blustealer | 2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d

Analysis

max time kernel
104s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase order 3500354689.exe
Size

1.4MB
MD5

54449cb838ba6a7de0d11f73de31c1af
SHA1

4fa134aaab1517fc86d77de166e8cb5dc65943df
SHA256

2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d
SHA512

d9177818bf33a55fda1a4dadd98db20c8f72bea1ee3d43d707ef3ddaaed7af944cc97dfb14d649f916573f201730d6bd39d51506ae314cb38882f59d7be19bc4
SSDEEP

24576:KRmht8BU5wGMUq6HxSzB793rWyxLV08a5XwE7uWhDVzeWhWGAUlCwUY/l:3l5MUqF99TxLG8aJ3lZLeUlv/l

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 31 IoCs

pid	Process
464	Process not Found
1444	alg.exe
788	aspnet_state.exe
1736	mscorsvw.exe
1544	mscorsvw.exe
1200	mscorsvw.exe
268	mscorsvw.exe
1728	dllhost.exe
292	ehRecvr.exe
1208	ehsched.exe
1060	elevation_service.exe
1488	mscorsvw.exe
1272	mscorsvw.exe
2044	IEEtwCollector.exe
1448	GROOVE.EXE
1272	mscorsvw.exe
2168	maintenanceservice.exe
2312	msdtc.exe
2396	mscorsvw.exe
2452	msiexec.exe
2584	OSE.EXE
2672	OSPPSVC.EXE
2796	perfhost.exe
2828	locator.exe
2912	snmptrap.exe
3008	vds.exe
2052	vssvc.exe
2216	wbengine.exe
2364	WmiApSrv.exe
2488	wmpnetwk.exe
2552	SearchIndexer.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2452	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
736	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\238b208ba5fe7035.bin	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 300	1728	Purchase order 3500354689.exe	28
PID 300 set thread context of 528	300	Purchase order 3500354689.exe	34

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Purchase order 3500354689.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Purchase order 3500354689.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase order 3500354689.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E71AFFCD-1C2A-4720-8086-C8BD9A7C1C4D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E71AFFCD-1C2A-4720-8086-C8BD9A7C1C4D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase order 3500354689.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1872	ehRec.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	300	Purchase order 3500354689.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: 33	1544	EhTray.exe
Token: SeIncBasePriorityPrivilege	1544	EhTray.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	1200	mscorsvw.exe
Token: SeDebugPrivilege	1872	ehRec.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: 33	1544	EhTray.exe
Token: SeIncBasePriorityPrivilege	1544	EhTray.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeSecurityPrivilege	2452	msiexec.exe
Token: SeBackupPrivilege	2052	vssvc.exe
Token: SeRestorePrivilege	2052	vssvc.exe
Token: SeAuditPrivilege	2052	vssvc.exe
Token: SeBackupPrivilege	2216	wbengine.exe
Token: SeRestorePrivilege	2216	wbengine.exe
Token: SeSecurityPrivilege	2216	wbengine.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
300	Purchase order 3500354689.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 1728 wrote to memory of 300	1728	Purchase order 3500354689.exe	28
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 300 wrote to memory of 528	300	Purchase order 3500354689.exe	34
PID 268 wrote to memory of 1488	268	mscorsvw.exe	42
PID 268 wrote to memory of 1488	268	mscorsvw.exe	42
PID 268 wrote to memory of 1488	268	mscorsvw.exe	42
PID 268 wrote to memory of 1272	268	mscorsvw.exe	46
PID 268 wrote to memory of 1272	268	mscorsvw.exe	46
PID 268 wrote to memory of 1272	268	mscorsvw.exe	46
PID 1200 wrote to memory of 1272	1200	mscorsvw.exe	46
PID 1200 wrote to memory of 1272	1200	mscorsvw.exe	46
PID 1200 wrote to memory of 1272	1200	mscorsvw.exe	46
PID 1200 wrote to memory of 1272	1200	mscorsvw.exe	46
PID 1200 wrote to memory of 2396	1200	mscorsvw.exe	49
PID 1200 wrote to memory of 2396	1200	mscorsvw.exe	49
PID 1200 wrote to memory of 2396	1200	mscorsvw.exe	49
PID 1200 wrote to memory of 2396	1200	mscorsvw.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:528

