blustealer | a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.5MB
MD5

50815feaceafebb93a883fd6790af856
SHA1

9eee055af8be7bc6de2b6a3b869b553758ca741f
SHA256

a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3
SHA512

08fedff0fca35a0be3201f41e2583089284640e98f8597d4b33582e3b0b7157db4d7da0b1587deccd69564911b702fe159e9de9700cf6edee875cbf191d64e0d
SSDEEP

24576:EMQt9u/6kEu3h2ZuJPsbIf0O9AXpTHH6yTuEBEel9DWtJ/qBcME7W+DUn+GOaHjR:Wt9u/6kzwu7sjFpBEeritJ4QB0ZljJ

Score

10^/10

blustealer spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 38 IoCs

pid	Process
468	Process not Found
944	alg.exe
1252	aspnet_state.exe
608	mscorsvw.exe
1748	mscorsvw.exe
1756	mscorsvw.exe
1496	mscorsvw.exe
1144	dllhost.exe
1860	ehRecvr.exe
1732	ehsched.exe
1672	elevation_service.exe
1160	IEEtwCollector.exe
1612	GROOVE.EXE
880	mscorsvw.exe
1040	maintenanceservice.exe
2188	msdtc.exe
2328	msiexec.exe
2460	OSE.EXE
2516	OSPPSVC.EXE
2620	perfhost.exe
2648	locator.exe
2720	snmptrap.exe
2820	vds.exe
2892	vssvc.exe
2984	wbengine.exe
2052	WmiApSrv.exe
2248	wmpnetwk.exe
2136	SearchIndexer.exe
2264	mscorsvw.exe
2100	mscorsvw.exe
2316	mscorsvw.exe
2912	mscorsvw.exe
1708	mscorsvw.exe
2104	mscorsvw.exe
2280	mscorsvw.exe
2728	mscorsvw.exe
268	mscorsvw.exe
2208	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2328	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e9dab804328eb3a2.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 920 set thread context of 528	920	Purchase Order.exe	28
PID 528 set thread context of 1960	528	Purchase Order.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	Purchase Order.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{90888C36-2A12-459D-B5BE-466E973AEED0}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{90888C36-2A12-459D-B5BE-466E973AEED0}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{95E7EECE-B8B0-4AD9-8C48-D7DC8C54A980}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{95E7EECE-B8B0-4AD9-8C48-D7DC8C54A980}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2156	ehRec.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe
528	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	528	Purchase Order.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: 33	1224	EhTray.exe
Token: SeIncBasePriorityPrivilege	1224	EhTray.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeSecurityPrivilege	2328	msiexec.exe
Token: SeBackupPrivilege	2892	vssvc.exe
Token: SeRestorePrivilege	2892	vssvc.exe
Token: SeAuditPrivilege	2892	vssvc.exe
Token: SeDebugPrivilege	2156	ehRec.exe
Token: SeBackupPrivilege	2984	wbengine.exe
Token: SeRestorePrivilege	2984	wbengine.exe
Token: SeSecurityPrivilege	2984	wbengine.exe
Token: 33	2248	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2248	wmpnetwk.exe
Token: 33	1224	EhTray.exe
Token: SeIncBasePriorityPrivilege	1224	EhTray.exe
Token: SeManageVolumePrivilege	2136	SearchIndexer.exe
Token: 33	2136	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2136	SearchIndexer.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeDebugPrivilege	528	Purchase Order.exe
Token: SeDebugPrivilege	528	Purchase Order.exe
Token: SeDebugPrivilege	528	Purchase Order.exe
