blustealer | 2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d

Analysis

max time kernel
152s
max time network
185s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/05/2023, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchaseorder3500354689.exe
Size

1.4MB
MD5

54449cb838ba6a7de0d11f73de31c1af
SHA1

4fa134aaab1517fc86d77de166e8cb5dc65943df
SHA256

2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d
SHA512

d9177818bf33a55fda1a4dadd98db20c8f72bea1ee3d43d707ef3ddaaed7af944cc97dfb14d649f916573f201730d6bd39d51506ae314cb38882f59d7be19bc4
SSDEEP

24576:KRmht8BU5wGMUq6HxSzB793rWyxLV08a5XwE7uWhDVzeWhWGAUlCwUY/l:3l5MUqF99TxLG8aJ3lZLeUlv/l

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 53 IoCs

pid	Process
464	Process not Found
1684	alg.exe
1936	aspnet_state.exe
1992	mscorsvw.exe
1592	mscorsvw.exe
1760	mscorsvw.exe
268	mscorsvw.exe
948	dllhost.exe
904	ehRecvr.exe
952	ehsched.exe
580	elevation_service.exe
1924	mscorsvw.exe
564	IEEtwCollector.exe
2064	mscorsvw.exe
2180	GROOVE.EXE
2312	maintenanceservice.exe
2416	msdtc.exe
2484	mscorsvw.exe
2548	msiexec.exe
2700	OSE.EXE
2740	OSPPSVC.EXE
2860	perfhost.exe
2896	locator.exe
2988	snmptrap.exe
1572	vds.exe
2152	vssvc.exe
2140	wbengine.exe
2368	WmiApSrv.exe
2520	wmpnetwk.exe
2728	SearchIndexer.exe
2072	mscorsvw.exe
2788	mscorsvw.exe
1412	mscorsvw.exe
824	mscorsvw.exe
1580	mscorsvw.exe
1320	mscorsvw.exe
2016	mscorsvw.exe
1732	mscorsvw.exe
1744	mscorsvw.exe
1988	mscorsvw.exe
2108	mscorsvw.exe
1504	mscorsvw.exe
1724	mscorsvw.exe
2156	mscorsvw.exe
1160	mscorsvw.exe
2584	mscorsvw.exe
1876	mscorsvw.exe
1960	mscorsvw.exe
2604	mscorsvw.exe
1520	mscorsvw.exe
2056	mscorsvw.exe
2824	mscorsvw.exe
564	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2548	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f85924787693df14.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchaseorder3500354689.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 868	916	Purchaseorder3500354689.exe	30
PID 868 set thread context of 1544	868	Purchaseorder3500354689.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DAC84675-37FF-4FBE-B599-BD322F822B5F}\chrome_installer.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Purchaseorder3500354689.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B7F0A130-F05B-41C0-8ED5-F514CA2CDD03}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchaseorder3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B7F0A130-F05B-41C0-8ED5-F514CA2CDD03}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchaseorder3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchaseorder3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{F6339559-6290-4A85-9D4F-7ADBEBC822E6}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{F6339559-6290-4A85-9D4F-7ADBEBC822E6}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
916	Purchaseorder3500354689.exe
916	Purchaseorder3500354689.exe
1588	ehRec.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe
868	Purchaseorder3500354689.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	Purchaseorder3500354689.exe
Token: SeTakeOwnershipPrivilege	868	Purchaseorder3500354689.exe
Token: SeShutdownPrivilege	1760	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	1760	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	1760	mscorsvw.exe
Token: SeShutdownPrivilege	1760	mscorsvw.exe
Token: 33	1584	EhTray.exe
Token: SeIncBasePriorityPrivilege	1584	EhTray.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeDebugPrivilege	1588	ehRec.exe
Token: SeRestorePrivilege	2548	msiexec.exe
Token: SeTakeOwnershipPrivilege	2548	msiexec.exe
Token: SeSecurityPrivilege	2548	msiexec.exe
Token: 33	1584	EhTray.exe
Token: SeIncBasePriorityPrivilege	1584	EhTray.exe
Token: SeBackupPrivilege	2152	vssvc.exe
Token: SeRestorePrivilege	2152	vssvc.exe
Token: SeAuditPrivilege	2152	vssvc.exe
Token: SeBackupPrivilege	2140	wbengine.exe
Token: SeRestorePrivilege	2140	wbengine.exe
Token: SeSecurityPrivilege	2140	wbengine.exe
Token: 33	2520	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2520	wmpnetwk.exe
Token: SeManageVolumePrivilege	2728	SearchIndexer.exe
