blustealer | bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-04-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpj_mcuumo.exe
Size

1.5MB
MD5

39810b7912907fc879004874df0e9e9e
SHA1

f2e51d5e9f644058a8ff4d64458e2914ddf2a364
SHA256

bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61
SHA512

abd49e8623428a399f665e2157522b6d285cb6c1f77c043eb22038df2ebbfbb21f3823c08dd781be5df043f1ab9b514990ab890bc80086cf33860aa6f4e75b5d
SSDEEP

24576:molqfbt8n/WmtqmZfq/ppZge1+qWMZukXfRtgyCrWw:sxgWm8m+Zj+qbZuq

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 47 IoCs

pid	Process
460	Process not Found
292	alg.exe
2044	aspnet_state.exe
608	mscorsvw.exe
636	mscorsvw.exe
1316	mscorsvw.exe
1572	mscorsvw.exe
1684	dllhost.exe
1320	ehRecvr.exe
1636	ehsched.exe
1596	elevation_service.exe
2020	IEEtwCollector.exe
1324	mscorsvw.exe
1508	mscorsvw.exe
428	GROOVE.EXE
1880	mscorsvw.exe
2212	maintenanceservice.exe
2320	msdtc.exe
2444	msiexec.exe
2472	mscorsvw.exe
2692	mscorsvw.exe
2772	OSE.EXE
2848	OSPPSVC.EXE
2928	perfhost.exe
2964	mscorsvw.exe
2980	locator.exe
2116	snmptrap.exe
2264	vds.exe
2412	vssvc.exe
2216	mscorsvw.exe
2176	mscorsvw.exe
2660	wbengine.exe
2948	WmiApSrv.exe
2744	mscorsvw.exe
608	mscorsvw.exe
2060	wmpnetwk.exe
2152	SearchIndexer.exe
1148	mscorsvw.exe
2920	mscorsvw.exe
1728	mscorsvw.exe
2896	mscorsvw.exe
2736	mscorsvw.exe
1252	mscorsvw.exe
2340	mscorsvw.exe
1492	mscorsvw.exe
2956	mscorsvw.exe
1428	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2444	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\msdtc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\968642126401d5da.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\vssvc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\alg.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\dllhost.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\msiexec.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\vds.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	tmpj_mcuumo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 268	1856	tmpj_mcuumo.exe	27
PID 268 set thread context of 936	268	tmpj_mcuumo.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DD62BD56-530A-4B64-8A6D-04FEE2038985}\chrome_installer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	tmpj_mcuumo.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	tmpj_mcuumo.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	tmpj_mcuumo.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{529E67C4-AB7E-48FD-9165-0D67753666C4}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	tmpj_mcuumo.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	tmpj_mcuumo.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	tmpj_mcuumo.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{529E67C4-AB7E-48FD-9165-0D67753666C4}.crmlog	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{CF47542D-9EFC-4163-980A-F56286316DB2}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1176	ehRec.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe
268	tmpj_mcuumo.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	268	tmpj_mcuumo.exe
Token: SeShutdownPrivilege	1316	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1316	mscorsvw.exe
Token: SeShutdownPrivilege	1316	mscorsvw.exe
Token: SeShutdownPrivilege	1316	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: 33	1592	EhTray.exe
Token: SeIncBasePriorityPrivilege	1592	EhTray.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeDebugPrivilege	1176	ehRec.exe
Token: 33	1592	EhTray.exe
Token: SeIncBasePriorityPrivilege	1592	EhTray.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeSecurityPrivilege	2444	msiexec.exe
Token: SeBackupPrivilege	2412	vssvc.exe
Token: SeRestorePrivilege	2412	vssvc.exe
Token: SeAuditPrivilege	2412	vssvc.exe
Token: SeBackupPrivilege	2660	wbengine.exe
Token: SeRestorePrivilege	2660	wbengine.exe
Token: SeSecurityPrivilege	2660	wbengine.exe
Token: SeManageVolumePrivilege	2152	SearchIndexer.exe
Token: 33	2152	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2152	SearchIndexer.exe