Token: SeDebugPrivilege	528	Purchase Order.exe
Token: SeDebugPrivilege	528	Purchase Order.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1224	EhTray.exe
1224	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1224	EhTray.exe
1224	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
528	Purchase Order.exe
2424	SearchProtocolHost.exe
2424	SearchProtocolHost.exe
2424	SearchProtocolHost.exe
2424	SearchProtocolHost.exe
2424	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 920 wrote to memory of 528	920	Purchase Order.exe	28
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 528 wrote to memory of 1960	528	Purchase Order.exe	34
PID 1496 wrote to memory of 880	1496	mscorsvw.exe	43
PID 1496 wrote to memory of 880	1496	mscorsvw.exe	43
PID 1496 wrote to memory of 880	1496	mscorsvw.exe	43
PID 1496 wrote to memory of 2264	1496	mscorsvw.exe	59
PID 1496 wrote to memory of 2264	1496	mscorsvw.exe	59
PID 1496 wrote to memory of 2264	1496	mscorsvw.exe	59
PID 2136 wrote to memory of 2424	2136	SearchIndexer.exe	60
PID 2136 wrote to memory of 2424	2136	SearchIndexer.exe	60
PID 2136 wrote to memory of 2424	2136	SearchIndexer.exe	60
PID 2136 wrote to memory of 2556	2136	SearchIndexer.exe	61
PID 2136 wrote to memory of 2556	2136	SearchIndexer.exe	61
PID 2136 wrote to memory of 2556	2136	SearchIndexer.exe	61
PID 1756 wrote to memory of 2100	1756	mscorsvw.exe	62
PID 1756 wrote to memory of 2100	1756	mscorsvw.exe	62
PID 1756 wrote to memory of 2100	1756	mscorsvw.exe	62
PID 1756 wrote to memory of 2100	1756	mscorsvw.exe	62
PID 1756 wrote to memory of 2316	1756	mscorsvw.exe	63
PID 1756 wrote to memory of 2316	1756	mscorsvw.exe	63
PID 1756 wrote to memory of 2316	1756	mscorsvw.exe	63
PID 1756 wrote to memory of 2316	1756	mscorsvw.exe	63
PID 1756 wrote to memory of 2912	1756	mscorsvw.exe	64
PID 1756 wrote to memory of 2912	1756	mscorsvw.exe	64
PID 1756 wrote to memory of 2912	1756	mscorsvw.exe	64
PID 1756 wrote to memory of 2912	1756	mscorsvw.exe	64
PID 1756 wrote to memory of 1708	1756	mscorsvw.exe	65
PID 1756 wrote to memory of 1708	1756	mscorsvw.exe	65
PID 1756 wrote to memory of 1708	1756	mscorsvw.exe	65
PID 1756 wrote to memory of 1708	1756	mscorsvw.exe	65
PID 1756 wrote to memory of 2104	1756	mscorsvw.exe	66
PID 1756 wrote to memory of 2104	1756	mscorsvw.exe	66
PID 1756 wrote to memory of 2104	1756	mscorsvw.exe	66
PID 1756 wrote to memory of 2104	1756	mscorsvw.exe	66
PID 1756 wrote to memory of 2280	1756	mscorsvw.exe	67
PID 1756 wrote to memory of 2280	1756	mscorsvw.exe	67
PID 1756 wrote to memory of 2280	1756	mscorsvw.exe	67
PID 1756 wrote to memory of 2280	1756	mscorsvw.exe	67
PID 1756 wrote to memory of 2728	1756	mscorsvw.exe	68
PID 1756 wrote to memory of 2728	1756	mscorsvw.exe	68
PID 1756 wrote to memory of 2728	1756	mscorsvw.exe	68
PID 1756 wrote to memory of 2728	1756	mscorsvw.exe	68
PID 1756 wrote to memory of 268	1756	mscorsvw.exe	69
PID 1756 wrote to memory of 268	1756	mscorsvw.exe	69
PID 1756 wrote to memory of 268	1756	mscorsvw.exe	69
PID 1756 wrote to memory of 268	1756	mscorsvw.exe	69
PID 1756 wrote to memory of 2208	1756	mscorsvw.exe	70
PID 1756 wrote to memory of 2208	1756	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:1960

