blustealer | ef241b30e7e55b276b860ee69841d5062ecbe09d9bb5c156c03e2029730730a9

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

2648da902ed9cd72e1b0a129eea583a0
SHA1

701abc6becba1051ddcbc5652ec78dda7944ca76
SHA256

ef241b30e7e55b276b860ee69841d5062ecbe09d9bb5c156c03e2029730730a9
SHA512

1bc3751bb2494eb6a15a1661a135fecd1d5cddd51f0f3b7250c115a28808b149fd70ae7182f1b62442ffd2ecf0acd8c65c2799265668f410106cfc19328f0fa6
SSDEEP

24576:yxgsRftD0C2nKGH0Djsf9nz4mloFQnpXUMPQDR6q79dA:yaSftDnGUDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
460	Process not Found
524	alg.exe
1700	aspnet_state.exe
788	mscorsvw.exe
1328	mscorsvw.exe
1680	mscorsvw.exe
1160	mscorsvw.exe
1248	dllhost.exe
1732	ehRecvr.exe
864	ehsched.exe
1196	elevation_service.exe
940	IEEtwCollector.exe
1664	GROOVE.EXE
912	mscorsvw.exe
2128	maintenanceservice.exe
2204	mscorsvw.exe
2252	msdtc.exe
2408	msiexec.exe
2512	mscorsvw.exe
2556	OSE.EXE
2660	OSPPSVC.EXE
2800	perfhost.exe
2828	locator.exe
2908	snmptrap.exe
3008	vds.exe
2124	vssvc.exe
2184	mscorsvw.exe
1536	mscorsvw.exe
2416	wbengine.exe
2704	WmiApSrv.exe
2092	wmpnetwk.exe
2864	SearchIndexer.exe
1688	mscorsvw.exe
2460	mscorsvw.exe
1508	mscorsvw.exe
1432	mscorsvw.exe
3028	mscorsvw.exe
2240	mscorsvw.exe
2440	mscorsvw.exe
2248	mscorsvw.exe
2144	mscorsvw.exe
1828	mscorsvw.exe
2792	mscorsvw.exe
2836	mscorsvw.exe
2112	mscorsvw.exe
2164	mscorsvw.exe
1068	mscorsvw.exe
2360	mscorsvw.exe
1728	mscorsvw.exe
1184	mscorsvw.exe
2196	mscorsvw.exe
2132	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2408	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
732	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3d4d6f8d7693df14.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\locator.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\vds.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\alg.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DAC84675-37FF-4FBE-B599-BD322F822B5F}\chrome_installer.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ABF43BA5-245D-4C9D-8E27-0E41B4AA15BD}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ABF43BA5-245D-4C9D-8E27-0E41B4AA15BD}.crmlog	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{243A3245-5F50-4F21-9DBC-0EAF16DE7C7A}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{243A3245-5F50-4F21-9DBC-0EAF16DE7C7A}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2012	ehRec.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	1680	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1680	mscorsvw.exe
Token: 33	788	EhTray.exe
Token: SeIncBasePriorityPrivilege	788	EhTray.exe
Token: SeDebugPrivilege	2012	ehRec.exe
Token: SeShutdownPrivilege	1680	mscorsvw.exe
Token: SeShutdownPrivilege	1680	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: 33	788	EhTray.exe
Token: SeIncBasePriorityPrivilege	788	EhTray.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe
Token: SeSecurityPrivilege	2408	msiexec.exe
Token: SeBackupPrivilege	2124	vssvc.exe
Token: SeRestorePrivilege	2124	vssvc.exe
Token: SeAuditPrivilege	2124	vssvc.exe
Token: SeBackupPrivilege	2416	wbengine.exe
Token: SeRestorePrivilege	2416	wbengine.exe
Token: SeSecurityPrivilege	2416	wbengine.exe
Token: 33	2092	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2092	wmpnetwk.exe
Token: SeDebugPrivilege	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	1680	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeDebugPrivilege	524	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
788	EhTray.exe
788	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
788	EhTray.exe
788	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1088 wrote to memory of 1440	1088	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	31
PID 1680 wrote to memory of 912	1680	mscorsvw.exe	43
PID 1680 wrote to memory of 912	1680	mscorsvw.exe	43
PID 1680 wrote to memory of 912	1680	mscorsvw.exe	43
PID 1680 wrote to memory of 912	1680	mscorsvw.exe	43