Token: 33	2060	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2060	wmpnetwk.exe
Token: SeDebugPrivilege	268	tmpj_mcuumo.exe
Token: SeDebugPrivilege	268	tmpj_mcuumo.exe
Token: SeDebugPrivilege	268	tmpj_mcuumo.exe
Token: SeDebugPrivilege	268	tmpj_mcuumo.exe
Token: SeDebugPrivilege	268	tmpj_mcuumo.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1592	EhTray.exe
1592	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1592	EhTray.exe
1592	EhTray.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
268	tmpj_mcuumo.exe
2120	SearchProtocolHost.exe
2120	SearchProtocolHost.exe
2120	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 1856 wrote to memory of 268	1856	tmpj_mcuumo.exe	27
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 268 wrote to memory of 936	268	tmpj_mcuumo.exe	31
PID 1316 wrote to memory of 1324	1316	mscorsvw.exe	42
PID 1316 wrote to memory of 1324	1316	mscorsvw.exe	42
PID 1316 wrote to memory of 1324	1316	mscorsvw.exe	42
PID 1316 wrote to memory of 1324	1316	mscorsvw.exe	42
PID 1316 wrote to memory of 1508	1316	mscorsvw.exe	43
PID 1316 wrote to memory of 1508	1316	mscorsvw.exe	43
PID 1316 wrote to memory of 1508	1316	mscorsvw.exe	43
PID 1316 wrote to memory of 1508	1316	mscorsvw.exe	43
PID 1316 wrote to memory of 1880	1316	mscorsvw.exe	45
PID 1316 wrote to memory of 1880	1316	mscorsvw.exe	45
PID 1316 wrote to memory of 1880	1316	mscorsvw.exe	45
PID 1316 wrote to memory of 1880	1316	mscorsvw.exe	45
PID 1316 wrote to memory of 2472	1316	mscorsvw.exe	49
PID 1316 wrote to memory of 2472	1316	mscorsvw.exe	49
PID 1316 wrote to memory of 2472	1316	mscorsvw.exe	49
PID 1316 wrote to memory of 2472	1316	mscorsvw.exe	49
PID 1316 wrote to memory of 2692	1316	mscorsvw.exe	50
PID 1316 wrote to memory of 2692	1316	mscorsvw.exe	50
PID 1316 wrote to memory of 2692	1316	mscorsvw.exe	50
PID 1316 wrote to memory of 2692	1316	mscorsvw.exe	50
PID 1316 wrote to memory of 2964	1316	mscorsvw.exe	54
PID 1316 wrote to memory of 2964	1316	mscorsvw.exe	54
PID 1316 wrote to memory of 2964	1316	mscorsvw.exe	54
PID 1316 wrote to memory of 2964	1316	mscorsvw.exe	54
PID 1316 wrote to memory of 2216	1316	mscorsvw.exe	59
PID 1316 wrote to memory of 2216	1316	mscorsvw.exe	59
PID 1316 wrote to memory of 2216	1316	mscorsvw.exe	59
PID 1316 wrote to memory of 2216	1316	mscorsvw.exe	59
PID 1316 wrote to memory of 2176	1316	mscorsvw.exe	60
PID 1316 wrote to memory of 2176	1316	mscorsvw.exe	60
PID 1316 wrote to memory of 2176	1316	mscorsvw.exe	60
PID 1316 wrote to memory of 2176	1316	mscorsvw.exe	60
PID 1316 wrote to memory of 2744	1316	mscorsvw.exe	63
PID 1316 wrote to memory of 2744	1316	mscorsvw.exe	63
PID 1316 wrote to memory of 2744	1316	mscorsvw.exe	63
PID 1316 wrote to memory of 2744	1316	mscorsvw.exe	63
PID 1316 wrote to memory of 608	1316	mscorsvw.exe	64
PID 1316 wrote to memory of 608	1316	mscorsvw.exe	64
PID 1316 wrote to memory of 608	1316	mscorsvw.exe	64
PID 1316 wrote to memory of 608	1316	mscorsvw.exe	64
PID 1316 wrote to memory of 1148	1316	mscorsvw.exe	67
PID 1316 wrote to memory of 1148	1316	mscorsvw.exe	67
PID 1316 wrote to memory of 1148	1316	mscorsvw.exe	67
PID 1316 wrote to memory of 1148	1316	mscorsvw.exe	67
PID 2152 wrote to memory of 2120	2152	SearchIndexer.exe	68
PID 2152 wrote to memory of 2120	2152	SearchIndexer.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:936

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:608

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e4 -NGENProcess 25c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 238 -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 250 -NGENProcess 1dc -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 268 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 1e4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 278 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 244 -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 250 -NGENProcess 244 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a4 -NGENProcess 244 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1684

