b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
934764ebbd711aa7775e5187c62717a6

SHA1
fed83255178a4296d70352523c033795c78d7f77

SHA256
f0261988d056e5aa2601cad29f2857b59e2247d47c53acf12159512a7dadef87

SHA512
cb13ecb71b380ed5de1c3ba3c323d47fa9f0f26ca527294e333a918674e0f71cc961a8edffa90bc462edb27bbfdcef4f0fb5b7f2b147254ea9052f796bf9a496

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
238d6759f9dbbbea4cf55c5108314682

SHA1
6ffc273c900dc11023df61bbaff36d9e6d32d1ba

SHA256
a9b5c1182878de9f9ee105cfb09b400338dc0579a4dfed895fee4348a2f97e0a

SHA512
54ad7e5852f6aabab21f8c1cf4a9ff474ab6562ecc34a07d8d0d280e33db587a02a831e5c6b306ef6f57acf0bc90b61201297f4e4beb9d7cad7dc2cef0a26573

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
0e5f1ef3319522f617b4da4ea2127d99

SHA1
abe9257c66a577aa64e0489266fe3e1327dac583

SHA256
9da9c8fde67d33f4b068ebc7807af4e090da269445bcbda2a084aea8246e10ed

SHA512
fb7443dd35ea3bedf12a1a1db2cb351bb322ec8522be55cecc1f844b52990967e4164f506a2387f706acad3d1791f67fdcf385a180b1dd0cae9afcb614f059a5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
eb2c326ebc20048f7dd859722f54263e

SHA1
0b18603cec966acdcf41f1291625fb0006d969cf

SHA256
d0bf8e9461a121efc9d87c0f4eb4124a26822b6a94016e550a811937333914c5

SHA512
ffe97f9c3129172b872e7cf49a4c6d2f74079c1d1484467fd764ca067f5070bf2df17a572de90ec0e7f03a5823de9a7f729e4a4dce8c5110050a692c95fa63ae

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b7f25901d2b787b9ddc73fda5983a601

SHA1
ee3ff0ef815c19d96ef746aa6dfdbbf3cf2b55d4

SHA256
6b5bb011fb173e0f25126e90b8cd5abc65e930c71437f295db6645a941e32405

SHA512
94de0f6552798991f0ae3baf14f24fa317f06b6e9a58e7b2a2a6c30d6881b4ff5a2c1dc369df9fda97c6573ccc0a20d074cda29e85249d503bca6eed6486441f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a8fe9f10b1c9941fe7a47e0d96a7994a

SHA1
5c724ba1183969f2c756d6e6faa23176a147fe36

SHA256
a71b289ab5c12c8c33211d23d11704fbbe54c0aaa143fc70d9b214e1bf498c7d

SHA512
7f47647b1ba38ee19ef5093607f50968dc57695aa836e8352f10ff9105850e3970fce404f6e59ffbad3e0ef8ca39e30203276be0fcf08c2b8fd54926b68f7e94

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a8fe9f10b1c9941fe7a47e0d96a7994a

SHA1
5c724ba1183969f2c756d6e6faa23176a147fe36

SHA256
a71b289ab5c12c8c33211d23d11704fbbe54c0aaa143fc70d9b214e1bf498c7d

SHA512
7f47647b1ba38ee19ef5093607f50968dc57695aa836e8352f10ff9105850e3970fce404f6e59ffbad3e0ef8ca39e30203276be0fcf08c2b8fd54926b68f7e94

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8d8dfd70d1b443243a56d30ebbc8fdaf

SHA1
186fe16e9af61a9d99597f1786c6c58242c8bb1e

SHA256
02cf42508c7545157128d408e0a25acddba345220e3c512bdd398851a2fe05bb

SHA512
50f869999e8ea99630b5beb34ca09ff894c3349dd9c4b3f885913e170be10ae3be59d7e85098d384f5fdecbb434a37193fdb1e635d80c64b7b3254474624a56d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
f30a2723bc3a581fd891427673185f8c

SHA1
7d3c0b60f0c3f244b79bd1d8698d4bb2e3f09948

SHA256
38832af5ee621e8636c5a2a64afa9e67f132dbdc5efb302fa9f5e46b4fe4fc0b

SHA512
76fab7dbd15e8f8ff8bbe88aac9a78203576436a9a6d5792687478268fd034e46e3a3648704623ca8757241c0731debecf65bb012698d6428a2df9aec7b0e547