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:608

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1f4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e4 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 238 -NGENProcess 268 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1a8 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 244 -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1e8 -NGENProcess 1c8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1144

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1224

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1612

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2460

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3948302646-268491222-1934009652-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3948302646-268491222-1934009652-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b13efb2c879b6051e820db2d76ea9ed5

SHA1
3a793bb705e8fe6e30eef8ce0a95f530048cec15

SHA256
58e34a7384dcc0f92335613ac5b3a8de743188b7fb846d54f2295fb68f9de741

SHA512
30febf148b51daf9e11470cf95d67f9aab0838764ab85164a413a31ea7d24f2c18e889925db87731f074c46786ab413edc2e808046c86ad8d84662051a979cbe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bfb952ef0eb4100e6d0af6d7706a51b0

SHA1
e9da28f62cee65ae165d9060da515c0172f119c1

SHA256
0bdd84c7f9347a795a116eaa975516931dfb86ec3f6a1c958bf7c263acb6f7a0

SHA512
67b748fbf0b04d55a5c51a5478bfbe757c0757d771b651e73dfadc6ca15faf6459a02e0f5aafa80c1fa8e43245e7c00005d37da86bdfe0afc72b9c17adc412c4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9773ec4f027a3334b99201bde7c63369

SHA1
b6a79846999dd5268b194c091f293e71c7b7efd1

SHA256
5af84542a2463ab0ecde118c14247cf8299490a82e0e2f1dc0241245a73e2ff9

SHA512
85d013464eeffa27b5e183925ff3812ace71eef28991ad4f0c3f158cd6a8a59b913edd69393469169666ae89745d60c8c6cf481c54b9a624b2e5dc5c946d0004

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
23ca10c22baffcde72ef8189b2205f49

SHA1
574fd962d41a00fa679632cbda440ff294256dfb

SHA256
45dee01d2621bc7d879e4334e9a70b3b8d2ceba50a508cb67485814f41c0624c

SHA512
8db14a43693aa7ec313f73e15b4e0e508b7aec026533dd9cb83fcf6df855adccd902a11932b6364a60bc641a4a1e1b9da4dbfbc53fca37238d109a29aef6b313

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7e24460254d8e1d336b30ccb9e30c1ef

SHA1
adf93dd6bdc0360379bc51d111bbf2762752df23

SHA256
ce5b39491619419ae142d17f0a8a6785f17054c7af37dd2eab195a03499f6328

SHA512
5051b6ae8e0f4e4a575f57d8d36006e6c7de6de70bf06a25b94808fd5d076d4f5a96cfad9746b027ec2db49446e6fb38efeacd311d9932b5fb465fe0969ef650

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
13a88fbca7be372094fb4eabe320a928

SHA1
3ff8cc2e1ac6e635a43f0bb30043220a672a3272

SHA256
02335205a027a375677b01d4a27cfc53d150a717ddabd2949dd4bdaebc59284a

SHA512
6b549e6ea92a10ce5a508b3701645f7ea4bcf1ff0873611c0556a665fccf40aae227aece9182b7317a42f5f0959cd3abc60bfe0de7082639302612f4904b5b4c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
603b03cd3fb07d905d5bd2baf23e77c6

SHA1
1dfd2c27609d2a35612a38632b2cdb8d9659d40a

SHA256
8b6f97b1a606204d4b4ed9f377d34afbfd67c6fdf2fa09bdf806668c763b8782

SHA512
4e70e5bf808bb642b039711cf31c8843e481cb861fd27872ac489a1fe8b49d991cd2b101052225c168359a631934338d6e1fb579b560e1f3313129fcd070d19d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f2e3ba5dd3f7e0b6280635a074d0848d

SHA1
650f67202e8b5be5d8b226b6fd86af0c3fd8abb7

SHA256
fb314cd2553cd34795b4b58bdb8275ac04dedf313f91e7f8bf22c9c7a0912895

SHA512
99aaa4063d14e267f5ddc23467c70c59a74914c4947c6c64c206f9e88f15bb964e80219c860e2f4c438a676521a634510cc607cfe52f0cca3fc39b3855a5e5f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f2e3ba5dd3f7e0b6280635a074d0848d

SHA1
650f67202e8b5be5d8b226b6fd86af0c3fd8abb7

SHA256
fb314cd2553cd34795b4b58bdb8275ac04dedf313f91e7f8bf22c9c7a0912895

SHA512
99aaa4063d14e267f5ddc23467c70c59a74914c4947c6c64c206f9e88f15bb964e80219c860e2f4c438a676521a634510cc607cfe52f0cca3fc39b3855a5e5f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
0a899774f94f263a7506bbd7049c9c2a

SHA1
72fa175d00a0188f4266f9f48958a313a8dd07a7

SHA256
931c8cf420d62e65ec65158f38235273ee9c4c8c436b0c8dea6ec290941df5f6

SHA512
ff8dbb5d3ab2bb0c19edddae48f38dd3f99d77e75037548e3349fd20802ad55c021492289a2690d01665c706bda8487e920acf40596fba7675221619208c49dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
cd244432f5fd737caae3b64229fa2302

SHA1
90ad1cb80f578bb631d689c6ef68c88b6f21daf1

SHA256
dadbf8e436891bd84dba8454aec20c46205126c0bfc205d83975727c42fda037

SHA512
9cc7594c3817a4bd3bbaf494d7b06cb8036e4af0ea3cdc8df1914d03235603781655d849e335c800f63a63baa8678985afdcc94171f8d457a46fdc6e566cc702

