blustealer | bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.5MB
MD5

39810b7912907fc879004874df0e9e9e
SHA1

f2e51d5e9f644058a8ff4d64458e2914ddf2a364
SHA256

bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61
SHA512

abd49e8623428a399f665e2157522b6d285cb6c1f77c043eb22038df2ebbfbb21f3823c08dd781be5df043f1ab9b514990ab890bc80086cf33860aa6f4e75b5d
SSDEEP

24576:molqfbt8n/WmtqmZfq/ppZge1+qWMZukXfRtgyCrWw:sxgWm8m+Zj+qbZuq

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
464	Process not Found
1640	alg.exe
932	aspnet_state.exe
588	mscorsvw.exe
1052	mscorsvw.exe
1592	mscorsvw.exe
1476	mscorsvw.exe
1948	dllhost.exe
1644	ehRecvr.exe
1724	ehsched.exe
1052	elevation_service.exe
1280	mscorsvw.exe
1596	IEEtwCollector.exe
1356	mscorsvw.exe
2072	mscorsvw.exe
2180	GROOVE.EXE
2244	mscorsvw.exe
2360	mscorsvw.exe
2396	maintenanceservice.exe
2560	msdtc.exe
2688	msiexec.exe
2832	OSE.EXE
2876	OSPPSVC.EXE
3000	perfhost.exe
3032	locator.exe
2084	mscorsvw.exe
2112	snmptrap.exe
936	vds.exe
2316	vssvc.exe
2664	wbengine.exe
2072	WmiApSrv.exe
2720	mscorsvw.exe
3040	mscorsvw.exe
2204	mscorsvw.exe
2476	mscorsvw.exe
2508	mscorsvw.exe
2700	mscorsvw.exe
2300	mscorsvw.exe
872	mscorsvw.exe
2904	mscorsvw.exe
2532	mscorsvw.exe
2396	mscorsvw.exe
2800	mscorsvw.exe
2928	mscorsvw.exe
2992	mscorsvw.exe
2140	mscorsvw.exe
2460	mscorsvw.exe
2432	mscorsvw.exe
2360	mscorsvw.exe
1232	mscorsvw.exe
2872	wmpnetwk.exe
2104	SearchIndexer.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2688	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4bca0a12decfa14c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 648	2040	Quote 1345 rev.3.exe	29
PID 648 set thread context of 556	648	Quote 1345 rev.3.exe	32