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1320

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1592

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1914912747-3343861975-731272777-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1914912747-3343861975-731272777-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0cebe719a8f1f2e4ffa608c04ed1eba6

SHA1
b2e1327f5a4689a8abd769eb2f9c42715c776dee

SHA256
78d4a201ffd5c6665d392f682d3a6e9b15f238afe232e504cadf097e95ab6f62

SHA512
66482650e3ed59962f75b89aab8d6cc87b234f2cac53a04ae0c174a9ce683f2192c47291c59c24d010e3e839ba1573de3db0f068d04a88bd71459d4ed7f8dabc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
9f59635e25c1359c4ebd1a9107372075

SHA1
9c2327dab6e7c7e5f3dfa107dd2c74cb8e8a11f4

SHA256
50f86b4bf0808fc6749bde9c90dad72b0a43b3193a18a0c19e9431bc09afe696

SHA512
0351cfdd9bc12857c321df12f1942f02196847e151036cb8bda225ec5eede37cc7837a3fc040936664f5287ec60c31f876109ef34c0182c064f112f32ef69bbe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
96eb788f772c2fe8d9d89903306e76d8

SHA1
c22fb587e956f5c1ad0f519e86fd9092adff2670

SHA256
1435e20b77eaed34e78c7fefd7848bf22995fbf9ac2a1fdefba3756ee53fc004

SHA512
b8730e2b76e48c39aabe4e949a3ff369ee34024c2299a01cb383713f02deb6add8b7e635b4624ad5d0ca7d8b5ab4fa260a44264f2dd0590f73a0c9864736e88a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c2c66b3e998800063a599fcb3ae80375

SHA1
eff9134a91dbc8cb5ffb2b2a5c8aa5f4a9cb0666

SHA256
5a24a83fa63e5d1773e069dce5a545a4ec0b61ea74fdfe39fc3b45604caf0c8c

SHA512
655d8d9eeac1d07926466cfed475b4212d7d77888386dff545f1a1062fb5f21e8b9c2c5dd7c9716543fe594b3ac0fdb91e259e5814338721034b18bf24830dc8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
21c7c9ffe7f8f9ac117b48341f74d082

SHA1
f3f43644bc9403c912cd8d6d1e789768f63944ea

SHA256
f7008cfec485c16ba937bc95746916a2b7c915479d79aa139d9d118f6325a167

SHA512
727dae9c52c60c68928ec0be5afc64785474c020d825d295a10c6e2317ccb230abf3068d47fb753dd9fdbb7977b63badaad2e55c6fe738d5a658c348cf5b7c03

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3680222160b10534de56d030f855617d

SHA1
2d8bc7343a38016c2c33ad093efc7972837b0245

SHA256
3a0b31d78eb3944b66d2d9d5e94df49a7e5b3c8e80a6b2558cec58c7a45152ef

SHA512
187285c219a4a1bf48e1726f2886e04c467fd67b5f4c80f906c94f7bf86b39f3796822cf2c3f3b7a67e2f2c359907a734ec1d7807e14be1fa1d7c1659a3ffb9a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
88d038531a944ba056a7f1db658f3c3e

SHA1
914c033529873436d898c3279554ecd8da2a2330

SHA256
94becd64cb89ecb34b220d715a6328cbf1ff8ff48c9975bf58cc0bf57efe8af8

SHA512
a31dd73d6b60bf0c9586d8c0ff66ecb212bffdfe4f4b279a922fbb2f0c690a5622c29f959b5763315dfeebed8d5213c12fae9ecaa4a0b78dc61def27eb47d7c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05983cf83bb084cc43fee8fc060f05e8

SHA1
47ae6b0fa3066fb273a1533aec40de2d64a3b240

SHA256
8adc58508750ec0530475b5004a40e2984da57fb22cf26fb9e194808e500a14c

SHA512
26945844e3debc10b820847b54bdf89679e857c3f57b79a046e44d08d114e233550536d70aaa1e247654bbe91bd62c1a514e0a4028346fd2e09a98558b8a60d9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05983cf83bb084cc43fee8fc060f05e8

SHA1
47ae6b0fa3066fb273a1533aec40de2d64a3b240

SHA256
8adc58508750ec0530475b5004a40e2984da57fb22cf26fb9e194808e500a14c

SHA512
26945844e3debc10b820847b54bdf89679e857c3f57b79a046e44d08d114e233550536d70aaa1e247654bbe91bd62c1a514e0a4028346fd2e09a98558b8a60d9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4b924b30841a816769b64dc9a97bd139