PID 1680 wrote to memory of 2204	1680	mscorsvw.exe	45
PID 1680 wrote to memory of 2204	1680	mscorsvw.exe	45
PID 1680 wrote to memory of 2204	1680	mscorsvw.exe	45
PID 1680 wrote to memory of 2204	1680	mscorsvw.exe	45
PID 1680 wrote to memory of 2512	1680	mscorsvw.exe	48
PID 1680 wrote to memory of 2512	1680	mscorsvw.exe	48
PID 1680 wrote to memory of 2512	1680	mscorsvw.exe	48
PID 1680 wrote to memory of 2512	1680	mscorsvw.exe	48
PID 1680 wrote to memory of 2184	1680	mscorsvw.exe	56
PID 1680 wrote to memory of 2184	1680	mscorsvw.exe	56
PID 1680 wrote to memory of 2184	1680	mscorsvw.exe	56
PID 1680 wrote to memory of 2184	1680	mscorsvw.exe	56
PID 1680 wrote to memory of 1536	1680	mscorsvw.exe	57
PID 1680 wrote to memory of 1536	1680	mscorsvw.exe	57
PID 1680 wrote to memory of 1536	1680	mscorsvw.exe	57
PID 1680 wrote to memory of 1536	1680	mscorsvw.exe	57
PID 1680 wrote to memory of 1688	1680	mscorsvw.exe	62
PID 1680 wrote to memory of 1688	1680	mscorsvw.exe	62
PID 1680 wrote to memory of 1688	1680	mscorsvw.exe	62
PID 1680 wrote to memory of 1688	1680	mscorsvw.exe	62
PID 1680 wrote to memory of 2460	1680	mscorsvw.exe	63
PID 1680 wrote to memory of 2460	1680	mscorsvw.exe	63
PID 1680 wrote to memory of 2460	1680	mscorsvw.exe	63
PID 1680 wrote to memory of 2460	1680	mscorsvw.exe	63
PID 1680 wrote to memory of 1508	1680	mscorsvw.exe	64
PID 1680 wrote to memory of 1508	1680	mscorsvw.exe	64
PID 1680 wrote to memory of 1508	1680	mscorsvw.exe	64
PID 1680 wrote to memory of 1508	1680	mscorsvw.exe	64
PID 1680 wrote to memory of 1432	1680	mscorsvw.exe	65
PID 1680 wrote to memory of 1432	1680	mscorsvw.exe	65
PID 1680 wrote to memory of 1432	1680	mscorsvw.exe	65
PID 1680 wrote to memory of 1432	1680	mscorsvw.exe	65
PID 1680 wrote to memory of 3028	1680	mscorsvw.exe	66
PID 1680 wrote to memory of 3028	1680	mscorsvw.exe	66
PID 1680 wrote to memory of 3028	1680	mscorsvw.exe	66
PID 1680 wrote to memory of 3028	1680	mscorsvw.exe	66
PID 1680 wrote to memory of 2240	1680	mscorsvw.exe	67
PID 1680 wrote to memory of 2240	1680	mscorsvw.exe	67
PID 1680 wrote to memory of 2240	1680	mscorsvw.exe	67
PID 1680 wrote to memory of 2240	1680	mscorsvw.exe	67
PID 1680 wrote to memory of 2440	1680	mscorsvw.exe	68
PID 1680 wrote to memory of 2440	1680	mscorsvw.exe	68
PID 1680 wrote to memory of 2440	1680	mscorsvw.exe	68
PID 1680 wrote to memory of 2440	1680	mscorsvw.exe	68
PID 1680 wrote to memory of 2248	1680	mscorsvw.exe	69
PID 1680 wrote to memory of 2248	1680	mscorsvw.exe	69
PID 1680 wrote to memory of 2248	1680	mscorsvw.exe	69
PID 1680 wrote to memory of 2248	1680	mscorsvw.exe	69
PID 1680 wrote to memory of 2144	1680	mscorsvw.exe	70
PID 1680 wrote to memory of 2144	1680	mscorsvw.exe	70
PID 1680 wrote to memory of 2144	1680	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2492-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2492-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:788

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e8 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 264 -NGENProcess 1f8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 1ac -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e0 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 278 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 248 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 1e0 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 288 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 1f8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 248 -NGENProcess 1f8 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 294 -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 25c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 260 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1f8 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 154 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 154 -NGENProcess 15c -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1248