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Quote 1345 rev.3.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{772B97C6-1A9E-4F8E-BA7C-57C0EA520338}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{772B97C6-1A9E-4F8E-BA7C-57C0EA520338}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{2177A833-9597-40FE-ACD8-DD0420188C62}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{2177A833-9597-40FE-ACD8-DD0420188C62}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	Quote 1345 rev.3.exe
1300	ehRec.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	Quote 1345 rev.3.exe
Token: SeTakeOwnershipPrivilege	648	Quote 1345 rev.3.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: 33	452	EhTray.exe
Token: SeIncBasePriorityPrivilege	452	EhTray.exe
Token: SeDebugPrivilege	1300	ehRec.exe
Token: SeRestorePrivilege	2688	msiexec.exe
Token: SeTakeOwnershipPrivilege	2688	msiexec.exe
Token: SeSecurityPrivilege	2688	msiexec.exe
Token: 33	452	EhTray.exe
Token: SeIncBasePriorityPrivilege	452	EhTray.exe
Token: SeBackupPrivilege	2316	vssvc.exe
Token: SeRestorePrivilege	2316	vssvc.exe
Token: SeAuditPrivilege	2316	vssvc.exe
Token: SeBackupPrivilege	2664	wbengine.exe
Token: SeRestorePrivilege	2664	wbengine.exe
Token: SeSecurityPrivilege	2664	wbengine.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: 33	2872	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2872	wmpnetwk.exe
Token: SeManageVolumePrivilege	2104	SearchIndexer.exe
Token: 33	2104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2104	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
452	EhTray.exe
452	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
452	EhTray.exe
452	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
648	Quote 1345 rev.3.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 532	2040	Quote 1345 rev.3.exe	28
PID 2040 wrote to memory of 532	2040	Quote 1345 rev.3.exe	28
PID 2040 wrote to memory of 532	2040	Quote 1345 rev.3.exe	28
PID 2040 wrote to memory of 532	2040	Quote 1345 rev.3.exe	28
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 2040 wrote to memory of 648	2040	Quote 1345 rev.3.exe	29
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 648 wrote to memory of 556	648	Quote 1345 rev.3.exe	32
PID 1592 wrote to memory of 1280	1592	mscorsvw.exe	42
PID 1592 wrote to memory of 1280	1592	mscorsvw.exe	42
PID 1592 wrote to memory of 1280	1592	mscorsvw.exe	42
PID 1592 wrote to memory of 1280	1592	mscorsvw.exe	42
PID 1592 wrote to memory of 1356	1592	mscorsvw.exe	45
PID 1592 wrote to memory of 1356	1592	mscorsvw.exe	45
PID 1592 wrote to memory of 1356	1592	mscorsvw.exe	45
PID 1592 wrote to memory of 1356	1592	mscorsvw.exe	45
PID 1592 wrote to memory of 2072	1592	mscorsvw.exe	46
PID 1592 wrote to memory of 2072	1592	mscorsvw.exe	46
PID 1592 wrote to memory of 2072	1592	mscorsvw.exe	46
PID 1592 wrote to memory of 2072	1592	mscorsvw.exe	46
PID 1592 wrote to memory of 2244	1592	mscorsvw.exe	48
PID 1592 wrote to memory of 2244	1592	mscorsvw.exe	48
PID 1592 wrote to memory of 2244	1592	mscorsvw.exe	48
PID 1592 wrote to memory of 2244	1592	mscorsvw.exe	48
PID 1592 wrote to memory of 2360	1592	mscorsvw.exe	49
PID 1592 wrote to memory of 2360	1592	mscorsvw.exe	49
PID 1592 wrote to memory of 2360	1592	mscorsvw.exe	49
PID 1592 wrote to memory of 2360	1592	mscorsvw.exe	49
PID 1592 wrote to memory of 2084	1592	mscorsvw.exe	57
PID 1592 wrote to memory of 2084	1592	mscorsvw.exe	57
PID 1592 wrote to memory of 2084	1592	mscorsvw.exe	57
PID 1592 wrote to memory of 2084	1592	mscorsvw.exe	57
PID 1592 wrote to memory of 2720	1592	mscorsvw.exe	63
PID 1592 wrote to memory of 2720	1592	mscorsvw.exe	63
PID 1592 wrote to memory of 2720	1592	mscorsvw.exe	63
PID 1592 wrote to memory of 2720	1592	mscorsvw.exe	63
PID 1592 wrote to memory of 3040	1592	mscorsvw.exe	64
PID 1592 wrote to memory of 3040	1592	mscorsvw.exe	64
PID 1592 wrote to memory of 3040	1592	mscorsvw.exe	64
PID 1592 wrote to memory of 3040	1592	mscorsvw.exe	64
PID 1592 wrote to memory of 2204	1592	mscorsvw.exe	65
PID 1592 wrote to memory of 2204	1592	mscorsvw.exe	65
PID 1592 wrote to memory of 2204	1592	mscorsvw.exe	65
PID 1592 wrote to memory of 2204	1592	mscorsvw.exe	65
PID 1592 wrote to memory of 2476	1592	mscorsvw.exe	66
PID 1592 wrote to memory of 2476	1592	mscorsvw.exe	66
PID 1592 wrote to memory of 2476	1592	mscorsvw.exe	66
PID 1592 wrote to memory of 2476	1592	mscorsvw.exe	66
PID 1592 wrote to memory of 2508	1592	mscorsvw.exe	67
PID 1592 wrote to memory of 2508	1592	mscorsvw.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  PID:532
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:588

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 238 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 1d4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1ec -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 270 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 250 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 248 -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 248 -NGENProcess 1d0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d0 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 268 -NGENProcess 270 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 1d0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 29c -NGENProcess 1d0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 1d0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1232