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1736

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 254 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:1272

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1728

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:292

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2044

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2584

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
08104ecc419dfe8960e92551c78e7a32

SHA1
c4f1961a9830aa2879170e8df076c20232562a07

SHA256
e8576e4af01a5f1b90a0b53a9b1e92fbb9525fc27c03e45ec2befd1af75fd307

SHA512
0d695e8029ba27807a45944616ad1d0699c32524a32b129b4efff4f7c342a2026abf95cc65a6a4a39872c91b7c845d49082b25df5bd4bb1b55ba966d470b8000

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bfb4fdcaa617549b770bc13630825cc5

SHA1
0ba8b95a5428fa5d5a595640f0cf16a0d270fbb2

SHA256
894db36660c95505ce7bc62a60f179ddcad4cc297be35036da34781822130644

SHA512
bdaafe9792b99228e277384c6a8ea834c54c03558abc678a5e9cc4b46052f158c37ffbd04fcc4b5a07a8b31e6e3d3f5947b0d1905f2ccbebaf7e38874ef376f3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
50d029408876473afa2229a17e9a4237

SHA1
a8d15f954047dc944925b91807aa27c2176c8ec5

SHA256
5ff02d5235206601808b9bf50120573b799809c834d63d26a7c6895312795228

SHA512
20dc0d2725d0c365d99f981d77ccb303a5028773e2e08c60095043f858937c6de996d77f7203392675db5fcc4373330d813ee5d985c7804cbe478a2280de518a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
33482b52653d28eb15239527f00cd2b7

SHA1
e051d22fa7bfaf3afe4cd05ef8255f185ed8538e

SHA256
bfbdeee82af050508486892d5b2bf3f2661f182b43a8c41f7b397c604eb5b694

SHA512
3726e257d0f2dea65e27d2a87a2d88e3d7ac4b1a08ea4d46ca2f2a0d0dda4b7eecc01b78031817b729d0e6068581d13e148746b239e3dd9186d0229c319456fd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f5130d4dc4f21c64ee4127a8038a93d5

SHA1
bf8cade1cad7f2a1336e13baac119c340d4febb5

SHA256
edd92946b26af0273b42e4e1adff4e85fe31f82560a92c9627b2d8e4d24602af

SHA512
c984bc140e24564fd565401cdd830eb54fed3402de1b3426dc3e7b1ded823157b15d0de51f927972ee6c1898607720df92ce3b231ecd4dd21006fe04e4d20617

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
636377f53bcded2956d518121003f6f8

SHA1
cd81d80987306ee9286ad77a9ebafd876a897653

SHA256
7723e4cb2d06800e5cc1075cc39ecdfc203ca8dc9b04f465271f0ca5b021880f

SHA512
c210c2a5d756ac3a1c3afefc4ef438fb766a6981e05da1f0036be243d4222e8af205e42a5d5557a7c9d2206a8a476ff87e708c863e71531d3d300faec12e8a7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05a42127ecd23b221138cb3f8bfcb399

SHA1
4755b97f49cb0d0d02b27337897729119b4dc94f

SHA256
a5415cb8bf2991077245b259a3db3545423810fe271661c076e0f20c99d02f7e

SHA512
679f1cf7763563734b1bc9ad4ded2ca10a553b4b066356aff0823c615a01cb77a5c720458660025b670bbd1ff963f8a2e8daa0a609f44f1dd8a89086bc8e0136

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05a42127ecd23b221138cb3f8bfcb399

SHA1
4755b97f49cb0d0d02b27337897729119b4dc94f

SHA256
a5415cb8bf2991077245b259a3db3545423810fe271661c076e0f20c99d02f7e

SHA512
679f1cf7763563734b1bc9ad4ded2ca10a553b4b066356aff0823c615a01cb77a5c720458660025b670bbd1ff963f8a2e8daa0a609f44f1dd8a89086bc8e0136

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d9550152aa0c81181b573f8f95fef1b9

