blustealer | 6bd883240fc97aff61fdafa84f6b28ac22849b0097dc80c3a4cfa75611cf14b6

Analysis

max time kernel
132s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.5MB
MD5

50815feaceafebb93a883fd6790af856
SHA1

9eee055af8be7bc6de2b6a3b869b553758ca741f
SHA256

a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3
SHA512

08fedff0fca35a0be3201f41e2583089284640e98f8597d4b33582e3b0b7157db4d7da0b1587deccd69564911b702fe159e9de9700cf6edee875cbf191d64e0d
SSDEEP

24576:EMQt9u/6kEu3h2ZuJPsbIf0O9AXpTHH6yTuEBEel9DWtJ/qBcME7W+DUn+GOaHjR:Wt9u/6kzwu7sjFpBEeritJ4QB0ZljJ

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 29 IoCs

pid	Process
464	Process not Found
1228	alg.exe
908	aspnet_state.exe
1736	mscorsvw.exe
2044	mscorsvw.exe
1996	mscorsvw.exe
1068	mscorsvw.exe
772	dllhost.exe
1528	ehRecvr.exe
584	ehsched.exe
1872	elevation_service.exe
960	IEEtwCollector.exe
580	mscorsvw.exe
1436	GROOVE.EXE
1640	maintenanceservice.exe
2136	msdtc.exe
2244	msiexec.exe
2264	mscorsvw.exe
2488	OSE.EXE
2544	OSPPSVC.EXE
2672	perfhost.exe
2700	locator.exe
2784	snmptrap.exe
2892	vds.exe
2984	vssvc.exe
2108	wbengine.exe
2116	WmiApSrv.exe
2396	wmpnetwk.exe
1488	SearchIndexer.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2244	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
764	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc618e47a5fe7035.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 472	1716	Purchase Order.exe	28
PID 472 set thread context of 1992	472	Purchase Order.exe	32

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Purchase Order.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Purchase Order.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{48C92478-6581-42D1-A34D-B40C7C621BB0}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{48C92478-6581-42D1-A34D-B40C7C621BB0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase Order.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1864	ehRec.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	472	Purchase Order.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: 33	1360	EhTray.exe
Token: SeIncBasePriorityPrivilege	1360	EhTray.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeDebugPrivilege	1864	ehRec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeSecurityPrivilege	2244	msiexec.exe
Token: 33	1360	EhTray.exe
Token: SeIncBasePriorityPrivilege	1360	EhTray.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeBackupPrivilege	2984	vssvc.exe
Token: SeRestorePrivilege	2984	vssvc.exe
Token: SeAuditPrivilege	2984	vssvc.exe
Token: SeBackupPrivilege	2108	wbengine.exe
Token: SeRestorePrivilege	2108	wbengine.exe
Token: SeSecurityPrivilege	2108	wbengine.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
472	Purchase Order.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 1716 wrote to memory of 472	1716	Purchase Order.exe	28
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 472 wrote to memory of 1992	472	Purchase Order.exe	32
PID 1068 wrote to memory of 580	1068	mscorsvw.exe	43
PID 1068 wrote to memory of 580	1068	mscorsvw.exe	43
PID 1068 wrote to memory of 580	1068	mscorsvw.exe	43
PID 1068 wrote to memory of 2264	1068	mscorsvw.exe	48
PID 1068 wrote to memory of 2264	1068	mscorsvw.exe	48
PID 1068 wrote to memory of 2264	1068	mscorsvw.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1992

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1736

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:772

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1528

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:584

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:960

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1640

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2488

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
56b26fce6ca0fa9d0792e2110eb0dd46

SHA1
dad1d5377a3fc58204eb2b407db983b22732c3db

SHA256
7b29abfed61b0bdf98133ffa52a92be1f5b83b34a52e6666e18400c50473d444

SHA512
41811c081cff29d3f07ae82fe6148b0de87a8e9545317a534689b560589d8507fed95b91fba7c09ae11de1c8ae34bbe491f1a6b099be1c8a74e602b56ee50d31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ac37c3cee36c93395487fdd28ee3eadf

SHA1
5ba5089fe2d55f94179f8c9a1cd4016247690180

SHA256
289983ab9d037246f567cb7c5bc0cd5b47d7fef432cd2da45fc9788d03435d61

SHA512
e7c9aa94daf6787227fa0b5ec42e9f5e89bb74c4c9b8b33258d424db4593a9de4facf58e5ccc25c64d5ec9dc7693168850cb7d56bd42c681aacf6983aaca5907