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc0f1aef998cdd8858cb911fb2cb45a7

SHA1
f6c33205975c5b832c36839072fdc98fbfea7101

SHA256
1d3b01fa2baf02ac697a8e252da9661622d56a1920d2e94303e598bcf1ae6d99

SHA512
a160997838b8624c306c6a3909f6df509cbcd8ee28dcfbcec58ef30006c97e598afea1240e4dd963bf649cdb03a229ad86c9ea169e8245bc5f8daa28da13adc1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc0f1aef998cdd8858cb911fb2cb45a7

SHA1
f6c33205975c5b832c36839072fdc98fbfea7101

SHA256
1d3b01fa2baf02ac697a8e252da9661622d56a1920d2e94303e598bcf1ae6d99

SHA512
a160997838b8624c306c6a3909f6df509cbcd8ee28dcfbcec58ef30006c97e598afea1240e4dd963bf649cdb03a229ad86c9ea169e8245bc5f8daa28da13adc1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a6ea8cfe3585bd6bce6f1539d2983177

SHA1
2b851ee5549f1f04b6f83a0f496c43d4cf4d75c7

SHA256
a8fa9dd8c9c9e3f9889f4d6f3193c5a9cb505c927d0faf8d8cb878413c7ac1cf

SHA512
8d9f754008f5f7faacd60dfee135e25f6130ed35d03588a3d1345b534faa9e3ab5d6a72fd0de3be0f0a072b695c0e29e0720fc7a6e4e0fdb5f6aa837aa8bb978

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a6ea8cfe3585bd6bce6f1539d2983177

SHA1
2b851ee5549f1f04b6f83a0f496c43d4cf4d75c7

SHA256
a8fa9dd8c9c9e3f9889f4d6f3193c5a9cb505c927d0faf8d8cb878413c7ac1cf

SHA512
8d9f754008f5f7faacd60dfee135e25f6130ed35d03588a3d1345b534faa9e3ab5d6a72fd0de3be0f0a072b695c0e29e0720fc7a6e4e0fdb5f6aa837aa8bb978

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ab7f9ed3405ec1e051f3cf63d915a5e8

SHA1
740f16ffcffbc6502f17e3ccd7de3ae095a6eeb9

SHA256
0eb589ebdce75bdbf09f0c038779c1d635acfba7b17669ce7832cd6cd39430f7

SHA512
2221327b4662fef28eae0af5126063832de345014934f24122ebe91d87d5e425c9f519e53230968268e2391219cb4114cb3c3285bcf2c292bb5c7074d10c8956

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
48fcab49fb17f0fcb761bff2a4b52960

SHA1
9b56c110dbaf812a64ce7d55f704b0c9ec5b99b8

SHA256
b691f39f5d7ea5b5085bce9db9e05ee5d3f5f8fa9d156e48b75fee7f0da2e9d0

SHA512
7567512a2ed38776044298f692bf20043c770243104148ddb64a29cf1733b8b65a79a8eb69cf0f843a9bae70531f791db225a63062ba5515197d5311ebd3a590

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
df2700324114bdf97932c5d07605b137

SHA1
aedf63eaa10400e2e3349e69056113c23d0c5c51

SHA256
00a454c0fb8f35e28331d912244c1c743ab4734697bf43a67274321d2bb507f2

SHA512
b37f8a13ab5aaf8c10be8adb3848aa7f91c8aa595992bbd5619f02298722c5ebd77737c3a5ca422094d47b793e65265b516c454c802539be918b7f7c2bb86b6d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
83d588ec853c1b81da5885b5e8b7bc4e

SHA1
b4465b13ba2f7480ac7dfcb48479b60e30c41bbd

SHA256
7bca7e273ce87e728443d8057d9a48e3122e22cb06cc691d6600622a59e9ec9a

SHA512
f2958ae58ff905a4b6669a0f7271a70f15b0c4c78ab37c1b57f2e0a5ae2b79f8983008de841c42c5ea7365686d4cc8c6a6ba9da43c3fd30867614d8232e43db6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5f9c5ab213c558defdbab3e6e824efd4