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1644

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1596

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2832

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2876

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b087ae5df884b666699dca0afacf3c42

SHA1
9594f28d8d81bb076989190cf5555d7736173189

SHA256
939e614fd1ab2d09d7c25955d13445c46d52b23628b9f76aece44b8e4752b845

SHA512
7b55a7dde55f14d5b3453afe5bc7e8ac6db4287ebfc843232d2c9c0a1180483c0e85beeed9f24fd08cde450e45aacc2a83bf47268a72a2f2d5b3f82136f3e48c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e753cc2e2abf715aa07aed695ff8b228

SHA1
a962a396fe8861305324d7a534cac96784046525

SHA256
daf5b47ea823c6d9d020755e3bc1698c5c244b8f741ea98b78b5af251f6ba964

SHA512
bfcefc8bcb1182dd73ee1f7b78e575fd10385b2f20da5163343aee58ff774b696879ee64532207e72bd58dd9567354cd65423a1ed185d0bdf4a0a4f4bd852ad5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bf537afcb4f62e58dc5d836183ee99ce

SHA1
6b1eec835a6165cc2484c0c45a6563e46bbdd69f

SHA256
e40ab8fbd2cd870a33c87e154475bf7f280af8f26f4da9afc21a4bb3f187ea14

SHA512
161a275f0047910ce5844e64676c75ea79f5b920faea8f49322ab24c7db2770b50772c1b9b237d6ce227a87df9e0fc78b4ff5490d127fc2c0369276fb39d0470

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
4a480bf74dd857a9f08b42f707aace63

SHA1
9f6b5dccd4061025ee48e2c84e0aff5b70f48c06

SHA256
82fb53d432aa4e55915016de1090a32a1ecae47422dbd7caa808495794d37389

SHA512
61ee2b016868026513adfcdf7d399fd2362b228f581b2b401d2f9b3544115fbd62bab725d792a85c733a173b31a12733b2e96301901048cea390c8b157d65d11

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4f446b11a9f0113e674d3525818f7614

SHA1
3dc4748f56c12e653ee9b8ca173231384cf9fdf8

SHA256
974c1717a8b839817d97c63932edfcffb8386ea1eab91d6039584b5ad0e02ec4

SHA512
db084f43122b09a9926c459df9c2b43e093d09293b7583614be14db170048c867b59af81f4e7626b4f2ccd71dfb31a213822b98d9e668eee6665d3cf61f7e03f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
792bf5e4495768050cf6641d1ea3a532

SHA1
657035c2926f9ab02ae82a83b98520aab0fba0e2

SHA256
9013663d7bbd6f87507ecc2e010781c92efc951bc9601d21b257d69acfda3fa4

SHA512
5d0a5d04392eaaa68d8e1a31913e6b8fe9ef9e467acfd99e43f6d5ff80d7ac8371a6664ea3cc3ab5e9149dbad60494df80410697c1055e50d81335dc5a9f7095

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
792bf5e4495768050cf6641d1ea3a532

SHA1
657035c2926f9ab02ae82a83b98520aab0fba0e2

SHA256
9013663d7bbd6f87507ecc2e010781c92efc951bc9601d21b257d69acfda3fa4

SHA512
5d0a5d04392eaaa68d8e1a31913e6b8fe9ef9e467acfd99e43f6d5ff80d7ac8371a6664ea3cc3ab5e9149dbad60494df80410697c1055e50d81335dc5a9f7095

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
cc1f1e7c401b4dd7f51e2f78580d9cf2

SHA1
3e466575631c84c305f1afbf099c96176e41c74d

SHA256
fe641c1c39b335fd871a1bdc64e3065d4b47e2ee671fc828dd546b723716f06b

SHA512
eb304d030b1c57d6795d76ecded59c223517a055add7d34fad8f33eb6772a4208ff8cf9d97b12497040a679b1692207790e0a6a2ee06efe55e3087352da65480

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
5a0da41c78c1a1d8e18a8d515b19616b