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
97cd2f3403cefd65e63c618ab6b39fa4

SHA1
019fe646a3ab33e06e5f5a3e8f30b1c8db5a6d91

SHA256
25c6a67390d3f0f3c3db1162cf983e61ceb50e4aa3e7c3768bc3b1829ca853b0

SHA512
01cfeac9e9517cbc290fd705e918209cf356522d0847d9b4ccc38415f24f7dab874d682c629d0be0a7a73d9c668a97d6e136315f0207125b0821bfef4fe8b727

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
97cd2f3403cefd65e63c618ab6b39fa4

SHA1
019fe646a3ab33e06e5f5a3e8f30b1c8db5a6d91

SHA256
25c6a67390d3f0f3c3db1162cf983e61ceb50e4aa3e7c3768bc3b1829ca853b0

SHA512
01cfeac9e9517cbc290fd705e918209cf356522d0847d9b4ccc38415f24f7dab874d682c629d0be0a7a73d9c668a97d6e136315f0207125b0821bfef4fe8b727

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
97cd2f3403cefd65e63c618ab6b39fa4

SHA1
019fe646a3ab33e06e5f5a3e8f30b1c8db5a6d91

SHA256
25c6a67390d3f0f3c3db1162cf983e61ceb50e4aa3e7c3768bc3b1829ca853b0

SHA512
01cfeac9e9517cbc290fd705e918209cf356522d0847d9b4ccc38415f24f7dab874d682c629d0be0a7a73d9c668a97d6e136315f0207125b0821bfef4fe8b727

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
97cd2f3403cefd65e63c618ab6b39fa4

SHA1
019fe646a3ab33e06e5f5a3e8f30b1c8db5a6d91

SHA256
25c6a67390d3f0f3c3db1162cf983e61ceb50e4aa3e7c3768bc3b1829ca853b0

SHA512
01cfeac9e9517cbc290fd705e918209cf356522d0847d9b4ccc38415f24f7dab874d682c629d0be0a7a73d9c668a97d6e136315f0207125b0821bfef4fe8b727

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
97b049a19c7155458c9c650cd72f115d

SHA1
b0f7b717e4019a21abfd77c3e3c589e7f201b31c

SHA256
033ca3e1eb0fa4a51fe586ba1a8cae00a90c76e95a31c49967d60ac0ec8e67ee

SHA512
605023fe2a7e91af42db2c65659662dd2a8110ed9fa68a03da511b265b140cb7613975d670a5779f77d860baedb3af48c0ad2ceaf4e8e7eb3b1a2633a037796d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
97b049a19c7155458c9c650cd72f115d

SHA1
b0f7b717e4019a21abfd77c3e3c589e7f201b31c

SHA256
033ca3e1eb0fa4a51fe586ba1a8cae00a90c76e95a31c49967d60ac0ec8e67ee

SHA512
605023fe2a7e91af42db2c65659662dd2a8110ed9fa68a03da511b265b140cb7613975d670a5779f77d860baedb3af48c0ad2ceaf4e8e7eb3b1a2633a037796d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d479680cc1b0af3592c9ca0e07244892

SHA1
aaf9ffe0e9c1dbf02b9316e8f96899cef03c08f3

SHA256
8e48d10a48c411fc08023e2c93bea24fc1f3f59bb1c134bf7573e8fa249b539a

SHA512
c80b6c1695c75d5ce6207b125e0eb251ed28e74190b41fac20680cea2510f220d1a9f41aada6f433674d9f5155cba6ff1a394c42c1ff1bb866c3badd93a3df3a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd5921d4afd33f6f78ba22750623282a

SHA1
b509bb92799093fdf0b3a2c475805570c8c95ad0

SHA256
49e03a45bc5eb7df89bf83290857ef60cce138521ac98f36471b85c8e6fce218

SHA512
6542ee4c2d58701b2181ad17a535dcc384fff50d63515f4be9db27ceb7223b2bf69815340fb6d12fb4427375623ccb130570c0b7472b30f7e9a976fb34c2be91

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d6d2ec681a17380fc44e7c46c949dab6