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e3f51255a5c3ea175e265793de1bc4d1

SHA1
ecee72240a0167d6f39f8f42686e31ce378d87d3

SHA256
5c0ea4febc81e2e17af61ef6668c3515ef57e8879848718e8586482d49f0b45c

SHA512
326f4b59691bcdedf36ba3614975a413ef115068a04e8c2da4fdcb5015fde7f3ee21c7fa283386217b050c789c88c9dfadfbeed33b7c97efd5a21a39f5039010

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
59fe8a5aac91fb97770245c5c5c669be

SHA1
5599559b92f73ba2e40f9b957183e6bf0cfc069f

SHA256
99284268180f30dc414f1bb530268aa850e15f87c5cce31f71d61b03c9281a62

SHA512
5aa3dc5ed1cca330ce4c8e4e9bb35024623d5ed220fbf7d77b10b50ec07809b43d54e93c0d9582487107b679b49e62d544fbb46f17b5b269741abd825ed1912d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7063a7583b8a369a7e0d1992c0db50b3

SHA1
7b0b30bb87ac5b52fc382ec61f9653e91e5a1940

SHA256
2c9879b42c78f893f1091e3dbfb88b441549e7cdbc49bb45963201c69850f617

SHA512
92aef8f9112feb3eb8caf6c8b1d24f08a0b5a9559dc1a2a61826d1805a82764384c3917733668b227298ce6748d19ba87dfd409fcd5fb4ef01119b2522e68fae

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3f9698f2b753a2ac2161922bf4908202

SHA1
c66cf2a380dc4b54c47a9ef232d215582e1c7d58

SHA256
d4a8b6dee0414e18bfbe810d63d12e57b12fca39232fe5c84a1e32566f7b0bcc

SHA512
9817d34fa2d05b9a8baed8b9f299a6230248d6da90cbaf2ea1ddc2e3656a8e6a6b501d284598af5ad3a679a99fb394cbba9441b6e7d1411655fffcc27ed3c34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
371e093a8719dc02c9bdf5671969652f

SHA1
0c02ea226764fb29b5315956b25871a6dc8d28c7

SHA256
208c30a8cc437c100fdef8a493f589dbf69728c54d014521ded300b128cd9e22

SHA512
16d9521d648409e724f0bfa3c034fb58d971a651b616b290b944d433b606a0a3eaf188ddc81f843a2e73312380a800ad8834b9a714b42d22ee35aaab071689c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
371e093a8719dc02c9bdf5671969652f

SHA1
0c02ea226764fb29b5315956b25871a6dc8d28c7

SHA256
208c30a8cc437c100fdef8a493f589dbf69728c54d014521ded300b128cd9e22

SHA512
16d9521d648409e724f0bfa3c034fb58d971a651b616b290b944d433b606a0a3eaf188ddc81f843a2e73312380a800ad8834b9a714b42d22ee35aaab071689c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
bfc2dd52752ee25abd546adc4de9e823

SHA1
4036faecea1ef9c31bc0b191bd51d8bdfccb43b5

SHA256
01d82d3d41c753704253a5ee2d2b97d2bf8df3ec380f65d33e435f298f163be4

SHA512
d61b7fd2c9ca9406f3ee6d4b454caeb23a928efa40a83588788b0736624f23d2950faf4f9cd8dc96a6a8120aeb32449b74c18730f0c6cf237bf55eff820088a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
743a5c1141005c5d1fa9ce41c0c1ad19

SHA1
af57cfb480b4e3c573f9eae23232487b35da1cbb

SHA256
87e5aea3ec7ce0a9db650fda205239915f854738dbb558914da55536a78123d8

SHA512
a1b6f3dcb6c496645ac8a128e6f5c74afd000c04691511a970067128b21553f301636a54cd18da5ba295556718e2db7928a847f80b554d4115a91d466d6e769e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9454ccba56fd8b8692fa713ea0ac3d24

SHA1
9d2d29e098597ff5c480295a46c7cb8d4db895b6

SHA256
9a1f17f55a726d662461c6ffac427f2a19997f772d242f35cc26ef9f8abf33c5

SHA512
23787361da39c4cadbea260fa95c78f3319ac4063e975df6aef05b85143b0a007c6efca334b0efee15e647561d40e84941b9272cd20ca49685dc5759620da47e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9454ccba56fd8b8692fa713ea0ac3d24