SHA1
27e73d92d3ab182a967c70a18adecb588da9a9f3

SHA256
870f023d3c528b1e5abc7bb064062f652ec884737a5e39ea060ced47590dff29

SHA512
e7fe71b4f185bd2f50279eed284f4fe658757b68e91f22e979ed9521030c9e24050947d87716434b2160079947e22062a768dc8752793f792e90e84560161acf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
8608664ecbb36f18dc8ce84512f3cf58

SHA1
6b57e73ae55dde1a91c8ca9bbcf788ff8e22abc9

SHA256
28b94e0e7c34f2833e999dd0033ddeec784567fe6087e221baa2f6d91f1332f4

SHA512
430dedefe7a70f94062e92b763154c13a7e06fb26720f5f31cd167ffbd071b0acfb50eba9f43172138052fc792dbeb195a0f066617c93e8d0c79f3ed2377c9f1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd4d88ab72220ccba941669b4b637bdd

SHA1
07fd7405656d448a13a6d5e0101836a8e45654de

SHA256
36e25fe0dc49f20c2f9639a0f1967d3393b6edfbb76b2d3f811373d2bcf7e161

SHA512
342bbc47f8cc9b0f0665a27f74d7716b7546689ab8ee5f0fe0390c50aa566708f0ce2382e581b355339e9d24594b0eb3f60108315255ff2f9d9ab0ef002cc858

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd4d88ab72220ccba941669b4b637bdd

SHA1
07fd7405656d448a13a6d5e0101836a8e45654de

SHA256
36e25fe0dc49f20c2f9639a0f1967d3393b6edfbb76b2d3f811373d2bcf7e161

SHA512
342bbc47f8cc9b0f0665a27f74d7716b7546689ab8ee5f0fe0390c50aa566708f0ce2382e581b355339e9d24594b0eb3f60108315255ff2f9d9ab0ef002cc858

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd4d88ab72220ccba941669b4b637bdd

SHA1
07fd7405656d448a13a6d5e0101836a8e45654de

SHA256
36e25fe0dc49f20c2f9639a0f1967d3393b6edfbb76b2d3f811373d2bcf7e161

SHA512
342bbc47f8cc9b0f0665a27f74d7716b7546689ab8ee5f0fe0390c50aa566708f0ce2382e581b355339e9d24594b0eb3f60108315255ff2f9d9ab0ef002cc858

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cd4d88ab72220ccba941669b4b637bdd

SHA1
07fd7405656d448a13a6d5e0101836a8e45654de

SHA256
36e25fe0dc49f20c2f9639a0f1967d3393b6edfbb76b2d3f811373d2bcf7e161

SHA512
342bbc47f8cc9b0f0665a27f74d7716b7546689ab8ee5f0fe0390c50aa566708f0ce2382e581b355339e9d24594b0eb3f60108315255ff2f9d9ab0ef002cc858

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c342182e65c056377e07aa7afaa429c2

SHA1
5c1162f954896782a123d09744dbd48796906507

SHA256
cc8df198e6994a7fc38c46df6ae4f2ff9c4fd1a5154bdefac08ff60cf36c93b8

SHA512
160ee32500c75083977b4a0ab0866f2e94f95c6e547c7d501707c4ea98f0060471163deb82ece9339cfa47d4b3395fbe4e5627863b563fb687113f92a1942330

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c342182e65c056377e07aa7afaa429c2

SHA1
5c1162f954896782a123d09744dbd48796906507

SHA256
cc8df198e6994a7fc38c46df6ae4f2ff9c4fd1a5154bdefac08ff60cf36c93b8

SHA512
160ee32500c75083977b4a0ab0866f2e94f95c6e547c7d501707c4ea98f0060471163deb82ece9339cfa47d4b3395fbe4e5627863b563fb687113f92a1942330

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1a62cd03ad543e2c29858e78a9c25e22

SHA1
468234c6b04d286238138de1eb4d8b8299cc3022

SHA256
8b21c2d49e2e4f46594b7098f042de8f4732583baaf9083d0a69ff84d2f50542

SHA512
b232b9b05e93274b4ae180aa225fede12afe1fde2eb3b51cfc645701c3c3eb7822f65f036a3c0e51508fed2a233157ec0633380c47b8ac87473aa99c85c08acd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cf5de4d5d9f9c3df681fe668d170f837