SHA1
a019d0ef97e75a1e6e623a758f38215fe62ec9cc

SHA256
cd498670f0a48d87236124574e9bae4143f181dc29e98ae1f86adb54a99033e1

SHA512
d3c659e6f3d12c1092443b0e2036e93c590e3279307c92f6e37d1faa7bed34a31ff1d83f2cb43d3d41688fafae12f3c39c3161281a2fd77fbaabfcbab56450ce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
860530733f0cb0930f3c36a79ca6b4d9

SHA1
8361d0523e9614746b38da636bc6b8ad2bc7e39a

SHA256
fac4be76bace4201b7c3ef3cc1a41d8211a11d38f1a39c71a1452549a834207a

SHA512
4e2edf69bc5273377c51bc22ebf9050d09466796d8c5bb066ba464afeb7298e9c77cbe00779e4309b6ca31dd10b9caa503be69b562921a8ff2063805107fa7b5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
8174b54e1051773cd3fa0cd3bfc94913

SHA1
52ddeac644e085cb982bacbea2d3929d7e0dbae1

SHA256
38b517e5bfdbe7e23476e70a414a2a5ad6288be466f6b3fb08c10d1f76e80cc1

SHA512
09e048cb9eabd2ec69cb6d3d98953b90f32d574c6ce9efff8cc86c8993f24dfcdba8000c0abe7269a7c77bb34e338d66582cb7d73fbd41f6400f264e5799f52a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
64ea3141f8aa35369f7a6cc6b23c46e5

SHA1
2eb80c50396157f3a02d0e73d71963584f676674

SHA256
2bbe4dfb0528f5e206049b4bd22422cb851a2a0e9217a332f26fa21fdac4746f

SHA512
37de85dcf0b4715b04479d02c4905baa1e1d1ec9f32aa4e2eaec022628183baf44db80feda9d69f19c13cb3c5a8f02d2c256c5c396659b7f6836f8959700e0a8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9997e5455486d54b5e32c9996804a653

SHA1
4e0d4bbca4daa91b4ce71cb631297143231d401d

SHA256
f042d9cd593979db3df67b58e2a6bbb4caa9872c089cbb275fed17aa387c3fc5

SHA512
8385fbeb8bde23b698b6ae0fdf110d2ba691fb0b156caa7188bf7cd051276b4e74021216bdfc5914a468f36d39e0867b77a68048dd0c47fd77be9274fa8d614f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
1eb50eeb78939bf46454890d1ca5248b

SHA1
1977dd70a90c4d96682458e8b262655f790f62c2

SHA256
246a81d63a9be951c4d3650733fdbdc2ad936dd9bfd1f86d0556de78870dd5d5

SHA512
1604b32cb88c09b9c488d3e8a13047403fe947d22ba23e45f2a9632b5f0a090b7a60c608727b77ee6a98e9d3447ff327f212f8d7598c407d5a9eb1ae89908f3d

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
4133af2f0b94e08de191714396f2d952

SHA1
c1369edb744e729aac93658866f0f974b2306d21

SHA256
fc14e0001222df543d50c657ad5c35a6b373f3ae0e9e99ea0bbd3a1e430e0002

SHA512
e2744f05ba889eef5cfc9180cdfec12eb3bec223698277d7c0ae617ab2da3071271df8d195322b5052f52c9a7a6b48752d85907a3aee488b7ccdd97d8958b2d0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a0ee2e02d40d4e1671a94f31c8baddce

SHA1
cb69526c335917b8c36eab7d0a6b8da03df46ec0

SHA256
e5f6d7329a6df5c1c00c8dfc15c4808e6d1321eab2520ccfe66e0fb14ad5bc5b

SHA512
212d884953bbb3ea7982047c261393be8c126a436b6bc8a40d928e96b0478bebdb107c8325a646870ff544afe673bbf80ff8cd08012d4a548838aa762dd1270c

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7d635b37ab73cd363c9f6c6f7e22a984

SHA1
5bffa8e6fdab586512436c99ca2929641ea3d98a

SHA256
df24eb659b530857446ed8f3ce7c46692b6cec068012014f0b2d5d52e2a0ed45

SHA512
ba2a413af4ed777c306c5af0963a014c6671bd2792a12845668f6b6960c811f8b4e031dea1022144b0cb0c62d4d76625508fff35e95bcce182e0a19795a6b4f4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7ed47182a70eda6f6d823daaf89178ee