SHA1
ff18f804d645ec72658bc600895347696f4b18cf

SHA256
2ee46accd920a73f7ae8c5980c60ff04254846182c88abf4bb7cc2de1fe124e7

SHA512
44c1bf49156528e6889850920bcf902755fde506ef93c6f829a538d5a75d1658dfa6997a73b7b05267fccd8d9f5015f7bdc77f135ebaf8a4322c36d4602c1c76

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9689219c6eebc358879aa2207913677f

SHA1
bfbde8a28083009539f10a7d0279bb7de20d53d7

SHA256
7cd27c931a3673160c4cd81a367141054aabb2a3142a7568ddac98c5466530f4

SHA512
c27f4cd05038b584a70be7d2beca0e5316e6aa2612eb8f018dceda870b45b74adaf7f74815ab457a1255680fd3c85856bc0fdd0970b4a8212368c453cbaaad46

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9689219c6eebc358879aa2207913677f

SHA1
bfbde8a28083009539f10a7d0279bb7de20d53d7

SHA256
7cd27c931a3673160c4cd81a367141054aabb2a3142a7568ddac98c5466530f4

SHA512
c27f4cd05038b584a70be7d2beca0e5316e6aa2612eb8f018dceda870b45b74adaf7f74815ab457a1255680fd3c85856bc0fdd0970b4a8212368c453cbaaad46

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b6dfd63133ba3587925438b4375df3a7

SHA1
d04baf2192e363fb76923e0e3f9ea770523c9498

SHA256
66311bd0ce018e0c72c5212e8bb2c80e56299e0e99dd711d4dec83ee23d94bc5

SHA512
af8345e41a2be36ed79bae79612a95a160aee0df2bf440980a7a2e3addea9e3cd769a78ca066705f3999fc757f62e4ddf45584a6ae3bb73c1d38e34c8ef369da

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b6dfd63133ba3587925438b4375df3a7

SHA1
d04baf2192e363fb76923e0e3f9ea770523c9498

SHA256
66311bd0ce018e0c72c5212e8bb2c80e56299e0e99dd711d4dec83ee23d94bc5

SHA512
af8345e41a2be36ed79bae79612a95a160aee0df2bf440980a7a2e3addea9e3cd769a78ca066705f3999fc757f62e4ddf45584a6ae3bb73c1d38e34c8ef369da

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
61662c82a0714b41b401653f01cb634d

SHA1
1bd4f535e038c7b6b24074b35ceca3e1177a2f10

SHA256
f80b5d15f2398dc90c637b0856b0558544c35fde8f83a056f9434f3099d2d5e3

SHA512
1b0e3c62838f8219b048b1d68ae6a9d62397ba2794091fbb1d787624cfe8b2814f72b509c0647716a9813705423cc9fe9ed6f44ef1a55097208d8f5fcdefa039

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14abc3b92a6d47af546fe5ba9a36f1d0

SHA1
6b9e312677b794332a0bee844553e98003f8f85a

SHA256
7808dafeb1134bb90a1f9c52d2dbbb0794fe49e856d1a492d21dcc186371cbed

SHA512
073c6963463940a7b73aa7b32d5f5056dd71070e57fc980faf89e1043725408eda01e97c14d71cd76b9af841f5dfc044c32ca0840d0fba866cd8a67a9ff80d3c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
23dcde48b0483e2ca6dcddae6548984d

SHA1
e97cdb657cf2c2bca6ec9736b7a5950e22f824a5

SHA256
3f7f9c5d4bf1e388063e25203d86d3b067405890bda74802ba436b2e240fbf23

SHA512
f543ce0f2a6cf084f555222bea9dfd44724280fc0908f47201a728780784394c38337769b982b43b38e10b92614021157e6f91cc2a0c139329a3f050cd5ce4c5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d77f791c1c737bcc7e2ba54970ba0636

SHA1
870c411e6f8c064148b2211178d27a3b8d90f681

SHA256
64c15743d3957a7ce6f4e40621e8b0bdea0ea581d7646115c64b82d1a3748614

SHA512
2c33fa33ef025a4830f59ee5ab1551ae915d26936653b98f9b82a9a57f3d5ba014b96062ea5b7c407cd0d22171062559ec93a624fa4854fae5ef458134fd9a17