SHA1
9233ebb1e798072ac065500b181f9056327e573b

SHA256
7164984acfdae4826e784c3493df5150e5c9a29fe13a999a8bd7c6758b313754

SHA512
dc8d99b1fcc1192d224f51f7fab83d0a2cee57fb92b854e6c2d152db4d1ad96cacd550bef7be764621dad4415bac58d3f1e9909d5c0d5b6ec38364e4ba59580e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
8a8ec87655a43f03b2a2c6e8eb8827fe

SHA1
82a314934595155fb01fd436769ebb162124e929

SHA256
1e1058e493a5dfc5922071ede4c11e749313c405e45b8fd31f184b72dd08785d

SHA512
546b0271616340db5a6c6ea75382ebe351ff7ca5b204d6a52c33417014a8c2ea8d5966c8bd98a16c3b878af1949fe0eb6bf13ed1ec5c52e2c0e852180813b2a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3d0b57c290dc6077984f32feff1ecca7

SHA1
a325baec363df59cf347d46da72dadb93f89d606

SHA256
b3f43d13d3402fcebd9ebaab1760fb3c80b5e9c469ada01f2d4f4b3baff9177a

SHA512
201e9b03048e0de0679d3df7e15a213787fefe97720055c83527798fd1f81f4ec0cdc4645abc07e67cd67a1169b2efc361ad16cfe941af1d388206813d88a67e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3d0b57c290dc6077984f32feff1ecca7

SHA1
a325baec363df59cf347d46da72dadb93f89d606

SHA256
b3f43d13d3402fcebd9ebaab1760fb3c80b5e9c469ada01f2d4f4b3baff9177a

SHA512
201e9b03048e0de0679d3df7e15a213787fefe97720055c83527798fd1f81f4ec0cdc4645abc07e67cd67a1169b2efc361ad16cfe941af1d388206813d88a67e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bcb30a46eb90656da49a61ae15280cdc

SHA1
81cbff8297af0e38b60e0d7d93dc7f3f725b376e

SHA256
6b27b8ba48bc2e7bbd3f349f6c98bfdf6bc4ce98555a28418fd44db362349e44

SHA512
28cf57f45234a75a5e95c7fe080f7fb27471a5b002cba4651d25c1c4894cb212aac65053cd0d59afa96e7126bb00651862f48301a2ab750ca791df2a057ccf9e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bcb30a46eb90656da49a61ae15280cdc

SHA1
81cbff8297af0e38b60e0d7d93dc7f3f725b376e

SHA256
6b27b8ba48bc2e7bbd3f349f6c98bfdf6bc4ce98555a28418fd44db362349e44

SHA512
28cf57f45234a75a5e95c7fe080f7fb27471a5b002cba4651d25c1c4894cb212aac65053cd0d59afa96e7126bb00651862f48301a2ab750ca791df2a057ccf9e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8eb9b44b2a340f18018ad16eefa60506

SHA1
5c92d543761af29fb4c200bea0a09f7efb260cf0

SHA256
08c0be74047f3a8e7bd5d43a872c915cfcf1b9292c64fe516662b822e3778790

SHA512
1173f23ab041f4ef4bb17d23d8ddb86418504b80474d12c0f064766c5655c886ffa9e956ee0522efcdf736dbd545257361ab97f7fda5d5c853296b3934938221

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
191d4cf70b498d3577d5a12c2256117b

SHA1
c4aeb4fb12cd072d0d4dbd29f30e7d8d22c35ffc

SHA256
9cba92bad0b9fa7b0676d824ed09349c13197533e9c8d604a524706115778e1e

SHA512
e3e7f869234621a57c96548387aadef8742bae45ed9242cab1bb83d294be67401869b95f16e27b4d242789181070373b8094ada97bc40855fdcec3a9dec9cf05

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b98b85d03193cf6708a00c88564da607

SHA1
6c6c3c54688a647e9294d2e962cac1d30b7dc4b6

SHA256
038c1f2ece5032e518f28d660ca9e940b070ee79c57f76734afaf34b39275802

SHA512
dfd336ba82c287613001e0a75fe008e37e0097d392a528d09d037430ba59ea120791dec603b42bb1bab8a14030f668de3e6128a3976509da315a6bd8ebe2d887