SHA1
762ecfae68e762a736b5998ce6d7052baa2d47f2

SHA256
7bf85d9e37b9cd11b88de5c478d925f5258dc90365af9b59dcbe81cb96d60b70

SHA512
6dbdc95a27fb69aedce63f3f2730f1ac67fa006bf902a6553789e1a627581fd2f621142b184b30be5f5e386f066e82585e177b4e3d345d15a4de18829457aa4e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
e3b15cef735e339b5579e5e3ad4df755

SHA1
684f0ff822d7396cfddf3b0217248d1e1eeb0a05

SHA256
597009b8c3ccebfee97f5ba534be4020e2a8d7b5b75469e01c6c937b264774a7

SHA512
9ed77f95d3de1ddd02c644c9e9b7a69d0359fa0fb5a1884e5e5a4b96b6d98558ac315c918e43611e853ecb4fed426a8cef76e80ef763e75527d64d050566cc98

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c671defa8819a47b74c2aa3f6787660d

SHA1
bfb8674b65ba61625bfee35a4f46602ad19e8aa9

SHA256
d1334f99b922a8e6855e0b09df677e10833fe35d5b0cd1c6b1b09e0054d6a8e1

SHA512
0674b8600b0048000b9d47f9db87264326062e85c398c5f23db9564464900298716853b2927cfe070f35a1959906cd5b1985751a91e5cf46d0b4331aad81f63f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6d8bac5e679c38609b76a30054573cf7

SHA1
36c86f77f0701e25bf1d4ffaae64874391f2ed5b

SHA256
adcf3a705f5f045d2c0146446004d55986d44fea80542cfe48722778f10e0808

SHA512
49d13e105a879e2725c5e84c09253f6b94fc5dd06729ff4b2ca5582b8d497ed9b6b926a11b2d79216f73f1a96cef70046fe70c4df5bfa61e4f8fa19669b524df

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
0e0b61840b870dca1e5feccb0889042d

SHA1
773d960f33ff0f67b702cf6dca707c2d98d2ef63

SHA256
2fb40d93fb1a623f5bcb0b4c9f72c1889e1d7bd650856ea7f2add37f06e394da

SHA512
42864b0a828c1164e6279edbcf6e2aea71ec918ce70c3dd5deee88efe4b7573b97ad27c3bd5a87ffca3c55084156b1d15b4fc7d1b8dafe49f61dfab8e4595402

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
7fc15e06d9ac60826b9d1d39e20dd939

SHA1
0899dd55de1d2e6998f0f66342592a199d93554c

SHA256
382f60d31ad670c6ff7582146dc540d0a4d0ffba3ee63df8d374b91ba7af6b23

SHA512
cc4960bba548579e555ac4ff7c297bfeedbfed3559ac285f5aaccaad8f87782160e51766052d80a3472d64e788386449f9f9d4fc213bd8bbe02fa83a9278f36e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
7d635b37ab73cd363c9f6c6f7e22a984

SHA1
5bffa8e6fdab586512436c99ca2929641ea3d98a

SHA256
df24eb659b530857446ed8f3ce7c46692b6cec068012014f0b2d5d52e2a0ed45

SHA512
ba2a413af4ed777c306c5af0963a014c6671bd2792a12845668f6b6960c811f8b4e031dea1022144b0cb0c62d4d76625508fff35e95bcce182e0a19795a6b4f4

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
13a88fbca7be372094fb4eabe320a928

SHA1
3ff8cc2e1ac6e635a43f0bb30043220a672a3272

SHA256
02335205a027a375677b01d4a27cfc53d150a717ddabd2949dd4bdaebc59284a

SHA512
6b549e6ea92a10ce5a508b3701645f7ea4bcf1ff0873611c0556a665fccf40aae227aece9182b7317a42f5f0959cd3abc60bfe0de7082639302612f4904b5b4c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
13a88fbca7be372094fb4eabe320a928

SHA1
3ff8cc2e1ac6e635a43f0bb30043220a672a3272

SHA256
02335205a027a375677b01d4a27cfc53d150a717ddabd2949dd4bdaebc59284a

SHA512
6b549e6ea92a10ce5a508b3701645f7ea4bcf1ff0873611c0556a665fccf40aae227aece9182b7317a42f5f0959cd3abc60bfe0de7082639302612f4904b5b4c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f2e3ba5dd3f7e0b6280635a074d0848d

SHA1
650f67202e8b5be5d8b226b6fd86af0c3fd8abb7

SHA256
fb314cd2553cd34795b4b58bdb8275ac04dedf313f91e7f8bf22c9c7a0912895

SHA512
99aaa4063d14e267f5ddc23467c70c59a74914c4947c6c64c206f9e88f15bb964e80219c860e2f4c438a676521a634510cc607cfe52f0cca3fc39b3855a5e5f4