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1732

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:940

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2128

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2556

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e347d13f2c0c2163561207289bf2c0c7

SHA1
10bc1c54def601665b8094d151aa43aad4260a50

SHA256
5a08fe51b5a362b0caff090a97c22645b0acb8b9884bac535b22075ea0a28555

SHA512
1fb394bfa5b5aa43e9fe1535198739ea684976d8f05bcc8a330f9c2ffde74c19e808df85ed417f5ef4c33cc975d961951ab742a25613ad457d79eb83b4d86029

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
62e59e88539dd6a1abd64004eb743c8e

SHA1
d692de6769835a3236eca22a6e94c5d9e15e8763

SHA256
2973141bc5a85c2bfb2a355544181f73480d58e1fdb97d087210887c700098fd

SHA512
96cc126eeed74c54c1bd2b4f6ab38d7e34f93e036711af51ded5bf1b1759db356d9b96aa4e02a02ce60e9996f0a1a638356f3c558adc665904b080d9d1dcf08f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
82ef859af7b153bfa6fce685e1a86418

SHA1
f3857294331a1cb1db9bfd9064a5f8ab56b116fd

SHA256
7caa3f55ad29e48082a86a2bc552401d8aa1d63ac19dcd5bf3ae4d925197b6db

SHA512
b6816460cb48e31f3265858639f967e1a4bff59ca429008a725ff7b720ad00897e7a2aa8bdf20049616d233f6f7364878acbd753d21a749636e817dd577767da

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d9655c324a37f0f7e4a1f9005d900559

SHA1
c18a69f6ee852b49ba64ea48a72934603409f7c6

SHA256
418c2d72b22ebeb6196bb189a12d42b8c36bf92ed7d12fc280d4eb1b2d856c55

SHA512
9aa4fae1af6d3ebb3ebf2177ed62681e468ea103311574c14f3d1e3f82c3c29f6c0f670df04d9426bfad75235b9839557413456141a30f067e8ef09a2f45e99f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d4fed718140ce2f7fc8169ae48c01e4e

SHA1
44b0fd767eeceab8bc08b88068528532fdaf3a86

SHA256
8d753765b6b03fce3e121e991b6248a34bc92ffcb8bab64862232cb46564660c

SHA512
4803891ccd78ea1f2617fb279a6ca5d079c932b7d4110accbe42b35e750ee0e17f87f2758efd1328465ba1d2c42f2fe8f159ddb220cff9667dd9e8c0c5ad08cd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5c8fa9ef4664ee4f1ffacbaeb471118c

SHA1
c72fc3b4a2d224af170dd97720e3b32921205e33

SHA256
88c5039875ed84f1c5b6388bc71bbeabfe145d0a8c351022ebe1f626e4ac7214

SHA512
6c61276857975d80f1dad0c7e0bd0168c161a8fe095c76f959ed7a8feaa1d8e8512464421a2dcb22b77db4c9e5bf8e0ccccdf34dbac0aada6a0bfef4fbc7a5de

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7f0e4014300695d2a15180ce06bc3fb1

SHA1
dd2db445aa013b4f8dc9b6192c8589852ad22639

SHA256
93ae652fb810cab71fc844b1ba0b53a688ce433f49a40e8c7dd3fbcf8a4e3e14

SHA512
35a0d002b1ce73ec630c242a4a2b0074b8bfe3cd5dd71b7121b568846f440234beecae26954fb4a37a33a9a125999cdb8044531d876777103df8d833fd520f60

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7f0e4014300695d2a15180ce06bc3fb1

SHA1
dd2db445aa013b4f8dc9b6192c8589852ad22639

SHA256
93ae652fb810cab71fc844b1ba0b53a688ce433f49a40e8c7dd3fbcf8a4e3e14

SHA512
35a0d002b1ce73ec630c242a4a2b0074b8bfe3cd5dd71b7121b568846f440234beecae26954fb4a37a33a9a125999cdb8044531d876777103df8d833fd520f60

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
0c19a71accdf24ba46c821992b9e9105

