blustealer | 66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Size

1.4MB
MD5

348bfc0c42d7254bc63e482c4173fea8
SHA1

ef6a18df4c2d04c6c194c5cd959e714114a402ab
SHA256

66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8
SHA512

ebabb70e503b8631210ce53d89c03275b190823e85fb1591216022c575b271cb981b2c93f63989b0179bfa6fbd807c11d1cafd43d335d2010d35b9ae9f21be43
SSDEEP

24576:+3y9ZjI1Uw2ojP1WQ4C8KJ/Ixl2KVpLNzwOKb3uR/kCrVKoNZXgUFqssP:B9Z0xWQTJ/uAWp53R/k+VdQW6

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
464	Process not Found
1888	alg.exe
1352	aspnet_state.exe
1532	mscorsvw.exe
1688	mscorsvw.exe
960	mscorsvw.exe
1580	mscorsvw.exe
1540	dllhost.exe
888	ehRecvr.exe
1636	ehsched.exe
1696	elevation_service.exe
2028	IEEtwCollector.exe
632	GROOVE.EXE
1316	maintenanceservice.exe
1296	msdtc.exe
2132	mscorsvw.exe
2192	msiexec.exe
2364	mscorsvw.exe
2412	OSE.EXE
2508	OSPPSVC.EXE
2612	perfhost.exe
2644	locator.exe
2720	snmptrap.exe
2776	mscorsvw.exe
2920	vds.exe
3000	vssvc.exe
2064	wbengine.exe
2188	WmiApSrv.exe
2444	wmpnetwk.exe
2572	SearchIndexer.exe
2852	mscorsvw.exe
3056	mscorsvw.exe
2312	mscorsvw.exe
2372	mscorsvw.exe
2716	mscorsvw.exe
2936	mscorsvw.exe
2120	mscorsvw.exe
1688	mscorsvw.exe
876	mscorsvw.exe
2028	mscorsvw.exe
2880	mscorsvw.exe
2112	mscorsvw.exe
2284	mscorsvw.exe
1688	mscorsvw.exe
924	mscorsvw.exe
2876	mscorsvw.exe
3052	mscorsvw.exe
2300	mscorsvw.exe
3012	mscorsvw.exe
1224	mscorsvw.exe
2632	mscorsvw.exe
1984	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2192	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
772	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\locator.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\vds.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\94dc23f447bf3ad0.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1652 set thread context of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B2710FDB-9311-46CA-8BA9-36F0F509DCD6}\chrome_installer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9B1E77DF-B0F8-4AFA-9D7F-09D7A53AEB48}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9B1E77DF-B0F8-4AFA-9D7F-09D7A53AEB48}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{46391D80-853D-4386-B204-E55D1DC9D5FF}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1436	ehRec.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeShutdownPrivilege	960	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: 33	1584	EhTray.exe
Token: SeIncBasePriorityPrivilege	1584	EhTray.exe
Token: SeShutdownPrivilege	960	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: SeDebugPrivilege	1436	ehRec.exe
Token: SeShutdownPrivilege	960	mscorsvw.exe
Token: SeShutdownPrivilege	960	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeSecurityPrivilege	2192	msiexec.exe
Token: 33	1584	EhTray.exe
Token: SeIncBasePriorityPrivilege	1584	EhTray.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeBackupPrivilege	2064	wbengine.exe
Token: SeRestorePrivilege	2064	wbengine.exe
Token: SeSecurityPrivilege	2064	wbengine.exe
Token: 33	2444	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2444	wmpnetwk.exe
Token: SeManageVolumePrivilege	2572	SearchIndexer.exe
Token: 33	2572	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2572	SearchIndexer.exe
Token: SeDebugPrivilege	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeShutdownPrivilege	960	mscorsvw.exe
