blustealer | 427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-05-2023 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.4MB
MD5

34aa0ca40863c30653a0b6ba10d3daa2
SHA1

c5dbbc9a3f6d537ab49aeb89223810cd67c256f7
SHA256

427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9
SHA512

34e46909f3ea586033baa5f73ecbf1f5072f2d05cfaf77f6ab2535ee0798f01427b1e62719fc4026f4b38af03e445a33ff2deb22ef9817ab42e506cfb5cb10d2
SSDEEP

24576:O94Lauo2BLrZ6dj7Wd50QKQIsBJXkQsUc/i/Egj87qLom0Y5m6Uy:O/uHrZ6WPKQ5X0QsUN/EgQ7qEmv

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 50 IoCs

pid	Process
464	Process not Found
1072	alg.exe
1628	aspnet_state.exe
1184	mscorsvw.exe
1336	mscorsvw.exe
844	mscorsvw.exe
592	mscorsvw.exe
568	dllhost.exe
1892	ehRecvr.exe
1632	ehsched.exe
1660	elevation_service.exe
1976	mscorsvw.exe
1724	mscorsvw.exe
1608	mscorsvw.exe
1000	mscorsvw.exe
1976	mscorsvw.exe
2044	mscorsvw.exe
1724	mscorsvw.exe
2144	mscorsvw.exe
2244	mscorsvw.exe
2336	mscorsvw.exe
2428	mscorsvw.exe
2520	mscorsvw.exe
2616	mscorsvw.exe
2716	mscorsvw.exe
2808	mscorsvw.exe
2908	mscorsvw.exe
3004	mscorsvw.exe
1184	mscorsvw.exe
2132	mscorsvw.exe
1704	IEEtwCollector.exe
2292	msdtc.exe
2380	msiexec.exe
2340	OSE.EXE
2504	mscorsvw.exe
2568	OSPPSVC.EXE
2732	perfhost.exe
2764	locator.exe
2848	snmptrap.exe
2784	mscorsvw.exe
2720	vds.exe
1828	vssvc.exe
1656	wbengine.exe
936	WmiApSrv.exe
2240	mscorsvw.exe
2396	wmpnetwk.exe
2612	SearchIndexer.exe
640	mscorsvw.exe
2940	mscorsvw.exe
632	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2380	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7c0b9fd1a5fe7035.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 704	1716	Quote 1345 rev.3.exe	29
PID 704 set thread context of 1880	704	Quote 1345 rev.3.exe	32

