blustealer | 96f62d789e0958b3dc3cf346997044f128d29098116e340786993b5308209806

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

58ed8a64599dbf61e2d8083b2c40107e
SHA1

c19e34b59e5ccff5657a1da29308c1015539df2a
SHA256

96f62d789e0958b3dc3cf346997044f128d29098116e340786993b5308209806
SHA512

0a461dd6fbd337452e2a580d0b381642e6ea4cd8f9b863008295fc1671c65ee6dc35886d9dd5fd46960d1c8649c8334898f2be89224a0b21cc824925333fb531
SSDEEP

24576:8xgsRftD0C2nKGt0Djsf9nz4mloFQnpXUMPQDR6q79dA:8aSftDnGCDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 43 IoCs

pid	Process
464	Process not Found
1108	alg.exe
1756	aspnet_state.exe
668	mscorsvw.exe
1504	mscorsvw.exe
1948	mscorsvw.exe
1912	mscorsvw.exe
912	dllhost.exe
664	ehRecvr.exe
1704	ehsched.exe
1672	mscorsvw.exe
684	mscorsvw.exe
1620	mscorsvw.exe
1312	mscorsvw.exe
864	mscorsvw.exe
548	mscorsvw.exe
1268	mscorsvw.exe
1672	mscorsvw.exe
1688	elevation_service.exe
1612	IEEtwCollector.exe
472	GROOVE.EXE
1164	msiexec.exe
628	msdtc.exe
1164	msiexec.exe
2124	OSE.EXE
2168	mscorsvw.exe
2180	OSPPSVC.EXE
2372	perfhost.exe
2412	locator.exe
2500	snmptrap.exe
2596	mscorsvw.exe
2620	vds.exe
2756	vssvc.exe
2852	wbengine.exe
2932	WmiApSrv.exe
3032	wmpnetwk.exe
2104	SearchIndexer.exe
2728	mscorsvw.exe
2980	mscorsvw.exe
2216	mscorsvw.exe
3068	mscorsvw.exe
2764	mscorsvw.exe
1708	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1164	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\10b30211328eb3a2.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\vds.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\alg.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1236 set thread context of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{22CBC9DE-0126-4AEC-B6EF-36F7E2D6E0DD}\chrome_installer.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{23B3ED7D-AFBA-458B-B990-CFC1D3A44876}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{23B3ED7D-AFBA-458B-B990-CFC1D3A44876}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{93021562-F32E-4A8C-AD1E-753ED8DA3E59}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{93021562-F32E-4A8C-AD1E-753ED8DA3E59}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe
Token: SeShutdownPrivilege	1948	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeSecurityPrivilege	1164	msiexec.exe
Token: SeBackupPrivilege	2756	vssvc.exe
Token: SeRestorePrivilege	2756	vssvc.exe
Token: SeAuditPrivilege	2756	vssvc.exe
Token: SeBackupPrivilege	2852	wbengine.exe
Token: SeRestorePrivilege	2852	wbengine.exe
Token: SeSecurityPrivilege	2852	wbengine.exe
Token: SeManageVolumePrivilege	2104	SearchIndexer.exe
Token: 33	2104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2104	SearchIndexer.exe
Token: 33	3032	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3032	wmpnetwk.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeDebugPrivilege	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe
Token: SeShutdownPrivilege	1912	mscorsvw.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2536	SearchProtocolHost.exe
2536	SearchProtocolHost.exe
2536	SearchProtocolHost.exe
2536	SearchProtocolHost.exe
2536	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1236 wrote to memory of 1284	1236	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1912 wrote to memory of 1672	1912	mscorsvw.exe	38
PID 1912 wrote to memory of 1672	1912	mscorsvw.exe	38
PID 1912 wrote to memory of 1672	1912	mscorsvw.exe	38
PID 1912 wrote to memory of 684	1912	mscorsvw.exe	39
PID 1912 wrote to memory of 684	1912	mscorsvw.exe	39
PID 1912 wrote to memory of 684	1912	mscorsvw.exe	39
PID 1948 wrote to memory of 1620	1948	mscorsvw.exe	40
PID 1948 wrote to memory of 1620	1948	mscorsvw.exe	40
PID 1948 wrote to memory of 1620	1948	mscorsvw.exe	40
PID 1948 wrote to memory of 1620	1948	mscorsvw.exe	40
PID 1948 wrote to memory of 1312	1948	mscorsvw.exe	41
PID 1948 wrote to memory of 1312	1948	mscorsvw.exe	41
PID 1948 wrote to memory of 1312	1948	mscorsvw.exe	41