Token: 33	2728	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2728	SearchIndexer.exe
Token: SeDebugPrivilege	868	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	868	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	868	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	868	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	868	Purchaseorder3500354689.exe
Token: SeShutdownPrivilege	1760	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1584	EhTray.exe
1584	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1584	EhTray.exe
1584	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
868	Purchaseorder3500354689.exe
2856	SearchProtocolHost.exe
2856	SearchProtocolHost.exe
2856	SearchProtocolHost.exe
2856	SearchProtocolHost.exe
2856	SearchProtocolHost.exe
1028	SearchProtocolHost.exe
1028	SearchProtocolHost.exe
1028	SearchProtocolHost.exe
1028	SearchProtocolHost.exe
2856	SearchProtocolHost.exe
1028	SearchProtocolHost.exe
1028	SearchProtocolHost.exe
1028	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 432	916	Purchaseorder3500354689.exe	28
PID 916 wrote to memory of 432	916	Purchaseorder3500354689.exe	28
PID 916 wrote to memory of 432	916	Purchaseorder3500354689.exe	28
PID 916 wrote to memory of 432	916	Purchaseorder3500354689.exe	28
PID 916 wrote to memory of 568	916	Purchaseorder3500354689.exe	29
PID 916 wrote to memory of 568	916	Purchaseorder3500354689.exe	29
PID 916 wrote to memory of 568	916	Purchaseorder3500354689.exe	29
PID 916 wrote to memory of 568	916	Purchaseorder3500354689.exe	29
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 916 wrote to memory of 868	916	Purchaseorder3500354689.exe	30
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 868 wrote to memory of 1544	868	Purchaseorder3500354689.exe	34
PID 268 wrote to memory of 1924	268	mscorsvw.exe	44
PID 268 wrote to memory of 1924	268	mscorsvw.exe	44
PID 268 wrote to memory of 1924	268	mscorsvw.exe	44
PID 268 wrote to memory of 2064	268	mscorsvw.exe	46
PID 268 wrote to memory of 2064	268	mscorsvw.exe	46
PID 268 wrote to memory of 2064	268	mscorsvw.exe	46
PID 1760 wrote to memory of 2484	1760	mscorsvw.exe	50
PID 1760 wrote to memory of 2484	1760	mscorsvw.exe	50
PID 1760 wrote to memory of 2484	1760	mscorsvw.exe	50
PID 1760 wrote to memory of 2484	1760	mscorsvw.exe	50
PID 2728 wrote to memory of 2856	2728	SearchIndexer.exe	63
PID 2728 wrote to memory of 2856	2728	SearchIndexer.exe	63
PID 2728 wrote to memory of 2856	2728	SearchIndexer.exe	63
PID 2728 wrote to memory of 2136	2728	SearchIndexer.exe	64
PID 2728 wrote to memory of 2136	2728	SearchIndexer.exe	64
PID 2728 wrote to memory of 2136	2728	SearchIndexer.exe	64
PID 2728 wrote to memory of 1028	2728	SearchIndexer.exe	65
PID 2728 wrote to memory of 1028	2728	SearchIndexer.exe	65
PID 2728 wrote to memory of 1028	2728	SearchIndexer.exe	65
PID 1760 wrote to memory of 2072	1760	mscorsvw.exe	66
PID 1760 wrote to memory of 2072	1760	mscorsvw.exe	66
PID 1760 wrote to memory of 2072	1760	mscorsvw.exe	66
PID 1760 wrote to memory of 2072	1760	mscorsvw.exe	66
PID 1760 wrote to memory of 2788	1760	mscorsvw.exe	67
PID 1760 wrote to memory of 2788	1760	mscorsvw.exe	67
PID 1760 wrote to memory of 2788	1760	mscorsvw.exe	67
PID 1760 wrote to memory of 2788	1760	mscorsvw.exe	67
PID 1760 wrote to memory of 1412	1760	mscorsvw.exe	68
PID 1760 wrote to memory of 1412	1760	mscorsvw.exe	68
PID 1760 wrote to memory of 1412	1760	mscorsvw.exe	68
PID 1760 wrote to memory of 1412	1760	mscorsvw.exe	68
PID 1760 wrote to memory of 824	1760	mscorsvw.exe	69
PID 1760 wrote to memory of 824	1760	mscorsvw.exe	69
PID 1760 wrote to memory of 824	1760	mscorsvw.exe	69
PID 1760 wrote to memory of 824	1760	mscorsvw.exe	69
PID 1760 wrote to memory of 1580	1760	mscorsvw.exe	70
PID 1760 wrote to memory of 1580	1760	mscorsvw.exe	70
PID 1760 wrote to memory of 1580	1760	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe
"C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe"
  2⤵
  PID:432
- C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe"
  2⤵
  PID:568
- C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1992

