blustealer | 7bd15f22d0da7a1c042f50925778bcb0e8e90397ca578cb1cd2d2cff07c28b97

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

f02928ac338e079f9392afded9cf036b
SHA1

6044a58728a468376fe00802bc5617bc1cf1f6b1
SHA256

7bd15f22d0da7a1c042f50925778bcb0e8e90397ca578cb1cd2d2cff07c28b97
SHA512

b24aa1acfa14f89ef6945946eec192d34a7fe9ce352f6007bafcfde0860b46403799538a1e4853463afe618bbd40f601ed133fb4bb48aa357a162f302cb9df05
SSDEEP

24576:IxgsRftD0C2nKG80Djsf9nz4mloFQnpXUMPQDR6q79dA:IaSftDnGfDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 42 IoCs

pid	Process
480	Process not Found
2644	alg.exe
2656	aspnet_state.exe
2476	mscorsvw.exe
2128	mscorsvw.exe
1252	mscorsvw.exe
2244	mscorsvw.exe
1560	ehRecvr.exe
332	mscorsvw.exe
2864	mscorsvw.exe
600	mscorsvw.exe
3000	mscorsvw.exe
1892	mscorsvw.exe
1940	ehsched.exe
2448	mscorsvw.exe
2528	mscorsvw.exe
2624	elevation_service.exe
1912	IEEtwCollector.exe
2752	GROOVE.EXE
488	maintenanceservice.exe
2892	msdtc.exe
1644	msiexec.exe
1796	OSE.EXE
356	OSPPSVC.EXE
2812	perfhost.exe
1868	locator.exe
2968	mscorsvw.exe
2340	snmptrap.exe
1604	vds.exe
1528	vssvc.exe
2316	wbengine.exe
2964	WmiApSrv.exe
2148	wmpnetwk.exe
3016	SearchIndexer.exe
1792	mscorsvw.exe
1200	mscorsvw.exe
2064	mscorsvw.exe
1444	mscorsvw.exe
2840	mscorsvw.exe
1316	mscorsvw.exe
1552	mscorsvw.exe
1560	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1644	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4cdff42a78a61a12.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\alg.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\vds.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{0E87E2DD-77B5-4830-A4DF-6ABC1793A962}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{0E87E2DD-77B5-4830-A4DF-6ABC1793A962}	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	1252	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeSecurityPrivilege	1644	msiexec.exe
Token: SeBackupPrivilege	2316	wbengine.exe
Token: SeRestorePrivilege	2316	wbengine.exe
Token: SeSecurityPrivilege	2316	wbengine.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe
Token: SeManageVolumePrivilege	3016	SearchIndexer.exe
Token: 33	2148	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2148	wmpnetwk.exe
Token: 33	3016	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3016	SearchIndexer.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeDebugPrivilege	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	2244	mscorsvw.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1952 wrote to memory of 2896	1952	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 2244 wrote to memory of 332	2244	mscorsvw.exe	36
PID 2244 wrote to memory of 332	2244	mscorsvw.exe	36
PID 2244 wrote to memory of 332	2244	mscorsvw.exe	36
PID 2244 wrote to memory of 2864	2244	mscorsvw.exe	37
PID 2244 wrote to memory of 2864	2244	mscorsvw.exe	37
PID 2244 wrote to memory of 2864	2244	mscorsvw.exe	37
PID 1252 wrote to memory of 600	1252	mscorsvw.exe	39
PID 1252 wrote to memory of 600	1252	mscorsvw.exe	39
PID 1252 wrote to memory of 600	1252	mscorsvw.exe	39
PID 1252 wrote to memory of 600	1252	mscorsvw.exe	39
PID 1252 wrote to memory of 3000	1252	mscorsvw.exe	40
PID 1252 wrote to memory of 3000	1252	mscorsvw.exe	40
PID 1252 wrote to memory of 3000	1252	mscorsvw.exe	40
PID 1252 wrote to memory of 3000	1252	mscorsvw.exe	40
PID 1252 wrote to memory of 1892	1252	mscorsvw.exe	41
PID 1252 wrote to memory of 1892	1252	mscorsvw.exe	41
PID 1252 wrote to memory of 1892	1252	mscorsvw.exe	41
PID 1252 wrote to memory of 1892	1252	mscorsvw.exe	41
PID 1252 wrote to memory of 2448	1252	mscorsvw.exe	44
PID 1252 wrote to memory of 2448	1252	mscorsvw.exe	44
PID 1252 wrote to memory of 2448	1252	mscorsvw.exe	44
PID 1252 wrote to memory of 2448	1252	mscorsvw.exe	44
PID 1252 wrote to memory of 2528	1252	mscorsvw.exe	45
PID 1252 wrote to memory of 2528	1252	mscorsvw.exe	45
PID 1252 wrote to memory of 2528	1252	mscorsvw.exe	45
PID 1252 wrote to memory of 2528	1252	mscorsvw.exe	45
PID 1252 wrote to memory of 2968	1252	mscorsvw.exe	58
PID 1252 wrote to memory of 2968	1252	mscorsvw.exe	58
PID 1252 wrote to memory of 2968	1252	mscorsvw.exe	58
PID 1252 wrote to memory of 2968	1252	mscorsvw.exe	58
PID 3016 wrote to memory of 2492	3016	SearchIndexer.exe	67
PID 3016 wrote to memory of 2492	3016	SearchIndexer.exe	67
PID 3016 wrote to memory of 2492	3016	SearchIndexer.exe	67
PID 3016 wrote to memory of 2184	3016	SearchIndexer.exe	69
PID 3016 wrote to memory of 2184	3016	SearchIndexer.exe	69
PID 3016 wrote to memory of 2184	3016	SearchIndexer.exe	69
PID 1252 wrote to memory of 1792	1252	mscorsvw.exe	70
PID 1252 wrote to memory of 1792	1252	mscorsvw.exe	70
PID 1252 wrote to memory of 1792	1252	mscorsvw.exe	70
PID 1252 wrote to memory of 1792	1252	mscorsvw.exe	70
PID 1252 wrote to memory of 1200	1252	mscorsvw.exe	71
PID 1252 wrote to memory of 1200	1252	mscorsvw.exe	71
PID 1252 wrote to memory of 1200	1252	mscorsvw.exe	71
PID 1252 wrote to memory of 1200	1252	mscorsvw.exe	71
PID 1252 wrote to memory of 2064	1252	mscorsvw.exe	72
PID 1252 wrote to memory of 2064	1252	mscorsvw.exe	72
PID 1252 wrote to memory of 2064	1252	mscorsvw.exe	72
PID 1252 wrote to memory of 2064	1252	mscorsvw.exe	72
PID 1252 wrote to memory of 1444	1252	mscorsvw.exe	74
PID 1252 wrote to memory of 1444	1252	mscorsvw.exe	74
PID 1252 wrote to memory of 1444	1252	mscorsvw.exe	74
PID 1252 wrote to memory of 1444	1252	mscorsvw.exe	74
PID 1252 wrote to memory of 2840	1252	mscorsvw.exe	75
PID 1252 wrote to memory of 2840	1252	mscorsvw.exe	75
PID 1252 wrote to memory of 2840	1252	mscorsvw.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\3040-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\3040-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:2896