SHA1
51b68627ba4f1c4b40304bf23ab050e24ea4ad72

SHA256
35db02df5677920f611761c016932d2aec28f72a8c19a43a19af5b7a592de506

SHA512
7cb2d634fd88fcd92a8cb8c8beb611f868621471f410aa9c162ba158194d862a60fb51e6bcab1a75faa25ae76336003a6f417c0d47b9d9f1a60719aac7c6caac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e72bf688acf24b7a61d364a3a7cbd2a7

SHA1
7642390dabd2dd3365094661632bf69867c52c8e

SHA256
b77ed0ae755011db0d55dd38a21d796a3d036e45a05898ff1e2a9ba1e34d5f79

SHA512
a80276606d0071e5e92105c47db3eb413412ec3ca20c4979761b8aa8761aadd8823c99e4ee3a319205d0e0adc4110bdb6ccc5c27af3a2f5165062ebcc2b95d3d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
631cf1f5d679c5b273d0d0bfb421bd58

SHA1
d241feda4f2b9f90672b1787ec6292239acc7bd6

SHA256
3724f241da0000eae98602fdbaaf08877b3579a7b80e334394ac138c26f84615

SHA512
755e366bf07f395ce7e76f69a683a5d184c856a5db2a6d06a61fbb084d0bf76ad18f9b0adda7f7e870d7a74c85d21b4c33d8c3834e8911d309fb18e45c994333

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
631cf1f5d679c5b273d0d0bfb421bd58

SHA1
d241feda4f2b9f90672b1787ec6292239acc7bd6

SHA256
3724f241da0000eae98602fdbaaf08877b3579a7b80e334394ac138c26f84615

SHA512
755e366bf07f395ce7e76f69a683a5d184c856a5db2a6d06a61fbb084d0bf76ad18f9b0adda7f7e870d7a74c85d21b4c33d8c3834e8911d309fb18e45c994333

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05c328debdb7c238b3daa84e9f1d4e85

SHA1
1bb9f96721095ef22c3d0bef3a2a93d665692969

SHA256
05606365c065b0f539a446e0e0492dfa6777a16fcceae50a1f25b917eda5a733

SHA512
d576d8363a7fb236f9b8e7b1e9c6a575efc88d3202e0a7b52470140364ba0eb33d113249e1f10b514589e2e6b2151787ec7b4bf8b6068544539b8a12da309ee7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
05c328debdb7c238b3daa84e9f1d4e85

SHA1
1bb9f96721095ef22c3d0bef3a2a93d665692969

SHA256
05606365c065b0f539a446e0e0492dfa6777a16fcceae50a1f25b917eda5a733

SHA512
d576d8363a7fb236f9b8e7b1e9c6a575efc88d3202e0a7b52470140364ba0eb33d113249e1f10b514589e2e6b2151787ec7b4bf8b6068544539b8a12da309ee7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5dac04edf0b787d71875f7eb4b6614b4

SHA1
433bad1c5269e11c26122d3232c42ffa98ea24e0

SHA256
359604ed6282ae791d14de810058cb0483c45669d4490f149d32715a831c2615

SHA512
6c15d0d3aec96e4ce45bc94113e44f2fe3ac8755a979faf57dab313c58d5e983376055279ec72d4d0d3a78bc23deff303751149609f3774b21e9c6e3aa1c00ac

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
68fb0599c1f173f24a0f4f602057ac81

SHA1
cbc3560050772234cfb549fe21cbce1a3563cc4e

SHA256
3acddb895a7bed5af33a72e38095e2d1233d1525db12c1f435f354f092c29977

SHA512
191963cc4a18ed7bb3106476b1fc1836cdbb8d2342f72736e9418bcae5cbc228c795bd017c24efcaf5fae3210ed3d4fc731bac73bfa8fa3697b8697f55f08a91

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e22e6217f624accd9b82f38cb984c457

SHA1
246231a6be9bca47704a8a5b6d05743eae9f7180

SHA256
a666bffc0a40122093417327fe7ec27e3dbb0c6b3ddb80b966fa710b6d7c64d6

SHA512
5c2beb682c77be3f2ac48b83b49bd0614445d6381c92990af8fa9427a73f3e1b9b8f1108d7fe10c706b980fbb3f135ee1245e931df7395b620ec1d5a407293c1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a884a672e0c25b9706a2e960fe538b32