SHA1
c0e0f37bfcadd9a4cb7f71780d9be200041c5b7a

SHA256
584014f167c8eacda720ce4bd14c3789b872eb6154c53a8f61d4c247a873e2d6

SHA512
2dac12a639a0125d9d29adb036776d15e0b4e86701aad052d2cc03c83f3de5df4a5d561893978825f66527dee90485c6a0874aca2ce82e280823e49f6a8913df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cf5de4d5d9f9c3df681fe668d170f837

SHA1
c0e0f37bfcadd9a4cb7f71780d9be200041c5b7a

SHA256
584014f167c8eacda720ce4bd14c3789b872eb6154c53a8f61d4c247a873e2d6

SHA512
2dac12a639a0125d9d29adb036776d15e0b4e86701aad052d2cc03c83f3de5df4a5d561893978825f66527dee90485c6a0874aca2ce82e280823e49f6a8913df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cf5de4d5d9f9c3df681fe668d170f837

SHA1
c0e0f37bfcadd9a4cb7f71780d9be200041c5b7a

SHA256
584014f167c8eacda720ce4bd14c3789b872eb6154c53a8f61d4c247a873e2d6

SHA512
2dac12a639a0125d9d29adb036776d15e0b4e86701aad052d2cc03c83f3de5df4a5d561893978825f66527dee90485c6a0874aca2ce82e280823e49f6a8913df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cf5de4d5d9f9c3df681fe668d170f837

SHA1
c0e0f37bfcadd9a4cb7f71780d9be200041c5b7a

SHA256
584014f167c8eacda720ce4bd14c3789b872eb6154c53a8f61d4c247a873e2d6

SHA512
2dac12a639a0125d9d29adb036776d15e0b4e86701aad052d2cc03c83f3de5df4a5d561893978825f66527dee90485c6a0874aca2ce82e280823e49f6a8913df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cf5de4d5d9f9c3df681fe668d170f837

SHA1
c0e0f37bfcadd9a4cb7f71780d9be200041c5b7a

SHA256
584014f167c8eacda720ce4bd14c3789b872eb6154c53a8f61d4c247a873e2d6

SHA512
2dac12a639a0125d9d29adb036776d15e0b4e86701aad052d2cc03c83f3de5df4a5d561893978825f66527dee90485c6a0874aca2ce82e280823e49f6a8913df

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7473aebd8e515f8eb2d48f33a0bfd5a8

SHA1
4e9bd8bad03728771bbef7ab0d49298212501cd6

SHA256
de1a1288bcc42cce0953324c36f40ec549b90ea8467a26ad9ce87ecbaac95643

SHA512
23eb5438ea26fc87d12bed6cc9872c3b55b57adf4a263e8c7a4e9743e0a29b3fbebfcdec1a144ff6e9db2d17518111eb5b29edffcd01d847f1fb525f1429c4e9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
88fa83119f8184e4a322a18b4940124e

SHA1
204f0d8cb4d00f94d26386568dd79bff08e06996

SHA256
97deac31d56e3ab5fecd7db25a4efc110dad97683b40d9771f5d8db254f5954a

SHA512
014872dbb9541a7817949a7e56d9ce96add4042c3fa74397488322bb068b46c7a724dbc4a82ace8be077202c5aa2670a39882606f78b51ccf263a0e5c7b9c0f3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
846b46c374a6506ba554dbce3cb5217d

SHA1
e93e869969877460fdad58af6afbfbd44bf0b291

SHA256
a65bf64d97e43da4cc030307c0c6503fbeddb154ec77e3e9dbe5a5070daae0c2

SHA512
0ffcb11724a7bc0fd9548177c0b08420cae0d71d5152f4778d9052bfc722ff92762fb84d3022fbcbd46585e642c6791c91c4abdd91fafb3a1c522cc617eede3f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
dffa33d8f8e610bd8a72e00aa31b3ecd