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
473ace802f62141a2e0abcfdadf9a316

SHA1
6c1e8c80383fedfdf982fdeb556c8cb0cfac41d0

SHA256
3bfa36765e05b8ba1680b5547cad3e387465bed2a8374c0991f3972d04691a6c

SHA512
3c93050c3ff11e27cfd74b2846a6c803ea1079e1c1c554f79540d924b0033b296e14a1e962d42defdedc5cc5813f1971eecd1ac9a745c1403d8cbb0b942cf6e9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e17aae590555fc7d802a7b8b47c0994b

SHA1
6146fc3001361149225467edc6aeca028d508fb1

SHA256
24af1a66a9913d7af11f54b09e252b49d27da01cc2b6e52ef6cb7c845eda1305

SHA512
006e4d035e4134deb3b2918c342c9ac5c015e53421288e509ecbfe25916e9176cc2da7f67f177c7acaef1e0472bea7e2a2566ac1a7de017b5783beb966b05a6c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
8db8a3ec7fe4d5c85be718242cf232da

SHA1
6e19a63c881d185a1fb8c576ddbc683229d3bbab

SHA256
5375c1464e3d54b36ae283c71be50ed2cd231fa03559d0abdcc179d51573ac3d

SHA512
ccb8cfc8f0819c7ad4ab0c36326552bd2107aee0393f3d89e844f291c0e0d98def4bd00de120a69def833091fbb7ee84343638d9a7af5b40f63e740cdefe6498

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
8b19cfd9ccd56260623e4be3c74e2681

SHA1
7888e01382fc0b7bfa0c6804f77d1e4f3e13bfb3

SHA256
e86ffd0e03768060152bf591a3307741d75a4dedf8f048ab8dc4fca7cae3852b

SHA512
3031d9cb02b180dd07e92c346a0be70fa3200ef3c477200580fba850fc5ae7ea8e33791c5722dc76676f54ebf6aab85fda694a707966f636c6d466e2d410f6c0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3a8ae241da122fe897b876ce717e42b7

SHA1
4501e21d1e75138800ce3e5699092fa4b8171cf8

SHA256
4e452a8d728b60f24c09c7e1aee1bae873aaea630fadef8d5cb42347262c2081

SHA512
25df63469b0ec3c73d5d7950eb42a73ae8fd410c42d6363aaa15e970cc6e24e1e29eefd481aa9b010defa839865911c54eee82412fe9694724f897b2dc248d7f

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c636bd48228f5c390e513806ca41c55e

SHA1
d5ac07ca75326e7c9c6df50f1f5f5f81ebbb4060

SHA256
07854364e4c0926b79e4f95ee8006b56326adeb2ae5fabebef94601eb2f83e77

SHA512
4ef405269d4c6b1fdcc5f072c4ba70d9049daac6e00e2d548b291f644d8fa16098249cceac856867ff0ad4fdc39d1f18b61b4d99c13d7113677707c3e2a88125

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d3a26335467d47e8022f692dbbc8032b

SHA1
ba33f102c32a3f1b056281ec02e55dc3d2696442

SHA256
95f45c2d9bf45b483db53421d14691de0acc066af618df016744ca6ef785dc86

SHA512
b8b461e84e59bcbbee751844c2ff9711a328c871895236c05d684370bdaaf9f5ac275ff41c5b9ec44c59b708c90ae80243e0c99694031c1d0d6bc66bda83cd31

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
c1cdfa190fd637d7c3898e02d2b5a38c

SHA1
1bf937491d7a9edb6e5f569e480e06e0e8c062aa

SHA256
3c359205e9b65446c32371d8179af9504bdbb24d06d161a50978fad2585f0d96

SHA512
30d0d73a05867a1dc8912bb7516da93688fbfa5bfe51acf8c39d651f9b91018f670516503798c18719870b2dcda246aefdf6412d23a316cb9e8e766955cf5783