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2476

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e0 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1e0 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e0 -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 284 -NGENProcess 1d8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 1ac -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1e0 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 280 -NGENProcess 1ac -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 27c -NGENProcess 290 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1912

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:488

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1796

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
50fd69d64db322469aa97c2b71a30d2a

SHA1
fbcba801bcb58ee6695b4f099b7c94750edc8fc1

SHA256
efeacfd6f23b7bf26398177ffa1e959fdf8e47eaeca128fc3c64cd3e746941dc

SHA512
35eef43a3f1f2dbe1850fcb29a8a3bdd6b50e0455a19a75884865c9bd7044c7efb742c1179bb4fc1bc3ad3db91f6484788b8e056c37a9c56e5ec0a1ce77f2b87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.0MB

MD5
15e47b19bc5af02cd262eefbfe4e6744

SHA1
140927c38d2c0575030bbeed15a709b5508226d2

SHA256
32dfdf76df03435553a51ec0796b24da1570870b5f7705a5c614c965306c67ec

SHA512
491abec1c41fa36b4be4dbda70f264dfbc649a4fe8248daafa3bd73e3189ee04c78b3b0e4e53fa9e104e00e8bb67185718ade1413e790a6856a13e207383fcab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6d211a90d83772ffa7a8eeceb9b672d7