SHA1
b094e1e658562bf882c0c7e2fa5f3a3143e06611

SHA256
bbc17dd6d0b436b5cf8635ddde95688eed8eeb346eecbfe81bcce879da5aef8f

SHA512
b40157ee1c0e478646913033809cb0856d4cdfa93d0334024ecfa917238f113a5b185a5b1c98d06aa8e2d81b14d3be23cf3020370e88c5086fea30e8c20ce082

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
3dda240929a77d6bde1fbd27ab95287d

SHA1
619b6a3956c9ee2614b10a31b71fac6c200d5d5c

SHA256
24a67b9a21e319655d417fbefab59d7c1ad475806916e4388d01b9f5f442c328

SHA512
527c493277fcfda7898026265ec03b589e4d85b160b71fc27340246a993753a68e2e2829f5e7c56d249be78a3ae068150da87ea603333e01fda18a3709400193

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
73c663e86d3cc63749a096af1957dd5d

SHA1
3227590cb84c5a81d427dd08cb5b6731a65df5e3

SHA256
c3b046b529984c08921a8dacf2a5e93a6385f5b0dc32226713f2e94196e8959d

SHA512
ede4e862989f934d74f332d4d344a0a052c37bf8a139372974ae765c1d257cd9f861375bbc0498a2217d10b3183420549a21868cf1e47133fdf76ec2fd629961

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
66d85b19c777b6da1743f2a14ff8c78b

SHA1
8ce0d15bb1fd86d4835cd4e1b7dffe6697399044

SHA256
a422586d5adaaadb8acbb9eb4d441dd304538f15c11f169884fae83e69b748c5

SHA512
e8fb09a3cdf6fc701babb2d3258fe5dbc1ddc57493d12df272fd7a7f0baf28fbf9271ad61fa171afb85120b183a23dacad6b35526bf7a02f1fb348fd7d91e074

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
0226486f4eccc69d857a9b27f2546fce

SHA1
b310987edd1c6b51d8df09ddf4ab61a0265e7add

SHA256
f0fd5ac4a3eeaf74bfcdd29dc3321de49ae4ac2286f008318d9a738666d57324

SHA512
2d458ebdcaf9a539e0da60a49c1441aaadcb64b61efa0416ab74deccf77adb8194e4993d6ad582c0447136c47f4c80d38b1d71020efa3ee9f4bec2a45fea4178

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
fe28d822dcaef881de9be92320d3d356

SHA1
30b87d6b611a74280b59a8f10a5b0fc482320d94

SHA256
ccbc7318632fe6763ff8a0751858ad309eac918cf07fb235c85d70c86a5966b6

SHA512
fa9fd013d9c82b804ec03c7021404366e5eaf2c1bddc095edd014ca7d794ab44a41d4546aef27013f31392565f7dc2054608072b1eaec5e1b6fa5e552f23cc64

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
94066eb54b297d75a2697ef31f78d137

SHA1
3e4a177ace460e18d620c784a17ab1268af33ee8

SHA256
e66f78249d9d42b8e59aa653c9440f6620d7658dbba4ec9491b9324867be4fba

SHA512
69e34e80f3694f932a292446e59d41a507676f069986dab2f9adaf0d05123d0a2932d9fab45bee3dfcedd72d3df7ff39ec333ac4a383acb8733ad38a7f4fc4ac

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c3d13dafd5f3564303344164e209b216

SHA1
301f79ad8683d0b2b31cc94b7a4dd4f0f6439855

SHA256
70dea84792b76db8459c7be54006eb167e858ac18dd535ed1f99123bbaf55361

SHA512
cb321c74ffe213819b1b2b2e0a009adb2c8ed20e61f2e6904c59196af30f675493cf7b51ded018497f16f74588fea652c77865f313cb9799527c026f8f1ee6ba

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fc78e65e425f45a754395684a9d64eb7

SHA1
bdb939059d05aeef5aadfad0e84d950d13bb9ce8

SHA256
7c068256c91f9c7be78f53d53fdec3775dff21c248bbc2c9a060b266166c11c6

SHA512
8a3aea0c5d3dd87818fb4405555b4c8c20e02f82e2e64d7a9197e5ced84cecc685be108cd27f5cf237cb74900f933d6d312b2315d43d892d02b6808bbce1de8e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
74fe0bd07d7d3300ba5813ada020342f