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
cd244432f5fd737caae3b64229fa2302

SHA1
90ad1cb80f578bb631d689c6ef68c88b6f21daf1

SHA256
dadbf8e436891bd84dba8454aec20c46205126c0bfc205d83975727c42fda037

SHA512
9cc7594c3817a4bd3bbaf494d7b06cb8036e4af0ea3cdc8df1914d03235603781655d849e335c800f63a63baa8678985afdcc94171f8d457a46fdc6e566cc702

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
860530733f0cb0930f3c36a79ca6b4d9

SHA1
8361d0523e9614746b38da636bc6b8ad2bc7e39a

SHA256
fac4be76bace4201b7c3ef3cc1a41d8211a11d38f1a39c71a1452549a834207a

SHA512
4e2edf69bc5273377c51bc22ebf9050d09466796d8c5bb066ba464afeb7298e9c77cbe00779e4309b6ca31dd10b9caa503be69b562921a8ff2063805107fa7b5

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9997e5455486d54b5e32c9996804a653

SHA1
4e0d4bbca4daa91b4ce71cb631297143231d401d

SHA256
f042d9cd593979db3df67b58e2a6bbb4caa9872c089cbb275fed17aa387c3fc5

SHA512
8385fbeb8bde23b698b6ae0fdf110d2ba691fb0b156caa7188bf7cd051276b4e74021216bdfc5914a468f36d39e0867b77a68048dd0c47fd77be9274fa8d614f

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
1eb50eeb78939bf46454890d1ca5248b

SHA1
1977dd70a90c4d96682458e8b262655f790f62c2

SHA256
246a81d63a9be951c4d3650733fdbdc2ad936dd9bfd1f86d0556de78870dd5d5

SHA512
1604b32cb88c09b9c488d3e8a13047403fe947d22ba23e45f2a9632b5f0a090b7a60c608727b77ee6a98e9d3447ff327f212f8d7598c407d5a9eb1ae89908f3d

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
4133af2f0b94e08de191714396f2d952

SHA1
c1369edb744e729aac93658866f0f974b2306d21

SHA256
fc14e0001222df543d50c657ad5c35a6b373f3ae0e9e99ea0bbd3a1e430e0002

SHA512
e2744f05ba889eef5cfc9180cdfec12eb3bec223698277d7c0ae617ab2da3071271df8d195322b5052f52c9a7a6b48752d85907a3aee488b7ccdd97d8958b2d0

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a0ee2e02d40d4e1671a94f31c8baddce

SHA1
cb69526c335917b8c36eab7d0a6b8da03df46ec0

SHA256
e5f6d7329a6df5c1c00c8dfc15c4808e6d1321eab2520ccfe66e0fb14ad5bc5b

SHA512
212d884953bbb3ea7982047c261393be8c126a436b6bc8a40d928e96b0478bebdb107c8325a646870ff544afe673bbf80ff8cd08012d4a548838aa762dd1270c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7d635b37ab73cd363c9f6c6f7e22a984

SHA1
5bffa8e6fdab586512436c99ca2929641ea3d98a

SHA256
df24eb659b530857446ed8f3ce7c46692b6cec068012014f0b2d5d52e2a0ed45

SHA512
ba2a413af4ed777c306c5af0963a014c6671bd2792a12845668f6b6960c811f8b4e031dea1022144b0cb0c62d4d76625508fff35e95bcce182e0a19795a6b4f4

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7d635b37ab73cd363c9f6c6f7e22a984

SHA1
5bffa8e6fdab586512436c99ca2929641ea3d98a

SHA256
df24eb659b530857446ed8f3ce7c46692b6cec068012014f0b2d5d52e2a0ed45

SHA512
ba2a413af4ed777c306c5af0963a014c6671bd2792a12845668f6b6960c811f8b4e031dea1022144b0cb0c62d4d76625508fff35e95bcce182e0a19795a6b4f4

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7ed47182a70eda6f6d823daaf89178ee

SHA1
762ecfae68e762a736b5998ce6d7052baa2d47f2

SHA256
7bf85d9e37b9cd11b88de5c478d925f5258dc90365af9b59dcbe81cb96d60b70

SHA512
6dbdc95a27fb69aedce63f3f2730f1ac67fa006bf902a6553789e1a627581fd2f621142b184b30be5f5e386f066e82585e177b4e3d345d15a4de18829457aa4e