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1ac -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 268 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 24c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1e4 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 278 -NGENProcess 24c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 1ac -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1ec -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 1ac -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 25c -NGENProcess 1ec -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 1ac -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 284 -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 24c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 274 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a8 -NGENProcess 1ac -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 1ec -NGENProcess 1cc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:948

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:904

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:952

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:580

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:564

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2700

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2740

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2136
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2e91c432e9746aea85fc64d28b1c5132

SHA1
5f256597868178b59384a469fd8b6f151f4d420b

SHA256
95d93b3375346b18e47468e47224dfd4e1fd1835dfe4fe5952d09ff0f6ece937

SHA512
14034c196459c624d68a8d375bc3e16199632dab0355734bc471a7819bda34090b17d003cf788faee4de0d14a61eb7ba7539089db4dbb1cc3307cadd24a865b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
46154ac807c8c5a6c054d5c62424d389

SHA1
b0543d14cf2001e0b777b3c0e6df1ed3d398f782

SHA256
7d5a6fe3a62b560940f559666007a1649a390ac1dc78f3a87beb70ff6890e99f

SHA512
882e33c62f74d405ef29e7b7ca6a284898d3a6ca6bc278810919c576a1fd76ec0364f202dfc2054f4f00f0420c482069311dbbb2073d698d6e8e6b98c5ef7212

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b077c2c0ce93ac9e2e26066f155d1aad

SHA1
84e1b3109bd11eec9148638359cbd18a55b09f92

SHA256
0319b22ff4c5e8fd65efaf4f60b86e51315e7c7a2f604cb514731b2ec0c08c96

SHA512
324129c7e4aa56d3da49c5fc68e9c0733c0b1203c859cb5f4df8ae182dc4f09888a9f1c2906651b292f63274f9acb2b7ee14a2888f487769adb7a05f8e4aba8a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
25ae9af7a1adb7c60fc3f61e7f01012f

SHA1
c211cdbee7f4f73876745353731a667b14ce40f5

SHA256
1444183e964c22331e4a0639b010e1539e6f77612a6cd2165681a26b43200970

SHA512
e7d3957e5bb7bf34f3b143a353e8c3eb4c13cea017930bdbd6a65e82f2f957e07cf3c32775a463741add0f57ed18dca52fbef712f41f523b8105aef540eecb2c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
458754e171fbba0af149ff050e0cbb46

SHA1
faac52ccd12c7f1de0c85ec347cc540d73614f0f

SHA256
ae61a361a293bb83bc84ea600219bde5adb7a203e405eee519f5ddd92ef10035

SHA512
1edcc8aad03cd4895d697c42eeb735ef5571b9ad8fd5659d9e8484efcf8b182a73827110104b46d9d74d7d44b77303dac178926b430f1e90f3cd9a5bd8cfb85d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
275ca1b04e104879bb5463e100f87662

SHA1
ae4a5e3a8d60b7cd5f56b4e921d18c3145730f00

SHA256
23f1db25b6698226297f1aaa60de2f653a737a2a23d292d49698046ffb19e19f

SHA512
55b0b087e9f07d1c96884c4aa496e3bb3b8e34a9b628fe0f42a38bd07ad7c63964121bed016472ae1676c24f097f7f6ef40c01a3317a1e9e2f88c00556261d1f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d29973db8cc9986b245bce0a21d3fa5b

SHA1
591fb6a0f026503992e830a354f44b4a9692a401

SHA256
cd6ea3a57abbed894ce5e6ce51f0132238e09fb13a624d17898a9e92323fdf6c

SHA512
9e7a605768eefaf8e254c2b26bc985becec0888d5403203bc8ae39220ac684e22d2b217eea0e5ab7a2588b7bf0ec73e4381239cbec50522f0ae3cbcea97194d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c6529b5c21333ba8c7a81be1d7c6c58b

SHA1
740ed37890f7416c529d5eecf8bb67e56360ee3a

SHA256
5852e7b7ddd9ee1ea321e35289fb5b23b5a0d433697a59acd0b513ef57a6c23a

SHA512
f0a57111d3f62693bb42b76d5a3814f678618c289480b469740ee83be91bb500010cb71f5a0620195ed7ad023776bc940d4a63ad96c94a1beb1cb0a4b1ed471a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c6529b5c21333ba8c7a81be1d7c6c58b