Token: SeShutdownPrivilege	1580	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1584	EhTray.exe
1584	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1584	EhTray.exe
1584	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
2292	SearchProtocolHost.exe
1144	SearchProtocolHost.exe
1144	SearchProtocolHost.exe
1144	SearchProtocolHost.exe
1144	SearchProtocolHost.exe
1144	SearchProtocolHost.exe
1144	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1780 wrote to memory of 1652	1780	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	26
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 1652 wrote to memory of 1972	1652	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	30
PID 960 wrote to memory of 2132	960	mscorsvw.exe	44
PID 960 wrote to memory of 2132	960	mscorsvw.exe	44
PID 960 wrote to memory of 2132	960	mscorsvw.exe	44
PID 960 wrote to memory of 2132	960	mscorsvw.exe	44
PID 960 wrote to memory of 2364	960	mscorsvw.exe	46
PID 960 wrote to memory of 2364	960	mscorsvw.exe	46
PID 960 wrote to memory of 2364	960	mscorsvw.exe	46
PID 960 wrote to memory of 2364	960	mscorsvw.exe	46
PID 960 wrote to memory of 2776	960	mscorsvw.exe	52
PID 960 wrote to memory of 2776	960	mscorsvw.exe	52
PID 960 wrote to memory of 2776	960	mscorsvw.exe	52
PID 960 wrote to memory of 2776	960	mscorsvw.exe	52
PID 2572 wrote to memory of 2292	2572	SearchIndexer.exe	60
PID 2572 wrote to memory of 2292	2572	SearchIndexer.exe	60
PID 2572 wrote to memory of 2292	2572	SearchIndexer.exe	60
PID 2572 wrote to memory of 2804	2572	SearchIndexer.exe	61
PID 2572 wrote to memory of 2804	2572	SearchIndexer.exe	61
PID 2572 wrote to memory of 2804	2572	SearchIndexer.exe	61
PID 960 wrote to memory of 2852	960	mscorsvw.exe	62
PID 960 wrote to memory of 2852	960	mscorsvw.exe	62
PID 960 wrote to memory of 2852	960	mscorsvw.exe	62
PID 960 wrote to memory of 2852	960	mscorsvw.exe	62
PID 960 wrote to memory of 3056	960	mscorsvw.exe	63
PID 960 wrote to memory of 3056	960	mscorsvw.exe	63
PID 960 wrote to memory of 3056	960	mscorsvw.exe	63
PID 960 wrote to memory of 3056	960	mscorsvw.exe	63
PID 960 wrote to memory of 2312	960	mscorsvw.exe	64
PID 960 wrote to memory of 2312	960	mscorsvw.exe	64
PID 960 wrote to memory of 2312	960	mscorsvw.exe	64
PID 960 wrote to memory of 2312	960	mscorsvw.exe	64
PID 960 wrote to memory of 2372	960	mscorsvw.exe	65
PID 960 wrote to memory of 2372	960	mscorsvw.exe	65
PID 960 wrote to memory of 2372	960	mscorsvw.exe	65
PID 960 wrote to memory of 2372	960	mscorsvw.exe	65
PID 960 wrote to memory of 2716	960	mscorsvw.exe	66
PID 960 wrote to memory of 2716	960	mscorsvw.exe	66
PID 960 wrote to memory of 2716	960	mscorsvw.exe	66
PID 960 wrote to memory of 2716	960	mscorsvw.exe	66
PID 960 wrote to memory of 2936	960	mscorsvw.exe	67
PID 960 wrote to memory of 2936	960	mscorsvw.exe	67
PID 960 wrote to memory of 2936	960	mscorsvw.exe	67
PID 960 wrote to memory of 2936	960	mscorsvw.exe	67
PID 960 wrote to memory of 2120	960	mscorsvw.exe	68
PID 960 wrote to memory of 2120	960	mscorsvw.exe	68
PID 960 wrote to memory of 2120	960	mscorsvw.exe	68
PID 960 wrote to memory of 2120	960	mscorsvw.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
"C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
  "C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1532

