blustealer | e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-04-2023 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmprwm0tnp5.exe
Size

1.6MB
MD5

170860057f4aad06ddbeea0ca2b3f1b6
SHA1

db04c735b769df458518f959ae7eca39cfa06213
SHA256

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
SHA512

f8bf57126bad026be2414121c798d5688119f06312404c35dea3f457deb717f6422291f5401178586fd23055577f893b4e6236e413c909e3b526c45d3b957766
SSDEEP

24576:uU7taDBzgNEfeEvFTMxdzYPh1ogay/zj1weNgcHFx5MpfTjU/c7jNXPohE:uU7PNBmMxdEvogdzxzHFx+pfTgE7VPI

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 45 IoCs

pid	Process
460	Process not Found
1236	alg.exe
1720	aspnet_state.exe
1692	mscorsvw.exe
956	mscorsvw.exe
948	mscorsvw.exe
520	mscorsvw.exe
776	dllhost.exe
764	ehRecvr.exe
1536	ehsched.exe
1472	elevation_service.exe
1320	IEEtwCollector.exe
572	GROOVE.EXE
1968	mscorsvw.exe
2012	maintenanceservice.exe
2152	msdtc.exe
2248	msiexec.exe
2360	OSE.EXE
2404	OSPPSVC.EXE
2520	perfhost.exe
2556	locator.exe
2652	snmptrap.exe
2748	vds.exe
2852	vssvc.exe
2940	wbengine.exe
3028	WmiApSrv.exe
1808	wmpnetwk.exe
2104	SearchIndexer.exe
2860	mscorsvw.exe
904	mscorsvw.exe
1476	mscorsvw.exe
1352	mscorsvw.exe
2500	mscorsvw.exe
1640	mscorsvw.exe
2880	mscorsvw.exe
1940	mscorsvw.exe
2280	mscorsvw.exe
940	mscorsvw.exe
1968	mscorsvw.exe
1012	mscorsvw.exe
1680	mscorsvw.exe
2796	mscorsvw.exe
3056	mscorsvw.exe
1092	mscorsvw.exe
576	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2248	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
768	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\wbengine.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\760caf887693df14.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\vds.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\vssvc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\alg.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\msdtc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\msiexec.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	tmprwm0tnp5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 268	1760	tmprwm0tnp5.exe	28
PID 268 set thread context of 1200	268	tmprwm0tnp5.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	tmprwm0tnp5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	tmprwm0tnp5.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	tmprwm0tnp5.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	tmprwm0tnp5.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	tmprwm0tnp5.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	tmprwm0tnp5.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	tmprwm0tnp5.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{999C00B7-4AB6-45A5-9357-2660F06FD5BE}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{999C00B7-4AB6-45A5-9357-2660F06FD5BE}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5BAB32EA-4F6E-4374-AAA6-57A061032240}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{5BAB32EA-4F6E-4374-AAA6-57A061032240}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2016	ehRec.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe
268	tmprwm0tnp5.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	268	tmprwm0tnp5.exe
Token: SeShutdownPrivilege	948	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	948	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: 33	956	EhTray.exe
Token: SeIncBasePriorityPrivilege	956	EhTray.exe
Token: SeShutdownPrivilege	948	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeShutdownPrivilege	948	mscorsvw.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeDebugPrivilege	2016	ehRec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeBackupPrivilege	2852	vssvc.exe
Token: SeRestorePrivilege	2852	vssvc.exe
Token: SeAuditPrivilege	2852	vssvc.exe
Token: SeBackupPrivilege	2940	wbengine.exe
Token: SeRestorePrivilege	2940	wbengine.exe
Token: SeSecurityPrivilege	2940	wbengine.exe
Token: 33	956	EhTray.exe
Token: SeIncBasePriorityPrivilege	956	EhTray.exe
Token: 33	1808	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1808	wmpnetwk.exe
Token: SeManageVolumePrivilege	2104	SearchIndexer.exe
Token: 33	2104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2104	SearchIndexer.exe
Token: SeShutdownPrivilege	520	mscorsvw.exe
Token: SeDebugPrivilege	268	tmprwm0tnp5.exe
Token: SeDebugPrivilege	268	tmprwm0tnp5.exe
Token: SeDebugPrivilege	268	tmprwm0tnp5.exe
Token: SeDebugPrivilege	268	tmprwm0tnp5.exe