SHA1
9d2d29e098597ff5c480295a46c7cb8d4db895b6

SHA256
9a1f17f55a726d662461c6ffac427f2a19997f772d242f35cc26ef9f8abf33c5

SHA512
23787361da39c4cadbea260fa95c78f3319ac4063e975df6aef05b85143b0a007c6efca334b0efee15e647561d40e84941b9272cd20ca49685dc5759620da47e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9454ccba56fd8b8692fa713ea0ac3d24

SHA1
9d2d29e098597ff5c480295a46c7cb8d4db895b6

SHA256
9a1f17f55a726d662461c6ffac427f2a19997f772d242f35cc26ef9f8abf33c5

SHA512
23787361da39c4cadbea260fa95c78f3319ac4063e975df6aef05b85143b0a007c6efca334b0efee15e647561d40e84941b9272cd20ca49685dc5759620da47e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9454ccba56fd8b8692fa713ea0ac3d24

SHA1
9d2d29e098597ff5c480295a46c7cb8d4db895b6

SHA256
9a1f17f55a726d662461c6ffac427f2a19997f772d242f35cc26ef9f8abf33c5

SHA512
23787361da39c4cadbea260fa95c78f3319ac4063e975df6aef05b85143b0a007c6efca334b0efee15e647561d40e84941b9272cd20ca49685dc5759620da47e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ca4e3e7e70f66b8c2af0e9d90d74121c

SHA1
056270d306f036e0308b983dabdf9292e9b6b8dc

SHA256
f8c01788215ec9c36488580025394093fcde60e9f3801119eb5ac43345de7492

SHA512
35269518388960950ae52e687f3a777c18b74d8168fd8fd31b38b4820a31202f59be2c9e80f6e305b1579658b219ca297465dbf956b813fd70b3c794d919b3ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ca4e3e7e70f66b8c2af0e9d90d74121c

SHA1
056270d306f036e0308b983dabdf9292e9b6b8dc

SHA256
f8c01788215ec9c36488580025394093fcde60e9f3801119eb5ac43345de7492

SHA512
35269518388960950ae52e687f3a777c18b74d8168fd8fd31b38b4820a31202f59be2c9e80f6e305b1579658b219ca297465dbf956b813fd70b3c794d919b3ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
162e08f6daf582b527273eec1f51c418

SHA1
8b5ad862c7892a6691e309ffa2f5fa1635931a6c

SHA256
0e8103bffd89531bd260c248e59b20d210231b5c179e4082438222de6f980269

SHA512
5ba056e5043c7e61f53636f04fddacee8ec4f213083773acfd1aee8d2770c415dd907db64749f1a143d6b8a0dfc65d54d0fb1e77bf54b1039757760b12d715f9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1ee502b4e04ee6063f8f57c05fa11e99

SHA1
daa83a467972846164bd9a32ea80f83ef76c12b9

SHA256
eaca079f486ef5c5225b29bb74e13c17695d920246ef6dec17f09f1047a3a436

SHA512
18c65f06b4dcbe779ebc14736ba4c9746afb945a839e167bdb75ef0a99ddf870a8672e1e5b5cef768b2439ea9fce702af2cd876d8e47c736338c931164eebcc9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
519394e742e9644a3572558efcd9d760

SHA1
056ccf0aeb96625b40f990aa498ff201c7e6b73e

SHA256
2e97a589451544cf72c532d4b3bdce60a88a5649950f49be403b0a5e50ece1da

SHA512
e5b94481e10a36819773361c8199788a99a4a4369a20408d8ab00e6594969462c306a842aa4d21421a6deb5527cd0853a3e04a5a52ab8d590dd5d60bb6a6ed99

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
aa9f95fff967a5c95128051028e1c606

SHA1
34a74325928fffea04b6941437d18abdf1b38244

SHA256
a9fce91ecede54a6edea99a3ca4090167798ac1a820bada26696ae064e576c18

SHA512
b06199fc42a2d14fee5ee6656f7fd0333bc9f5d0c6afbfced7fed6ced8d0d119112c2ef4c7059e0f088667cf158b8cf9fa5dfb1babf2e6dc5e3f1c9c4dc7df4c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
f4b0715689c0eaa446342789a1d43762