SHA1
740ed37890f7416c529d5eecf8bb67e56360ee3a

SHA256
5852e7b7ddd9ee1ea321e35289fb5b23b5a0d433697a59acd0b513ef57a6c23a

SHA512
f0a57111d3f62693bb42b76d5a3814f678618c289480b469740ee83be91bb500010cb71f5a0620195ed7ad023776bc940d4a63ad96c94a1beb1cb0a4b1ed471a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
78b272c4a8cc5b3fb2f04bad3379508d

SHA1
a908cb9faa39036cc0c5246f3f3a2921657f2b73

SHA256
d431e9ef14692f6282350f428f77d559139ee151e8d7e084aaef6568b1bea76d

SHA512
8b781302b2ebcebbf85bab4e052cf7e8aa6bd7a44f40ad03a0631ef1ab8071e6d4d736d9f8ac03ab027015c087c2691becea241a384ea635ede5efa343ebe029

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
d6d38a8fc2312a99a8a8c2d0c0f49588

SHA1
dc944f79fb827e589327e6d41592b7ac79eb83a2

SHA256
1fa659cdffcf4a37a289727ee6355b5fa095065d162bdd1e5aa032b4cec52d86

SHA512
dbe7fa7d3a35ff696475f5f971529f45377f8079ec9f2bedaa0430d66d8230ae49ecb502feec74f690f71bc626fb48c83d779c24a80d523295f6e49b05ce60fb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d930ddafce9f6646ee2177f5c3e02226

SHA1
624ca553414760d5625bfc27b2b25d139de2fc1b

SHA256
4515ad22cae30f6024eac98561d22341f0019a42dea1ac7bf41b649a9659fdf1

SHA512
9d4902561c2b64a9994115a591262d068610f480f0ceec85115a59dacede98def0b6f2018bd16c26502be3c148e9199e5ea21ba7d30722074d355039331219c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d930ddafce9f6646ee2177f5c3e02226

SHA1
624ca553414760d5625bfc27b2b25d139de2fc1b

SHA256
4515ad22cae30f6024eac98561d22341f0019a42dea1ac7bf41b649a9659fdf1

SHA512
9d4902561c2b64a9994115a591262d068610f480f0ceec85115a59dacede98def0b6f2018bd16c26502be3c148e9199e5ea21ba7d30722074d355039331219c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d930ddafce9f6646ee2177f5c3e02226

SHA1
624ca553414760d5625bfc27b2b25d139de2fc1b

SHA256
4515ad22cae30f6024eac98561d22341f0019a42dea1ac7bf41b649a9659fdf1

SHA512
9d4902561c2b64a9994115a591262d068610f480f0ceec85115a59dacede98def0b6f2018bd16c26502be3c148e9199e5ea21ba7d30722074d355039331219c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d930ddafce9f6646ee2177f5c3e02226

SHA1
624ca553414760d5625bfc27b2b25d139de2fc1b

SHA256
4515ad22cae30f6024eac98561d22341f0019a42dea1ac7bf41b649a9659fdf1

SHA512
9d4902561c2b64a9994115a591262d068610f480f0ceec85115a59dacede98def0b6f2018bd16c26502be3c148e9199e5ea21ba7d30722074d355039331219c7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
54c0575a250d29d650eb37aa0057e1d7

SHA1
e5c6bab4669cf0cfb1c8ecb69b0d7b670aed0f4e

SHA256
f60e9d2cc42c1822eaf51abd6ae4d57195e98d2990a9d2fbbd91c91d1d61d565

SHA512
3922effb7097fcd0c5d8f73944eef2b58e1c8afeadd11071d85ea6592742ac34bd09929ba44b52660a6712a01d59ba2b735a1bd5ce3c730a7821aa21c7cb1b19

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
54c0575a250d29d650eb37aa0057e1d7

SHA1
e5c6bab4669cf0cfb1c8ecb69b0d7b670aed0f4e

SHA256
f60e9d2cc42c1822eaf51abd6ae4d57195e98d2990a9d2fbbd91c91d1d61d565

SHA512
3922effb7097fcd0c5d8f73944eef2b58e1c8afeadd11071d85ea6592742ac34bd09929ba44b52660a6712a01d59ba2b735a1bd5ce3c730a7821aa21c7cb1b19

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
dadb2583afa3fc19eb531a1847fead7d

SHA1
56796c64346a241c5c769763154dd82a0719402f

SHA256
a4d6d7a448f84b451181060b4f5fafd81fd6ba7ed2dba4f944db14b241729414

SHA512
0f03a51f3ad7f768ffe0f53cca495f7ad9e8af43ef2e11a573ea0cc92dea845489bae2daa73f42c338ec529e23358d9a80f93c589cd0421c9122a6ebc3aa7a58