SHA1
280574155898076d0f3954a3212d727367562c76

SHA256
d9e6f7e2c942451b0a64767c565e66d1ca9225b80327641286213c46a0610489

SHA512
773a8608cd844506c97c79470b0e09236c0f998a97d585485eecfa897c93cb3c4ef728baf772d4cd6668216df204bacb5a27160f5629f53939cf34a7ccdfe424

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
66d4dd7501105ce6d1a2c241cd075b92

SHA1
82fd9bd5f1898122da764a3de6035eb26e4f2e14

SHA256
f2ad40bddf7320c007c08e4df7290ed398ffd189b2345e3892deddd303ea3663

SHA512
3e7b4f1e3ea133138805715e2906d49a5d446714a96fa98a434b93583c1b3cbe08f93dd1eecb4ddd8a1f88caf18014a59d04286f4a6e98304a75d61285f9432b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
28ebc15a327b674bfcb0ce9ef5af35ce

SHA1
505ba1a67135614e47df3efbc21399761e308975

SHA256
5642d84c8af1db6df304e55b9c1a0d16c2d5eaea84063d32686c9e0f89e2cd63

SHA512
04426b1544ac9628a9c4fc76473c01bc6a2c326a08bce638815b04afde0002e1bfd95447b93ee62fa5fc83b3435dba907551f90ee4e0fde9dabef1306e26504e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
b0ddea6a831e83df3613fe03c6d0d2fd

SHA1
23344a89c86d8851c7edd82d642d5d10a0ab3c0f

SHA256
34485d9b3aae76357849860915b0d969c449fe4e0aa6c4143cd43aa77deb1d8b

SHA512
e36388a61c5131c79b7b4a7cc53037a3cd67cfc1c24bff2bf4f7ebbb90d186d9d04bf5b0abef81502b6db599825f037f04f98ad4b45deaf57b8df5e33ee5eee7

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
cde9a427769d2fdb21af48dbb5ca5fc3

SHA1
43eb1dd9cf500dba528f6710c021e815111b1093

SHA256
da72a62d0634646739c15b1e22b9b0832a0cd8689ccc68b7eda0c90726e36b99

SHA512
c647bc1fde9205b43e0e6e2291a768d99c6acb59bc0d4c06f1648f47d91b599dd27389061b8ad842838aede32b23881234ac09b574bbcd2e28ca8bc57c1a1535

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
83dd2fb13e970bcca64bb18ba1aca478

SHA1
b9ee53832350aa01dfc66f348541487a1f38b8c9

SHA256
69419b3c8bc203dbb7f5129d08aacc397ca3f087373a23ed16a80cc87ff5dead

SHA512
76c75d8c57e6eadb819cb1286be5ba0f2c0ad34993e12deae994952c84aac908d327c61433c11cdd33b73e4e040bb695d596b18dfcb69eeda803c32ca90a6672

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
edc52bb63419bc8f793f8da0e25048b2

SHA1
5e68a8008bc49883fcb4190f01f7f108910d7503

SHA256
217d26bff59aca39324cfbbb248c2ff0ff5c2d54af1f8ea3047709aba404a053

SHA512
9495a1d0eb92095b5c0c9259ea6cd94f51a2096c534cdb02d3e7c35cb9cb65d7ce384fee4589a76fad8deac5402e66886896cb6798a9f8326c927dc69976df10

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aa6ab0bcef5d938a86d0e6e8d3fd7b4c

SHA1
0738365cb03904837024111442462bf3378ada71

SHA256
f8d084a73b424874022e570373b3bae530429ed0cf924611a48c8083e23421ee

SHA512
3713d4f2fb1b0e5ff9877a89230415492849efa2e91d6de1c8767fab3486e97a21b18c914a324d846ba8dc5b2379ac812cb430a1e355e6cc94a24c45cb5305fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
bb35b57aa2ac9d2b7643a408b8725e68

SHA1
acd77b6b1aa940e843f06acc99d572585423cb25

SHA256
a5dad1f670a83d06c85df2898ba98bfaf6527ca47e8efac2e16ebd680fa8c34c

SHA512
47e3e9ed0aacf7a7b1740dd5c1ac92cd194d76a3f1c6805d430b047857c87932474181b0503f275f2ddc5620ef307c3f5d1f071c6e7a02c15a0911664a16012c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
54ac1842de1dcb6c0093ca5244a04b8b