Token: SeDebugPrivilege	268	tmprwm0tnp5.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
956	EhTray.exe
956	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
956	EhTray.exe
956	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
268	tmprwm0tnp5.exe
2884	SearchProtocolHost.exe
2884	SearchProtocolHost.exe
2884	SearchProtocolHost.exe
2884	SearchProtocolHost.exe
2884	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 1760 wrote to memory of 268	1760	tmprwm0tnp5.exe	28
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 268 wrote to memory of 1200	268	tmprwm0tnp5.exe	30
PID 520 wrote to memory of 1968	520	mscorsvw.exe	44
PID 520 wrote to memory of 1968	520	mscorsvw.exe	44
PID 520 wrote to memory of 1968	520	mscorsvw.exe	44
PID 2104 wrote to memory of 2884	2104	SearchIndexer.exe	60
PID 2104 wrote to memory of 2884	2104	SearchIndexer.exe	60
PID 2104 wrote to memory of 2884	2104	SearchIndexer.exe	60
PID 520 wrote to memory of 2860	520	mscorsvw.exe	59
PID 520 wrote to memory of 2860	520	mscorsvw.exe	59
PID 520 wrote to memory of 2860	520	mscorsvw.exe	59
PID 2104 wrote to memory of 2292	2104	SearchIndexer.exe	61
PID 2104 wrote to memory of 2292	2104	SearchIndexer.exe	61
PID 2104 wrote to memory of 2292	2104	SearchIndexer.exe	61
PID 948 wrote to memory of 904	948	mscorsvw.exe	62
PID 948 wrote to memory of 904	948	mscorsvw.exe	62
PID 948 wrote to memory of 904	948	mscorsvw.exe	62
PID 948 wrote to memory of 904	948	mscorsvw.exe	62
PID 948 wrote to memory of 1476	948	mscorsvw.exe	63
PID 948 wrote to memory of 1476	948	mscorsvw.exe	63
PID 948 wrote to memory of 1476	948	mscorsvw.exe	63
PID 948 wrote to memory of 1476	948	mscorsvw.exe	63
PID 948 wrote to memory of 1352	948	mscorsvw.exe	64
PID 948 wrote to memory of 1352	948	mscorsvw.exe	64
PID 948 wrote to memory of 1352	948	mscorsvw.exe	64
PID 948 wrote to memory of 1352	948	mscorsvw.exe	64
PID 948 wrote to memory of 2500	948	mscorsvw.exe	65
PID 948 wrote to memory of 2500	948	mscorsvw.exe	65
PID 948 wrote to memory of 2500	948	mscorsvw.exe	65
PID 948 wrote to memory of 2500	948	mscorsvw.exe	65
PID 948 wrote to memory of 1640	948	mscorsvw.exe	66
PID 948 wrote to memory of 1640	948	mscorsvw.exe	66
PID 948 wrote to memory of 1640	948	mscorsvw.exe	66
PID 948 wrote to memory of 1640	948	mscorsvw.exe	66
PID 948 wrote to memory of 2880	948	mscorsvw.exe	67
PID 948 wrote to memory of 2880	948	mscorsvw.exe	67
PID 948 wrote to memory of 2880	948	mscorsvw.exe	67
PID 948 wrote to memory of 2880	948	mscorsvw.exe	67
PID 948 wrote to memory of 1940	948	mscorsvw.exe	68
PID 948 wrote to memory of 1940	948	mscorsvw.exe	68
PID 948 wrote to memory of 1940	948	mscorsvw.exe	68
PID 948 wrote to memory of 1940	948	mscorsvw.exe	68
PID 948 wrote to memory of 2280	948	mscorsvw.exe	69
PID 948 wrote to memory of 2280	948	mscorsvw.exe	69
PID 948 wrote to memory of 2280	948	mscorsvw.exe	69
PID 948 wrote to memory of 2280	948	mscorsvw.exe	69
PID 948 wrote to memory of 940	948	mscorsvw.exe	70
PID 948 wrote to memory of 940	948	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
  "C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 278 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 278 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 308 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 300 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f4 -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 278 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 318 -NGENProcess 304 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 318 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 1f0 -NGENProcess 1e8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 184 -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 278 -NGENProcess 2f4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:776

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:764

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1320

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2360

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2404

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
42096e78e07ea705a0806690375b0228

SHA1
1e1b0cad2c0f786b535170f6bba112ef883d6f90

SHA256
c3ba4a62c4f28336cd9f272032a1af9aa185c9905a2421d34058b04d4e0bbd40

SHA512
6fd3aef1e26b53a34e91db20f11189d6cf7224e98f33575265ecae4e32ba97792ad35d2156da4af679cb121c02d34908adbac74a83a0401997a5815330e6dcb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d18bc13bf1c695e84b82743c427159eb