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d44de405f6566cf0b51092412de4cbd2

SHA1
9afe776a68bd785567b77b98dd229f405f6f02f0

SHA256
6ba8af67285ff03a1a795bb5f272fc67b8785aac84c62454e6236946027054fc

SHA512
7fa4a9b957a76d6b628fdeeda04d5159762840923a26d61a67b02b1905b81937b54aad737797eea8bd2d7653a5d684338b653511e843eea8f9edc891441b1808

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4afb820ddaf38d1757638ff00ff36bb5

SHA1
f4bf4e50924329c968efe80cc0bbe9a9e33ee14f

SHA256
bec3a46aab5b07c15e148b94d937e65c88283fbeeea808b096f5445e8fb9040b

SHA512
c6d68029f48f6900b46864ad96983468663c815d570eabc2c27c18df6e0dd2ab0c62b93be79f559913c753ed4190582aa745b58bd8cf8f5ecbf4a2623e590e52

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a0373cd6da178a6e470fc8ae57dd11b6

SHA1
9d0f42b00e5cbff04d44a4c7087c5b82f5b63776

SHA256
343aa01f5926659a8b395af16caa44241d4c0c05e8c146967f6dc0602085dbd1

SHA512
bb7e46e2cf2d0545e044798e6f1ed8edcac95c779897243a6ff2e252b5fd49aa7489a2eb24700cf727fe8beb0821aa44da0ae6dcdaf2b9a5dedd4d5131fc0abc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
fa0fc734eaf35c6efed9e0ea4fd0c067

SHA1
bc2c6ce93224f0bdfa4b904f017130733311040c

SHA256
1907e1f4b60b423071c7b61b8d308ab0684598b14943cb644e79df583cf0ab78

SHA512
40e2df765f70c991d9a5ab9917ab70e364e0946ec0b778262fd252f2eb9c0827e85c8876212a2d4fa11bd11d5be9748769595e1ec35317e199c9f15b2127142c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f7c6f2423a3b019feacf7e19cac79f43

SHA1
70a50f5afd8892497edce34c7b75679b0e5a3302

SHA256
f8ade6b8d3f7f5703a9bfcf869b8ba20e7131bb82042bd069655b1bcc715e034

SHA512
ae764f1b96ddc76f5a8da884a68d7728dee89ea745eeef8ede9381f0f5d08cb402d00e6d35410ed238a64629f7b0346980ceb1280937cc7f181267870941a50c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c9bf9241411d78a763060f4545b51954

SHA1
3cdf7ae0637e9b9ffdfe2ee303f152bc3bc2f2e2

SHA256
6e153693ff7955e7295fc6453bef70d9c9bac349076fb997267c5d23f0282229

SHA512
3f46db2a9e0d3176574c22a6cf6a021be117671b561b04d0d62056607045c0ed2a1054d4b70c3a35502f540e67cb5a85071210cacf5ee55dc690847104d7357c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
d3b821851774c7c5e168888d60c890f5

SHA1
29f84d4ee61fdc2d4687a9ba4df36cf08c70246b

SHA256
76b11e5f8b13f34377cf207279369ae7d7814e610c79ca8ffd46e8d8669c6806

SHA512
553ac4a5e2bc9c13366757a254edbb71b865c90776c8b70d53f5b0ec6e2dbe23dcb207989843366034f3ea98b76c420d1ac85e09fbec30b7a94c711b2ec3d074

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c39c7ce8a07ca82e6a899991d9755656

SHA1
aac82c0e2dfb88145d6edadd8aea53763dbc512e

SHA256
326021b85a9248e3c9a72bdbf9ca47eb7e8374370f954e3360cac3938f0ee981

SHA512
53f758dd805bfa7e274caffc3fe0ec103a591dcdddfff61cded1ee847d52ec92f505b9c8be15b9549b1115747b466bb25dd3e88bbf60ab3919f57dd7b3bb8e6a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4779ede9c6a926fa53ff23db3d1ec4f5

SHA1
d4316567c10ce4896a2ba0271efafeaedac1cdf2

SHA256
ce85436685d39ac2eb7b8512653c42e07d90cd23898e894b2552113787065d18

SHA512
fa65f9ccfa7678446b101cf04deda99f56939f41928eba2ca781f64d7882b488755b74485e362ae245b0ff156795dfa74c353479b15e11f532a48f0c9f1fb618

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3858bedec7aa6f94b1237998085a7db4