SHA1
54a48bdb8b47a5316803132e1aa0da6b0fcfbabd

SHA256
1565083888683c99b60c25b0a68e11bc968d4d3e02b7983e4e1306870de75257

SHA512
7562a8d79a59fa508cf901ec2a443debe1bb1038d614b96be90a9f6b3c07abd86ff3714cd43fc42db4b74c083d796940e14c79a2b29c94d3e308d0afbfe8776e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3b2cc7ad8422f9c2fc9a659b9596785d

SHA1
1e9bcea962223a893ae27bf7ea57aeb2c680ad74

SHA256
4221443e99f48fcac37f6f8ac0365c22a32155457a5be8b464879400fb286c12

SHA512
438abb48a080581c98cc861c7fa99978b95b08901de3bec89bb9d2e0e9c601736d21ca6f9b6dc9389b6af1f50820a4cdaa2c47075c7420ad02ced4f582bbc33a

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
78c41170d1dfc832e6f86cb9167d242b

SHA1
5aa4955d174efcafae731864bbd87809ce20ee76

SHA256
9728135221915d9b880af2652ad7a794ec6be458bdd32bbd5c571305a455f918

SHA512
c8e6ea25c031dd50936bd166b3377e4b709ba39bb4829c6c320af25cc2f3d5c7e82d4cad74cb7c42e4fc280121535626059074ca4d3c59ad5010bbf82ff91f3a

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
34548f1387ca94727203156a60919fda

SHA1
53d8558fb71a3116faebc62278f53367a04d6662

SHA256
01b68fce10fa662f03eb96d03c59e79fcb18c4878251c5d1598acd875f19fcdf

SHA512
2b03e69ae599156758412a4db726f00c8c5cab65927de6135cb2174cbcdcfecefd34913c2609b075d89754522432afb88392f3a0526b04eba0374096f94f40f8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
edc52bb63419bc8f793f8da0e25048b2

SHA1
5e68a8008bc49883fcb4190f01f7f108910d7503

SHA256
217d26bff59aca39324cfbbb248c2ff0ff5c2d54af1f8ea3047709aba404a053

SHA512
9495a1d0eb92095b5c0c9259ea6cd94f51a2096c534cdb02d3e7c35cb9cb65d7ce384fee4589a76fad8deac5402e66886896cb6798a9f8326c927dc69976df10

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b7f25901d2b787b9ddc73fda5983a601

SHA1
ee3ff0ef815c19d96ef746aa6dfdbbf3cf2b55d4

SHA256
6b5bb011fb173e0f25126e90b8cd5abc65e930c71437f295db6645a941e32405

SHA512
94de0f6552798991f0ae3baf14f24fa317f06b6e9a58e7b2a2a6c30d6881b4ff5a2c1dc369df9fda97c6573ccc0a20d074cda29e85249d503bca6eed6486441f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b7f25901d2b787b9ddc73fda5983a601

SHA1
ee3ff0ef815c19d96ef746aa6dfdbbf3cf2b55d4

SHA256
6b5bb011fb173e0f25126e90b8cd5abc65e930c71437f295db6645a941e32405

SHA512
94de0f6552798991f0ae3baf14f24fa317f06b6e9a58e7b2a2a6c30d6881b4ff5a2c1dc369df9fda97c6573ccc0a20d074cda29e85249d503bca6eed6486441f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a8fe9f10b1c9941fe7a47e0d96a7994a

SHA1
5c724ba1183969f2c756d6e6faa23176a147fe36

SHA256
a71b289ab5c12c8c33211d23d11704fbbe54c0aaa143fc70d9b214e1bf498c7d

SHA512
7f47647b1ba38ee19ef5093607f50968dc57695aa836e8352f10ff9105850e3970fce404f6e59ffbad3e0ef8ca39e30203276be0fcf08c2b8fd54926b68f7e94

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
f30a2723bc3a581fd891427673185f8c

SHA1
7d3c0b60f0c3f244b79bd1d8698d4bb2e3f09948

SHA256
38832af5ee621e8636c5a2a64afa9e67f132dbdc5efb302fa9f5e46b4fe4fc0b

SHA512
76fab7dbd15e8f8ff8bbe88aac9a78203576436a9a6d5792687478268fd034e46e3a3648704623ca8757241c0731debecf65bb012698d6428a2df9aec7b0e547

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
83d588ec853c1b81da5885b5e8b7bc4e