SHA1
ded66136393bd6d1c90f01a4f056ebc574b555ef

SHA256
60565bae819c8a4143312cd0628c548a9958fd1b84a3de9bfc1997070d7b9dd7

SHA512
e72a0a282f88b7376cd12636d2e8a5848df498736d70b54c60e7f03291e1d9ee16bbeb94b092ad730838d6e4227c84c174e82d4cdc370e395a0f5b6916bb2c6e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
4.6MB

MD5
0acb32cc621e54788ff7266e6eeadc88

SHA1
28770fc108fb4ecdc7ad91b4c0ba547a2dc5cb38

SHA256
f2ff54d3c1228cda85d3270cb9ab776b36a0ac8f587c531511b5035b2cd5839c

SHA512
8f0c4781f66d5a046bd24e30aca3dc70bad87222ab067bb1d19d516832464eb91f21596b1e15692cfb1bd7720cff747385e3b9113f74fb40c330116311ae9d53

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
466b950cd804d44b780eaef7e9b9541d

SHA1
20894d2529788b46c3c08ffd18bf128a1425477b

SHA256
c7578352b656c0426347ceae029bf353c9670b7bb9b85284651cd3a3fb0a42b0

SHA512
3d19954b246568c4dd9c759659029fef9723899364ab8da3d9a3e996bb1973f1df3044b4f33b78a0fe220c055b0b896e0f2740dddeb7a1768c6edea739f55be5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
320KB

MD5
76a32a41ebce031425551f434d67f6db

SHA1
23164a952dbf6cae2c39bc4e9c238f07a544b81c

SHA256
c8718851c312d3b50f613bcda7268589baf067b88b7082c42e67fd44491484a1

SHA512
3823583ef6c60f4fc70ad4e78f4d2c933bfc8de8a90e29fb87a35c9ee0e9d691d152773d98ddd0cd8b9c4becc975b3555d29e3226568b39b5440f907559e9d42

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
206KB

MD5
9d1529c73335b940de7c6dcdf1a14d57

SHA1
0806eb789a15d16c1953096e137100ea0d2e6d30

SHA256
51fbe5a84b5b812ca28455fb62ee751d898e20540a44677726e3aa235bef1f00

SHA512
d51f3ba3805361f2c98f99e7a82608adfd1621f176cd6d3e3358af62a2e991ac6b455367524fe2b2decf73cc47d691e8230ac1dd8f668a97c7db6a5e95933e2d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
162KB

MD5
f8e5b3e118733ce07a96b4dd5a113854

SHA1
759edaaf5a8ccf92b0d515ea6a754c4e4de0e6da

SHA256
e7100d9710ec81ac955679a0ec81e726cb26718c12633c23468a10af9287f110

SHA512
1ff002e6bd3dac932f5336469adc0ee687e92f921ab07b92296ab10b07355d0c55e501142b0c7d9e4d9045e328d9f6d313d244b48d9e34defca3299a27d241cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
153KB

MD5
9be84db78b43d6b12f64bce2db281eb9

SHA1
8613da3c1dbf4cb37d3da8a0e83b702e72701b45

SHA256
d51e3045ea56d20db4eeaff66fa161030a57eac1036395ab46ea695bc4341cff

SHA512
36e9e3b0c3935a558b683c185230b47303c8f262d700e5327a0533bc99aededc2b211410fefc477895273b99e07801f943616ddb0c1427bd70670fd74d0866e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
409KB

MD5
da81ac5b7523704d836f14c94631a0d2

SHA1
98ffe76e9a204e311462211c58d8fd3f450d913a

SHA256
98673bc591d778d09645085c09dd9ef06d62548b3701e82c6b7e99f2f7380c44

SHA512
be1df2cf5b99a692aa9a29bf7a820a145cec9a94b771b15f5771b0b6cdb2de5a8b5942fdc78a2afb2aeb5baa8ef7d838b4ec97fbb68f4c72ebede2c0c71ca5ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
209KB