SHA1
9a1f52e7d3f2efe505edf2e68387b478f2b28199

SHA256
a019c6721f84f54a851f708db4f4ed4f97e9032a995e9f1e3c7ec34aca0d2c63

SHA512
d9c0eb127b202f75554416154b5d9f4dd5070076d95f4afeaba600a4b9d19f2b0604b456f4227f67913717b9903501613f18ccc59d131839bd2a06f31ea1d2aa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8c0361f61f04352c48ade8d9a8639cdf

SHA1
9e275babdb6eb59e75d997d3e9cf2428a845ef5d

SHA256
dcb26afa8b53413d944fe7a5010d56258ee8e9ad10ef7e0c25de835138ad783f

SHA512
f6c3490c8f2ea077cd561c80f00ad2fdb60a1bb0257a1e7ad63a9959a425ec90ea4fec3903dd2472de099ef94c5e5739f42951916bc9bca3624a0d5f53c6c181

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
420ef50ec441fe3269c0d841c398e8e5

SHA1
5a50310b4b27d72afc2bfdabc954780fb0fb6377

SHA256
e45958905bb3df9a3180a826447a22161bb118a806602761490a4eb146413500

SHA512
abf12e33da03fa0f3ac0e0d314dbeeb318c4c82e4fd240dd3efe1f59602de6139755782b5caabb1c7de0062a6e4d41fc18d3aa0039e4ec574a4fe4ee78f20c48

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e21bd3d1238fe3c5c0cc1176f8fb8ec0

SHA1
3e776db09410eff9fd9d65ca9d4c5b3c9dc1cb1a

SHA256
d95dc634b68c9ba7f6ee4ec6ac56fd48f11d67f804947c4350f0cb62575ce46c

SHA512
538e49e7d7e701a0ad3d60f20da0f6446bbb217af42fabfe689463e81c6224cf09be9932212ef2b44c44d022fa15d5c44747c3c0e6e2fdd7820bcfaa79aa5d0b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
ea368de5b6f0eafaa95185e92c277389

SHA1
8733f7e8eb5cc4ebf323a96e949b9d8f11fa3254

SHA256
80b634526d8da89298158d5629038edd1bc82dc4ee043352902791559787b72e

SHA512
9c591f95260946e6d7802c7a71285df53ac8b8b9ea5c84bc585645884a2e16aed84b0dfcea756e1ef8c06c249ffdc4e40e43a234a2f59b0899498b7816415c43

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
c3d13dafd5f3564303344164e209b216

SHA1
301f79ad8683d0b2b31cc94b7a4dd4f0f6439855

SHA256
70dea84792b76db8459c7be54006eb167e858ac18dd535ed1f99123bbaf55361

SHA512
cb321c74ffe213819b1b2b2e0a009adb2c8ed20e61f2e6904c59196af30f675493cf7b51ded018497f16f74588fea652c77865f313cb9799527c026f8f1ee6ba

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5c8fa9ef4664ee4f1ffacbaeb471118c

SHA1
c72fc3b4a2d224af170dd97720e3b32921205e33

SHA256
88c5039875ed84f1c5b6388bc71bbeabfe145d0a8c351022ebe1f626e4ac7214

SHA512
6c61276857975d80f1dad0c7e0bd0168c161a8fe095c76f959ed7a8feaa1d8e8512464421a2dcb22b77db4c9e5bf8e0ccccdf34dbac0aada6a0bfef4fbc7a5de

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5c8fa9ef4664ee4f1ffacbaeb471118c

SHA1
c72fc3b4a2d224af170dd97720e3b32921205e33

SHA256
88c5039875ed84f1c5b6388bc71bbeabfe145d0a8c351022ebe1f626e4ac7214

SHA512
6c61276857975d80f1dad0c7e0bd0168c161a8fe095c76f959ed7a8feaa1d8e8512464421a2dcb22b77db4c9e5bf8e0ccccdf34dbac0aada6a0bfef4fbc7a5de

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7f0e4014300695d2a15180ce06bc3fb1

SHA1
dd2db445aa013b4f8dc9b6192c8589852ad22639

SHA256
93ae652fb810cab71fc844b1ba0b53a688ce433f49a40e8c7dd3fbcf8a4e3e14

SHA512
35a0d002b1ce73ec630c242a4a2b0074b8bfe3cd5dd71b7121b568846f440234beecae26954fb4a37a33a9a125999cdb8044531d876777103df8d833fd520f60