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
fd9062ee92c085e1acabb336aa96059c

SHA1
6731cb26cb8eaf228fe5156d053f418e83b58a47

SHA256
a977c282600baaac90b6d0edad65c7639b9a0ba2f89e751ed02fd23e857b34af

SHA512
af9c3d2f655b6822ec627691ffaea2ae146965ad53633873c6d66d0493056fb58ef703d9fe8e424aae22e029ae319d4f0d30e340640969374eea01e728c31010

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
30b3c41c8a31a9358be01586866b36be

SHA1
c311622830d6cccac7ee99fb9634bba1b9a6f04b

SHA256
bab43aef7fb3baf90b4c4fb27a976b70fede102a37217286535b8140098fcc77

SHA512
96c3d347e93d45ec4f8a67b0c0697e699147ad3154f22a48e7f7af6306a3ab5170ab000e8b0828d38e6827b1f872b43bf26625e0a1d12d52c533c06bd508be65

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6d5cfc2632c12820415044978879a3c6

SHA1
1f011fb7f683d9d2c39b43ae022b9bbc8ca620ff

SHA256
9b7d1ab14652903a2da82ed3789b5b22b44e59b0bd1fd83cb4df79137ef518da

SHA512
254df88f68d7c9f7be0c45876262a1817c5b42093bedb08603406c9133bbf0e3049840501b98e0255b3844c4c96732b47b7e62a6eb39fd472960b035143dfd17

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
873d7a3f91df2722553422e86c4affc5

SHA1
bf9ee694dd4a9d2896eb66daa4ad5f7cdcb7a211

SHA256
cbc274a570d74d20a221b756a011f9348c01f90c40e83696323c01dda4cc6fbb

SHA512
2dd14e368bbf17b1274baeae27bec3207b6a4620675a94047d7389211cae512eb8a7a6b9f6a20fc60ccc94cfa4a0d4a5dadfa4c62190f4b88fb1192dcc59021d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
c636bd48228f5c390e513806ca41c55e

SHA1
d5ac07ca75326e7c9c6df50f1f5f5f81ebbb4060

SHA256
07854364e4c0926b79e4f95ee8006b56326adeb2ae5fabebef94601eb2f83e77

SHA512
4ef405269d4c6b1fdcc5f072c4ba70d9049daac6e00e2d548b291f644d8fa16098249cceac856867ff0ad4fdc39d1f18b61b4d99c13d7113677707c3e2a88125

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
792bf5e4495768050cf6641d1ea3a532

SHA1
657035c2926f9ab02ae82a83b98520aab0fba0e2

SHA256
9013663d7bbd6f87507ecc2e010781c92efc951bc9601d21b257d69acfda3fa4

SHA512
5d0a5d04392eaaa68d8e1a31913e6b8fe9ef9e467acfd99e43f6d5ff80d7ac8371a6664ea3cc3ab5e9149dbad60494df80410697c1055e50d81335dc5a9f7095

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
5a0da41c78c1a1d8e18a8d515b19616b

SHA1
ff18f804d645ec72658bc600895347696f4b18cf

SHA256
2ee46accd920a73f7ae8c5980c60ff04254846182c88abf4bb7cc2de1fe124e7

SHA512
44c1bf49156528e6889850920bcf902755fde506ef93c6f829a538d5a75d1658dfa6997a73b7b05267fccd8d9f5015f7bdc77f135ebaf8a4322c36d4602c1c76

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d77f791c1c737bcc7e2ba54970ba0636

SHA1
870c411e6f8c064148b2211178d27a3b8d90f681

SHA256
64c15743d3957a7ce6f4e40621e8b0bdea0ea581d7646115c64b82d1a3748614

SHA512
2c33fa33ef025a4830f59ee5ab1551ae915d26936653b98f9b82a9a57f3d5ba014b96062ea5b7c407cd0d22171062559ec93a624fa4854fae5ef458134fd9a17

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e17aae590555fc7d802a7b8b47c0994b