SHA1
d70b890309d61d010348d496761d31c9654d9dc3

SHA256
1a9b8d50b5905fc96888416c0ffac519384b8e8079f3ab25f894528f94a9df72

SHA512
d5da8a35dfa72af8cf16c140f6971caecea9ef39b03ef6479168772cb84f202d386d90bd63c92def24c927081cbd57c816f2f92f333dd0b03ecdfb0ad2ede07d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
7f084c310408af94cb35eaaa1d0a4ddd

SHA1
3343349b0db87a8a425aa1645cf43ad0668a9f2b

SHA256
b7c6b610c75a64d8b258359f386cca43ece6daa38640e3a73597c62c4a702646

SHA512
31a536a0cd25deb8cb1185e190bb64820efeebb29235321c2318ace2ddfa98db2defb87ef1311940a5fb7883ea357d718980345705745bb02fc1cb1022871ef9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
51b5c0f0da185b01a524ed52a7468074

SHA1
67ff5e0e0cd674a54159ab265ef2207dc89c8b16

SHA256
121a805fa7405560a206deb72159fdea3e2788d79dbb32d547332e1918a7dc73

SHA512
55bacebc0c476c912bf6f049e7ae27709e24a1b3f02331712dcf06ffdb6c6ba7c590f0b53530b4a75f531f7ef0cd141614ad7c0680b742a75c746e9e6244518f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
167ebf0e9fd50afb83a71ca32c564142

SHA1
0bbf09b95117fae040713c12d8f3b7a69132d6ab

SHA256
778ec6c148cadfc4243aaa4e324d439d7963b4ed799ceb6122e0e297392a429a

SHA512
cae809c55cd2cabef43c46c19241dc133e6b13f93aeff1a47f6b7e228e160658c2f48548bfe31925dbfeeefa4cd30af3eaae12193b777e6afe8ade3a2828a5dd

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
4181e8b8f5c0ac474f070e281674e883

SHA1
94c0c1a4ed498e396708ba7f205c23268f78e5ae

SHA256
f632288a2b4c4b616b2d0ef644203facc1771b14def7fb1cb5c129f40ac886fe

SHA512
d76027a2d98c1ccde692a2dacf38e4179f349661e22579ab5a1de4b1e36bbd0b73adf40d5785c9024a80850fe47394f1baf20ee3be3db4efd9cb85225f5bd047

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5fd459e70721c4ee7b6c0f270dec24fa

SHA1
e3e2a5816fbeec407f2988c57191d1770f88adc0

SHA256
ab2213a94f09040f68ccc78db4d2e7ffbc090836e21c78c04c394e2cdc56956f

SHA512
620416b3ceab2e498420116d4621c91cdb05cd488f10d5b25e3ad1a19f23afa8f3150e8797bd53023e926262ba82336abb09d9664785f9f389eba7761874808f

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9a14665f6e2d19012d216a55f142c18a

SHA1
bc63c8f5f5745d26e22b5950a38a7daedf1d24bb

SHA256
3a663feef0565291bff7b4963f09655b73831164ac9286c5570ec613c5d7cf43

SHA512
450c557587648719caa8abcc245462989a315f21c54b80a498bafcd9101a9faebf1386305c5d5faff4976779c8502cde5905a824eb3cddab9b2905e25fa3176c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dec8bb0b6964aebfa869b2e0c44bf06f

SHA1
381868a70b428bbd7e047e836e7e632fd1ae4477

SHA256
404933e6cb2ef86ee5dc51926340c3d9d49b9a45397c93022297890909af68f6

SHA512
3c88fed0eb0c4a4562f5d7fc365ba88d7e8598b3e0ec18bdf232687c421483cd86aff17ab8e525f23afaf72dae9f34e562b6a6597ad73ba20cd041595dd38ed5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
d957a05e1a772791f6efaa8c33e89961

SHA1
22bb31e464a7b180b8bec08bed0254ee14d16274

SHA256
65db24ee5e6d5d8b8678bab56cb2cd5ffeb0c48cbfcc91fe3ee46cbb0f8280e6

SHA512
b5a0bea33099be23f20925aea82190a2f0df3e33cd17b4b0dcd639d4098380d253721e4215d86a013b70d7e1f478ea113874baa87d16cf7779109985edee7717