PID 1948 wrote to memory of 1312	1948	mscorsvw.exe	41
PID 1948 wrote to memory of 864	1948	mscorsvw.exe	42
PID 1948 wrote to memory of 864	1948	mscorsvw.exe	42
PID 1948 wrote to memory of 864	1948	mscorsvw.exe	42
PID 1948 wrote to memory of 864	1948	mscorsvw.exe	42
PID 1948 wrote to memory of 548	1948	mscorsvw.exe	43
PID 1948 wrote to memory of 548	1948	mscorsvw.exe	43
PID 1948 wrote to memory of 548	1948	mscorsvw.exe	43
PID 1948 wrote to memory of 548	1948	mscorsvw.exe	43
PID 1948 wrote to memory of 1268	1948	mscorsvw.exe	44
PID 1948 wrote to memory of 1268	1948	mscorsvw.exe	44
PID 1948 wrote to memory of 1268	1948	mscorsvw.exe	44
PID 1948 wrote to memory of 1268	1948	mscorsvw.exe	44
PID 1948 wrote to memory of 1672	1948	mscorsvw.exe	45
PID 1948 wrote to memory of 1672	1948	mscorsvw.exe	45
PID 1948 wrote to memory of 1672	1948	mscorsvw.exe	45
PID 1948 wrote to memory of 1672	1948	mscorsvw.exe	45
PID 1948 wrote to memory of 2168	1948	mscorsvw.exe	54
PID 1948 wrote to memory of 2168	1948	mscorsvw.exe	54
PID 1948 wrote to memory of 2168	1948	mscorsvw.exe	54
PID 1948 wrote to memory of 2168	1948	mscorsvw.exe	54
PID 1948 wrote to memory of 2596	1948	mscorsvw.exe	58
PID 1948 wrote to memory of 2596	1948	mscorsvw.exe	58
PID 1948 wrote to memory of 2596	1948	mscorsvw.exe	58
PID 1948 wrote to memory of 2596	1948	mscorsvw.exe	58
PID 1948 wrote to memory of 2728	1948	mscorsvw.exe	65
PID 1948 wrote to memory of 2728	1948	mscorsvw.exe	65
PID 1948 wrote to memory of 2728	1948	mscorsvw.exe	65
PID 1948 wrote to memory of 2728	1948	mscorsvw.exe	65
PID 2104 wrote to memory of 2536	2104	SearchIndexer.exe	66
PID 2104 wrote to memory of 2536	2104	SearchIndexer.exe	66
PID 2104 wrote to memory of 2536	2104	SearchIndexer.exe	66
PID 1948 wrote to memory of 2980	1948	mscorsvw.exe	67
PID 1948 wrote to memory of 2980	1948	mscorsvw.exe	67
PID 1948 wrote to memory of 2980	1948	mscorsvw.exe	67
PID 1948 wrote to memory of 2980	1948	mscorsvw.exe	67
PID 1948 wrote to memory of 2216	1948	mscorsvw.exe	68
PID 1948 wrote to memory of 2216	1948	mscorsvw.exe	68
PID 1948 wrote to memory of 2216	1948	mscorsvw.exe	68
PID 1948 wrote to memory of 2216	1948	mscorsvw.exe	68
PID 2104 wrote to memory of 2984	2104	SearchIndexer.exe	69
PID 2104 wrote to memory of 2984	2104	SearchIndexer.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2168-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2168-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1284

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:668

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 1f4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ec -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 270 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 270 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1b0 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 248 -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 298 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 120 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:912

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:664

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1612

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:472

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1164

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:628

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3948302646-268491222-1934009652-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3948302646-268491222-1934009652-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
93f188a10ae59a76626f28c2ee6bc7e3

SHA1
a689c9041579749df61e4783b10779aa57c8e27e

SHA256
5d9964a77882d03353de3b6873f876d7493babdfeaf0d965efe3152ba87e15b5

SHA512
791ec48a388bae4811494ab7f39d8ddd06dbbd1de1c62fe8e95a1c46a90b3030354a909d53218909b310be306359e9d56627ff388594dc630cd31042e11b662f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
1756b2c96263a8a9477069e6038b8b30