SHA1
4137b0963d382dcf49fe9c9fd4761537934b16b2

SHA256
c6b6e3bc7f9320bafb84a01292a300edc36ab4439decee0ef1fee8f40fb5e0f2

SHA512
2e1692af94364be5be6e70c62b095a57ffbc4b4f42f7d88a92e8e565b727eaa81fb4c01f554085212e91cc5b2404db0e37bebec256a3980c2b5bad3b4d5c1fc7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
782d9e3791c728970e9398872cbd3700

SHA1
3bdadf703af7cf71d6038a1b4ca83dba8a30a7d3

SHA256
9e9ab7f0e0ca59638c9314d88c608b203cc2c29ea62868f9361d0472fe532e7f

SHA512
282f22e7f58d5daa3cd07a640f0023256888269b566a24b918feba391da005b6993dae36b98758a721e461d8ee4ca78952a7b3368346028b66aa67137b78835c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
14ce5d8d42250f00ab1b788b12ebf4df

SHA1
1ff9407262e33efd384829778b55ec31f6904c0c

SHA256
662910b61bcc944d86bd0a0bb617bf86d257bb53d4b372765502250a25fb7be3

SHA512
42a0f78009711c0d3225ea318abcfe18e9baadf4519ecc75cdfb2e5be3192c792f9fb6964fce44e3db2f935e5c6c484b035f94773e6462fcf15d3152ad9285e0

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
6ac1fc9590eaa126a1e5361bf0fe5e70

SHA1
588bfca1d0aaa232f279f722147031c09ea1630a

SHA256
269e30184f5a52762bb2b88246a8a53adb6f3536542f82d5db62bf9a1fd4d219

SHA512
ac59f8fbb84baeca5afe568dec012458636ed9ef2058fca8cb7300b8b87a219692490b1b2a6c5a1d3b08b25eab599103e7c1cce5ce0c1baf6d8d06ca94e16e85

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e2f348ab6b71e7e117773884ca2ad693

SHA1
4f22fe09b9c07ee9931324d272f4af113b9a6d56

SHA256
edc55788cdce72ad7bd9d4d1732294a1059037a0a4c94bdb623b394b5b24d3f5

SHA512
9ad54eaa42aebd50c71c4a7eb860a719ea94843eb5a18eaa8298a801a97ead25aaa6cf102155b85e9ffb7379d02a2c662f65c159426743a805bf1eec76462b20

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
1f44abe9cb24521cf08e1dad21251f3c

SHA1
d6ae903fe26cdd18ee36b55cf1d47b33ff2303d3

SHA256
eedc81068f7451f93583fdcd937cb96d03c6160d766df67724f78664a81c01ea

SHA512
fcd534242efc86a97bafcff154747bb63b4eb677174a8524f01ba9ecfbaf534223af9fe292b0fa364271a531531babe7880077bf3ea8e5843f438f6775dd961f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5c0f9be6e47588fc3690384197ea32a1

SHA1
28ec4f5f4c77e62b2d74a7abeb3b7852e23b0f5d

SHA256
8ac547e86c831b24dc1a03d1571a1b4be8595c284290774c7cd3d7db4721fc34

SHA512
b3784ccb38de3088fd82154fbb9ac99baf4dac324540e5d15f00a02f024bc0745cb1791a3c850a82a4e9dc7f9322c54b6b17f96558e188d42febdc5c0bf80d81

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
5d4b37e32b45acc897946dda2d7fd94c

SHA1
8658afa39f56a6a2dd6cf1b1c843545d88ade347

SHA256
cd75f7534aa743be20ec8e6593594007919cd0c4360145e7513e83ca2ac7453d

SHA512
d8f657cadb08f585df4649202481486ebaa7711274361eb7df2a712cac3629eed3e053bd3573e8932791c417a0575f265219902af6305c24f0af183c09862098

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bcea16420de092c74876fcc2266d5c28

SHA1
1bb1afd9a1efec279abace3afb12e6ff9442c124

SHA256
6a1607ae672ac5b10e55493b50cafc9722e39e20ac8b0ba198d20dba4814674b

SHA512
d73a0be5bbb728d07e85a360fb577fb80e34f75fbb7f162f398b75401e6c3da527e4f38f373ab9f971f07281354dabb48a91a6f9b55504910cec92546da742d5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e2dbfa036634fcde56ae963a52d6d57e