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3ef294a3167d5fabcaf02ec7ba7045bc

SHA1
a6676b8991e5ec8eea16b15cfca5910fcef52dac

SHA256
f0249565e5d9a36a2a085c54af01e7c9f39fbba2728fcf83884063833cb27083

SHA512
d8179eac81ebccf53d04f0a099327b01d3f60e6f017315b3a50d704de2a0bf7768188a5e60842073f36771eb1cdc53a3bc9d813a49ebb01ed98f84fc2933865f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
654f00e20eec734dab9e838a14c6c30a

SHA1
6ffcc46e4c165c07c912e818201cbaf76e785176

SHA256
4ce89e4bedf54da711270ae1c9a3aa5e082e89efab82536e3e9c60e193ba4fd9

SHA512
c47759a014a6be49e2ba652a1ea260e0b22f4325a137ca6e181885967592d0c958dfe7b6be2451103d3825a40cc0bebf2f362835893936503400a422804572cf

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ce49feafe58db65412940ad5db04a3a1

SHA1
6f226c38b45cc007df34e8fe1c2b2e1f82537c3e

SHA256
cb30922a38056301c5b3138d7a10bc1e2c55a5ab5f0fd2d1b6d9cc481df7ab22

SHA512
b652ec4b4712641b4306d795b1745b324778d2ccc8d3a61bbab35f32be6fd6e5ab1ebbcacf3f078bc482b84ce938e3d8e14cee402428f145abbf6d6572a675af

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
0291df5d8dda00609b88ebdf38ee389f

SHA1
e12d8edec9f791b0c47c478a1f6c7ef9e372eb17

SHA256
8c04901a325145fc5775cefd8e44ab431f6ee9a8e8d5561be9f6bf364e3c03a6

SHA512
212471414f8e27489b68e9aae34fabda37d3346c2d0415ea308ec743a3130cfcfb9efd0f21971f5c58239df226d3003063efdf413df63cbe413e9e37f6ea7b6d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
9a14665f6e2d19012d216a55f142c18a

SHA1
bc63c8f5f5745d26e22b5950a38a7daedf1d24bb

SHA256
3a663feef0565291bff7b4963f09655b73831164ac9286c5570ec613c5d7cf43

SHA512
450c557587648719caa8abcc245462989a315f21c54b80a498bafcd9101a9faebf1386305c5d5faff4976779c8502cde5905a824eb3cddab9b2905e25fa3176c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3f9698f2b753a2ac2161922bf4908202

SHA1
c66cf2a380dc4b54c47a9ef232d215582e1c7d58

SHA256
d4a8b6dee0414e18bfbe810d63d12e57b12fca39232fe5c84a1e32566f7b0bcc

SHA512
9817d34fa2d05b9a8baed8b9f299a6230248d6da90cbaf2ea1ddc2e3656a8e6a6b501d284598af5ad3a679a99fb394cbba9441b6e7d1411655fffcc27ed3c34f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3f9698f2b753a2ac2161922bf4908202

SHA1
c66cf2a380dc4b54c47a9ef232d215582e1c7d58

SHA256
d4a8b6dee0414e18bfbe810d63d12e57b12fca39232fe5c84a1e32566f7b0bcc

SHA512
9817d34fa2d05b9a8baed8b9f299a6230248d6da90cbaf2ea1ddc2e3656a8e6a6b501d284598af5ad3a679a99fb394cbba9441b6e7d1411655fffcc27ed3c34f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
371e093a8719dc02c9bdf5671969652f

SHA1
0c02ea226764fb29b5315956b25871a6dc8d28c7

SHA256
208c30a8cc437c100fdef8a493f589dbf69728c54d014521ded300b128cd9e22

SHA512
16d9521d648409e724f0bfa3c034fb58d971a651b616b290b944d433b606a0a3eaf188ddc81f843a2e73312380a800ad8834b9a714b42d22ee35aaab071689c9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
743a5c1141005c5d1fa9ce41c0c1ad19

SHA1
af57cfb480b4e3c573f9eae23232487b35da1cbb

SHA256
87e5aea3ec7ce0a9db650fda205239915f854738dbb558914da55536a78123d8

SHA512
a1b6f3dcb6c496645ac8a128e6f5c74afd000c04691511a970067128b21553f301636a54cd18da5ba295556718e2db7928a847f80b554d4115a91d466d6e769e