SHA1
8833f0e9e835d2cb0d350edcd4da2f321918fadf

SHA256
8d2afc5acee8bde116917e333bc7f13d2e6211f7601ec363086757f569c91f11

SHA512
927eeac35987debe50a9b8d68fb6d40478eb7adb5e3ba6b142805a299e38d782beb9399fdad9ecfb68b9df284a65ee0cbb44f5a4fe90eca949e7430a625b6c3b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8e1f94571bea7cc90cf132b71ca6d26a

SHA1
7d7d2fd7cfce62281075c937b316c9cdc99471f1

SHA256
65adc34ad5ea4d715e4877171daf8957266386e2559ec0576fc3110c10874b24

SHA512
09524e2218587e95b3cd7718524355eb37315653270109552c18050d5e89267bcf98fe4691eb63241f5bcc4145f58bb93046a3bafaa2cdb432619b559afb62e0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9fb5dd45e190d3f65dde3fe574cb1c2a

SHA1
ef6446bb3312fa3dcd900a014d189fe0232380bf

SHA256
0bd231fabafec2eccf3c98d2a1100b2bbd26b862e024afe16a2a24ff16151843

SHA512
25426fe06f58e99a42e2db154054130fa3832d7c8872d697e3526a8e123fef63eb481550f8e74c8ab566f2cb7271337bbfa05e50e0559b40d943e7a9e75f6490

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
29ea11306ee39c726b0595524e16f927

SHA1
edd70b5c97321cee69da9e86d0cc9383eacf9bdd

SHA256
bcc09552d1409f5b1332a6598137895d11a155f44a31ec6d0ef47899f5f39c61

SHA512
44d013bfbd7088178432071c6b1b793e2361718b9f8e6133ad3e48551949f1aba448eb47ad84bd6f5d64e136cf4c7f209b41b6eceb5263e42db06df89e32f25e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b643744832f0c8e4b3b6df3afaa6b25d

SHA1
417d4aaf32e7987a3eb9e5de88c8d0f9fe5615a1

SHA256
6c64c5881430144327eb8fd5b3cbee6dda169891553fc7121aa3b75caf5578ad

SHA512
da972e61517271a76be151f3bd1114df2b69315761eb1e91c0f4af8d4f50f54ac1974ffcd5b63156b00565f8f1cdcf3a24e042459c8cd59610ffce99e0529d64

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
603b03cd3fb07d905d5bd2baf23e77c6

SHA1
1dfd2c27609d2a35612a38632b2cdb8d9659d40a

SHA256
8b6f97b1a606204d4b4ed9f377d34afbfd67c6fdf2fa09bdf806668c763b8782

SHA512
4e70e5bf808bb642b039711cf31c8843e481cb861fd27872ac489a1fe8b49d991cd2b101052225c168359a631934338d6e1fb579b560e1f3313129fcd070d19d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a652fdb5a7e5c3ffa1e160d6ace57632

SHA1
21cbcd4a226cc30102c1fabf9523439f113c6e0b

SHA256
6a13183eeb7411efff19b6d8aa0a93b9aebb60d37b40819573400e9d7b01a4fc

SHA512
8c8f36f492dc2471083374650e5f92f6fc8269e6ac36223e3a8d793be3ad02b2276b6423cc2be272f9e14693fb659dcd715b996258b6a66f99b6b8119de5eeea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a652fdb5a7e5c3ffa1e160d6ace57632

SHA1
21cbcd4a226cc30102c1fabf9523439f113c6e0b

SHA256
6a13183eeb7411efff19b6d8aa0a93b9aebb60d37b40819573400e9d7b01a4fc

SHA512
8c8f36f492dc2471083374650e5f92f6fc8269e6ac36223e3a8d793be3ad02b2276b6423cc2be272f9e14693fb659dcd715b996258b6a66f99b6b8119de5eeea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
653258f67fa86585811004e735c21a11

SHA1
35b9e4c4a42b4f6e3e8542c9df433a53e5a60bb8

SHA256
ee7c26d038765484b59c145aad6d295c6ca4e1418a8dad17c0e16da5cd182088

SHA512
f1168b74efdeadc93e0d61c26e8d6e598d04a7983cca21262facb118089851c9f67dd261366a1a7e0102bbfe7e5d14d4286b1c3c0ce2f84b6422879bb36ffaae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e4f7db4f294e4a82d71b518a518c1320