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e72bf688acf24b7a61d364a3a7cbd2a7

SHA1
7642390dabd2dd3365094661632bf69867c52c8e

SHA256
b77ed0ae755011db0d55dd38a21d796a3d036e45a05898ff1e2a9ba1e34d5f79

SHA512
a80276606d0071e5e92105c47db3eb413412ec3ca20c4979761b8aa8761aadd8823c99e4ee3a319205d0e0adc4110bdb6ccc5c27af3a2f5165062ebcc2b95d3d

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a884a672e0c25b9706a2e960fe538b32

SHA1
b094e1e658562bf882c0c7e2fa5f3a3143e06611

SHA256
bbc17dd6d0b436b5cf8635ddde95688eed8eeb346eecbfe81bcce879da5aef8f

SHA512
b40157ee1c0e478646913033809cb0856d4cdfa93d0334024ecfa917238f113a5b185a5b1c98d06aa8e2d81b14d3be23cf3020370e88c5086fea30e8c20ce082

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
66d85b19c777b6da1743f2a14ff8c78b

SHA1
8ce0d15bb1fd86d4835cd4e1b7dffe6697399044

SHA256
a422586d5adaaadb8acbb9eb4d441dd304538f15c11f169884fae83e69b748c5

SHA512
e8fb09a3cdf6fc701babb2d3258fe5dbc1ddc57493d12df272fd7a7f0baf28fbf9271ad61fa171afb85120b183a23dacad6b35526bf7a02f1fb348fd7d91e074

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
0226486f4eccc69d857a9b27f2546fce

SHA1
b310987edd1c6b51d8df09ddf4ab61a0265e7add

SHA256
f0fd5ac4a3eeaf74bfcdd29dc3321de49ae4ac2286f008318d9a738666d57324

SHA512
2d458ebdcaf9a539e0da60a49c1441aaadcb64b61efa0416ab74deccf77adb8194e4993d6ad582c0447136c47f4c80d38b1d71020efa3ee9f4bec2a45fea4178

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
fe28d822dcaef881de9be92320d3d356

SHA1
30b87d6b611a74280b59a8f10a5b0fc482320d94

SHA256
ccbc7318632fe6763ff8a0751858ad309eac918cf07fb235c85d70c86a5966b6

SHA512
fa9fd013d9c82b804ec03c7021404366e5eaf2c1bddc095edd014ca7d794ab44a41d4546aef27013f31392565f7dc2054608072b1eaec5e1b6fa5e552f23cc64

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
94066eb54b297d75a2697ef31f78d137

SHA1
3e4a177ace460e18d620c784a17ab1268af33ee8

SHA256
e66f78249d9d42b8e59aa653c9440f6620d7658dbba4ec9491b9324867be4fba

SHA512
69e34e80f3694f932a292446e59d41a507676f069986dab2f9adaf0d05123d0a2932d9fab45bee3dfcedd72d3df7ff39ec333ac4a383acb8733ad38a7f4fc4ac

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c3d13dafd5f3564303344164e209b216

SHA1
301f79ad8683d0b2b31cc94b7a4dd4f0f6439855

SHA256
70dea84792b76db8459c7be54006eb167e858ac18dd535ed1f99123bbaf55361

SHA512
cb321c74ffe213819b1b2b2e0a009adb2c8ed20e61f2e6904c59196af30f675493cf7b51ded018497f16f74588fea652c77865f313cb9799527c026f8f1ee6ba

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c3d13dafd5f3564303344164e209b216

SHA1
301f79ad8683d0b2b31cc94b7a4dd4f0f6439855

SHA256
70dea84792b76db8459c7be54006eb167e858ac18dd535ed1f99123bbaf55361

SHA512
cb321c74ffe213819b1b2b2e0a009adb2c8ed20e61f2e6904c59196af30f675493cf7b51ded018497f16f74588fea652c77865f313cb9799527c026f8f1ee6ba

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fc78e65e425f45a754395684a9d64eb7

SHA1
bdb939059d05aeef5aadfad0e84d950d13bb9ce8

SHA256
7c068256c91f9c7be78f53d53fdec3775dff21c248bbc2c9a060b266166c11c6

SHA512
8a3aea0c5d3dd87818fb4405555b4c8c20e02f82e2e64d7a9197e5ced84cecc685be108cd27f5cf237cb74900f933d6d312b2315d43d892d02b6808bbce1de8e