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
aa9f95fff967a5c95128051028e1c606

SHA1
34a74325928fffea04b6941437d18abdf1b38244

SHA256
a9fce91ecede54a6edea99a3ca4090167798ac1a820bada26696ae064e576c18

SHA512
b06199fc42a2d14fee5ee6656f7fd0333bc9f5d0c6afbfced7fed6ced8d0d119112c2ef4c7059e0f088667cf158b8cf9fa5dfb1babf2e6dc5e3f1c9c4dc7df4c

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
51b5c0f0da185b01a524ed52a7468074

SHA1
67ff5e0e0cd674a54159ab265ef2207dc89c8b16

SHA256
121a805fa7405560a206deb72159fdea3e2788d79dbb32d547332e1918a7dc73

SHA512
55bacebc0c476c912bf6f049e7ae27709e24a1b3f02331712dcf06ffdb6c6ba7c590f0b53530b4a75f531f7ef0cd141614ad7c0680b742a75c746e9e6244518f

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
167ebf0e9fd50afb83a71ca32c564142

SHA1
0bbf09b95117fae040713c12d8f3b7a69132d6ab

SHA256
778ec6c148cadfc4243aaa4e324d439d7963b4ed799ceb6122e0e297392a429a

SHA512
cae809c55cd2cabef43c46c19241dc133e6b13f93aeff1a47f6b7e228e160658c2f48548bfe31925dbfeeefa4cd30af3eaae12193b777e6afe8ade3a2828a5dd

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
4181e8b8f5c0ac474f070e281674e883

SHA1
94c0c1a4ed498e396708ba7f205c23268f78e5ae

SHA256
f632288a2b4c4b616b2d0ef644203facc1771b14def7fb1cb5c129f40ac886fe

SHA512
d76027a2d98c1ccde692a2dacf38e4179f349661e22579ab5a1de4b1e36bbd0b73adf40d5785c9024a80850fe47394f1baf20ee3be3db4efd9cb85225f5bd047

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5fd459e70721c4ee7b6c0f270dec24fa

SHA1
e3e2a5816fbeec407f2988c57191d1770f88adc0

SHA256
ab2213a94f09040f68ccc78db4d2e7ffbc090836e21c78c04c394e2cdc56956f

SHA512
620416b3ceab2e498420116d4621c91cdb05cd488f10d5b25e3ad1a19f23afa8f3150e8797bd53023e926262ba82336abb09d9664785f9f389eba7761874808f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9a14665f6e2d19012d216a55f142c18a

SHA1
bc63c8f5f5745d26e22b5950a38a7daedf1d24bb

SHA256
3a663feef0565291bff7b4963f09655b73831164ac9286c5570ec613c5d7cf43

SHA512
450c557587648719caa8abcc245462989a315f21c54b80a498bafcd9101a9faebf1386305c5d5faff4976779c8502cde5905a824eb3cddab9b2905e25fa3176c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9a14665f6e2d19012d216a55f142c18a

SHA1
bc63c8f5f5745d26e22b5950a38a7daedf1d24bb

SHA256
3a663feef0565291bff7b4963f09655b73831164ac9286c5570ec613c5d7cf43

SHA512
450c557587648719caa8abcc245462989a315f21c54b80a498bafcd9101a9faebf1386305c5d5faff4976779c8502cde5905a824eb3cddab9b2905e25fa3176c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dec8bb0b6964aebfa869b2e0c44bf06f

SHA1
381868a70b428bbd7e047e836e7e632fd1ae4477

SHA256
404933e6cb2ef86ee5dc51926340c3d9d49b9a45397c93022297890909af68f6

SHA512
3c88fed0eb0c4a4562f5d7fc365ba88d7e8598b3e0ec18bdf232687c421483cd86aff17ab8e525f23afaf72dae9f34e562b6a6597ad73ba20cd041595dd38ed5

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
d957a05e1a772791f6efaa8c33e89961

SHA1
22bb31e464a7b180b8bec08bed0254ee14d16274

SHA256
65db24ee5e6d5d8b8678bab56cb2cd5ffeb0c48cbfcc91fe3ee46cbb0f8280e6

SHA512
b5a0bea33099be23f20925aea82190a2f0df3e33cd17b4b0dcd639d4098380d253721e4215d86a013b70d7e1f478ea113874baa87d16cf7779109985edee7717