SHA1
19220d3438bba453e8c12501a848827385b28ca3

SHA256
fcbedf2b0e2f22386332322ff7f8638cb81dc29df096a7ce1e1435646b5dc6e2

SHA512
b4b0df906cd559c72acc186ff26a06ff6fd3eb5228cd6b559ad77e8063d298e6bfa7582d5ffe2adb0fb943f36fd1c07581430ffc19624f9a5c92e7e03f232469

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b63ce57eaa30596799a5fc64181561a

SHA1
25a4288c598269c6e60789b7941fa7e358740f9d

SHA256
dcf2f5fce8bfc05689cf93428484369a11cce625ff4b5f76452778400f0efa08

SHA512
2f1de989bfcbad2858f9ed2edb253c3d88ae63e44ec53e8d9c82cb8d1e54a4c124a10db2508596ea5db1eb4812177c03bb0f0091922ea0904365ce809ed3a3ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b63ce57eaa30596799a5fc64181561a

SHA1
25a4288c598269c6e60789b7941fa7e358740f9d

SHA256
dcf2f5fce8bfc05689cf93428484369a11cce625ff4b5f76452778400f0efa08

SHA512
2f1de989bfcbad2858f9ed2edb253c3d88ae63e44ec53e8d9c82cb8d1e54a4c124a10db2508596ea5db1eb4812177c03bb0f0091922ea0904365ce809ed3a3ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b63ce57eaa30596799a5fc64181561a

SHA1
25a4288c598269c6e60789b7941fa7e358740f9d

SHA256
dcf2f5fce8bfc05689cf93428484369a11cce625ff4b5f76452778400f0efa08

SHA512
2f1de989bfcbad2858f9ed2edb253c3d88ae63e44ec53e8d9c82cb8d1e54a4c124a10db2508596ea5db1eb4812177c03bb0f0091922ea0904365ce809ed3a3ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b63ce57eaa30596799a5fc64181561a

SHA1
25a4288c598269c6e60789b7941fa7e358740f9d

SHA256
dcf2f5fce8bfc05689cf93428484369a11cce625ff4b5f76452778400f0efa08

SHA512
2f1de989bfcbad2858f9ed2edb253c3d88ae63e44ec53e8d9c82cb8d1e54a4c124a10db2508596ea5db1eb4812177c03bb0f0091922ea0904365ce809ed3a3ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8391112e576d10444716b0009b630f9f

SHA1
1e6d10015b7c97febce46cafcb9fe05e1f9f4e62

SHA256
0f3789aa43ee84c2074a9df59dbe4f186fc912cbabecbe4e002e1fd323dd7ec9

SHA512
c60208c2124e1f4c24bd1f0c71b862361df668c0f5770cff99e63c1a928d9cca33ddf111d6ef807a4ff41dcc60127e138980f6b2c98a9c9699af9ce97aa37d1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8391112e576d10444716b0009b630f9f

SHA1
1e6d10015b7c97febce46cafcb9fe05e1f9f4e62

SHA256
0f3789aa43ee84c2074a9df59dbe4f186fc912cbabecbe4e002e1fd323dd7ec9

SHA512
c60208c2124e1f4c24bd1f0c71b862361df668c0f5770cff99e63c1a928d9cca33ddf111d6ef807a4ff41dcc60127e138980f6b2c98a9c9699af9ce97aa37d1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
fd360e853a55a8207e49e6963cea3996

SHA1
5a71e67583540a1f27da2826c252a894dedd6b4e

SHA256
ab4360b84635d69c353e2231ef2c3f6ec3877257d0985a533f93c4279bef7ffc

SHA512
c565c6039b5581c81414f71faf76edb9b388511df0b7f62a556f95ef3e7d195c46f01928622a0a32dffaceafe72752677246a427dda3770ebd6646427d1681b5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
19f316aae49a766ae447a9d1fec682aa

SHA1
55f90c1f62de6d2bcd1785745e6a93d62892bcbd

SHA256
1a6f352abbc2de5fb38533d569e13cbaecce774ba1d5815f69daa90eba914405

SHA512
71c6e30d55ee0b579891b67c7c0b8e0814741b39f450c191037fe3c6ae0426d26c44dc168d978c29e0be5b8686fe832b81de4ad07d9f452c1131c97dc6bc0856