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
74fe0bd07d7d3300ba5813ada020342f

SHA1
9a1f52e7d3f2efe505edf2e68387b478f2b28199

SHA256
a019c6721f84f54a851f708db4f4ed4f97e9032a995e9f1e3c7ec34aca0d2c63

SHA512
d9c0eb127b202f75554416154b5d9f4dd5070076d95f4afeaba600a4b9d19f2b0604b456f4227f67913717b9903501613f18ccc59d131839bd2a06f31ea1d2aa

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8c0361f61f04352c48ade8d9a8639cdf

SHA1
9e275babdb6eb59e75d997d3e9cf2428a845ef5d

SHA256
dcb26afa8b53413d944fe7a5010d56258ee8e9ad10ef7e0c25de835138ad783f

SHA512
f6c3490c8f2ea077cd561c80f00ad2fdb60a1bb0257a1e7ad63a9959a425ec90ea4fec3903dd2472de099ef94c5e5739f42951916bc9bca3624a0d5f53c6c181

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
420ef50ec441fe3269c0d841c398e8e5

SHA1
5a50310b4b27d72afc2bfdabc954780fb0fb6377

SHA256
e45958905bb3df9a3180a826447a22161bb118a806602761490a4eb146413500

SHA512
abf12e33da03fa0f3ac0e0d314dbeeb318c4c82e4fd240dd3efe1f59602de6139755782b5caabb1c7de0062a6e4d41fc18d3aa0039e4ec574a4fe4ee78f20c48

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e21bd3d1238fe3c5c0cc1176f8fb8ec0

SHA1
3e776db09410eff9fd9d65ca9d4c5b3c9dc1cb1a

SHA256
d95dc634b68c9ba7f6ee4ec6ac56fd48f11d67f804947c4350f0cb62575ce46c

SHA512
538e49e7d7e701a0ad3d60f20da0f6446bbb217af42fabfe689463e81c6224cf09be9932212ef2b44c44d022fa15d5c44747c3c0e6e2fdd7820bcfaa79aa5d0b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
ea368de5b6f0eafaa95185e92c277389

SHA1
8733f7e8eb5cc4ebf323a96e949b9d8f11fa3254

SHA256
80b634526d8da89298158d5629038edd1bc82dc4ee043352902791559787b72e

SHA512
9c591f95260946e6d7802c7a71285df53ac8b8b9ea5c84bc585645884a2e16aed84b0dfcea756e1ef8c06c249ffdc4e40e43a234a2f59b0899498b7816415c43

Download Submit
memory/524-73-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/524-81-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/524-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/788-106-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/864-159-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/864-148-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/864-397-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/864-155-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/912-210-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/912-246-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/940-186-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/940-175-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/940-181-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/940-546-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1088-59-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1088-54-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1088-310-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1088-80-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1160-143-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1196-170-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1196-164-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1196-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1196-415-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1248-141-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1328-107-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1432-649-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1440-97-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1440-151-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1440-98-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1440-154-0x0000000000D30000-0x0000000000DEC000-memory.dmp

Filesize
752KB

Download
memory/1440-99-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1440-102-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1440-104-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1508-644-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1536-547-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1664-208-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1664-192-0x0000000000AE0000-0x0000000000B46000-memory.dmp

Filesize
408KB

Download
memory/1664-493-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1680-109-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1680-114-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1680-123-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1688-601-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1688-497-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1700-82-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1700-311-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1732-134-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1732-150-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1732-388-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-140-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1732-145-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1732-183-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1732-153-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2012-291-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2012-185-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2012-209-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2092-557-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2092-416-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2124-369-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2124-549-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2128-325-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2128-226-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2184-372-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2204-227-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2204-282-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2252-257-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2408-542-0x0000000000570000-0x0000000000779000-memory.dmp

Filesize
2.0MB

Download
memory/2408-541-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2408-255-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2408-259-0x0000000000570000-0x0000000000779000-memory.dmp

Filesize
2.0MB

Download
memory/2416-390-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2460-624-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2460-602-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2512-360-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2512-292-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2556-294-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2660-543-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2660-295-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2704-550-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2704-393-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2800-313-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2828-316-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2864-558-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2864-418-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2908-339-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/3008-340-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/3008-548-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download