SHA1
b4465b13ba2f7480ac7dfcb48479b60e30c41bbd

SHA256
7bca7e273ce87e728443d8057d9a48e3122e22cb06cc691d6600622a59e9ec9a

SHA512
f2958ae58ff905a4b6669a0f7271a70f15b0c4c78ab37c1b57f2e0a5ae2b79f8983008de841c42c5ea7365686d4cc8c6a6ba9da43c3fd30867614d8232e43db6

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
28ebc15a327b674bfcb0ce9ef5af35ce

SHA1
505ba1a67135614e47df3efbc21399761e308975

SHA256
5642d84c8af1db6df304e55b9c1a0d16c2d5eaea84063d32686c9e0f89e2cd63

SHA512
04426b1544ac9628a9c4fc76473c01bc6a2c326a08bce638815b04afde0002e1bfd95447b93ee62fa5fc83b3435dba907551f90ee4e0fde9dabef1306e26504e

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
b0ddea6a831e83df3613fe03c6d0d2fd

SHA1
23344a89c86d8851c7edd82d642d5d10a0ab3c0f

SHA256
34485d9b3aae76357849860915b0d969c449fe4e0aa6c4143cd43aa77deb1d8b

SHA512
e36388a61c5131c79b7b4a7cc53037a3cd67cfc1c24bff2bf4f7ebbb90d186d9d04bf5b0abef81502b6db599825f037f04f98ad4b45deaf57b8df5e33ee5eee7

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
cde9a427769d2fdb21af48dbb5ca5fc3

SHA1
43eb1dd9cf500dba528f6710c021e815111b1093

SHA256
da72a62d0634646739c15b1e22b9b0832a0cd8689ccc68b7eda0c90726e36b99

SHA512
c647bc1fde9205b43e0e6e2291a768d99c6acb59bc0d4c06f1648f47d91b599dd27389061b8ad842838aede32b23881234ac09b574bbcd2e28ca8bc57c1a1535

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
83dd2fb13e970bcca64bb18ba1aca478

SHA1
b9ee53832350aa01dfc66f348541487a1f38b8c9

SHA256
69419b3c8bc203dbb7f5129d08aacc397ca3f087373a23ed16a80cc87ff5dead

SHA512
76c75d8c57e6eadb819cb1286be5ba0f2c0ad34993e12deae994952c84aac908d327c61433c11cdd33b73e4e040bb695d596b18dfcb69eeda803c32ca90a6672

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
edc52bb63419bc8f793f8da0e25048b2

SHA1
5e68a8008bc49883fcb4190f01f7f108910d7503

SHA256
217d26bff59aca39324cfbbb248c2ff0ff5c2d54af1f8ea3047709aba404a053

SHA512
9495a1d0eb92095b5c0c9259ea6cd94f51a2096c534cdb02d3e7c35cb9cb65d7ce384fee4589a76fad8deac5402e66886896cb6798a9f8326c927dc69976df10

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
edc52bb63419bc8f793f8da0e25048b2

SHA1
5e68a8008bc49883fcb4190f01f7f108910d7503

SHA256
217d26bff59aca39324cfbbb248c2ff0ff5c2d54af1f8ea3047709aba404a053

SHA512
9495a1d0eb92095b5c0c9259ea6cd94f51a2096c534cdb02d3e7c35cb9cb65d7ce384fee4589a76fad8deac5402e66886896cb6798a9f8326c927dc69976df10

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aa6ab0bcef5d938a86d0e6e8d3fd7b4c

SHA1
0738365cb03904837024111442462bf3378ada71

SHA256
f8d084a73b424874022e570373b3bae530429ed0cf924611a48c8083e23421ee

SHA512
3713d4f2fb1b0e5ff9877a89230415492849efa2e91d6de1c8767fab3486e97a21b18c914a324d846ba8dc5b2379ac812cb430a1e355e6cc94a24c45cb5305fd

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
bb35b57aa2ac9d2b7643a408b8725e68

SHA1
acd77b6b1aa940e843f06acc99d572585423cb25

SHA256
a5dad1f670a83d06c85df2898ba98bfaf6527ca47e8efac2e16ebd680fa8c34c

SHA512
47e3e9ed0aacf7a7b1740dd5c1ac92cd194d76a3f1c6805d430b047857c87932474181b0503f275f2ddc5620ef307c3f5d1f071c6e7a02c15a0911664a16012c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
54ac1842de1dcb6c0093ca5244a04b8b