SHA1
6e79e9eaa3638d686d66fbd34fd9bc6417bc7c06

SHA256
e020af44a08bfafdd1950ceb5d48c75ca68daceca2f8b12f21a90c6e101b7869

SHA512
f6c8d9c1b106ff9cb8c88a606b164353b1bb2538e5f385f5037fb22d0d16a83ba4871d241c35688ec9b2adfbaa7f6287911d25694e4a92e46a97a5004b2461d8

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
895ca2d1b08fdbcd2a1a2c92f593a755

SHA1
c717347fb39f465be03a3c81849b7bcc01a83841

SHA256
a02a947fe6e15e37b212947017a1aaca68f65b23e9386a698761e79e99377e71

SHA512
492f2f7b2f2cb6a712b0344ffe1bd8aab0a217258c416536ee62018c1943e2e1f82203b12d6499cc9c82e4acd8d4520bf5861b525fee73df611f129fffd5105f

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
f4357ceec2c638d1a22a674fd5038e83

SHA1
8c844b4eb72e4864ab0d485d40c6ba0c9faf11cc

SHA256
ae32a6d7d650d6e49864d048e412e573e089ec7c25d79a578823435feea88d55

SHA512
bc266476a19be9519c0b117e4837f07afe041936810b5ae46605680cf8e082f8fb8e860bf0b7cd4d83d44b1588c032c46e9f6895f36d8a25cb0b15627a805764

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
1f44abe9cb24521cf08e1dad21251f3c

SHA1
d6ae903fe26cdd18ee36b55cf1d47b33ff2303d3

SHA256
eedc81068f7451f93583fdcd937cb96d03c6160d766df67724f78664a81c01ea

SHA512
fcd534242efc86a97bafcff154747bb63b4eb677174a8524f01ba9ecfbaf534223af9fe292b0fa364271a531531babe7880077bf3ea8e5843f438f6775dd961f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
636377f53bcded2956d518121003f6f8

SHA1
cd81d80987306ee9286ad77a9ebafd876a897653

SHA256
7723e4cb2d06800e5cc1075cc39ecdfc203ca8dc9b04f465271f0ca5b021880f

SHA512
c210c2a5d756ac3a1c3afefc4ef438fb766a6981e05da1f0036be243d4222e8af205e42a5d5557a7c9d2206a8a476ff87e708c863e71531d3d300faec12e8a7e

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
636377f53bcded2956d518121003f6f8

SHA1
cd81d80987306ee9286ad77a9ebafd876a897653

SHA256
7723e4cb2d06800e5cc1075cc39ecdfc203ca8dc9b04f465271f0ca5b021880f

SHA512
c210c2a5d756ac3a1c3afefc4ef438fb766a6981e05da1f0036be243d4222e8af205e42a5d5557a7c9d2206a8a476ff87e708c863e71531d3d300faec12e8a7e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05a42127ecd23b221138cb3f8bfcb399

SHA1
4755b97f49cb0d0d02b27337897729119b4dc94f

SHA256
a5415cb8bf2991077245b259a3db3545423810fe271661c076e0f20c99d02f7e

SHA512
679f1cf7763563734b1bc9ad4ded2ca10a553b4b066356aff0823c615a01cb77a5c720458660025b670bbd1ff963f8a2e8daa0a609f44f1dd8a89086bc8e0136

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
8608664ecbb36f18dc8ce84512f3cf58

SHA1
6b57e73ae55dde1a91c8ca9bbcf788ff8e22abc9

SHA256
28b94e0e7c34f2833e999dd0033ddeec784567fe6087e221baa2f6d91f1332f4

SHA512
430dedefe7a70f94062e92b763154c13a7e06fb26720f5f31cd167ffbd071b0acfb50eba9f43172138052fc792dbeb195a0f066617c93e8d0c79f3ed2377c9f1

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
88fa83119f8184e4a322a18b4940124e