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
e3b15cef735e339b5579e5e3ad4df755

SHA1
684f0ff822d7396cfddf3b0217248d1e1eeb0a05

SHA256
597009b8c3ccebfee97f5ba534be4020e2a8d7b5b75469e01c6c937b264774a7

SHA512
9ed77f95d3de1ddd02c644c9e9b7a69d0359fa0fb5a1884e5e5a4b96b6d98558ac315c918e43611e853ecb4fed426a8cef76e80ef763e75527d64d050566cc98

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c671defa8819a47b74c2aa3f6787660d

SHA1
bfb8674b65ba61625bfee35a4f46602ad19e8aa9

SHA256
d1334f99b922a8e6855e0b09df677e10833fe35d5b0cd1c6b1b09e0054d6a8e1

SHA512
0674b8600b0048000b9d47f9db87264326062e85c398c5f23db9564464900298716853b2927cfe070f35a1959906cd5b1985751a91e5cf46d0b4331aad81f63f

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6d8bac5e679c38609b76a30054573cf7

SHA1
36c86f77f0701e25bf1d4ffaae64874391f2ed5b

SHA256
adcf3a705f5f045d2c0146446004d55986d44fea80542cfe48722778f10e0808

SHA512
49d13e105a879e2725c5e84c09253f6b94fc5dd06729ff4b2ca5582b8d497ed9b6b926a11b2d79216f73f1a96cef70046fe70c4df5bfa61e4f8fa19669b524df

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
0e0b61840b870dca1e5feccb0889042d

SHA1
773d960f33ff0f67b702cf6dca707c2d98d2ef63

SHA256
2fb40d93fb1a623f5bcb0b4c9f72c1889e1d7bd650856ea7f2add37f06e394da

SHA512
42864b0a828c1164e6279edbcf6e2aea71ec918ce70c3dd5deee88efe4b7573b97ad27c3bd5a87ffca3c55084156b1d15b4fc7d1b8dafe49f61dfab8e4595402

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
7fc15e06d9ac60826b9d1d39e20dd939

SHA1
0899dd55de1d2e6998f0f66342592a199d93554c

SHA256
382f60d31ad670c6ff7582146dc540d0a4d0ffba3ee63df8d374b91ba7af6b23

SHA512
cc4960bba548579e555ac4ff7c297bfeedbfed3559ac285f5aaccaad8f87782160e51766052d80a3472d64e788386449f9f9d4fc213bd8bbe02fa83a9278f36e

Download Submit
memory/528-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-98-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-322-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/528-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-69-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/528-74-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/608-103-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/880-230-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/880-559-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/880-542-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/920-57-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/920-54-0x0000000000970000-0x0000000000AFE000-memory.dmp

Filesize
1.6MB

Download
memory/920-55-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/920-58-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/920-59-0x0000000005EA0000-0x0000000005FEE000-memory.dmp

Filesize
1.3MB

Download
memory/920-60-0x0000000007E90000-0x0000000008056000-memory.dmp

Filesize
1.8MB

Download
memory/920-56-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/944-82-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/944-88-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/944-101-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1040-248-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1040-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1144-162-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1160-201-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1160-188-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1160-547-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1252-102-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1496-130-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1612-541-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1612-229-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1672-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1672-175-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1672-181-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1672-438-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1732-167-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1732-160-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1732-629-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1732-375-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1732-169-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1748-129-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1756-132-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1756-119-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/1756-114-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/1860-197-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1860-172-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1860-183-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1860-155-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1860-149-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1860-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1860-373-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1960-143-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1960-139-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1960-140-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1960-141-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/2052-663-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2052-351-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2100-622-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2136-380-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2156-515-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/2156-544-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/2156-237-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/2188-235-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2188-543-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2248-378-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2264-574-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2264-599-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2316-623-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2316-666-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2328-262-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2328-587-0x0000000000670000-0x0000000000879000-memory.dmp

Filesize
2.0MB

Download
memory/2328-582-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2328-278-0x0000000000670000-0x0000000000879000-memory.dmp

Filesize
2.0MB

Download
memory/2460-279-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2516-591-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2516-280-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2620-299-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2648-302-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2720-305-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2720-601-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2820-616-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2820-325-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2892-619-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2892-327-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2912-661-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2984-348-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download