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e4 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e4 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 27c -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 25c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 248 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 248 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 264 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 264 -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 278 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 25c -NGENProcess 2a4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1540

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:888

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2412

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2508

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1563773381-2037468142-1146002597-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1563773381-2037468142-1146002597-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c8d539f8d84ffe8c2f795fe14afa3e46

SHA1
ddf962a5ec7bc1fa4f08f40dfc20e6772d78feb5

SHA256
3cb4efe621d2c2e54bdc683f4f98b4ff0d5fcccfb6a7a2f7ead49b904b904b77

SHA512
53ba4d35a5ec55d905a9924f67d5aa6d5bb9dfcb88c6c9fba7855972dfb7f0940162295d0f45384dac4e89699bf6b4f19ab2ae34d1afc67e3ce5dc94c4ef5c91

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
194dd7d2561b82aefe0cfe16f58585df

SHA1
2830a5c165bd93c2a32d784143e61518aa7ebcf8

SHA256
964553bfd6b32f61eeedfdf68fb1cb120a962ae1c0670bdf8e7900e8af4a4467

SHA512
69c22f4608fad948163db712ec22e897656ea721388fb7e36150d8cb31965702fe5a9280dc849f030fd91d1c26d87a1dc8e357d7e81557bef66ecb576b213834

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7621fba73ac4735381bdca6ff478d1ad

SHA1
38d6fbe426acfe7d4344e37a335b83d75894fa72

SHA256
58387970635de0bae095484c37d764c21b4bad61238e103f14760b5557386175

SHA512
1e889a9e7ad01ab81c52a820e72a5977907452675dfdad246a644e839536d4e92394c97635e84486d1bd9bcd74fa4dbb14389368c7a32ad46eecc89a96ace246

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
a462db3d1d36b31326b17b5c1da9fa5e

SHA1
653a6e4d522d51a8d810bb75e7ce458298d60eda

SHA256
a9c19e2331acc018eea41067801834cf0b0a48bec7b41c53bea5ac737caad96e

SHA512
935b2ffc6745d7254703ca4a65934e1b72f61b777029bb3fcd4b423b2ca67a6dd1a4b672c2ed0df25d7e16b3d6f035f8988e00520a2499fe3f43804d7ec252e8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7a3ca6e9f9254d7ab093a1c2ce702fcc

SHA1
59674301f08c85dd015eda8be6b818d71bad7eab

SHA256
daff14693431d150d45196befcdcb0d5eccbb3074e8363493555f2ba2a246a61

SHA512
d061defdb84debfa856fd0d585cc33a6e596c314d977e7e78e86a030232316a6883750d41037a83f025d055b3792a54e23eee13eb4714f4364ff7a0b1a2c2f55

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ed0ec4756141fe26db7b6e51960b02bf

SHA1
a69344bcd1aac16af11580c2051347db2ec2c15c

SHA256
b06e213f11283b84991d6e4df895dff48448f5d77b788b06a65e12041a694ed0

SHA512
83a428b96b4ecd9ba98ef6510c393fb7f07ec4637f0f028d86a040fb4093057a66d9028f9338dd5bf929b95a3495f97a32d85907e9adb70387dcd29f266d9010

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
db00eba02cdd2eadb056f64e63d3f6e4

SHA1
793ff1fb71239093af61d34f5e69ac1550842482

SHA256
1def3fabc184cc09761c5987a01358840cf126b30a17d3bacbd5906275c94f44

SHA512
b2504024342805748bcbe54b21d664560df24470b121115b6af0770ef44fc14193e4d19f0fe01f23be7451fdca85e61397c9746edcbddf2e7650e62c8f9065a4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
924438f3823a54ef84e0147e5cd85758

SHA1
0f8a8c052444375f8cc635d02cf3fdfaeb750cf8

SHA256
46f4b56c87224fd0a6b5251b2408b47b9abf89b5b771941f71291d9c049ccedf

SHA512
40609a205d94330210b9d76af3c8d54029f10aa3d9b76dd45ea6b57b6696a0fe9b0307a35e8d08f37567a1ef5d44a8bc2a7be6043a4587ae4f969820ec763b0f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
924438f3823a54ef84e0147e5cd85758

SHA1
0f8a8c052444375f8cc635d02cf3fdfaeb750cf8

SHA256
46f4b56c87224fd0a6b5251b2408b47b9abf89b5b771941f71291d9c049ccedf

SHA512
40609a205d94330210b9d76af3c8d54029f10aa3d9b76dd45ea6b57b6696a0fe9b0307a35e8d08f37567a1ef5d44a8bc2a7be6043a4587ae4f969820ec763b0f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
cf17186cf645fdf43b9567f1b1ef4780

SHA1
59347eb0ac87cb1bd69f5f3a3d4e56a7001ed084

SHA256
ecef4665635816757c27284eb84d1c184badd1d41dc7682300b540f6d139490e

SHA512
7790a9c4f787beb5a0495b9c69dda8ff46e000af10e9666cd92780e60f2fa5fc7d4c4f1cf87f40232400377f45c4fd1b83b9a36c27e3e1a05e8ab2459de61bfd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
6ed3ec95542b588569e0cf5471b20a50