SHA1
204f0d8cb4d00f94d26386568dd79bff08e06996

SHA256
97deac31d56e3ab5fecd7db25a4efc110dad97683b40d9771f5d8db254f5954a

SHA512
014872dbb9541a7817949a7e56d9ce96add4042c3fa74397488322bb068b46c7a724dbc4a82ace8be077202c5aa2670a39882606f78b51ccf263a0e5c7b9c0f3

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
782d9e3791c728970e9398872cbd3700

SHA1
3bdadf703af7cf71d6038a1b4ca83dba8a30a7d3

SHA256
9e9ab7f0e0ca59638c9314d88c608b203cc2c29ea62868f9361d0472fe532e7f

SHA512
282f22e7f58d5daa3cd07a640f0023256888269b566a24b918feba391da005b6993dae36b98758a721e461d8ee4ca78952a7b3368346028b66aa67137b78835c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
14ce5d8d42250f00ab1b788b12ebf4df

SHA1
1ff9407262e33efd384829778b55ec31f6904c0c

SHA256
662910b61bcc944d86bd0a0bb617bf86d257bb53d4b372765502250a25fb7be3

SHA512
42a0f78009711c0d3225ea318abcfe18e9baadf4519ecc75cdfb2e5be3192c792f9fb6964fce44e3db2f935e5c6c484b035f94773e6462fcf15d3152ad9285e0

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
6ac1fc9590eaa126a1e5361bf0fe5e70

SHA1
588bfca1d0aaa232f279f722147031c09ea1630a

SHA256
269e30184f5a52762bb2b88246a8a53adb6f3536542f82d5db62bf9a1fd4d219

SHA512
ac59f8fbb84baeca5afe568dec012458636ed9ef2058fca8cb7300b8b87a219692490b1b2a6c5a1d3b08b25eab599103e7c1cce5ce0c1baf6d8d06ca94e16e85

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e2f348ab6b71e7e117773884ca2ad693

SHA1
4f22fe09b9c07ee9931324d272f4af113b9a6d56

SHA256
edc55788cdce72ad7bd9d4d1732294a1059037a0a4c94bdb623b394b5b24d3f5

SHA512
9ad54eaa42aebd50c71c4a7eb860a719ea94843eb5a18eaa8298a801a97ead25aaa6cf102155b85e9ffb7379d02a2c662f65c159426743a805bf1eec76462b20

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
1f44abe9cb24521cf08e1dad21251f3c

SHA1
d6ae903fe26cdd18ee36b55cf1d47b33ff2303d3

SHA256
eedc81068f7451f93583fdcd937cb96d03c6160d766df67724f78664a81c01ea

SHA512
fcd534242efc86a97bafcff154747bb63b4eb677174a8524f01ba9ecfbaf534223af9fe292b0fa364271a531531babe7880077bf3ea8e5843f438f6775dd961f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
1f44abe9cb24521cf08e1dad21251f3c

SHA1
d6ae903fe26cdd18ee36b55cf1d47b33ff2303d3

SHA256
eedc81068f7451f93583fdcd937cb96d03c6160d766df67724f78664a81c01ea

SHA512
fcd534242efc86a97bafcff154747bb63b4eb677174a8524f01ba9ecfbaf534223af9fe292b0fa364271a531531babe7880077bf3ea8e5843f438f6775dd961f

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5c0f9be6e47588fc3690384197ea32a1

SHA1
28ec4f5f4c77e62b2d74a7abeb3b7852e23b0f5d

SHA256
8ac547e86c831b24dc1a03d1571a1b4be8595c284290774c7cd3d7db4721fc34

SHA512
b3784ccb38de3088fd82154fbb9ac99baf4dac324540e5d15f00a02f024bc0745cb1791a3c850a82a4e9dc7f9322c54b6b17f96558e188d42febdc5c0bf80d81

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
5d4b37e32b45acc897946dda2d7fd94c

SHA1
8658afa39f56a6a2dd6cf1b1c843545d88ade347

SHA256
cd75f7534aa743be20ec8e6593594007919cd0c4360145e7513e83ca2ac7453d

SHA512
d8f657cadb08f585df4649202481486ebaa7711274361eb7df2a712cac3629eed3e053bd3573e8932791c417a0575f265219902af6305c24f0af183c09862098