SHA1
4a02f861449210f395047b6c3c81b9c1d1c18c75

SHA256
3b50a9c0086fd181a6b3200a6a3f1922ce704c909fb506fc9953eb7167ef3197

SHA512
98b2dbc26509d7ddbf14704f64c383790935b46b1fb95878d7f3fb808ebfddeaa3f429bfc5c80342b4dbfdf8fb358d747483d076a6d8bed1bc05987eabde42db

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
efa70ec9c4228f16f95f0c035bc0c875

SHA1
cabfaf8d32be9c3423a9eaa33a6fbe8887394b0e

SHA256
a8b0543181ff82980d5333aeba4384f83abad005ee473343c4b95bf8e3f12505

SHA512
495ea9017a7de6c556fab15b11690542b3c3a708c53ee0d971135e164eacb99deee5e908e3d9be6cf6a9d859a902517851c63c280a3b540d93fab4d9041b5e3f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
99ff659dee451bbd0d52d9f3f5edf03a

SHA1
3b00587c6895a91fca7673f6e4f58703265c295b

SHA256
48125dc97593f03dee9bd8a695fc61f1bbdb7c795601c7b49d05460e02c0f196

SHA512
88a654ff2ba64ab46c8b6acb24ba872cd22d96afde7fe80dcce1fa1bb3e3ac8a2eb8c6451cae97787ba7c8fb8cd08797d98935ecffc00a1811bf702f9b2253ec

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ae78995deda201a2e780e83cb2903521

SHA1
3d50fabfbe65ccefc738fcdcf00b3dd5fac6cb82

SHA256
294fe768b2ccb8f303cb4f824cb0a7b5351f7d98d9670b5e37af50d17f21fd16

SHA512
bceeb2d0e8e7f8ff7bcfa8706959263ccdc75facd68551b397c0b026617926e7f504ec46eec416530e924bf001493872b9638fa4d976c1961f9fe54c308016fc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a10096bc54ce7c39338a36abc6e38ff1

SHA1
8b268f9a41107bb968e9222ca2407eea23a8d672

SHA256
fcc05bdd54b5d65e9aa8737b34d490c0977655d1a76d1ac26bb4ab29e817fcdd

SHA512
3a48407ac44c1e6f422bb8a71d1683475c378385d66499abd9d6cca14c65c45da152fc2ad1c73060080b3ff4b725119cc27123c7d9dc75dcb9a19df5ff3b3f9e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d29973db8cc9986b245bce0a21d3fa5b

SHA1
591fb6a0f026503992e830a354f44b4a9692a401

SHA256
cd6ea3a57abbed894ce5e6ce51f0132238e09fb13a624d17898a9e92323fdf6c

SHA512
9e7a605768eefaf8e254c2b26bc985becec0888d5403203bc8ae39220ac684e22d2b217eea0e5ab7a2588b7bf0ec73e4381239cbec50522f0ae3cbcea97194d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
34ed5d4891d0a4c0ab9aec75b017e832

SHA1
b16556dc9c06451566e195f71e2dbb6a89c30cf6

SHA256
72786e012584b9e0c73663d15bdf414fc5f6569a7b5f6264d3a4a17171435e5a

SHA512
143f14042ad0c6463011baa32c35b0457968228ba40b8d64c982ae15dfc518eeb7ac83811c8ac6110fb316f2473f83bbfd8df49ebed8858d231064e3b6b5bb19

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
34ed5d4891d0a4c0ab9aec75b017e832

SHA1
b16556dc9c06451566e195f71e2dbb6a89c30cf6

SHA256
72786e012584b9e0c73663d15bdf414fc5f6569a7b5f6264d3a4a17171435e5a

SHA512
143f14042ad0c6463011baa32c35b0457968228ba40b8d64c982ae15dfc518eeb7ac83811c8ac6110fb316f2473f83bbfd8df49ebed8858d231064e3b6b5bb19

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
afa080fbffd896a8d525182fb3e14dc0

SHA1
27578ead5e3a9af6a31d486a07e87b2e5c48e6c3

SHA256
3a7987a29ad4c90f89f4f66f504a45e8d9ea726924ada2b435c7555cd3e63303

SHA512
7e49762989f92b6dd520591d714662988f4a4f96fd8a1f32d28c935eb02d9d58983a1c81b6425ff294e2f8d3fcee0111c4a1fe1f673cf8e9029d28f96e51ab31

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
91b9581371df080c47eedc2d0f6bece9