MD5
6c0e3180ead1a6b66a06c0b3587011e3

SHA1
55422ad1c6e9170e2afe3f132b7b6583e84dba1c

SHA256
cb9264f84c06690d177a381be7a5ef398b332f7e61d414c452ea6ccc1b416e44

SHA512
7d7725f223d1d30550eb3cafb5a771c43fff1be39226017048f461cb3f92341fcebdff97dd35b832570ab638f083d728e6d88d598ab8e53f6d0ee34f87181ac4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
150KB

MD5
ea08cec832b348dc816b98d9b9921c4b

SHA1
fd44540a0dd539b10d2215045f2bd765e914d9cf

SHA256
e40d0c035919bd06477ecbd6956038056ada3e0b76d261d7e4c418e0f5d8e48b

SHA512
fb2bee51d1ec5445e0974b59dc24ea333fbd8634df03140b005b8a701d7689a451b26c1fdb8a4e8979c97a49588cf9730f4d610092c3a23a3995407f2d2dc8d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
118KB

MD5
64b6d12363640c864c78319563717f28

SHA1
8e9472b7e9d974bc372b032a085d26531117b121

SHA256
6a35442b1353b0b31095ae3f0d2b48ab5a66085d7d2ed8b380b15d636d8802a9

SHA512
a0fbb57f617bc95839e3a589807aedfad97ff2b16fe81c5628ed69aca3de7ae43c18e3c37a406feb7992a7a26314c499a91e79424e4d6bdc359662fa057e44f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
126KB

MD5
4d12b9932f0c0b9e33f934963d1dd614

SHA1
8a48ad265ec88370cfc70b8c3c9b1a07c7f1dbfb

SHA256
ef68194e73afcf1534b7f2e76366a643af080ec1a594ef5f3599608761968b66

SHA512
c285ac155d2bf56fd866b0900c86b0354fa3ac06d94c01afe9131c611a7fdef8538edf97613580ff6a2c54b0309b2fb54900f5f15fbe7c37d860d9b0f98cb95e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
133KB

MD5
13883dbdab64bafa5ff386f8734a260c

SHA1
a38b218a904f5de759dccb626338121da86cbbfa

SHA256
2e5d366e72528ac03e506bec52abb36a519b0df71fa0eef6095c02d31e4e949e

SHA512
e7c30e750bf8bdfe765121584730ad84f79983f9e0c14207532f683a356d7f4991cc9f72531449e5edcdc00da94a69a597af26b5996d6028afe9438a71f78bbb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
115KB

MD5
82a6ffcc4f2f804f504bd89311b3ad8e

SHA1
161ffcc02fe5a4de3222bada3f424f99c7fc3bfc

SHA256
f5d16cdcbbb91412e7274dbb511d91d661742cd32937bbdce82ffa4dab42196e

SHA512
2e46ad2f0b177e19879b24334104051a72643013967a6bda9cea6fc45452f8104a3f59b7a392dfff7c2e04b4d89f291f8b6a35f2b35d9b8b0ca18c6ca580e6a5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
138KB

MD5
92478ec0d16d813cb661c7f8deb6f418

SHA1
44197d1a9b3b848b5006138150a8b4186a406a1a

SHA256
e9ef1d966a4bfbfa93708d9aef876ef99382f91cd5ef0560e33d7a8c85647a89

SHA512
f32ec8618b7e14a9f0460793360be8234448920cee2d6ea21cf54692499af478fb84afc81a4230ff895ed3f90c47a47b5d8d374c17279db03f2f5fd1be9c060b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
158KB

MD5
9ae1ed53604429b2e09d8d502a973922

SHA1
f9c09589077f19eae05b134c702688775475c358

SHA256
6682ad8c15a9a6497a9b1b6250cfa878327b2eef3956f10a39e147e35a3b2eef

SHA512
44d6e279eadeba9d497d1991d15fab1a3bd797b78107915898d69f0d94223e8ddc8775bcadd177183d26907cc3bd1516539a7cb3e0f6337081be956eed5e487e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
96KB

MD5
88a5d4ea403c4715617f7ea26e9cb6ff

SHA1
4e7319dbe11c5adac7ae7e7da5852deacf65fb80

SHA256
d21a914409542ef7f9551ab833789498aad10fced493e812f98751c07ee307dd

SHA512
a7271bb48332a18aca7832ac6de0b72e5bde77620e83b708007d96445db9242654ffe0c347ed637c4e8d52d81c76ee80c61ea4386e71444f0a67944dc627f0c0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
24KB