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2e3fca8f1d102543f129260b85e7b4a3

SHA1
2e956e6c75b9306029027bda272adf6b6240cf01

SHA256
046b89c0ca0daa09a186b7096a80f1b3532db6ae67b34a669a230b65cd48c3f9

SHA512
c2dcce4da8e0cbfda2a861c308beb93589837724ca55b73fd9b1300b1a212eb2b34826f14c4afd0a60501fb67c97a59847eb81da8f0f7e1870e517f63905815e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
bb454187ed7688c0c4fbb62862be329a

SHA1
bb835dbbb78820639f9ec6bdb17c561d68fa1060

SHA256
36cc299fdb8e95e6e6623800ecc0ac7fc38518d75761459dc61a54577fdb07a1

SHA512
e1613aca020d7f3bc3465b31a407278e596e1d54a0af24c90934fd6f5dad8f577ce07c40bb8216ec4295e08078198477cdbd98e7001dcae648e22b4ffef24c2a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
b4d9e729081211c20ac79d0cc0faf98e

SHA1
17c1d092ce8ea65d7e4494eb3779deb928fa3cde

SHA256
5da8b605f1af178e0091b4b43bebc82d4e7a792102a301f9132d49a140cd14a3

SHA512
b2b5b449ae7e51482244ae36289b6f5b3866569ad5578310bc3584fce11c94f94896e743778ec72c07c3811c2fdf45f685958de9e8bdf597a8d5a22adaaf0a03

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
45fc580469aab327d350fe57bbdc710b

SHA1
195016cf2f8dab6ece4f7256f85ab4da53c69a3b

SHA256
616f2c00a5db1d6734c35245aa80d778209e762a806186a4c2519f31a1922372

SHA512
74f866eb619e2a01b42f61dc0b0371e77a18d5752350e8bdd846e6ba2c554addbbf9e2f82847a54a8f8df0e19540fe84a46aeae2eeaa45c565a2b2c7a7468647

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
9754509a7fc20b782d85a1d12882aff7

SHA1
32aab93c3f8fcfd0571eee8650c1121dd2f8b758

SHA256
e61c067b7db2ef5a6e82c9c94375321f6ca1b7c98b64ebdbbcf05127c71d4275

SHA512
cd4f176f9dd2fdd729f779a5a05992f1a710bdce832f3c04a5c29526493b7e68e7b76c2a6411e6cd232e430f41c7551e2854a26c6a15943edf8ac4bf1746f76a

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
6cfd52013082ab4dc401fa7b5ef6d671

SHA1
c9a8380714c56d298669de4c0392dbc11c359292

SHA256
04bdadd56890b3d800a3d004dfa10be942c36d78fe8704193d447c6414ae8154

SHA512
789a939006ce4b65dba4446f7ede0c13570c3e88d28e2cbd78132f7ba5ad4bc75dfd78584dcae3ba52847739e76a72e9b0ce8f1075196a5758f76c4230ddcd97

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1aacbd8c45c80d29174e444f46a2a37f

SHA1
127ebe280bca27a6f6b2d2c7d61653ffba47a294

SHA256
10e086ee116f3a356c4155d9c4a75f390153be1b896a9021db11cddf26808697

SHA512
fca5aa84bcdc2ed0080aae790c6b3e1a3bd80dd32c7d2625a63fe1865c20824ca81fcc1f97374e17d077d935f6f091b0d13e1e95e52aaaefc5b092a64a4cc755

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4cf9a66cc5159eaa5626a58e5df5f943

SHA1
d3ea064ec0f183773604698e12bfb9de523f1436

SHA256
acdc0beaf42799465bd8827d4138a7a7e5bf6566488d65ef9311a5a4b07baedf

SHA512
753e2805f0c69e751809d66a4208858ea833004d723301075ca48ddc0d6d2a7f1bc09fc9a7945810fca62ae91413869f61cdd36e158ffc1cf001e6fc390805f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3d71c6f28b9cd801a2c0fa41e0a2346c

SHA1
b54c830e4756f1f077d9eae37947d3c12438d230

SHA256
c7f4a782caf3aabb1b8d01ae522fb93485de1b1bc905491fd96355d8caacc456

SHA512
c64e5d2197326c9aaed87145544f1d4ca8e9bb415406adfc6e4f3b2ae65dd1ac855a097ee16585293fd80aa2eae736cdf87871c3793c1bcfefeae7c64a82c434