SHA1
5a2cd3827915edc36bd827d9595cfc0d90419cf8

SHA256
d85420fc4709014b6e12f6900005a6a7c6dd5a4abae269a992910fc6ec1cd8f5

SHA512
ecb120d0c0ce18f838c7bcf652001332ae78ed3dc7ac0aa08cc37a5418da4adf1db376465a0b821443761b15eb6e78ef4b044bf307f3802664db3e71bf1b6b41

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cb7a11adf8ddcac0f44ee5012fb10dd2

SHA1
37825010cd8ccac429934ad5bb8899141c4ed13c

SHA256
e2240fc17b9639bc3be8454a1b07e615372a5db71a6552a894ed2f5ba3c18830

SHA512
4bf81983dde81f65e0ed21e0b19960ed45a79b1a4a9eca29be35ea8cd27f36da164597239c6b2123a31459a3442b703a1d036eba08e2f6676a9dd603766f3e89

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cb7a11adf8ddcac0f44ee5012fb10dd2

SHA1
37825010cd8ccac429934ad5bb8899141c4ed13c

SHA256
e2240fc17b9639bc3be8454a1b07e615372a5db71a6552a894ed2f5ba3c18830

SHA512
4bf81983dde81f65e0ed21e0b19960ed45a79b1a4a9eca29be35ea8cd27f36da164597239c6b2123a31459a3442b703a1d036eba08e2f6676a9dd603766f3e89

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cb7a11adf8ddcac0f44ee5012fb10dd2

SHA1
37825010cd8ccac429934ad5bb8899141c4ed13c

SHA256
e2240fc17b9639bc3be8454a1b07e615372a5db71a6552a894ed2f5ba3c18830

SHA512
4bf81983dde81f65e0ed21e0b19960ed45a79b1a4a9eca29be35ea8cd27f36da164597239c6b2123a31459a3442b703a1d036eba08e2f6676a9dd603766f3e89

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
cb7a11adf8ddcac0f44ee5012fb10dd2

SHA1
37825010cd8ccac429934ad5bb8899141c4ed13c

SHA256
e2240fc17b9639bc3be8454a1b07e615372a5db71a6552a894ed2f5ba3c18830

SHA512
4bf81983dde81f65e0ed21e0b19960ed45a79b1a4a9eca29be35ea8cd27f36da164597239c6b2123a31459a3442b703a1d036eba08e2f6676a9dd603766f3e89

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b3681741bd671b5b9acde103844138d2

SHA1
0423353cec5acd55a2a738cfa94c1350a7781353

SHA256
286bad40ef5971dac8f3a3f84663fc41f80fee56e41b31b68f9680ad5b7356ef

SHA512
4e1e5f3f8f7c4783c20da4dbb15f42f95cd70baa035c6a4a7e0192261d90c4234744ac844a5ecabb5cc2cabf0c66279bd85a64b31211edad63940ad3d68830f0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b3681741bd671b5b9acde103844138d2

SHA1
0423353cec5acd55a2a738cfa94c1350a7781353

SHA256
286bad40ef5971dac8f3a3f84663fc41f80fee56e41b31b68f9680ad5b7356ef

SHA512
4e1e5f3f8f7c4783c20da4dbb15f42f95cd70baa035c6a4a7e0192261d90c4234744ac844a5ecabb5cc2cabf0c66279bd85a64b31211edad63940ad3d68830f0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
fcf64699ec54766ee7634d555152828d

SHA1
e1bdca73f2d4e56d92ba7aa8b671696c30dcf39b

SHA256
9227ac746ce4071709277c15997870f02382399ef8dc7efe4ecf7548fa8e7232

SHA512
f74e73b32371c231f50fb2ed403247647f26ef0baea60d4e2af134bb532a281ea7f5bc854ed5624d2f7ac2bc5c7476adb11d7c946f810809c33a25f5be38e2f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
523efc95e15db11852dcd6b6d55bd6d5

SHA1
ee788db8a664ff0436561e700acd7b9e16c99096

SHA256
cee92d318f978907925cd6504944440d2b70f8edba61ac05203d92648351a11c

SHA512
b8ec3fcc63a5726fb1347d20d3245078a81623817564e8ec6b5de8dbb438fee921098875dd9e2ff740717f966504d534087019e7aaa5ffb69e7bb9bdd383737c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
51599572789865822c9dedb37427cfcd