MD5
e566a843b0bcdcfc0d6021273e946ac2

SHA1
786e254136dee0424618c8d9010270a504a1bd14

SHA256
267da8279fd6909a00f466f07da08d43b1e6f27cd8bef56681657b1aa6d3eb90

SHA512
f08e956eeb2c075aa83d405dd6c558164d9636b7244593fa2da12344445480c499941a84b8353b6e67cb9144ff01ab19916b2f4bbef6a5cb05f8d318fb55daa6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
677KB

MD5
762682ca416af6981de8f3124d13cfc7

SHA1
5b98be48b93ab614960009dce5f58684cab044ce

SHA256
c9738361e51638ac6bd39270eded0503660f647b996ce09221985699a89128fe

SHA512
9dcf0f53432745ee190c15f74cc9a12520c712d0dea1df4a8a0d0e0c341a0c9b753f5ec0c38eaaea5d68194e965870b8d50ebe03ffbb1a3c69936eac19b9977c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0e38a1d7f935784e8bc2445d0e31e609

SHA1
e5b703c5b043c11cf708359480fed54a33c534ae

SHA256
9d8611972538faae0011f99004c10036cfd83e90c0fd9124dcb011620c905092

SHA512
20b34c17ea901e5f9634787424b8dc725881e13b3e7bcde15af2b2c1fad95dd1310283359d83555652f1862c4cfe3e23c2bb99d835065a1af36c2549da26b4cc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
960KB

MD5
758bbd487c54a682064303b3a64cb79e

SHA1
e62c3d63a0afd87b87a1acff878bbcb0f29d50e7

SHA256
e5fd50a6b7a82fb2fcf436e9b7fd95176116b7e77bff7a3552c930d2a0edcf24

SHA512
da5fcc552e8a630223ffcb5977dba4a146bf1ce22ffbaecdcbb9110a1c7188f4148e57c91b8a62cc576321d666102601c12483e731e1052274f1a7454c052f1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
237KB

MD5
e9d76e2e48e1f81782956ea3f65b2e66

SHA1
092ee30623ca6de8fe94101532cb24aec047a56b

SHA256
a5daa1d82356ef64ddf0b7e8c9d74def30dbc665a82ce4cb2590e79273f84aef

SHA512
c05284e31d3432426bca2e73aed29971e8c6965bf82274b24cbc809e6e72955bcc1d60f6d9b6dac1f97b10da0b22dd6635b512fadc6ff77704f0ea974d7d3d14

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
a96e74199f65b1715124cf03f35cce69

SHA1
27e41617651847637c42575ba7b58d65fd1612f4

SHA256
2b15bc8f56360c205a31f2a60d3bc7ce5d983bcf934b51a707b0bf2adfdd4beb

SHA512
9002f89e722e6ab57f9327fb66eaa13f2f138ec818237d60811b19c42e5a3e7c8846bacee2de7c539c0ea5f9cddfb434859253ea6bc37c67e178a71184ccc414

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
123KB

MD5
189565149eba9aaffa62a0a06ac9307f

SHA1
46004829ae3502370f3c266d5d51667208f38741

SHA256
e6c6f9dd22e3e5b9ee21c1427f31d034f2dcd1467a99729e68dab1fb1bd4ade7

SHA512
bb74b1ffe61c394ed72b09e4763122b919af2638c8740344a0a2a90a281a86aa67d55764cf081a085fa8d1e3999d805de97d2534b0952c2a464afcd8149e2c2d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
3b5ee2657d4c70853a086874b75d92a2

SHA1
51159001c1ec5324569effb655dfa545a0b04ef2

SHA256
673ab1affcc5cda9985fec322704e29f4d24059b0f414b94836c3f69e6e8e447

SHA512
c205b8914180ce8f618253526885da827fa14a606298165db02d348d603d8832a43c7b18a1453da74770450a60d5f8e40130688cd80c7d88c2da82d25cc4134b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d1b765cd0f11349f90068c9225c1aac0

SHA1
79c6f9267e5e3c09e4613bc0fd92c137f7317dc8

SHA256
f411ae4d88434565658b87dcf0eb1739bfc7c5dd6f4a4143a2de7aec69a3e8d6

SHA512
de27c3f4ab311f2494552c07f6aa2284dc31ff15a600693a1e395d6e2dd24a0ed799ac6781e48bed9869cdb584be98ed574039d577fa26a98e928df225e635cb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
566KB