SHA1
d97f2c1d26b7c545fa2561aea0afc8f44b0e9170

SHA256
ac31ded6c216685485ec7c6a75789388fc9bc6228d7e87e31280f9814436e130

SHA512
dec38cc1169ff468826cd857a402e9cb6960831debcbd9b7d8f2566007ea1503e556cb1ceabeee1d07c038715beb0917546842dcb380282ffc65a4fa52fab61c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3a42b339d33852701995a00761797620

SHA1
c16d7a7dd0fc0f966f13b481b1e1f29766c8022f

SHA256
db4a6f28be0c2c010465939a7a590d6cd28a71fd661111b598fa0bb03b78ace1

SHA512
43b7c033ba67b4f81ea5f2756b0ab6e8b12cff0333ede00ad86d2255b3b0f1a34909f8e5aba05da1ce676988735dd35780f4f06d779f3d2286f24972efce1936

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ca657823638257c09b195e41ce052a8e

SHA1
b9fd6e9e19ebd12ed9bc3980cd9f4254474b0b0c

SHA256
ea91d7f295b1d38f58be3e87812232830e34f3ac524e0f666b790451a843c7ac

SHA512
0c639cf9c8a89afcdd5a08336c59227473f23ec68d84dac1d5d88367c480a8291a0dc8985210ef5c2c50e61aca394d6d43b557a3c569fa2f2a0c4790888e6bd5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
665763116b66de3d198d7cb8ffcde13c

SHA1
ee4563cd1d3d7d0f178822a56e0ced621627b81e

SHA256
08e336c4f52aef5239c83b950f580d3dd0ab191dcbaacbaef3a90da0e3a31530

SHA512
10ee18ae5f783e86f088f55306425a67d98efd71da5d7f0d5e4d24571956bd7855c6d589c122d9cdc3f91e0ff449528d87f986e19262340a997f4c1d0d2165be

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
a99925660c2f74a5d2fa359053c7ac5a

SHA1
25278411c55519a74cd9ca7b9edd124cbd798dff

SHA256
95df0918bd470ad2b1cd9d592c5195a162942e72f27933a7f27eb8c07b0f1bee

SHA512
96fe6dc45e7604674550d0825c5664266081bf9185f961f65225f3a4d3d7f10f5ba0544d2df39134a22d2d20c122f362375ead276629558f905e1ed30301d268

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9fa149066b1ff70e8304589c77277d06

SHA1
b5df8f1ae3121aa478d81bbf833187726cf15917

SHA256
895eb72934b285478a69e3507ccb04b1b62db3ed0fa3627384de5cea83b97a98

SHA512
5da476e5ad9af60e77053df1d1ac3d3ba45ed9e3645aa7a08565b59226e4994147dd1cb2bf03e56654baae88e66daa43e9f4be55276bd61f4f953994f49bb0d9

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d4acc738bf0217d006ab73b16d521f0d

SHA1
c14b3ae7aeb2e5aa5bd735bb801e533010e8f5c4

SHA256
490b402fdd6a0accf4f7a80c369060199d9deb422aba16a8d73b350388e9f514

SHA512
7ed072922662caf701b43b5eed562f54b9151b4206a896ecd02ffabeac738d16cd7e2c34e4fbec083d82312fe024de5a2607e9c295301f920d0e12a3e7d84f4c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3858bedec7aa6f94b1237998085a7db4

SHA1
d97f2c1d26b7c545fa2561aea0afc8f44b0e9170

SHA256
ac31ded6c216685485ec7c6a75789388fc9bc6228d7e87e31280f9814436e130

SHA512
dec38cc1169ff468826cd857a402e9cb6960831debcbd9b7d8f2566007ea1503e556cb1ceabeee1d07c038715beb0917546842dcb380282ffc65a4fa52fab61c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
275ca1b04e104879bb5463e100f87662

SHA1
ae4a5e3a8d60b7cd5f56b4e921d18c3145730f00

SHA256
23f1db25b6698226297f1aaa60de2f653a737a2a23d292d49698046ffb19e19f

SHA512
55b0b087e9f07d1c96884c4aa496e3bb3b8e34a9b628fe0f42a38bd07ad7c63964121bed016472ae1676c24f097f7f6ef40c01a3317a1e9e2f88c00556261d1f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
275ca1b04e104879bb5463e100f87662

SHA1
ae4a5e3a8d60b7cd5f56b4e921d18c3145730f00

SHA256
23f1db25b6698226297f1aaa60de2f653a737a2a23d292d49698046ffb19e19f

SHA512
55b0b087e9f07d1c96884c4aa496e3bb3b8e34a9b628fe0f42a38bd07ad7c63964121bed016472ae1676c24f097f7f6ef40c01a3317a1e9e2f88c00556261d1f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c6529b5c21333ba8c7a81be1d7c6c58b