SHA1
2e15fc1f24eda0a4b0bb582039f73bc65b09d57f

SHA256
af108991e4b0a90c553911ef4a72c3281d4e8a71934f2b0bb97fa925cec7d68e

SHA512
a293edb0fd1093d66f1234242938e812334c903b0b2cf6d1ba93a335f7788690b2318747acb42c7d53ecf76d81d9a9033e575fab52486e67afce255cf79f8e32

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
16acea7710a5335df08a617c3aabd7b9

SHA1
d62736d334baea3bdd855305661e5ba25d343da9

SHA256
592a058d16120477497cf0105caacc6c4d951f9b368addfc7f0033f850e16b14

SHA512
30edb7de7262bae5fd57ec249454ff387114f5e036bb2a7d5eff726c99aac377c539c6e280d99f6c417985a388a6f1c3073612ac610cdc174047c97a7e2abb5f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
57d1be5339d6e8eb4796918b0eab2271

SHA1
08b8ae25ca3f0b627d505a4a78045734478779eb

SHA256
f99a371e5a2c02d34caaf3e576e19144195d1ffcbf2341ae6c73da7d0595cbae

SHA512
3106ad737dd928ff250d9d1aa82099f0efc23fe1c6353c9a8ae5b303f6d7887e5f397a538bab0da78f099b0a69bd5205114162c0d22991d4680aff957c625a3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
29f4f3c234be14b9747790d0136a01c5

SHA1
c03a246d5c2b8262bfbd542b4343b486a17c972a

SHA256
0e6c51d6ef532d0a4467b468f74171b0361520b8cb719940492a9483ca9c5b01

SHA512
4e271a0ac273c1af0d78d7146dd925c184dcf0b80fd0487b83a18eabaa8bb047f5ad021895bfa43ae7096e1f4d73a6b40f20ad112833dd61569d312d6edc7be7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d37f8e8704f6d1d1f5a5b4e60bc59e8e

SHA1
4441610026c31a242f95fcc38cff46f1d7ce802a

SHA256
32f1d140ee0b915cdc1d8491664c55df7ada0797b26f1b7f10de51bede8d6433

SHA512
cab38ac37fc34023c0c6fef044882c1981bf88b6aad4a36bd4b33cb641c9dfb2f9fca35b4067fe18eba1b023f7378b46159a86f0f2e984e4a399cb153869d9d1

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
b62ab2157606716f9e8ba76492af056a

SHA1
4b41b7e06a2b3f818a3880a356ea6c65c253e3c0

SHA256
1258415d4f61f9791f2e96b110010f2e878d01188652d6171aaefc48e0839bda

SHA512
a1010227d05771860a2d5a622a1a01fb5082d7ecb92fc46964bec9780293dc3d976e8b22b97264b756d0095a6e2d5f066c3a98f1aea5e9fed1039921cebfc421

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c8f899f9b91a18ee29d1342cb40e4290

SHA1
ebeaed37f5b90dfa07f80f0323f454955df9ae26

SHA256
3ae91bd7f1da6051c50410fc00ed111eb7ab3339ba20f54fa1d04f68e14a26d2

SHA512
7b317caa85e4dd78bbcf8f121b0b16b49d5c08f2ea98070937c4bd2724f690be16c83e4ac50bf3993f65faa43001dabc4f44e3476c459211af7efff79daaf550

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5d8ceacd7bffb1b2e670482d7184a322

SHA1
ad40b07881989f15adab69e8e4ee5e32458d7c20

SHA256
cc0794c28f06f5c9f800a0291b7bb2b5271c05b9547a0ac350947ca88a59d439

SHA512
ac3659a319c33bffe7b67b27edaa0169db5a7d3b1b36d733a1443583d47b7f246d8b59c4febf45bacc2ff47e2a71fcceee85ce12f4e0a6883a9a4f0f9cd62610

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4b4b775040d01faa1277d6f04d807e35

SHA1
136fa72fb1f9a994f8b2de63b6ad93f6acca2c0f

SHA256
7d09b63f60d17062c84168d2ffe484370bfeef85e63292500ece43831c445029

SHA512
f81d4fa1f954efa5a539a21cffec3ca721f16dbd50f88864c788f8d18f84760d1c1f428904e2ccbc0562996dd974bc5f9da14fe55362f98e44a4e17304b51a15

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
165930d806d0b58eae9aaeff90b7ff17

SHA1
9f30831ce9bce730a0036f5e83c246324c394deb

SHA256
45c74c7096bae040afe48c8706b7db7043d49e312df41c976f1543a836d492fd

SHA512
0b483b86814c1f77850ca12b439439f55862f2b9cb23c7106efa06970fabf8b1407ac8363da18ed60030692908025ddffcd3cb2ff19869d810b40cc877fb1293