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
cb380798cc24e4bdacc70a32777f2cd2

SHA1
aff0b0d8432705b4b717ca9fd584282adbba6b84

SHA256
0fb2827fe23b6214aa1d24b56cb4a602e481983f03903700acc889c86e57d13f

SHA512
57c3d3949af158781a438a9a02e5cd35aa43e7fdb0bc1e3321f0608e9e7a8af5c75ad53e9b7cf4e5cc05803aa6badc2e1550a2fa5eefb652fd8ee4e96f4661db

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
df5816b4042e289ee189f52f728d84de

SHA1
0e866d026137d71227fabcba188f907389249f05

SHA256
861f328972c55980c0741dbf655e44fb00571b8509a3eb84f2515879165e7ba3

SHA512
4bee9835a82b8d7ffcc64843738237b285bb61070f12596a0fe005eb4bb3d0669a7222a74fe7b4f32f5d59f3fa30ed97b95586c4ce97504ae2e5a64cd93cc823

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
23be0583050fda899621c3ed0d7eba39

SHA1
548852d0aa823b7c3838b9f0b3c42ad50ef9433e

SHA256
05ca6df809126cbf951680f54bb9c6eacf3126414ea1f6a898e7849d7317857c

SHA512
4fa0e5ebedfd21e1027fb3be94abc189dc12692b1ae9807fb3490b7b542168891e819bfefcfa3614be478a719315800a8aacccbe20c4e88549ce6576238cc06e

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1979cfe32c59cee01c101ad9f5ee3809

SHA1
408dd4813541d6c46255df8e5b456a39f32ff4ac

SHA256
9edccb1ea5e1bcb769f2be153175b0a07ac5b1ae6fa878bebafd7081091bffe7

SHA512
70eb1a6cbee01d0da30af94c1c7e040798b6ba05136fbcac7b97d1e63ccc710681bcb1c0a05186c6f15e0f7147e392aa879906512892b62d4ab750b5af485f73

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
9145989cf7118de728e9f50fbb64ee39

SHA1
ccb542944e92a4b92ded96eb576ae72c49f71445

SHA256
a44aaa14df32e9e20b0f18906293e4286938f2ecdfca84c1801eab0bedc67b5c

SHA512
dc457803164c80686fb4f28147d332f5aee97db1b30b50d4e59fd54f9cad9dc32755e995248ff5e900fee197d1af0494193add59614c542a88640097070a79a3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
4cf9a66cc5159eaa5626a58e5df5f943

SHA1
d3ea064ec0f183773604698e12bfb9de523f1436

SHA256
acdc0beaf42799465bd8827d4138a7a7e5bf6566488d65ef9311a5a4b07baedf

SHA512
753e2805f0c69e751809d66a4208858ea833004d723301075ca48ddc0d6d2a7f1bc09fc9a7945810fca62ae91413869f61cdd36e158ffc1cf001e6fc390805f7

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3680222160b10534de56d030f855617d

SHA1
2d8bc7343a38016c2c33ad093efc7972837b0245

SHA256
3a0b31d78eb3944b66d2d9d5e94df49a7e5b3c8e80a6b2558cec58c7a45152ef

SHA512
187285c219a4a1bf48e1726f2886e04c467fd67b5f4c80f906c94f7bf86b39f3796822cf2c3f3b7a67e2f2c359907a734ec1d7807e14be1fa1d7c1659a3ffb9a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3680222160b10534de56d030f855617d

SHA1
2d8bc7343a38016c2c33ad093efc7972837b0245

SHA256
3a0b31d78eb3944b66d2d9d5e94df49a7e5b3c8e80a6b2558cec58c7a45152ef

SHA512
187285c219a4a1bf48e1726f2886e04c467fd67b5f4c80f906c94f7bf86b39f3796822cf2c3f3b7a67e2f2c359907a734ec1d7807e14be1fa1d7c1659a3ffb9a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05983cf83bb084cc43fee8fc060f05e8

SHA1
47ae6b0fa3066fb273a1533aec40de2d64a3b240

SHA256
8adc58508750ec0530475b5004a40e2984da57fb22cf26fb9e194808e500a14c

SHA512
26945844e3debc10b820847b54bdf89679e857c3f57b79a046e44d08d114e233550536d70aaa1e247654bbe91bd62c1a514e0a4028346fd2e09a98558b8a60d9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
8a8ec87655a43f03b2a2c6e8eb8827fe