SHA1
0c68e9751abf2b36716118dc69f8f44111752e60

SHA256
00654fe7807d72e3a46fa512f8458a211c96e96cfd55cccaf00e12a4f414890e

SHA512
0dcc970b9b7d73dbad97ddfa0ca51ec2f3a4093fb5d770cd5a692e4a6a663a9cc75846af7c7cee5336e4939e09dba5134d6017d158b07c582b37aed0b1240cb1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e1a7430df2ca882e2a82c9561957eb7d

SHA1
e08c4cc6c6a1115cd03e7518623cf0d6c5662f6b

SHA256
7b93e4b6e39a04fc5bf8eb0a318c06bc90b1cd9353ed5ba3e97b03bdb0718cca

SHA512
e26bbd8a3cedd175083826eecc82abd1f893c1034526161bc756f8fd2e5028cb724b27cf9a54e61635ae93a1a49a960c93531e91fd3eb641d6249d98963e94d8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e1a7430df2ca882e2a82c9561957eb7d

SHA1
e08c4cc6c6a1115cd03e7518623cf0d6c5662f6b

SHA256
7b93e4b6e39a04fc5bf8eb0a318c06bc90b1cd9353ed5ba3e97b03bdb0718cca

SHA512
e26bbd8a3cedd175083826eecc82abd1f893c1034526161bc756f8fd2e5028cb724b27cf9a54e61635ae93a1a49a960c93531e91fd3eb641d6249d98963e94d8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d49f679c67e943848ef9867187f89692

SHA1
1b916768d2bde465bee0e7dae1586bc361193208

SHA256
52e1a0f459f67d420c3ea776c948e32c331f576f183f59bd468cce0a988313b8

SHA512
118cef139d666a7dd1d400f89cd076822d1541b8cbaf0404238add9c97dd6a68de102558985f5357913aad13e623e0592c84249b0e55a2ceef41ac9f3db4b1da

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d49f679c67e943848ef9867187f89692

SHA1
1b916768d2bde465bee0e7dae1586bc361193208

SHA256
52e1a0f459f67d420c3ea776c948e32c331f576f183f59bd468cce0a988313b8

SHA512
118cef139d666a7dd1d400f89cd076822d1541b8cbaf0404238add9c97dd6a68de102558985f5357913aad13e623e0592c84249b0e55a2ceef41ac9f3db4b1da

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
6e11b8c0e7a0936a1234ba394ea4d395

SHA1
30506a58e29eb375c4b7a96e0945a093260a5752

SHA256
72af7b34e7a55554547cbdda1f0dff46c2d35ed9797cc382a42f4932bc1ab59b

SHA512
e98d3f7481a13316f1efd7ce5b75ba75d280b64b3b1037d3f32fcf747e544270d76ca02e0d4dbbb5e0e3cd88b4709f11ed01d0ac644cefe1f1bdc20aae1f727d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
797eb12c5cdfa21e0710d201eed138c5

SHA1
7bded604c773e5fca788133e8dda13dd73656f3d

SHA256
50cabce5e24700cdec24653f73fe751586d95c321b6afdb3f29ca5710c546ae0

SHA512
e9e3f2d16d07ce040d2dbe90bac5784547d98c00376e652ba9f851ffc29cd327f269aad27688a6e395a46595f35a893a458f381d9882de6e338cd88e9edd6f70

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3fce56f666ea3c9930a15867d89600ae

SHA1
e028b71d245bed502ad7461c1abc05a5c53a9ab9

SHA256
bf34749f4d01c4fc3591688f0a7327e83b39c580bd4d3f02a7fe1d7e264dc8c5

SHA512
773c7badeba39c7891e3587f04ad0a54308fbe23cdd6d395a9957fe6699b36f78a541b893ac50d18d70bdc82bd77720ac7c5e72e013843ee191c4cbd267f11d5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
05367c0060b375a044a76370519f9640

SHA1
9ec7924922026323bca44ff9c0f639fd128b227d

SHA256
cc6bf91aee2cd296d984b6e3e214fb08e8252c5901fee951e0b41e40676b6782

SHA512
66cd9f64af70f9e7a029d3016f1fec9756e91428f01f2af62e56b9c7e347a0820438e15d0e456fa99cef916145415bcdedbd55c7e2ed38a9a6eb04505d60eb28

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
ec130848895f0ce3610661dd87e5fc7f