SHA1
6146fc3001361149225467edc6aeca028d508fb1

SHA256
24af1a66a9913d7af11f54b09e252b49d27da01cc2b6e52ef6cb7c845eda1305

SHA512
006e4d035e4134deb3b2918c342c9ac5c015e53421288e509ecbfe25916e9176cc2da7f67f177c7acaef1e0472bea7e2a2566ac1a7de017b5783beb966b05a6c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
8db8a3ec7fe4d5c85be718242cf232da

SHA1
6e19a63c881d185a1fb8c576ddbc683229d3bbab

SHA256
5375c1464e3d54b36ae283c71be50ed2cd231fa03559d0abdcc179d51573ac3d

SHA512
ccb8cfc8f0819c7ad4ab0c36326552bd2107aee0393f3d89e844f291c0e0d98def4bd00de120a69def833091fbb7ee84343638d9a7af5b40f63e740cdefe6498

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
8b19cfd9ccd56260623e4be3c74e2681

SHA1
7888e01382fc0b7bfa0c6804f77d1e4f3e13bfb3

SHA256
e86ffd0e03768060152bf591a3307741d75a4dedf8f048ab8dc4fca7cae3852b

SHA512
3031d9cb02b180dd07e92c346a0be70fa3200ef3c477200580fba850fc5ae7ea8e33791c5722dc76676f54ebf6aab85fda694a707966f636c6d466e2d410f6c0

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3a8ae241da122fe897b876ce717e42b7

SHA1
4501e21d1e75138800ce3e5699092fa4b8171cf8

SHA256
4e452a8d728b60f24c09c7e1aee1bae873aaea630fadef8d5cb42347262c2081

SHA512
25df63469b0ec3c73d5d7950eb42a73ae8fd410c42d6363aaa15e970cc6e24e1e29eefd481aa9b010defa839865911c54eee82412fe9694724f897b2dc248d7f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c636bd48228f5c390e513806ca41c55e

SHA1
d5ac07ca75326e7c9c6df50f1f5f5f81ebbb4060

SHA256
07854364e4c0926b79e4f95ee8006b56326adeb2ae5fabebef94601eb2f83e77

SHA512
4ef405269d4c6b1fdcc5f072c4ba70d9049daac6e00e2d548b291f644d8fa16098249cceac856867ff0ad4fdc39d1f18b61b4d99c13d7113677707c3e2a88125

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c636bd48228f5c390e513806ca41c55e

SHA1
d5ac07ca75326e7c9c6df50f1f5f5f81ebbb4060

SHA256
07854364e4c0926b79e4f95ee8006b56326adeb2ae5fabebef94601eb2f83e77

SHA512
4ef405269d4c6b1fdcc5f072c4ba70d9049daac6e00e2d548b291f644d8fa16098249cceac856867ff0ad4fdc39d1f18b61b4d99c13d7113677707c3e2a88125

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d3a26335467d47e8022f692dbbc8032b

SHA1
ba33f102c32a3f1b056281ec02e55dc3d2696442

SHA256
95f45c2d9bf45b483db53421d14691de0acc066af618df016744ca6ef785dc86

SHA512
b8b461e84e59bcbbee751844c2ff9711a328c871895236c05d684370bdaaf9f5ac275ff41c5b9ec44c59b708c90ae80243e0c99694031c1d0d6bc66bda83cd31

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
c1cdfa190fd637d7c3898e02d2b5a38c

SHA1
1bf937491d7a9edb6e5f569e480e06e0e8c062aa

SHA256
3c359205e9b65446c32371d8179af9504bdbb24d06d161a50978fad2585f0d96

SHA512
30d0d73a05867a1dc8912bb7516da93688fbfa5bfe51acf8c39d651f9b91018f670516503798c18719870b2dcda246aefdf6412d23a316cb9e8e766955cf5783

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
fd9062ee92c085e1acabb336aa96059c

SHA1
6731cb26cb8eaf228fe5156d053f418e83b58a47

SHA256
a977c282600baaac90b6d0edad65c7639b9a0ba2f89e751ed02fd23e857b34af

SHA512
af9c3d2f655b6822ec627691ffaea2ae146965ad53633873c6d66d0493056fb58ef703d9fe8e424aae22e029ae319d4f0d30e340640969374eea01e728c31010