SHA1
82a314934595155fb01fd436769ebb162124e929

SHA256
1e1058e493a5dfc5922071ede4c11e749313c405e45b8fd31f184b72dd08785d

SHA512
546b0271616340db5a6c6ea75382ebe351ff7ca5b204d6a52c33417014a8c2ea8d5966c8bd98a16c3b878af1949fe0eb6bf13ed1ec5c52e2c0e852180813b2a6

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2e3fca8f1d102543f129260b85e7b4a3

SHA1
2e956e6c75b9306029027bda272adf6b6240cf01

SHA256
046b89c0ca0daa09a186b7096a80f1b3532db6ae67b34a669a230b65cd48c3f9

SHA512
c2dcce4da8e0cbfda2a861c308beb93589837724ca55b73fd9b1300b1a212eb2b34826f14c4afd0a60501fb67c97a59847eb81da8f0f7e1870e517f63905815e

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
45fc580469aab327d350fe57bbdc710b

SHA1
195016cf2f8dab6ece4f7256f85ab4da53c69a3b

SHA256
616f2c00a5db1d6734c35245aa80d778209e762a806186a4c2519f31a1922372

SHA512
74f866eb619e2a01b42f61dc0b0371e77a18d5752350e8bdd846e6ba2c554addbbf9e2f82847a54a8f8df0e19540fe84a46aeae2eeaa45c565a2b2c7a7468647

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
9754509a7fc20b782d85a1d12882aff7

SHA1
32aab93c3f8fcfd0571eee8650c1121dd2f8b758

SHA256
e61c067b7db2ef5a6e82c9c94375321f6ca1b7c98b64ebdbbcf05127c71d4275

SHA512
cd4f176f9dd2fdd729f779a5a05992f1a710bdce832f3c04a5c29526493b7e68e7b76c2a6411e6cd232e430f41c7551e2854a26c6a15943edf8ac4bf1746f76a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
6cfd52013082ab4dc401fa7b5ef6d671

SHA1
c9a8380714c56d298669de4c0392dbc11c359292

SHA256
04bdadd56890b3d800a3d004dfa10be942c36d78fe8704193d447c6414ae8154

SHA512
789a939006ce4b65dba4446f7ede0c13570c3e88d28e2cbd78132f7ba5ad4bc75dfd78584dcae3ba52847739e76a72e9b0ce8f1075196a5758f76c4230ddcd97

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1aacbd8c45c80d29174e444f46a2a37f

SHA1
127ebe280bca27a6f6b2d2c7d61653ffba47a294

SHA256
10e086ee116f3a356c4155d9c4a75f390153be1b896a9021db11cddf26808697

SHA512
fca5aa84bcdc2ed0080aae790c6b3e1a3bd80dd32c7d2625a63fe1865c20824ca81fcc1f97374e17d077d935f6f091b0d13e1e95e52aaaefc5b092a64a4cc755

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4cf9a66cc5159eaa5626a58e5df5f943

SHA1
d3ea064ec0f183773604698e12bfb9de523f1436

SHA256
acdc0beaf42799465bd8827d4138a7a7e5bf6566488d65ef9311a5a4b07baedf

SHA512
753e2805f0c69e751809d66a4208858ea833004d723301075ca48ddc0d6d2a7f1bc09fc9a7945810fca62ae91413869f61cdd36e158ffc1cf001e6fc390805f7

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
4cf9a66cc5159eaa5626a58e5df5f943

SHA1
d3ea064ec0f183773604698e12bfb9de523f1436

SHA256
acdc0beaf42799465bd8827d4138a7a7e5bf6566488d65ef9311a5a4b07baedf

SHA512
753e2805f0c69e751809d66a4208858ea833004d723301075ca48ddc0d6d2a7f1bc09fc9a7945810fca62ae91413869f61cdd36e158ffc1cf001e6fc390805f7

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3d71c6f28b9cd801a2c0fa41e0a2346c

SHA1
b54c830e4756f1f077d9eae37947d3c12438d230

SHA256
c7f4a782caf3aabb1b8d01ae522fb93485de1b1bc905491fd96355d8caacc456

SHA512
c64e5d2197326c9aaed87145544f1d4ca8e9bb415406adfc6e4f3b2ae65dd1ac855a097ee16585293fd80aa2eae736cdf87871c3793c1bcfefeae7c64a82c434

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
cb380798cc24e4bdacc70a32777f2cd2