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
9a7a58afc11eec88bdf2d06b60668bd2

SHA1
2cd2c64346ab858ac9a70f360e3548a614c03f09

SHA256
72f3302cba43c943ee4606b20dd94d1f14e624ad07cc4f34c7249610cf292a83

SHA512
003102160b60ecce1395175b3ab6fd7ce006faaa8847c1a73c05eef2458ed817f6ed01805282dc37faf57ddddd33df99a01b2073735f7628347cc6299130f975

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e9a8f9ea8edf1096760a51000b17f259

SHA1
9720413bdbd2e4efaa07ac454953b17a2363604a

SHA256
42f226540ff644b4f5dba14761f30863bd3871ccb8a14aac89dd23c2f29047e0

SHA512
be55683d6137e6a88e31515dfa6b2243d6d944b8f3dd034e7fd86658cfc69ecdd06a952aa4242472bf2ee003f33d862ad96aa982d43463c863b8d7526eefa43e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
307c70c2ae0066e944b17f4535c8fc89

SHA1
703459594cf181c5b7f8b1876e0e762e47cd4d88

SHA256
152dc3ff03a38802d4fd03076d7193a8124972ad7ef7b91be87c014f1c90bf45

SHA512
11f23295748e801ba2757dc4eba4d333883b368cf0499eb2416cf26754610d048c2aaa3a66164f747a2695fccdb1c2361bcbc7f1b997c3ffc614759d00501d32

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
333c00e8d7496bce393299b50b526748

SHA1
360a5ba249a1a8f3040babc5043f458c38e0884a

SHA256
c8a176e5b39903bae91fdd8d1673cfe22f45af22f45ef0fc40f2dfb28c39ed04

SHA512
d35469152d857356dd73de6792136b73012f1fd5ee9eff5a3af4d0dc1d4209605f417ec095136cf753013b1487ba08d5152b04b46c340807e8e479e2aff15d31

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
1eeee6ae2d622a7176c7cd4cf65bbae5

SHA1
4f825936e053a05fce4cfdc15095c2ce0defdb18

SHA256
6a2f12f3b241e972753538de5c1781494436f13419d87c583d1ac67c70c47b18

SHA512
b4c2ee4f96a0fa2aefb79d7864551ebc70469551a289b616fa358a0aaf21ca3fb132f595ff3c82f72987e0e18547f56ee23b834f2aee2046d3b351f717c67c97

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
4b4b775040d01faa1277d6f04d807e35

SHA1
136fa72fb1f9a994f8b2de63b6ad93f6acca2c0f

SHA256
7d09b63f60d17062c84168d2ffe484370bfeef85e63292500ece43831c445029

SHA512
f81d4fa1f954efa5a539a21cffec3ca721f16dbd50f88864c788f8d18f84760d1c1f428904e2ccbc0562996dd974bc5f9da14fe55362f98e44a4e17304b51a15

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a10096bc54ce7c39338a36abc6e38ff1

SHA1
8b268f9a41107bb968e9222ca2407eea23a8d672

SHA256
fcc05bdd54b5d65e9aa8737b34d490c0977655d1a76d1ac26bb4ab29e817fcdd

SHA512
3a48407ac44c1e6f422bb8a71d1683475c378385d66499abd9d6cca14c65c45da152fc2ad1c73060080b3ff4b725119cc27123c7d9dc75dcb9a19df5ff3b3f9e

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a10096bc54ce7c39338a36abc6e38ff1

SHA1
8b268f9a41107bb968e9222ca2407eea23a8d672

SHA256
fcc05bdd54b5d65e9aa8737b34d490c0977655d1a76d1ac26bb4ab29e817fcdd

SHA512
3a48407ac44c1e6f422bb8a71d1683475c378385d66499abd9d6cca14c65c45da152fc2ad1c73060080b3ff4b725119cc27123c7d9dc75dcb9a19df5ff3b3f9e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
34ed5d4891d0a4c0ab9aec75b017e832

SHA1
b16556dc9c06451566e195f71e2dbb6a89c30cf6

SHA256
72786e012584b9e0c73663d15bdf414fc5f6569a7b5f6264d3a4a17171435e5a

SHA512
143f14042ad0c6463011baa32c35b0457968228ba40b8d64c982ae15dfc518eeb7ac83811c8ac6110fb316f2473f83bbfd8df49ebed8858d231064e3b6b5bb19

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
91b9581371df080c47eedc2d0f6bece9