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\MeasureWatch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{12F1D0F8-9677-4CFF-937B-F2B1712A60CC}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{12F1D0F8-9677-4CFF-937B-F2B1712A60CC}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{850076E7-CBC9-4658-9D64-2835E9367090}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{850076E7-CBC9-4658-9D64-2835E9367090}	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1716	Quote 1345 rev.3.exe
1716	Quote 1345 rev.3.exe
1108	ehRec.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe
704	Quote 1345 rev.3.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	Quote 1345 rev.3.exe
Token: SeTakeOwnershipPrivilege	704	Quote 1345 rev.3.exe
Token: SeShutdownPrivilege	844	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeDebugPrivilege	1108	ehRec.exe
Token: SeShutdownPrivilege	844	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: 33	1568	EhTray.exe
Token: SeIncBasePriorityPrivilege	1568	EhTray.exe
Token: SeShutdownPrivilege	844	mscorsvw.exe
Token: SeShutdownPrivilege	844	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeSecurityPrivilege	2380	msiexec.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe
Token: SeBackupPrivilege	1656	wbengine.exe
Token: SeRestorePrivilege	1656	wbengine.exe
Token: SeSecurityPrivilege	1656	wbengine.exe
Token: 33	2396	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2396	wmpnetwk.exe
Token: SeManageVolumePrivilege	2612	SearchIndexer.exe
Token: 33	2612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2612	SearchIndexer.exe
Token: SeShutdownPrivilege	844	mscorsvw.exe
Token: SeShutdownPrivilege	592	mscorsvw.exe
Token: SeDebugPrivilege	704	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	704	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	704	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	704	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	704	Quote 1345 rev.3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1568	EhTray.exe
1568	EhTray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
704	Quote 1345 rev.3.exe
2096	SearchProtocolHost.exe
2096	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 524	1716	Quote 1345 rev.3.exe	27
PID 1716 wrote to memory of 524	1716	Quote 1345 rev.3.exe	27
PID 1716 wrote to memory of 524	1716	Quote 1345 rev.3.exe	27
PID 1716 wrote to memory of 524	1716	Quote 1345 rev.3.exe	27
PID 1716 wrote to memory of 596	1716	Quote 1345 rev.3.exe	28
PID 1716 wrote to memory of 596	1716	Quote 1345 rev.3.exe	28
PID 1716 wrote to memory of 596	1716	Quote 1345 rev.3.exe	28
PID 1716 wrote to memory of 596	1716	Quote 1345 rev.3.exe	28
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 1716 wrote to memory of 704	1716	Quote 1345 rev.3.exe	29
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 704 wrote to memory of 1880	704	Quote 1345 rev.3.exe	32
PID 844 wrote to memory of 1976	844	mscorsvw.exe	43
PID 844 wrote to memory of 1976	844	mscorsvw.exe	43
PID 844 wrote to memory of 1976	844	mscorsvw.exe	43
PID 844 wrote to memory of 1976	844	mscorsvw.exe	43
PID 844 wrote to memory of 1724	844	mscorsvw.exe	44
PID 844 wrote to memory of 1724	844	mscorsvw.exe	44
PID 844 wrote to memory of 1724	844	mscorsvw.exe	44
PID 844 wrote to memory of 1724	844	mscorsvw.exe	44
PID 844 wrote to memory of 1608	844	mscorsvw.exe	45
PID 844 wrote to memory of 1608	844	mscorsvw.exe	45
PID 844 wrote to memory of 1608	844	mscorsvw.exe	45
PID 844 wrote to memory of 1608	844	mscorsvw.exe	45
PID 844 wrote to memory of 1000	844	mscorsvw.exe	46
PID 844 wrote to memory of 1000	844	mscorsvw.exe	46
PID 844 wrote to memory of 1000	844	mscorsvw.exe	46
PID 844 wrote to memory of 1000	844	mscorsvw.exe	46
PID 844 wrote to memory of 1976	844	mscorsvw.exe	47
PID 844 wrote to memory of 1976	844	mscorsvw.exe	47
PID 844 wrote to memory of 1976	844	mscorsvw.exe	47
PID 844 wrote to memory of 1976	844	mscorsvw.exe	47
PID 844 wrote to memory of 2044	844	mscorsvw.exe	48
PID 844 wrote to memory of 2044	844	mscorsvw.exe	48
PID 844 wrote to memory of 2044	844	mscorsvw.exe	48
PID 844 wrote to memory of 2044	844	mscorsvw.exe	48
PID 844 wrote to memory of 1724	844	mscorsvw.exe	49
PID 844 wrote to memory of 1724	844	mscorsvw.exe	49
PID 844 wrote to memory of 1724	844	mscorsvw.exe	49
PID 844 wrote to memory of 1724	844	mscorsvw.exe	49
PID 844 wrote to memory of 2144	844	mscorsvw.exe	50
PID 844 wrote to memory of 2144	844	mscorsvw.exe	50
PID 844 wrote to memory of 2144	844	mscorsvw.exe	50
PID 844 wrote to memory of 2144	844	mscorsvw.exe	50
PID 844 wrote to memory of 2244	844	mscorsvw.exe	51
PID 844 wrote to memory of 2244	844	mscorsvw.exe	51
PID 844 wrote to memory of 2244	844	mscorsvw.exe	51
PID 844 wrote to memory of 2244	844	mscorsvw.exe	51
PID 844 wrote to memory of 2336	844	mscorsvw.exe	52
PID 844 wrote to memory of 2336	844	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  PID:524
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  PID:596
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1184