SHA1
54a48bdb8b47a5316803132e1aa0da6b0fcfbabd

SHA256
1565083888683c99b60c25b0a68e11bc968d4d3e02b7983e4e1306870de75257

SHA512
7562a8d79a59fa508cf901ec2a443debe1bb1038d614b96be90a9f6b3c07abd86ff3714cd43fc42db4b74c083d796940e14c79a2b29c94d3e308d0afbfe8776e

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3b2cc7ad8422f9c2fc9a659b9596785d

SHA1
1e9bcea962223a893ae27bf7ea57aeb2c680ad74

SHA256
4221443e99f48fcac37f6f8ac0365c22a32155457a5be8b464879400fb286c12

SHA512
438abb48a080581c98cc861c7fa99978b95b08901de3bec89bb9d2e0e9c601736d21ca6f9b6dc9389b6af1f50820a4cdaa2c47075c7420ad02ced4f582bbc33a

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
78c41170d1dfc832e6f86cb9167d242b

SHA1
5aa4955d174efcafae731864bbd87809ce20ee76

SHA256
9728135221915d9b880af2652ad7a794ec6be458bdd32bbd5c571305a455f918

SHA512
c8e6ea25c031dd50936bd166b3377e4b709ba39bb4829c6c320af25cc2f3d5c7e82d4cad74cb7c42e4fc280121535626059074ca4d3c59ad5010bbf82ff91f3a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
34548f1387ca94727203156a60919fda

SHA1
53d8558fb71a3116faebc62278f53367a04d6662

SHA256
01b68fce10fa662f03eb96d03c59e79fcb18c4878251c5d1598acd875f19fcdf

SHA512
2b03e69ae599156758412a4db726f00c8c5cab65927de6135cb2174cbcdcfecefd34913c2609b075d89754522432afb88392f3a0526b04eba0374096f94f40f8

Download Submit
memory/464-173-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/464-334-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/464-175-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/464-153-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/464-188-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/464-154-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/464-160-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1072-152-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1120-114-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1132-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1132-250-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1132-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1132-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1132-69-0x0000000000200000-0x0000000000266000-memory.dmp

Filesize
408KB

Download
memory/1132-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1132-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1132-74-0x0000000000200000-0x0000000000266000-memory.dmp

Filesize
408KB

Download
memory/1132-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1132-87-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1408-89-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1408-90-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1408-251-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1408-82-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1464-146-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1468-97-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1468-272-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1532-131-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1532-107-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1532-103-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1532-125-0x0000000004B20000-0x0000000004BDC000-memory.dmp

Filesize
752KB

Download
memory/1532-109-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1532-105-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1532-104-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1640-176-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1640-360-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1640-165-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1640-171-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1696-374-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1696-179-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1696-185-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1696-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1724-229-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1752-248-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1752-231-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1816-115-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1824-192-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1824-203-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1908-296-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1908-124-0x0000000000BB0000-0x0000000000C16000-memory.dmp

Filesize
408KB

Download
memory/1908-132-0x0000000000BB0000-0x0000000000C16000-memory.dmp

Filesize
408KB

Download
memory/1908-130-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1920-335-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1920-202-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1920-274-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1924-233-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1924-265-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1980-58-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/1980-54-0x0000000000B20000-0x0000000000CAE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-59-0x0000000005ED0000-0x000000000601E000-memory.dmp

Filesize
1.3MB

Download
memory/1980-55-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/1980-57-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/1980-56-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1980-60-0x0000000006020000-0x00000000061E6000-memory.dmp

Filesize
1.8MB

Download
memory/2072-399-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2084-375-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2100-281-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2100-253-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2196-252-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2196-429-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2212-492-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2244-398-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2248-467-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2320-333-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2356-434-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2372-291-0x0000000000600000-0x0000000000809000-memory.dmp

Filesize
2.0MB

Download
memory/2372-508-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2372-507-0x0000000000600000-0x0000000000809000-memory.dmp

Filesize
2.0MB

Download
memory/2372-292-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2536-435-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2536-460-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2544-299-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2628-305-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2648-465-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2664-462-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2744-336-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2788-338-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2796-432-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2904-361-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2932-362-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2932-421-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download