SHA1
7129988dfe7d562f089231b904613cfcd0bb7ab9

SHA256
4bd9a5d8260c2135e8cabfb0aaebb97408e8386697255e72e7eef7dc6ed190f5

SHA512
b847db4a95bea28c5744887a193e7a9e00d60070ca090c52adaeb44af1d4609a108fc480ab930c189cecbd1ff057d66741c3d4f467566f49933683d49850576a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
bfb893087f5dfedc3ec193e2fc271d66

SHA1
3c967909ec45624fdc7698933cc8f502b3818647

SHA256
7777a58d37b4814d4f5dcf8a28113b461a2de063bee8f9cc8c2994b8c76298e8

SHA512
71a4a08eff77b32a3b6b331bfc1c31c6ddb741095229e9824b7c21c92a657072ce5062e43389500a78f9bdfae8a2d17fa1477cd6c9e493e8794214b78ea7968d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cb7168d07085cd6c7b7a7404fc6228ba

SHA1
1fcd7e81627d773ac40b5030704dec11f658d114

SHA256
58539244a39b7606591a9d467e9a75fcd514340461bdbf41d4181e033b5cd081

SHA512
0dbf2e6afe1f72e0d7e8d265404cc902c0c495d0a6d5bdd7e0eff9fcb14f7d8cdf87009d144864ed9f75325a651c362f89d7294ae9cdb01e18f0069c9f664e2a

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
ea8c8df3e5b11ee75c51586b753e6c25

SHA1
39e7a5259c9255c470c7d758fea7ea6c91bd2006

SHA256
49a9fe15c68553882c314c19b01097dca05ba31b7bc1e56380eef8509ca0d2c4

SHA512
d0a9d15002a6d3ae161c581e26d49a8e0da9f4879b31bc1de066939ebbacc6d00818a15d7e09d0c3ebf60cd2ec70d50ea6c181e1df4b3c80fa7eed0e1750d985

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
9cec86bf8f51f9b022966ab3b8d3ea5e

SHA1
185da81796e32d1434a1981a420b313d46c0753d

SHA256
a5644b882b752adcc2d750e6f046047feafababa871353692a3f0d02d139755f

SHA512
505af076ddea55777dac6328c956685573e8c1d7f45da7447f3a04a82ef5d98f5030d8207af464fb307773d0d16e93d24e5cb46930af01949adeaf9e946acf9f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6b27d8141ca2d3a922800c99f275aa84

SHA1
61de664eac868b03891c90efb71a63a00120e09b

SHA256
e4f58c4e175bfe5c51fcddb23dc484093b8ca9bc59ab659397159080aff8b7b0

SHA512
5ed76bfe25960d841aeab8774c81f43bb996339be67321bc32a908664596c990a4d9f83a500f2b4313144322fd42e3da11ae03e9dd2e5bd116c225f2fc4b347e

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
582cb548806e48c28ddf40d78c74dce7

SHA1
5813114c4677985307b6301b98ddc588a4d91323

SHA256
faaec7c4ddd5bd4b50c4fee6b2e4d86aff8520dee91fb095c1f2b20519d294db

SHA512
e92d02e2c53cde29070cd5ea9e83966d5fdc04ca25e242aa55fdf7777320ebe1b723e727012cf217c1768e6d32a64134b124a7341e2ff929a63e30d1b904ba70

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b5eb807e3358ab4d8deb781fd203870e

SHA1
12c817ab8a30a9025d62c9392978c26f92f4908c

SHA256
5a27cb30280aa7e494d6ed2c758a09597397ddb0c9017dfc80257b9936f675de

SHA512
2161ba05cb840a130ac570a368d8472a569f156d8a3c85c4fbe0178195d696a092ebe9f9bbe2792306c1606c69cc3cf8cb2abe68bee0eb1bfd6abd7757514195

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
26c00a58aa7a147ee77c0351d8883479

SHA1
38957192079734c8e6326ed43c93f28db2fb8429

SHA256
fe745e44d1101fb0aaf9d51812bffba20a17dded65a38d77ab3bc28f96aec76f

SHA512
6b981c42111dd5dd1984866299e0cc9781b0d53efc08910b901072717e08a85d5a5cbb80e9f070d135480256c1f36ba687d8f268bb27a1779a4c70bc5b3cacc6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
aac6d9647d1dae1e280a9f92d1ab527f