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0476f8d660ea90584effd4f51ccfc909

SHA1
50261d7ec04e15bbb68c8fe82a060c9166823a68

SHA256
64303e781daebe06fd14c51e870c0b5b6bbdb4906f21e7d906a9a91995e8d2eb

SHA512
f57928dbda8d092effb24625aff6bda6eb2437bc861faf46af3ed134a09a39231f2d043705d23657cdb50ae061f3e7496007f0404895702e40d2422419ef05ab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e8fb69d2d64aaf610e138981e19e77c0

SHA1
6cef41dbba520fc5f8ac8d278e290a46cf0d353a

SHA256
1e9b01133d9f45d03c60f3688d2ab08f3ee4cbf2638dfb425d0cc79c755403d0

SHA512
b84417fd18f7491a869b7a8d0ae3431e815781d1925a7d459837b9d9681a07d555a6307f1940503bdf7c945c30b019067b5405bdfc5f7f1961723ea6477055c5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
672367454ba007885bdd1bcedfbd52d5

SHA1
0c7d438a10f4bd6315af0e9d7287e245453ab897

SHA256
5a04cea56424a87b13c6c3529acbf6b503d4029d1ea37eb5b9fcc9043f1040c2

SHA512
41f160140fbc99dcd5ce67db93f3753997e1caa6e834ed0435873fa47f55459b08167802616f69e6cebbab0853e756542c192c04769b0f2c1ef1d021507f6925

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
1631144ee17b8050fe94f185d8f791ee

SHA1
bac64979e1f1fc1b76ca531a7c4e07f815a5439c

SHA256
e053986505dc555c8e050debf34389211bef697517f9adddfab0051904f4fbec

SHA512
4eb11e4ff40b520035b3b87010152dec74b3a947db56bca93b44bec58d8b5b3cc2e20cf5ae9a327ddbdd252836d2bec02f7ba3884e8fc16a913d14480c9e9fa4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
98983aeb058fc59b66c942c17f738895

SHA1
ab1774c9f35e370f53dfd4f72af32a291a3bf978

SHA256
5d9d35d5f61be1556ef0a57e337ecf6b721a8700edc32055750f885329019e9d

SHA512
9c94c31644552b2206f21c6c7ba061511bce94859ce273ffde6bd421772ad2b8bf97961b54e4e3b10a3af06f01c18cbbc964169b3fcadb3d4e9202a39e635a74

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
6c6e73158596002058c98369be67223b

SHA1
bb2bece0fbcbb28b4d0a4628547762936b058aab

SHA256
4bc7efa3bf818994ac5367e296553b049e80d549d4ed8b357d42c5d057cc1ef3

SHA512
d6a1277260e1c493e8c6b6a447da95c215b3c08169ac5eb73f1f346592f3be62f16f058ace5a023b31320ff705bb21014508dedc7110f8c01c0e6d2804631078

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a15604ff1829ec150af87daf221e0e4a

SHA1
446096e74c3af3b165a7e256c1a250deb59b7012

SHA256
07642e64a830bece8e8c4161ca9ee9fcd9418ac80d242eaa9e628c30e5f7ec88

SHA512
81410d17bdeb33d8dcc377d12f51f08db16e78c57d38d9bbc47697849851d88dbe9ef57e943ca5232621803603dfa893c6a918cf01537b63dfad5151acafd1ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
219d8e3ca44bb43a7e087aa84fc14d2d

SHA1
926785647c1777ec31726a7741b0dee2b63d4ba8

SHA256
9da59ad40bce83305475b456404c545f0b90da9e503c895f35c29cea074263cd

SHA512
cc2527eb7e163242ffb33c9ff6d7ef317544650206fc52ce1081dbae19b5888c8a9e3bfcba6e903b18a6a380c1085969c6bdf7e2d80913c9953278f8ecb4a272

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9b093a56352f951b77e42160c72eb5b1

SHA1
3abd0dba21243065eae5d6f2e40160df92db4491

SHA256
624a229980b912853507415a52de1cacf363a9067c778536a30b963dc8eb2977

SHA512
859d72ca3658f526ab343996e09a9d85075fde905e4d0bc597dafa29a7aeb297d420120dd0b7691ee1f938be42bce445c886e2f852bef592673c545298e7ba99

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c08e9c8b6b5f5a65fc55b2d21404f47b