MD5
b214a294390950ff8717244c10b4dd3f

SHA1
dd9a6e7ecf9eb25f64d702fdff947d004730b039

SHA256
2d9364ba69eb5786b8da10619ec28297c6dd1a87c4545dee57c6687e57e78054

SHA512
2c00e4294647ee0ab80433129e4005531d9b82a8cb800ff54d5f673d43a1d1ffd1d2f742072752190090512609952185e3c12d5d925046c99ca06f3dd5caeb6e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1024KB

MD5
5d249bb7dfe2845df8448bf7c08f75fb

SHA1
d4c3a43eaf79f024fe579675a7fb8efa6d777e0e

SHA256
2164dd7de5578a936ba56e76a3d190538ba92e6d95487fe1d48155de67a52252

SHA512
b5887153eb4a671adc42ed2f76df0ce8603ba3cc42b740858e855cd3b0540555a664b93a3defc8055c05c25dfa8dee8dc0c1431f975b3f1849e3a51e79a34884

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c27649013ab7e135093069f5cb43f3de

SHA1
de112f41a4fe9f692d3b3c760bb34c1c7b845137

SHA256
29b32af617ff203149888c59acd2faff94675f6b1fdddcc250588cff6708b5ae

SHA512
5a99a7bb9f112018e93ff5b0eaa8fec7b0ca496fa21d8c07e3d10539247d98f5f2e8f9a1516e659770da7390f8aae9b582faf841aff2bf63cbcd0d530e84e30f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
e831fa0d972734a9727308afe14760e7

SHA1
25c51c09d4375f5b3825c409efe845e6211bab6c

SHA256
955ff376c6cebff804c32d882787197426dce213f93acc9da90dc68e90ae8c78

SHA512
cce1eb19a687c0683c522c94ff82ebcac1fbae7efe5eac0435f77b8cd761955fbb735d64c1f3a1e49c1293addcc5cf6f36a4371445034e03c454987abd9ce1a7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
4d8de7b6640a903610594343dafaa0e6

SHA1
e1eb0fa410d2837ef9f35cda182baa53780f1f9f

SHA256
635b706a997343653a4415f90f4d427cb1abb6daa014f2589c68f3e302935f85

SHA512
5cffbd3a77e9237f53a50f136b635b60d608f11cc309e47c3467c9ce2ec4b5c1b9a4c58c93f96ac17e1b871288036d82214d0428501c607deb5b91edb095cf19

Download Submit
C:\Windows\System32\alg.exe

Filesize
109KB

MD5
481a73f00f493a4db11a7318ea9078c2

SHA1
2ee4a5886fff06d4aed5736bd5a2843c328feceb

SHA256
dfeb56020ef5d56a0a2bf0aca38eca6c28a0473c913fdea4172147722bbc1b83

SHA512
bc0dc5c8f1ba17a3accc9c7849a5e2a85f372d5cf7bb9207321895e4f4e66810fd3fddc0183ef66018bc0874b3c287d5c9d9ab58a1058c674ad4dad9a666b855

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a689e448cca2e2c1782449e606bf50a2

SHA1
64c5370376c8d71af665c1c227fdb0cbcceb3899

SHA256
70a0cd3877e26537572bbf4894719be0498c86366088cfdecf5b4b48a434a4ad

SHA512
16bdca10e929e65452b5bb3bbb788c08e837aea9c02bba8146c2951da3f96f733c860c506b4ab4d32a0e7f9215d181a19124c6041d4aef9ef66f8a5b00e4b642

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dac2cc6c4af79b49605201b305a8026b

SHA1
dec5727bb18251073d57ffce01f62c7b3bfbd2f5

SHA256
184ce21d1d4ee283d7b981974bfa93da4c49b3dd119266ec692fff8d065bc331

SHA512
dc451a877220ab31418a584734ee0f1bf58e193384ff242acdcb73fceabcdb2ed8de8cdec9c228cb3ad9f187dbbd1efb3a86869d8f374401356110bb1779820d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
e6c68d6ed1ce49d31ab42c41a4d89f07