SHA1
5a2cd3827915edc36bd827d9595cfc0d90419cf8

SHA256
d85420fc4709014b6e12f6900005a6a7c6dd5a4abae269a992910fc6ec1cd8f5

SHA512
ecb120d0c0ce18f838c7bcf652001332ae78ed3dc7ac0aa08cc37a5418da4adf1db376465a0b821443761b15eb6e78ef4b044bf307f3802664db3e71bf1b6b41

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
16acea7710a5335df08a617c3aabd7b9

SHA1
d62736d334baea3bdd855305661e5ba25d343da9

SHA256
592a058d16120477497cf0105caacc6c4d951f9b368addfc7f0033f850e16b14

SHA512
30edb7de7262bae5fd57ec249454ff387114f5e036bb2a7d5eff726c99aac377c539c6e280d99f6c417985a388a6f1c3073612ac610cdc174047c97a7e2abb5f

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d37f8e8704f6d1d1f5a5b4e60bc59e8e

SHA1
4441610026c31a242f95fcc38cff46f1d7ce802a

SHA256
32f1d140ee0b915cdc1d8491664c55df7ada0797b26f1b7f10de51bede8d6433

SHA512
cab38ac37fc34023c0c6fef044882c1981bf88b6aad4a36bd4b33cb641c9dfb2f9fca35b4067fe18eba1b023f7378b46159a86f0f2e984e4a399cb153869d9d1

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
b62ab2157606716f9e8ba76492af056a

SHA1
4b41b7e06a2b3f818a3880a356ea6c65c253e3c0

SHA256
1258415d4f61f9791f2e96b110010f2e878d01188652d6171aaefc48e0839bda

SHA512
a1010227d05771860a2d5a622a1a01fb5082d7ecb92fc46964bec9780293dc3d976e8b22b97264b756d0095a6e2d5f066c3a98f1aea5e9fed1039921cebfc421

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c8f899f9b91a18ee29d1342cb40e4290

SHA1
ebeaed37f5b90dfa07f80f0323f454955df9ae26

SHA256
3ae91bd7f1da6051c50410fc00ed111eb7ab3339ba20f54fa1d04f68e14a26d2

SHA512
7b317caa85e4dd78bbcf8f121b0b16b49d5c08f2ea98070937c4bd2724f690be16c83e4ac50bf3993f65faa43001dabc4f44e3476c459211af7efff79daaf550

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5d8ceacd7bffb1b2e670482d7184a322

SHA1
ad40b07881989f15adab69e8e4ee5e32458d7c20

SHA256
cc0794c28f06f5c9f800a0291b7bb2b5271c05b9547a0ac350947ca88a59d439

SHA512
ac3659a319c33bffe7b67b27edaa0169db5a7d3b1b36d733a1443583d47b7f246d8b59c4febf45bacc2ff47e2a71fcceee85ce12f4e0a6883a9a4f0f9cd62610

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4b4b775040d01faa1277d6f04d807e35

SHA1
136fa72fb1f9a994f8b2de63b6ad93f6acca2c0f

SHA256
7d09b63f60d17062c84168d2ffe484370bfeef85e63292500ece43831c445029

SHA512
f81d4fa1f954efa5a539a21cffec3ca721f16dbd50f88864c788f8d18f84760d1c1f428904e2ccbc0562996dd974bc5f9da14fe55362f98e44a4e17304b51a15

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4b4b775040d01faa1277d6f04d807e35

SHA1
136fa72fb1f9a994f8b2de63b6ad93f6acca2c0f

SHA256
7d09b63f60d17062c84168d2ffe484370bfeef85e63292500ece43831c445029

SHA512
f81d4fa1f954efa5a539a21cffec3ca721f16dbd50f88864c788f8d18f84760d1c1f428904e2ccbc0562996dd974bc5f9da14fe55362f98e44a4e17304b51a15

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
165930d806d0b58eae9aaeff90b7ff17

SHA1
9f30831ce9bce730a0036f5e83c246324c394deb

SHA256
45c74c7096bae040afe48c8706b7db7043d49e312df41c976f1543a836d492fd

SHA512
0b483b86814c1f77850ca12b439439f55862f2b9cb23c7106efa06970fabf8b1407ac8363da18ed60030692908025ddffcd3cb2ff19869d810b40cc877fb1293

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
9a7a58afc11eec88bdf2d06b60668bd2