SHA1
141b514c6121f3203a723717ae389404638a8afb

SHA256
c4d3e449746c4c5dad46429ffe2538f6803795fe3180e9f885ea14c2545d2031

SHA512
c422fc42628892b240ec319e46256cd760a3079c82e9fada85f9b9f4531036069c98afd705c9a3269d2821327ce6430b9afd525883d28e33d573297e3e874019

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
42c7507ba9c873860fa9c740f4a15a41

SHA1
ee91ac4bc33f9597b0e04e19c55658af24a4e300

SHA256
4426ca11b2fcc525fc088ab3abd38c4ee36b2ab10fa4252d07acb1f2865d2ae8

SHA512
14e96f4cc8bf7bb5c0f41da193161e5f5952e634bef7b56c004146e8bf761ddf8b52bd22527c8fcba740203e900a095d94004103989004a140ccd871c8c4ee62

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
452c4f328ae6537ad9032222eb1a6efa

SHA1
d8d9675536d56dc674eb0933d821316146e7c145

SHA256
702185a3fef8ac67afef1ae427bd02d3be2ee1ac180edbf264345fa7e1d6577f

SHA512
1e27ebd8ab21eeee0497977172aa0fbe79d40815ab6c76c4553a4cc9c744671237abd5d05f21ceeae97cedae6cb5937a52dddf194ac363f5b31593b09d1a302a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
044330fb39bf64faee14aa14d92729ce

SHA1
405e8adf0d2b635f784072549b7736669fcb1188

SHA256
5fd666977c4f4b565d3c663d56315d1cadc44f3cc1371c74a99de91fafba1605

SHA512
e4dd1ff880d9bd6d8b44c6d99f60db0f37be12d87c39c01869860abf08292303c906d77c36841e40d3388cdeefa8f07bfab511c4c1b0af4116609a558d0aaf21

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
8e9c1313a3e1154c9c292fa2b072cb2b

SHA1
926f218c154eff707a3bd3e123f7f4da5f2583ec

SHA256
72ea14b4dd22d285dddcfa3dac77603f9a7cdb2c9c5839af52cd82ec4927bb2e

SHA512
8d63f32f2f256f7d0aa0d4b8869b84ad5b7a40651de05936fbd26b543a4d4b2e31de4a3c1d3b47c0eb6a447db200ccb11da0a329a2cdd2b4804e7f57a0078d8e

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c857ed641c40a518acc1bb59f1c687fc

SHA1
c227247b6adf3fe442127d16a03b18034a5234af

SHA256
67e11b67ac35eee1e9d9b8b02a607b0995938e374fca21721993dc8e093e1fff

SHA512
35ecc69bab838bff085db4ea009013ef95533044b17c8dfd198258bbb2755587632282135c0ccb93f558e497e9e964bd9a243b67e5cbda6cfbdb4ffd3a9add13

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
9b093a56352f951b77e42160c72eb5b1

SHA1
3abd0dba21243065eae5d6f2e40160df92db4491

SHA256
624a229980b912853507415a52de1cacf363a9067c778536a30b963dc8eb2977

SHA512
859d72ca3658f526ab343996e09a9d85075fde905e4d0bc597dafa29a7aeb297d420120dd0b7691ee1f938be42bce445c886e2f852bef592673c545298e7ba99

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b643744832f0c8e4b3b6df3afaa6b25d

SHA1
417d4aaf32e7987a3eb9e5de88c8d0f9fe5615a1

SHA256
6c64c5881430144327eb8fd5b3cbee6dda169891553fc7121aa3b75caf5578ad

SHA512
da972e61517271a76be151f3bd1114df2b69315761eb1e91c0f4af8d4f50f54ac1974ffcd5b63156b00565f8f1cdcf3a24e042459c8cd59610ffce99e0529d64

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b643744832f0c8e4b3b6df3afaa6b25d

SHA1
417d4aaf32e7987a3eb9e5de88c8d0f9fe5615a1

SHA256
6c64c5881430144327eb8fd5b3cbee6dda169891553fc7121aa3b75caf5578ad

SHA512
da972e61517271a76be151f3bd1114df2b69315761eb1e91c0f4af8d4f50f54ac1974ffcd5b63156b00565f8f1cdcf3a24e042459c8cd59610ffce99e0529d64

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a652fdb5a7e5c3ffa1e160d6ace57632