SHA1
d939c558faf38167f0c0d64ce28589c363a9978b

SHA256
74fb16efb4e312ae48fde4f2ad9c087657513a0ae2eddd288aa959efa725eef5

SHA512
92ad3cd5d6c3169b5f036e91920cee1da38f8ad5af0230c3b95093795cd18369b4188106c3ac30d5efe12a5e7e857c75d4e2a2a13a274a4446d0cfcadd47c376

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
eb3bbb79bb5937a04dca545fc8bb4223

SHA1
3caa9b845809126b13f6a51044bd10667429a2bd

SHA256
e9dbe8e87ad1bf1db4fc14e579cf6db7008cb2e3467154aed194205cc28745bd

SHA512
bc2d47042a7a9826c71f6a0109a2518ad54e2a9721e20fb198188606cba87816f60dd3d437ed8fca80a4fb75a0e0b79cb99b5e7995c24c6e2d71e72ec693efcd

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f6c4a5bd79e04282ddd90c88eac33d32

SHA1
b8a848fcd6633906905d09a0f70b970015e1aa8d

SHA256
f5c91efcd78e9b6c3f1e106745de5004af0185efa7f62d251cb45bd6e9e08d78

SHA512
cbe97d0e9b39b6f289d2641eecf3de026fd55c4224add4ddbe1af3785392eec870f3fd0d7ce0a40a1c10bc654eb50e2722b518265824e7b4d76aba3e6224bf98

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
6c655986dc039f75bbfe59a9933bb891

SHA1
681560e67914b82ddbf8b9f1109a4a058d799d10

SHA256
66e992d30d4afe4de3832695726ad92f2b5a84b5707ad0b6b9de2698ea608a1e

SHA512
849c0aa8d4398e783da723d6e72a528eac5f8839cb0a2316e3bbfab2c5827ea0d289799767fdf3fd6ac78a04260b16cc98d43ef561c5b64f28b9c3609d22a5b2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
582cb548806e48c28ddf40d78c74dce7

SHA1
5813114c4677985307b6301b98ddc588a4d91323

SHA256
faaec7c4ddd5bd4b50c4fee6b2e4d86aff8520dee91fb095c1f2b20519d294db

SHA512
e92d02e2c53cde29070cd5ea9e83966d5fdc04ca25e242aa55fdf7777320ebe1b723e727012cf217c1768e6d32a64134b124a7341e2ff929a63e30d1b904ba70

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ed0ec4756141fe26db7b6e51960b02bf

SHA1
a69344bcd1aac16af11580c2051347db2ec2c15c

SHA256
b06e213f11283b84991d6e4df895dff48448f5d77b788b06a65e12041a694ed0

SHA512
83a428b96b4ecd9ba98ef6510c393fb7f07ec4637f0f028d86a040fb4093057a66d9028f9338dd5bf929b95a3495f97a32d85907e9adb70387dcd29f266d9010

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ed0ec4756141fe26db7b6e51960b02bf

SHA1
a69344bcd1aac16af11580c2051347db2ec2c15c

SHA256
b06e213f11283b84991d6e4df895dff48448f5d77b788b06a65e12041a694ed0

SHA512
83a428b96b4ecd9ba98ef6510c393fb7f07ec4637f0f028d86a040fb4093057a66d9028f9338dd5bf929b95a3495f97a32d85907e9adb70387dcd29f266d9010

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
924438f3823a54ef84e0147e5cd85758

SHA1
0f8a8c052444375f8cc635d02cf3fdfaeb750cf8

SHA256
46f4b56c87224fd0a6b5251b2408b47b9abf89b5b771941f71291d9c049ccedf

SHA512
40609a205d94330210b9d76af3c8d54029f10aa3d9b76dd45ea6b57b6696a0fe9b0307a35e8d08f37567a1ef5d44a8bc2a7be6043a4587ae4f969820ec763b0f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
6ed3ec95542b588569e0cf5471b20a50

SHA1
0c68e9751abf2b36716118dc69f8f44111752e60

SHA256
00654fe7807d72e3a46fa512f8458a211c96e96cfd55cccaf00e12a4f414890e

SHA512
0dcc970b9b7d73dbad97ddfa0ca51ec2f3a4093fb5d770cd5a692e4a6a663a9cc75846af7c7cee5336e4939e09dba5134d6017d158b07c582b37aed0b1240cb1