SHA1
ef7cc72287ab755a3e9934969ee2ce91f35dae77

SHA256
f5c6a89aa58868410ce186e202281bc12266ac45336a7f9f14685fbcaa441fde

SHA512
bd674318f9ca140fdab7cbee3bffc0c7eaae937490f731a05cd99d5c8b170be3603160de7e3250a03a9fc874dcf3e85542d05cef43a7ea4fb6d32e4ade324fdd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
320KB

MD5
d47845b91bb55d6670c3ba48e8080f7f

SHA1
041f9a44c404ff5ad61d586a4de01283130cf7f3

SHA256
203e31818e106e3ef95610b262d52cc5dec5a39fb99ae2b51e61eeb8ac53287a

SHA512
76da2e177d7c154cbc2b6e1c49a82ef777c47cef84842256c30291f12b51728af484c3042bc8b88c6a8d115bb21eee8b62c84a6101b143b0b8345de1ef1c0f7f

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
97KB

MD5
51b0b2f91f425fed6f161f46bb269fe7

SHA1
3e192a705ad77fece3fc300fa0edf4240a1fc456

SHA256
58bce2d52c3a5ab5c12a6bd45675fe8597e14e399ce9c41fbdc42652dda2bcda

SHA512
23e5ba0f14aa5fed9b42095f2d28ebe2bec1168bd3d2404acf82759f9c47936ca8a67d9ce05262ddb2c7d342f481bb31bdb2f8f53bbdf522471d68f384cebe3f

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
97KB

MD5
2c714b6ebe0c8581c6b2eb65baafe7ce

SHA1
b50faec6a412accc4b7ae9f3b6d6c7e899f5b5f0

SHA256
74110a6263f554d7084315503d38f6baad561a804b845b53d1df6d9f4ec2c065

SHA512
804b07be1f707afc609c5332991905f8891a1a49ffe4a45782497798e820714a0210ba1f982aeb24c0e3a1cbcd2409f831b27821b0e29fe7db485954c4a4e171

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
cb63094f928e738befae896b826fafaa

SHA1
9b8038b01a6c26fd91c0bb7ac7f1bc4c7eb08ad2

SHA256
19895f7d2e901e1b11911c317ed7b8500872e07dc44397875b84c3c713b4c769

SHA512
179e0918dd3d518708d2dc06f8c9ad0b509acf22e7cdfaf54bcb8b095302457225432827a43fb26392ab6cc8a3cceeaeb43b8fe79d0fe52fafc944333b829844

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
198KB

MD5
b10d82e32d6feed2c848b6389efec269

SHA1
a8fa8e23bb126f677a210737bdaf338454e80038

SHA256
594877da124765770a4fc359053598d95a3dcfad6bff9d5e77b9edb743fcc49e

SHA512
dcf482f26a9cb31f6936d1e1bd65654234ab9edb7120a390e26b45b4c24cb1e30ee112c9a156bf186a347b4953e204bc1865de68df63959a1999aae2060d42dc

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
232KB

MD5
9889be04d0a1059885f9a043953ce68a

SHA1
f3735d905eab783dde9e3752c7b94ed6deeabde6

SHA256
16f9c380bc4c7a308b763f86738eb6642e7bbd7f031e1f436abeb10cc4b25720

SHA512
75e26cad9f18693627da31c8cac599c378e094a570e3ce94abfd257eed09c3d5746033980a178314885b73f21205a00ec2c68d07cc89a2df9bdfbca45d72566b

Download Submit
\Windows\System32\alg.exe

Filesize
346KB

MD5
94b586d1b7aec5ff7526eb0e549a7597

SHA1
e1b30189602660c7e4cf74c3528a0cc02c45625d

SHA256
d5af4093aa85f044fe3d04f4640cf634dec806901b4cd1b71d7f4334216fa0f0

SHA512
1a304a4d0e1fcc2d926f0cb9bbaff8764c5dae5c93d4f2e70b58651bbd20327898801323ce9bd98fcfad96845e01103ec34b0e56f6e1ec3b05a27282ffc9910d

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7ab3e44e81305266421a002d2570b876