SHA1
21cbcd4a226cc30102c1fabf9523439f113c6e0b

SHA256
6a13183eeb7411efff19b6d8aa0a93b9aebb60d37b40819573400e9d7b01a4fc

SHA512
8c8f36f492dc2471083374650e5f92f6fc8269e6ac36223e3a8d793be3ad02b2276b6423cc2be272f9e14693fb659dcd715b996258b6a66f99b6b8119de5eeea

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e4f7db4f294e4a82d71b518a518c1320

SHA1
19220d3438bba453e8c12501a848827385b28ca3

SHA256
fcbedf2b0e2f22386332322ff7f8638cb81dc29df096a7ce1e1435646b5dc6e2

SHA512
b4b0df906cd559c72acc186ff26a06ff6fd3eb5228cd6b559ad77e8063d298e6bfa7582d5ffe2adb0fb943f36fd1c07581430ffc19624f9a5c92e7e03f232469

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e8fb69d2d64aaf610e138981e19e77c0

SHA1
6cef41dbba520fc5f8ac8d278e290a46cf0d353a

SHA256
1e9b01133d9f45d03c60f3688d2ab08f3ee4cbf2638dfb425d0cc79c755403d0

SHA512
b84417fd18f7491a869b7a8d0ae3431e815781d1925a7d459837b9d9681a07d555a6307f1940503bdf7c945c30b019067b5405bdfc5f7f1961723ea6477055c5

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
98983aeb058fc59b66c942c17f738895

SHA1
ab1774c9f35e370f53dfd4f72af32a291a3bf978

SHA256
5d9d35d5f61be1556ef0a57e337ecf6b721a8700edc32055750f885329019e9d

SHA512
9c94c31644552b2206f21c6c7ba061511bce94859ce273ffde6bd421772ad2b8bf97961b54e4e3b10a3af06f01c18cbbc964169b3fcadb3d4e9202a39e635a74

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
6c6e73158596002058c98369be67223b

SHA1
bb2bece0fbcbb28b4d0a4628547762936b058aab

SHA256
4bc7efa3bf818994ac5367e296553b049e80d549d4ed8b357d42c5d057cc1ef3

SHA512
d6a1277260e1c493e8c6b6a447da95c215b3c08169ac5eb73f1f346592f3be62f16f058ace5a023b31320ff705bb21014508dedc7110f8c01c0e6d2804631078

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a15604ff1829ec150af87daf221e0e4a

SHA1
446096e74c3af3b165a7e256c1a250deb59b7012

SHA256
07642e64a830bece8e8c4161ca9ee9fcd9418ac80d242eaa9e628c30e5f7ec88

SHA512
81410d17bdeb33d8dcc377d12f51f08db16e78c57d38d9bbc47697849851d88dbe9ef57e943ca5232621803603dfa893c6a918cf01537b63dfad5151acafd1ca

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
219d8e3ca44bb43a7e087aa84fc14d2d

SHA1
926785647c1777ec31726a7741b0dee2b63d4ba8

SHA256
9da59ad40bce83305475b456404c545f0b90da9e503c895f35c29cea074263cd

SHA512
cc2527eb7e163242ffb33c9ff6d7ef317544650206fc52ce1081dbae19b5888c8a9e3bfcba6e903b18a6a380c1085969c6bdf7e2d80913c9953278f8ecb4a272

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9b093a56352f951b77e42160c72eb5b1

SHA1
3abd0dba21243065eae5d6f2e40160df92db4491

SHA256
624a229980b912853507415a52de1cacf363a9067c778536a30b963dc8eb2977

SHA512
859d72ca3658f526ab343996e09a9d85075fde905e4d0bc597dafa29a7aeb297d420120dd0b7691ee1f938be42bce445c886e2f852bef592673c545298e7ba99

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9b093a56352f951b77e42160c72eb5b1

SHA1
3abd0dba21243065eae5d6f2e40160df92db4491

SHA256
624a229980b912853507415a52de1cacf363a9067c778536a30b963dc8eb2977

SHA512
859d72ca3658f526ab343996e09a9d85075fde905e4d0bc597dafa29a7aeb297d420120dd0b7691ee1f938be42bce445c886e2f852bef592673c545298e7ba99

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c08e9c8b6b5f5a65fc55b2d21404f47b