SHA1
740ed37890f7416c529d5eecf8bb67e56360ee3a

SHA256
5852e7b7ddd9ee1ea321e35289fb5b23b5a0d433697a59acd0b513ef57a6c23a

SHA512
f0a57111d3f62693bb42b76d5a3814f678618c289480b469740ee83be91bb500010cb71f5a0620195ed7ad023776bc940d4a63ad96c94a1beb1cb0a4b1ed471a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
d6d38a8fc2312a99a8a8c2d0c0f49588

SHA1
dc944f79fb827e589327e6d41592b7ac79eb83a2

SHA256
1fa659cdffcf4a37a289727ee6355b5fa095065d162bdd1e5aa032b4cec52d86

SHA512
dbe7fa7d3a35ff696475f5f971529f45377f8079ec9f2bedaa0430d66d8230ae49ecb502feec74f690f71bc626fb48c83d779c24a80d523295f6e49b05ce60fb

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a0373cd6da178a6e470fc8ae57dd11b6

SHA1
9d0f42b00e5cbff04d44a4c7087c5b82f5b63776

SHA256
343aa01f5926659a8b395af16caa44241d4c0c05e8c146967f6dc0602085dbd1

SHA512
bb7e46e2cf2d0545e044798e6f1ed8edcac95c779897243a6ff2e252b5fd49aa7489a2eb24700cf727fe8beb0821aa44da0ae6dcdaf2b9a5dedd4d5131fc0abc

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c9bf9241411d78a763060f4545b51954

SHA1
3cdf7ae0637e9b9ffdfe2ee303f152bc3bc2f2e2

SHA256
6e153693ff7955e7295fc6453bef70d9c9bac349076fb997267c5d23f0282229

SHA512
3f46db2a9e0d3176574c22a6cf6a021be117671b561b04d0d62056607045c0ed2a1054d4b70c3a35502f540e67cb5a85071210cacf5ee55dc690847104d7357c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
d3b821851774c7c5e168888d60c890f5

SHA1
29f84d4ee61fdc2d4687a9ba4df36cf08c70246b

SHA256
76b11e5f8b13f34377cf207279369ae7d7814e610c79ca8ffd46e8d8669c6806

SHA512
553ac4a5e2bc9c13366757a254edbb71b865c90776c8b70d53f5b0ec6e2dbe23dcb207989843366034f3ea98b76c420d1ac85e09fbec30b7a94c711b2ec3d074

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c39c7ce8a07ca82e6a899991d9755656

SHA1
aac82c0e2dfb88145d6edadd8aea53763dbc512e

SHA256
326021b85a9248e3c9a72bdbf9ca47eb7e8374370f954e3360cac3938f0ee981

SHA512
53f758dd805bfa7e274caffc3fe0ec103a591dcdddfff61cded1ee847d52ec92f505b9c8be15b9549b1115747b466bb25dd3e88bbf60ab3919f57dd7b3bb8e6a

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4779ede9c6a926fa53ff23db3d1ec4f5

SHA1
d4316567c10ce4896a2ba0271efafeaedac1cdf2

SHA256
ce85436685d39ac2eb7b8512653c42e07d90cd23898e894b2552113787065d18

SHA512
fa65f9ccfa7678446b101cf04deda99f56939f41928eba2ca781f64d7882b488755b74485e362ae245b0ff156795dfa74c353479b15e11f532a48f0c9f1fb618

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3858bedec7aa6f94b1237998085a7db4

SHA1
d97f2c1d26b7c545fa2561aea0afc8f44b0e9170

SHA256
ac31ded6c216685485ec7c6a75789388fc9bc6228d7e87e31280f9814436e130

SHA512
dec38cc1169ff468826cd857a402e9cb6960831debcbd9b7d8f2566007ea1503e556cb1ceabeee1d07c038715beb0917546842dcb380282ffc65a4fa52fab61c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3858bedec7aa6f94b1237998085a7db4

SHA1
d97f2c1d26b7c545fa2561aea0afc8f44b0e9170

SHA256
ac31ded6c216685485ec7c6a75789388fc9bc6228d7e87e31280f9814436e130

SHA512
dec38cc1169ff468826cd857a402e9cb6960831debcbd9b7d8f2566007ea1503e556cb1ceabeee1d07c038715beb0917546842dcb380282ffc65a4fa52fab61c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3a42b339d33852701995a00761797620