SHA1
bd31186a479a004f2e538f464fb1c02f29ea5362

SHA256
84f855327138f25a9171a3de8ac28728628ed591e92a16ba1eacbbc3d19886d5

SHA512
0bbfa59d0b7bb3f40866e558571ec6d2b4891b0d6b639c7a66777bbb4833003b2ed6a1b242c13cfc3de5efff5d1aad32e46f2b83763a2b6ddae07a924516c7c5

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
2fec6ce8b44539d439c83c5899895296

SHA1
a2347398c68b334465a7d35e28981668b50e67bb

SHA256
e1fd3cf112738d940968e7fca80b66b4a3285e980f640e7054c657b4fa52b81c

SHA512
90903ceef2b0005489d9321a35f6f83de120133b6d49ab74b72947d8f1eccdd51d5f982d70f7fb0a3ee35b87438d56c5397a8e85ef60675e332370434f4677e8

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ec8f957cef2bc77e2d98e8932bfaad28

SHA1
9ec5c07c6b826a88477eafa8abfc21719a37cbf1

SHA256
f8f3ca17f6f91258c7b963163680b43d9e21c2e6889520f149ce3850f5990a33

SHA512
9595be9d1c3ab8aeda069eea28587ab01801f60f49e52a454f1590fc9ef0790a090a8dd558d0283cf4067adeb2358a87d4fbabc25221d86fd5e4c01e310e1b53

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4765f9b918428d49f90e89601b76e6c7

SHA1
c7add4d98c27bbbbca802eed1ee61cbae0151d65

SHA256
6e288756c87929cb5069865f3a28694375c753c36ab3536c6f6ed4e3067de56b

SHA512
1df122a984c24688cbeb0c16bb628787aab3d1b01d5a7043ccf7f1a02b537b018da67bab6892fa9d8745d287263fbb25e50dac3445066761030d7f22fc7f0ec8

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
194KB

MD5
99be3b9251ebcf88460c389a2c50344a

SHA1
aad90637ce1e53f1defdf6e730b16f06d0122796

SHA256
ad2bac3ddebf4556158bbb6ffe2276fb52a9e5ee98c02efc324beb4e0c1db2e0

SHA512
6ff7c7ddcd71d4c747b36d6a6878bab0b75aa4214813d8ec8ff488de280e623dcaab889b4a9df233b51c22eeb88ea36a6d2e057779be1110348f36128d628d4a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
192KB

MD5
18c20ddc039675835fd4b464399c155a

SHA1
9e69589937bb889a623d608438c99760e3a21a38

SHA256
b054375e9aa2d21e822496c5b282964d22582e4ceda07a8b9d788307207b739d

SHA512
a4c9133aa9346c0176c47bf7aaca0e1fb739134b26e988abe626d749711ecd0f537e2b0b1f8b8f34e7044b3bc3a1f3ac28e71a0b6879923d6e7d55ef3e529ea8

Download Submit
memory/332-96-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/332-109-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/332-102-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/332-119-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/332-121-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/332-95-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/332-120-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/488-261-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/488-267-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/488-291-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/600-138-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/600-150-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/600-136-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/600-130-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/600-151-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/1252-111-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1252-62-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1252-56-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1252-57-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1560-84-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1560-184-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1560-170-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1560-81-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1560-215-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1892-201-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1892-163-0x0000000000970000-0x00000000009D6000-memory.dmp

Filesize
408KB

Download
memory/1892-211-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/1892-168-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/1912-237-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1912-243-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1940-177-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1940-185-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1940-212-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1952-0-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/1952-6-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/1952-82-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1952-1-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2128-64-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2128-45-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2244-78-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2448-198-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-213-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2448-214-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-196-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/2476-32-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2528-249-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-222-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2528-216-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-209-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/2624-231-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2624-292-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2624-225-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2644-91-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2644-14-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2644-21-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2644-15-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2656-103-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2656-27-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2752-256-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2752-255-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2864-106-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2864-132-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2864-113-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2864-127-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-122-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-129-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2864-116-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2892-281-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2892-275-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2896-38-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/2896-89-0x00000000007E0000-0x000000000089C000-memory.dmp

Filesize
752KB

Download
memory/2896-71-0x0000000073D70000-0x000000007445E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-90-0x0000000073D70000-0x000000007445E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-86-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2896-42-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/2896-31-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/2896-37-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-40-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/3000-165-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3000-148-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/3000-152-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-164-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-141-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download