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
30b3c41c8a31a9358be01586866b36be

SHA1
c311622830d6cccac7ee99fb9634bba1b9a6f04b

SHA256
bab43aef7fb3baf90b4c4fb27a976b70fede102a37217286535b8140098fcc77

SHA512
96c3d347e93d45ec4f8a67b0c0697e699147ad3154f22a48e7f7af6306a3ab5170ab000e8b0828d38e6827b1f872b43bf26625e0a1d12d52c533c06bd508be65

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6d5cfc2632c12820415044978879a3c6

SHA1
1f011fb7f683d9d2c39b43ae022b9bbc8ca620ff

SHA256
9b7d1ab14652903a2da82ed3789b5b22b44e59b0bd1fd83cb4df79137ef518da

SHA512
254df88f68d7c9f7be0c45876262a1817c5b42093bedb08603406c9133bbf0e3049840501b98e0255b3844c4c96732b47b7e62a6eb39fd472960b035143dfd17

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
873d7a3f91df2722553422e86c4affc5

SHA1
bf9ee694dd4a9d2896eb66daa4ad5f7cdcb7a211

SHA256
cbc274a570d74d20a221b756a011f9348c01f90c40e83696323c01dda4cc6fbb

SHA512
2dd14e368bbf17b1274baeae27bec3207b6a4620675a94047d7389211cae512eb8a7a6b9f6a20fc60ccc94cfa4a0d4a5dadfa4c62190f4b88fb1192dcc59021d

Download Submit
memory/556-99-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/556-98-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/556-101-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/556-103-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/556-104-0x0000000000900000-0x00000000009BC000-memory.dmp

Filesize
752KB

Download
memory/556-97-0x00000000001D0000-0x0000000000236000-memory.dmp

Filesize
408KB

Download
memory/588-116-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/648-94-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-69-0x00000000000F0000-0x0000000000156000-memory.dmp

Filesize
408KB

Download
memory/648-74-0x00000000000F0000-0x0000000000156000-memory.dmp

Filesize
408KB

Download
memory/648-258-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/648-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/648-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/932-96-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/932-262-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/936-395-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1052-199-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1052-418-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1052-181-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1052-139-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1052-115-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1280-221-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1280-184-0x0000000000730000-0x0000000000796000-memory.dmp

Filesize
408KB

Download
memory/1280-200-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1300-424-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1300-453-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1300-335-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1300-233-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/1356-236-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1476-147-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1592-123-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1592-128-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1592-150-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1596-232-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1640-95-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1640-82-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1640-88-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1644-198-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1644-153-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1644-159-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1644-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1644-287-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1644-165-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1644-169-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1724-176-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1724-168-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1724-289-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1948-146-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1948-283-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2040-54-0x0000000001210000-0x000000000138C000-memory.dmp

Filesize
1.5MB

Download
memory/2040-55-0x00000000011A0000-0x00000000011E0000-memory.dmp

Filesize
256KB

Download
memory/2040-59-0x0000000005D20000-0x0000000005E58000-memory.dmp

Filesize
1.2MB

Download
memory/2040-58-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2040-57-0x00000000011A0000-0x00000000011E0000-memory.dmp

Filesize
256KB

Download
memory/2040-60-0x0000000007E60000-0x0000000008010000-memory.dmp

Filesize
1.7MB

Download
memory/2040-56-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2072-420-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2072-225-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2072-255-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2084-431-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2112-393-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2180-276-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2180-457-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2204-473-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2244-280-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2316-389-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2360-385-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2360-281-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2396-282-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2396-301-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2476-474-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2476-485-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2508-496-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2560-291-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2664-422-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2688-330-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2688-331-0x00000000005C0000-0x00000000007C9000-memory.dmp

Filesize
2.0MB

Download
memory/2720-449-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2720-426-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2832-333-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2876-334-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3000-354-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/3032-355-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/3040-459-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download