SHA1
aff0b0d8432705b4b717ca9fd584282adbba6b84

SHA256
0fb2827fe23b6214aa1d24b56cb4a602e481983f03903700acc889c86e57d13f

SHA512
57c3d3949af158781a438a9a02e5cd35aa43e7fdb0bc1e3321f0608e9e7a8af5c75ad53e9b7cf4e5cc05803aa6badc2e1550a2fa5eefb652fd8ee4e96f4661db

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
df5816b4042e289ee189f52f728d84de

SHA1
0e866d026137d71227fabcba188f907389249f05

SHA256
861f328972c55980c0741dbf655e44fb00571b8509a3eb84f2515879165e7ba3

SHA512
4bee9835a82b8d7ffcc64843738237b285bb61070f12596a0fe005eb4bb3d0669a7222a74fe7b4f32f5d59f3fa30ed97b95586c4ce97504ae2e5a64cd93cc823

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
23be0583050fda899621c3ed0d7eba39

SHA1
548852d0aa823b7c3838b9f0b3c42ad50ef9433e

SHA256
05ca6df809126cbf951680f54bb9c6eacf3126414ea1f6a898e7849d7317857c

SHA512
4fa0e5ebedfd21e1027fb3be94abc189dc12692b1ae9807fb3490b7b542168891e819bfefcfa3614be478a719315800a8aacccbe20c4e88549ce6576238cc06e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1979cfe32c59cee01c101ad9f5ee3809

SHA1
408dd4813541d6c46255df8e5b456a39f32ff4ac

SHA256
9edccb1ea5e1bcb769f2be153175b0a07ac5b1ae6fa878bebafd7081091bffe7

SHA512
70eb1a6cbee01d0da30af94c1c7e040798b6ba05136fbcac7b97d1e63ccc710681bcb1c0a05186c6f15e0f7147e392aa879906512892b62d4ab750b5af485f73

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
9145989cf7118de728e9f50fbb64ee39

SHA1
ccb542944e92a4b92ded96eb576ae72c49f71445

SHA256
a44aaa14df32e9e20b0f18906293e4286938f2ecdfca84c1801eab0bedc67b5c

SHA512
dc457803164c80686fb4f28147d332f5aee97db1b30b50d4e59fd54f9cad9dc32755e995248ff5e900fee197d1af0494193add59614c542a88640097070a79a3

Download Submit
memory/268-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-78-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-74-0x00000000001B0000-0x0000000000216000-memory.dmp

Filesize
408KB

Download
memory/268-69-0x00000000001B0000-0x0000000000216000-memory.dmp

Filesize
408KB

Download
memory/268-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-351-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/268-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/292-83-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/292-89-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/292-96-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/428-243-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/608-116-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/608-484-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/636-115-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/936-118-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/936-144-0x0000000000980000-0x0000000000A3C000-memory.dmp

Filesize
752KB

Download
memory/936-129-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/936-124-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/936-117-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/936-119-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1176-273-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1176-355-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1176-209-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1316-125-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1316-122-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1316-438-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1316-131-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1320-203-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1320-150-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1320-168-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1320-156-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1320-483-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1320-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1320-170-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1324-223-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1324-211-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1508-240-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1572-161-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1596-180-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1596-186-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1596-630-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1596-207-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1636-172-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1636-162-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1636-173-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1636-512-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1684-163-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1856-58-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/1856-59-0x0000000005E10000-0x0000000005F48000-memory.dmp

Filesize
1.2MB

Download
memory/1856-60-0x0000000007F30000-0x00000000080E0000-memory.dmp

Filesize
1.7MB

Download
memory/1856-57-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1856-56-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1856-55-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1856-54-0x0000000001360000-0x00000000014DC000-memory.dmp

Filesize
1.5MB

Download
memory/1880-303-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1880-244-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2020-191-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2020-210-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2020-632-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2044-398-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2044-97-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2060-488-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2116-407-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2152-515-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2176-446-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2176-462-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2212-272-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2212-257-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2216-440-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2216-413-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2264-402-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2320-274-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2412-410-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2444-318-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2444-320-0x0000000000570000-0x0000000000779000-memory.dmp

Filesize
2.0MB

Download
memory/2472-313-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2660-448-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2692-378-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2692-316-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2744-487-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2772-319-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2848-354-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2928-357-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2948-482-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2964-415-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2964-358-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2980-365-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download