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3ef294a3167d5fabcaf02ec7ba7045bc

SHA1
a6676b8991e5ec8eea16b15cfca5910fcef52dac

SHA256
f0249565e5d9a36a2a085c54af01e7c9f39fbba2728fcf83884063833cb27083

SHA512
d8179eac81ebccf53d04f0a099327b01d3f60e6f017315b3a50d704de2a0bf7768188a5e60842073f36771eb1cdc53a3bc9d813a49ebb01ed98f84fc2933865f

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
654f00e20eec734dab9e838a14c6c30a

SHA1
6ffcc46e4c165c07c912e818201cbaf76e785176

SHA256
4ce89e4bedf54da711270ae1c9a3aa5e082e89efab82536e3e9c60e193ba4fd9

SHA512
c47759a014a6be49e2ba652a1ea260e0b22f4325a137ca6e181885967592d0c958dfe7b6be2451103d3825a40cc0bebf2f362835893936503400a422804572cf

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ce49feafe58db65412940ad5db04a3a1

SHA1
6f226c38b45cc007df34e8fe1c2b2e1f82537c3e

SHA256
cb30922a38056301c5b3138d7a10bc1e2c55a5ab5f0fd2d1b6d9cc481df7ab22

SHA512
b652ec4b4712641b4306d795b1745b324778d2ccc8d3a61bbab35f32be6fd6e5ab1ebbcacf3f078bc482b84ce938e3d8e14cee402428f145abbf6d6572a675af

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
0291df5d8dda00609b88ebdf38ee389f

SHA1
e12d8edec9f791b0c47c478a1f6c7ef9e372eb17

SHA256
8c04901a325145fc5775cefd8e44ab431f6ee9a8e8d5561be9f6bf364e3c03a6

SHA512
212471414f8e27489b68e9aae34fabda37d3346c2d0415ea308ec743a3130cfcfb9efd0f21971f5c58239df226d3003063efdf413df63cbe413e9e37f6ea7b6d

Download Submit
memory/472-74-0x0000000000120000-0x0000000000186000-memory.dmp

Filesize
408KB

Download
memory/472-69-0x0000000000120000-0x0000000000186000-memory.dmp

Filesize
408KB

Download
memory/472-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/472-95-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/472-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/472-129-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/472-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/472-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/472-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/472-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-275-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/580-214-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/584-166-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/584-160-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/584-315-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/772-150-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/908-97-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/960-192-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/960-517-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/960-182-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/960-342-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1068-290-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1068-133-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1228-82-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1228-96-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1228-88-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1436-382-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1436-215-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1488-401-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1488-523-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1528-151-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1528-157-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1528-144-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1528-152-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1528-190-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1528-292-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1528-159-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1640-222-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1640-244-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1716-54-0x0000000001170000-0x00000000012FE000-memory.dmp

Filesize
1.6MB

Download
memory/1716-58-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1716-57-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/1716-56-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1716-59-0x0000000005DF0000-0x0000000005F3E000-memory.dmp

Filesize
1.3MB

Download
memory/1716-55-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/1716-60-0x0000000007DF0000-0x0000000007FB6000-memory.dmp

Filesize
1.8MB

Download
memory/1736-122-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1864-264-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1864-213-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1864-379-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1864-348-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1872-171-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1872-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1872-317-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1872-177-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1992-104-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1992-101-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1992-107-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1992-109-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1992-118-0x0000000001130000-0x00000000011EC000-memory.dmp

Filesize
752KB

Download
memory/1992-127-0x0000000005040000-0x0000000005080000-memory.dmp

Filesize
256KB

Download
memory/1992-105-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1996-128-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1996-124-0x0000000000C50000-0x0000000000CB6000-memory.dmp

Filesize
408KB

Download
memory/2044-125-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2108-384-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2116-385-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2116-521-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2136-240-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2244-267-0x0000000000560000-0x0000000000769000-memory.dmp

Filesize
2.0MB

Download
memory/2244-262-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2244-472-0x0000000000560000-0x0000000000769000-memory.dmp

Filesize
2.0MB

Download
memory/2244-469-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2264-266-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2264-337-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2396-398-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2396-522-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2488-288-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2544-511-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2544-289-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2672-319-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2700-320-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2784-322-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2784-518-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2892-345-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2892-520-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2984-344-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2984-519-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download