SHA1
c16d7a7dd0fc0f966f13b481b1e1f29766c8022f

SHA256
db4a6f28be0c2c010465939a7a590d6cd28a71fd661111b598fa0bb03b78ace1

SHA512
43b7c033ba67b4f81ea5f2756b0ab6e8b12cff0333ede00ad86d2255b3b0f1a34909f8e5aba05da1ce676988735dd35780f4f06d779f3d2286f24972efce1936

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ca657823638257c09b195e41ce052a8e

SHA1
b9fd6e9e19ebd12ed9bc3980cd9f4254474b0b0c

SHA256
ea91d7f295b1d38f58be3e87812232830e34f3ac524e0f666b790451a843c7ac

SHA512
0c639cf9c8a89afcdd5a08336c59227473f23ec68d84dac1d5d88367c480a8291a0dc8985210ef5c2c50e61aca394d6d43b557a3c569fa2f2a0c4790888e6bd5

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
665763116b66de3d198d7cb8ffcde13c

SHA1
ee4563cd1d3d7d0f178822a56e0ced621627b81e

SHA256
08e336c4f52aef5239c83b950f580d3dd0ab191dcbaacbaef3a90da0e3a31530

SHA512
10ee18ae5f783e86f088f55306425a67d98efd71da5d7f0d5e4d24571956bd7855c6d589c122d9cdc3f91e0ff449528d87f986e19262340a997f4c1d0d2165be

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
a99925660c2f74a5d2fa359053c7ac5a

SHA1
25278411c55519a74cd9ca7b9edd124cbd798dff

SHA256
95df0918bd470ad2b1cd9d592c5195a162942e72f27933a7f27eb8c07b0f1bee

SHA512
96fe6dc45e7604674550d0825c5664266081bf9185f961f65225f3a4d3d7f10f5ba0544d2df39134a22d2d20c122f362375ead276629558f905e1ed30301d268

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9fa149066b1ff70e8304589c77277d06

SHA1
b5df8f1ae3121aa478d81bbf833187726cf15917

SHA256
895eb72934b285478a69e3507ccb04b1b62db3ed0fa3627384de5cea83b97a98

SHA512
5da476e5ad9af60e77053df1d1ac3d3ba45ed9e3645aa7a08565b59226e4994147dd1cb2bf03e56654baae88e66daa43e9f4be55276bd61f4f953994f49bb0d9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d4acc738bf0217d006ab73b16d521f0d

SHA1
c14b3ae7aeb2e5aa5bd735bb801e533010e8f5c4

SHA256
490b402fdd6a0accf4f7a80c369060199d9deb422aba16a8d73b350388e9f514

SHA512
7ed072922662caf701b43b5eed562f54b9151b4206a896ecd02ffabeac738d16cd7e2c34e4fbec083d82312fe024de5a2607e9c295301f920d0e12a3e7d84f4c

Download Submit
memory/268-150-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/564-213-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/564-333-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/580-200-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/580-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/580-188-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/580-182-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/868-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/868-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/868-215-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/868-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/868-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/868-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/868-69-0x00000000006D0000-0x0000000000736000-memory.dmp

Filesize
408KB

Download
memory/868-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/868-74-0x00000000006D0000-0x0000000000736000-memory.dmp

Filesize
408KB

Download
memory/868-87-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/904-229-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/904-159-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/904-180-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/904-671-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/904-164-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/904-167-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/904-165-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/916-58-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/916-54-0x0000000000040000-0x00000000001B0000-memory.dmp

Filesize
1.4MB

Download
memory/916-60-0x0000000008860000-0x0000000008A10000-memory.dmp

Filesize
1.7MB

Download
memory/916-59-0x0000000008570000-0x00000000086A8000-memory.dmp

Filesize
1.2MB

Download
memory/916-57-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/916-56-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/916-55-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/948-152-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/952-173-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/952-230-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/952-664-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/952-175-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/952-166-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1544-125-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1544-103-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1544-113-0x0000000004B70000-0x0000000004C2C000-memory.dmp

Filesize
752KB

Download
memory/1544-108-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1544-106-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1544-104-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1544-102-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1572-359-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1572-660-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1588-373-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1588-202-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1588-234-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1588-306-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1592-124-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1684-214-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1684-82-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1684-85-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1684-90-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1760-127-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1760-132-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1760-154-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1924-201-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1924-192-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1924-231-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1936-122-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1992-118-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2064-228-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2064-246-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2140-667-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2140-386-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2152-372-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2152-661-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2180-358-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2180-235-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2312-260-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2368-415-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2416-280-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2484-585-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2484-282-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2520-675-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2520-417-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-304-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2548-621-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/2548-308-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/2700-310-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2728-450-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2740-655-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2740-318-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2860-319-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2896-341-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2988-659-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2988-338-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download