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
05367c0060b375a044a76370519f9640

SHA1
9ec7924922026323bca44ff9c0f639fd128b227d

SHA256
cc6bf91aee2cd296d984b6e3e214fb08e8252c5901fee951e0b41e40676b6782

SHA512
66cd9f64af70f9e7a029d3016f1fec9756e91428f01f2af62e56b9c7e347a0820438e15d0e456fa99cef916145415bcdedbd55c7e2ed38a9a6eb04505d60eb28

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cb7168d07085cd6c7b7a7404fc6228ba

SHA1
1fcd7e81627d773ac40b5030704dec11f658d114

SHA256
58539244a39b7606591a9d467e9a75fcd514340461bdbf41d4181e033b5cd081

SHA512
0dbf2e6afe1f72e0d7e8d265404cc902c0c495d0a6d5bdd7e0eff9fcb14f7d8cdf87009d144864ed9f75325a651c362f89d7294ae9cdb01e18f0069c9f664e2a

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
ea8c8df3e5b11ee75c51586b753e6c25

SHA1
39e7a5259c9255c470c7d758fea7ea6c91bd2006

SHA256
49a9fe15c68553882c314c19b01097dca05ba31b7bc1e56380eef8509ca0d2c4

SHA512
d0a9d15002a6d3ae161c581e26d49a8e0da9f4879b31bc1de066939ebbacc6d00818a15d7e09d0c3ebf60cd2ec70d50ea6c181e1df4b3c80fa7eed0e1750d985

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
9cec86bf8f51f9b022966ab3b8d3ea5e

SHA1
185da81796e32d1434a1981a420b313d46c0753d

SHA256
a5644b882b752adcc2d750e6f046047feafababa871353692a3f0d02d139755f

SHA512
505af076ddea55777dac6328c956685573e8c1d7f45da7447f3a04a82ef5d98f5030d8207af464fb307773d0d16e93d24e5cb46930af01949adeaf9e946acf9f

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6b27d8141ca2d3a922800c99f275aa84

SHA1
61de664eac868b03891c90efb71a63a00120e09b

SHA256
e4f58c4e175bfe5c51fcddb23dc484093b8ca9bc59ab659397159080aff8b7b0

SHA512
5ed76bfe25960d841aeab8774c81f43bb996339be67321bc32a908664596c990a4d9f83a500f2b4313144322fd42e3da11ae03e9dd2e5bd116c225f2fc4b347e

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
582cb548806e48c28ddf40d78c74dce7

SHA1
5813114c4677985307b6301b98ddc588a4d91323

SHA256
faaec7c4ddd5bd4b50c4fee6b2e4d86aff8520dee91fb095c1f2b20519d294db

SHA512
e92d02e2c53cde29070cd5ea9e83966d5fdc04ca25e242aa55fdf7777320ebe1b723e727012cf217c1768e6d32a64134b124a7341e2ff929a63e30d1b904ba70

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
582cb548806e48c28ddf40d78c74dce7

SHA1
5813114c4677985307b6301b98ddc588a4d91323

SHA256
faaec7c4ddd5bd4b50c4fee6b2e4d86aff8520dee91fb095c1f2b20519d294db

SHA512
e92d02e2c53cde29070cd5ea9e83966d5fdc04ca25e242aa55fdf7777320ebe1b723e727012cf217c1768e6d32a64134b124a7341e2ff929a63e30d1b904ba70

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b5eb807e3358ab4d8deb781fd203870e

SHA1
12c817ab8a30a9025d62c9392978c26f92f4908c

SHA256
5a27cb30280aa7e494d6ed2c758a09597397ddb0c9017dfc80257b9936f675de

SHA512
2161ba05cb840a130ac570a368d8472a569f156d8a3c85c4fbe0178195d696a092ebe9f9bbe2792306c1606c69cc3cf8cb2abe68bee0eb1bfd6abd7757514195

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
26c00a58aa7a147ee77c0351d8883479

SHA1
38957192079734c8e6326ed43c93f28db2fb8429

SHA256
fe745e44d1101fb0aaf9d51812bffba20a17dded65a38d77ab3bc28f96aec76f

SHA512
6b981c42111dd5dd1984866299e0cc9781b0d53efc08910b901072717e08a85d5a5cbb80e9f070d135480256c1f36ba687d8f268bb27a1779a4c70bc5b3cacc6