SHA1
2cd2c64346ab858ac9a70f360e3548a614c03f09

SHA256
72f3302cba43c943ee4606b20dd94d1f14e624ad07cc4f34c7249610cf292a83

SHA512
003102160b60ecce1395175b3ab6fd7ce006faaa8847c1a73c05eef2458ed817f6ed01805282dc37faf57ddddd33df99a01b2073735f7628347cc6299130f975

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e9a8f9ea8edf1096760a51000b17f259

SHA1
9720413bdbd2e4efaa07ac454953b17a2363604a

SHA256
42f226540ff644b4f5dba14761f30863bd3871ccb8a14aac89dd23c2f29047e0

SHA512
be55683d6137e6a88e31515dfa6b2243d6d944b8f3dd034e7fd86658cfc69ecdd06a952aa4242472bf2ee003f33d862ad96aa982d43463c863b8d7526eefa43e

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
307c70c2ae0066e944b17f4535c8fc89

SHA1
703459594cf181c5b7f8b1876e0e762e47cd4d88

SHA256
152dc3ff03a38802d4fd03076d7193a8124972ad7ef7b91be87c014f1c90bf45

SHA512
11f23295748e801ba2757dc4eba4d333883b368cf0499eb2416cf26754610d048c2aaa3a66164f747a2695fccdb1c2361bcbc7f1b997c3ffc614759d00501d32

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
333c00e8d7496bce393299b50b526748

SHA1
360a5ba249a1a8f3040babc5043f458c38e0884a

SHA256
c8a176e5b39903bae91fdd8d1673cfe22f45af22f45ef0fc40f2dfb28c39ed04

SHA512
d35469152d857356dd73de6792136b73012f1fd5ee9eff5a3af4d0dc1d4209605f417ec095136cf753013b1487ba08d5152b04b46c340807e8e479e2aff15d31

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
1eeee6ae2d622a7176c7cd4cf65bbae5

SHA1
4f825936e053a05fce4cfdc15095c2ce0defdb18

SHA256
6a2f12f3b241e972753538de5c1781494436f13419d87c583d1ac67c70c47b18

SHA512
b4c2ee4f96a0fa2aefb79d7864551ebc70469551a289b616fa358a0aaf21ca3fb132f595ff3c82f72987e0e18547f56ee23b834f2aee2046d3b351f717c67c97

Download Submit
memory/268-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-99-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-69-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/268-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-74-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/268-88-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/520-155-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/572-465-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/572-222-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/764-166-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/764-159-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/764-158-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/764-191-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/764-168-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/764-150-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/764-362-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/776-157-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/904-643-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/904-663-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/948-128-0x0000000000BA0000-0x0000000000C06000-memory.dmp

Filesize
408KB

Download
memory/948-123-0x0000000000BA0000-0x0000000000C06000-memory.dmp

Filesize
408KB

Download
memory/948-137-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/956-132-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1200-94-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1200-92-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1200-97-0x00000000047D0000-0x000000000488C000-memory.dmp

Filesize
752KB

Download
memory/1200-98-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/1200-96-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1200-90-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1200-91-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1236-82-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/1236-89-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1320-611-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1320-198-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1320-189-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1320-406-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1472-178-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1472-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1472-402-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1472-184-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1536-380-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1536-170-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1536-173-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1536-164-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1536-616-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1692-134-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1720-104-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1760-56-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1760-54-0x0000000000CE0000-0x0000000000E76000-memory.dmp

Filesize
1.6MB

Download
memory/1760-55-0x0000000005010000-0x0000000005050000-memory.dmp

Filesize
256KB

Download
memory/1760-59-0x0000000005D70000-0x0000000005EA8000-memory.dmp

Filesize
1.2MB

Download
memory/1760-58-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1760-60-0x000000000A4F0000-0x000000000A6A0000-memory.dmp

Filesize
1.7MB

Download
memory/1760-57-0x0000000005010000-0x0000000005050000-memory.dmp

Filesize
256KB

Download
memory/1808-366-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1968-223-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1968-408-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1968-594-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2012-238-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2012-249-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2016-306-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2016-404-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2016-195-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2104-382-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2152-262-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2248-264-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2248-267-0x0000000000510000-0x0000000000719000-memory.dmp

Filesize
2.0MB

Download
memory/2248-515-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2248-517-0x0000000000510000-0x0000000000719000-memory.dmp

Filesize
2.0MB

Download
memory/2360-287-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2404-290-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2404-553-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2520-292-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2556-294-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2556-593-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2652-309-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2652-610-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2748-326-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2748-644-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2852-329-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2852-645-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2860-603-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2860-555-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2940-346-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3028-364-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download