SHA1
141b514c6121f3203a723717ae389404638a8afb

SHA256
c4d3e449746c4c5dad46429ffe2538f6803795fe3180e9f885ea14c2545d2031

SHA512
c422fc42628892b240ec319e46256cd760a3079c82e9fada85f9b9f4531036069c98afd705c9a3269d2821327ce6430b9afd525883d28e33d573297e3e874019

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
42c7507ba9c873860fa9c740f4a15a41

SHA1
ee91ac4bc33f9597b0e04e19c55658af24a4e300

SHA256
4426ca11b2fcc525fc088ab3abd38c4ee36b2ab10fa4252d07acb1f2865d2ae8

SHA512
14e96f4cc8bf7bb5c0f41da193161e5f5952e634bef7b56c004146e8bf761ddf8b52bd22527c8fcba740203e900a095d94004103989004a140ccd871c8c4ee62

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
452c4f328ae6537ad9032222eb1a6efa

SHA1
d8d9675536d56dc674eb0933d821316146e7c145

SHA256
702185a3fef8ac67afef1ae427bd02d3be2ee1ac180edbf264345fa7e1d6577f

SHA512
1e27ebd8ab21eeee0497977172aa0fbe79d40815ab6c76c4553a4cc9c744671237abd5d05f21ceeae97cedae6cb5937a52dddf194ac363f5b31593b09d1a302a

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
044330fb39bf64faee14aa14d92729ce

SHA1
405e8adf0d2b635f784072549b7736669fcb1188

SHA256
5fd666977c4f4b565d3c663d56315d1cadc44f3cc1371c74a99de91fafba1605

SHA512
e4dd1ff880d9bd6d8b44c6d99f60db0f37be12d87c39c01869860abf08292303c906d77c36841e40d3388cdeefa8f07bfab511c4c1b0af4116609a558d0aaf21

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
8e9c1313a3e1154c9c292fa2b072cb2b

SHA1
926f218c154eff707a3bd3e123f7f4da5f2583ec

SHA256
72ea14b4dd22d285dddcfa3dac77603f9a7cdb2c9c5839af52cd82ec4927bb2e

SHA512
8d63f32f2f256f7d0aa0d4b8869b84ad5b7a40651de05936fbd26b543a4d4b2e31de4a3c1d3b47c0eb6a447db200ccb11da0a329a2cdd2b4804e7f57a0078d8e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c857ed641c40a518acc1bb59f1c687fc

SHA1
c227247b6adf3fe442127d16a03b18034a5234af

SHA256
67e11b67ac35eee1e9d9b8b02a607b0995938e374fca21721993dc8e093e1fff

SHA512
35ecc69bab838bff085db4ea009013ef95533044b17c8dfd198258bbb2755587632282135c0ccb93f558e497e9e964bd9a243b67e5cbda6cfbdb4ffd3a9add13

Download Submit
memory/472-289-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/472-502-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/548-239-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/628-310-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/628-571-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/664-152-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/664-149-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/664-344-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/664-153-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/664-142-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/664-157-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/664-136-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/668-108-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/684-176-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/684-184-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/684-170-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/684-181-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/684-182-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/864-218-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/864-229-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/912-131-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1108-78-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1108-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1108-67-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1164-611-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/1164-330-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/1164-329-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1164-303-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1164-608-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1236-54-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1236-59-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1236-77-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1236-285-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1268-238-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1268-254-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1284-148-0x00000000008D0000-0x000000000098C000-memory.dmp

Filesize
752KB

Download
memory/1284-88-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1284-85-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1284-84-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1284-83-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1284-150-0x0000000005060000-0x00000000050A0000-memory.dmp

Filesize
256KB

Download
memory/1284-90-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1312-202-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1312-217-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1504-110-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1612-287-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1612-631-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1620-199-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1620-188-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/1672-266-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1672-161-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1672-179-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1672-167-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1672-375-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1672-180-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1688-265-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1688-489-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1704-156-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1756-105-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1912-132-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1948-130-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1948-114-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/1948-107-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/2104-474-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2124-351-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2168-353-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2168-616-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2180-355-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2180-617-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2372-367-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2412-636-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2412-369-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2500-400-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2596-656-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2596-402-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2620-657-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2620-404-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2728-655-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2756-659-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2756-419-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2852-660-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2852-442-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2932-444-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2932-661-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2980-658-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3032-473-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download