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bcea16420de092c74876fcc2266d5c28

SHA1
1bb1afd9a1efec279abace3afb12e6ff9442c124

SHA256
6a1607ae672ac5b10e55493b50cafc9722e39e20ac8b0ba198d20dba4814674b

SHA512
d73a0be5bbb728d07e85a360fb577fb80e34f75fbb7f162f398b75401e6c3da527e4f38f373ab9f971f07281354dabb48a91a6f9b55504910cec92546da742d5

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e2dbfa036634fcde56ae963a52d6d57e

SHA1
6e79e9eaa3638d686d66fbd34fd9bc6417bc7c06

SHA256
e020af44a08bfafdd1950ceb5d48c75ca68daceca2f8b12f21a90c6e101b7869

SHA512
f6c8d9c1b106ff9cb8c88a606b164353b1bb2538e5f385f5037fb22d0d16a83ba4871d241c35688ec9b2adfbaa7f6287911d25694e4a92e46a97a5004b2461d8

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
895ca2d1b08fdbcd2a1a2c92f593a755

SHA1
c717347fb39f465be03a3c81849b7bcc01a83841

SHA256
a02a947fe6e15e37b212947017a1aaca68f65b23e9386a698761e79e99377e71

SHA512
492f2f7b2f2cb6a712b0344ffe1bd8aab0a217258c416536ee62018c1943e2e1f82203b12d6499cc9c82e4acd8d4520bf5861b525fee73df611f129fffd5105f

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
f4357ceec2c638d1a22a674fd5038e83

SHA1
8c844b4eb72e4864ab0d485d40c6ba0c9faf11cc

SHA256
ae32a6d7d650d6e49864d048e412e573e089ec7c25d79a578823435feea88d55

SHA512
bc266476a19be9519c0b117e4837f07afe041936810b5ae46605680cf8e082f8fb8e860bf0b7cd4d83d44b1588c032c46e9f6895f36d8a25cb0b15627a805764

Download Submit
memory/268-149-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/292-163-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/292-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/292-167-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/292-158-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/292-152-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/292-179-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/292-336-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/300-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/300-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/300-81-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/300-268-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/300-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/300-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/300-74-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/300-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/300-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/300-69-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/528-138-0x0000000004D90000-0x0000000004E4C000-memory.dmp

Filesize
752KB

Download
memory/528-122-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/528-128-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/528-126-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/528-124-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/528-123-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/788-106-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1060-362-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1060-181-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1060-178-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1060-188-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1200-120-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1200-115-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1200-135-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1208-338-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1208-164-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1208-565-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1208-173-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1208-170-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1272-301-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1272-227-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1272-251-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1272-224-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1444-83-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1444-89-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1444-105-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1448-425-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1448-250-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1488-211-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1488-191-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1544-110-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1728-57-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/1728-148-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1728-54-0x00000000008A0000-0x0000000000A10000-memory.dmp

Filesize
1.4MB

Download
memory/1728-55-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/1728-56-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1728-58-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/1728-59-0x0000000008290000-0x00000000083C8000-memory.dmp

Filesize
1.2MB

Download
memory/1728-60-0x00000000085C0000-0x0000000008770000-memory.dmp

Filesize
1.7MB

Download
memory/1736-107-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1872-223-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/1872-323-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/1872-248-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/1872-393-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/2044-222-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2044-560-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2044-391-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2052-397-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2052-561-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2168-265-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2216-399-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2216-562-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2312-455-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2312-269-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2364-418-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2364-566-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2396-302-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2452-555-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2452-303-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2452-304-0x00000000005F0000-0x00000000007F9000-memory.dmp

Filesize
2.0MB

Download
memory/2452-556-0x00000000005F0000-0x00000000007F9000-memory.dmp

Filesize
2.0MB

Download
memory/2488-420-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2488-567-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2552-438-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2552-568-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2584-322-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2672-324-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2672-557-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2796-341-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2828-361-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2912-365-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/3008-395-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download