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
aac6d9647d1dae1e280a9f92d1ab527f

SHA1
d939c558faf38167f0c0d64ce28589c363a9978b

SHA256
74fb16efb4e312ae48fde4f2ad9c087657513a0ae2eddd288aa959efa725eef5

SHA512
92ad3cd5d6c3169b5f036e91920cee1da38f8ad5af0230c3b95093795cd18369b4188106c3ac30d5efe12a5e7e857c75d4e2a2a13a274a4446d0cfcadd47c376

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
eb3bbb79bb5937a04dca545fc8bb4223

SHA1
3caa9b845809126b13f6a51044bd10667429a2bd

SHA256
e9dbe8e87ad1bf1db4fc14e579cf6db7008cb2e3467154aed194205cc28745bd

SHA512
bc2d47042a7a9826c71f6a0109a2518ad54e2a9721e20fb198188606cba87816f60dd3d437ed8fca80a4fb75a0e0b79cb99b5e7995c24c6e2d71e72ec693efcd

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f6c4a5bd79e04282ddd90c88eac33d32

SHA1
b8a848fcd6633906905d09a0f70b970015e1aa8d

SHA256
f5c91efcd78e9b6c3f1e106745de5004af0185efa7f62d251cb45bd6e9e08d78

SHA512
cbe97d0e9b39b6f289d2641eecf3de026fd55c4224add4ddbe1af3785392eec870f3fd0d7ce0a40a1c10bc654eb50e2722b518265824e7b4d76aba3e6224bf98

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
6c655986dc039f75bbfe59a9933bb891

SHA1
681560e67914b82ddbf8b9f1109a4a058d799d10

SHA256
66e992d30d4afe4de3832695726ad92f2b5a84b5707ad0b6b9de2698ea608a1e

SHA512
849c0aa8d4398e783da723d6e72a528eac5f8839cb0a2316e3bbfab2c5827ea0d289799767fdf3fd6ac78a04260b16cc98d43ef561c5b64f28b9c3609d22a5b2

Download Submit
memory/632-214-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/888-154-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/888-181-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/888-150-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/888-163-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/888-399-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/888-162-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/888-159-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/960-129-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/960-371-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/960-122-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/960-131-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1296-247-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1316-240-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1316-222-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1352-104-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1436-209-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/1436-330-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/1436-269-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/1532-105-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1540-156-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1580-151-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1636-645-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1636-179-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1636-166-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1636-481-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1636-172-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1652-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1652-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-74-0x0000000000320000-0x0000000000386000-memory.dmp

Filesize
408KB

Download
memory/1652-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-92-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-325-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-69-0x0000000000320000-0x0000000000386000-memory.dmp

Filesize
408KB

Download
memory/1652-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1688-106-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1696-177-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1696-183-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1696-486-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1696-186-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1780-58-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1780-55-0x0000000005250000-0x0000000005290000-memory.dmp

Filesize
256KB

Download
memory/1780-60-0x000000000DB90000-0x000000000DD40000-memory.dmp

Filesize
1.7MB

Download
memory/1780-54-0x0000000001370000-0x00000000014E8000-memory.dmp

Filesize
1.5MB

Download
memory/1780-56-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/1780-59-0x000000000AA50000-0x000000000AB88000-memory.dmp

Filesize
1.2MB

Download
memory/1780-57-0x0000000005250000-0x0000000005290000-memory.dmp

Filesize
256KB

Download
memory/1888-93-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1888-88-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1888-82-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1972-123-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1972-115-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-127-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1972-113-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1972-119-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1972-138-0x00000000047E0000-0x000000000489C000-memory.dmp

Filesize
752KB

Download
memory/2028-208-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2028-644-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2064-378-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2132-280-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2188-405-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2192-636-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2192-276-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2192-279-0x0000000000630000-0x0000000000839000-memory.dmp

Filesize
2.0MB

Download
memory/2192-635-0x0000000000630000-0x0000000000839000-memory.dmp

Filesize
2.0MB

Download
memory/2312-696-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2364-282-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2364-638-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2372-705-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2412-293-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2444-417-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2508-639-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2508-295-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2572-401-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2612-329-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2644-331-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2716-717-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2720-333-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2720-666-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2776-658-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2776-334-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2852-669-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2920-691-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2920-356-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/3000-694-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3000-357-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3056-679-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download