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 244 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 1d4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 244 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 270 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f0 -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 29c -NGENProcess 1d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 278 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 264 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2bc -NGENProcess 298 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:568

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1892

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2340

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:936

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2612
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2096
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e75ee94a00ff898d64e1756a84bd18e0

SHA1
e5763fd9752230dd698852b240f13e8babc06c8a

SHA256
ed5fc9495420222dab1659db545b9a2fe27f5e8c9ae1d5a082fa363f56a04884

SHA512
c932d09d9bf2f9aff25476a416b29c4cecb1a129c8c1215e7a60de14887a479f237d43e4b95b78cbd35c9c894aa06020e415af06342851a6c9f3ff2a07783531

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
5ed7f720eb03eb71a2f20dc97fd627a5

SHA1
92ccb6e56ada1c6166b301b4169884abd38bacd9

SHA256
d09b8e91be592849d1667eea8bc66275515ad6cd674b529e56c1dd91bb5c30e7

SHA512
52854f9987d5be52039b82db0c2991f26c84b2292a77bdb26519f66b2252eaba9a587a15b711f7aca7fa4a6df4411b883e1d9a6f4d5c2a23000d4b9a222508c7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
925cb900c7a0644cabb54f7d92609037

SHA1
0b9ca6f88553c8615bc3022d50de7adf095ecb31

SHA256
2bd7bab36ea2e004bfdd2e80af4e5f2a0badcb49ede1ff0fefd24f0288489e69

SHA512
32161f2f406fb34f84928e08ee28949c4b06e9b8317a579091179e0a434739f6524673b6441d11950b215c85092e92979ec53cd726cd234f0480133961b5b00c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
80b878b71b411b285250f5d77e03ded8

SHA1
793a99e4843cf613d5b176c34ad2d0e74b2d26ba

SHA256
bf483d543349eacdfdf8988dfd6d08adf9ea017965f9e0d757e783c1bd868d1c

SHA512
25f311fd427092639ecabc1b30da7b51c7fe9c60cfcfda01dda917c0aee48f0ac6cd6879dc8f9e8ec9422666c8c72681a1815961d651d2d272258a8b3c56c17e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
23a99233381a5a467e33be8a937893c8

SHA1
ae1a5030153fc749fc66d8d15b6b0553edfaacd8

SHA256
c9668bdc2bcd2d8846d3cfe14c9f89b15cc2a841be17bf97e07a5ca2b665a584

SHA512
c289282cff4a2ec0f9dc57145a11c30b7aa19f461a0590e2d7319f373bc7753b5952fc185cc590b469a4a6df213dfc56c88e628a80fdd7d32a5d90f96c87190d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
23a99233381a5a467e33be8a937893c8

SHA1
ae1a5030153fc749fc66d8d15b6b0553edfaacd8

SHA256
c9668bdc2bcd2d8846d3cfe14c9f89b15cc2a841be17bf97e07a5ca2b665a584

SHA512
c289282cff4a2ec0f9dc57145a11c30b7aa19f461a0590e2d7319f373bc7753b5952fc185cc590b469a4a6df213dfc56c88e628a80fdd7d32a5d90f96c87190d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
98e790fd64a836996404ab164275599b

SHA1
c2a88235eb54c8515b3a0d64b0b30c651ff93a74

SHA256
c63a1bc7f0ea612a8b0b4cd61aa4796417e807f877f805ead1d48bb2e4a27342

SHA512
d8d7325a88d40cd6bccb76531d94db319dd8928acdc679cdaee62f4c77dd989cd1ce95c24e026edd0410e267dba709ac6463c91bf414a677351c6cc67caea4ca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
fa24d2a723fc4f113d07251c24941fdc

SHA1
7abba793fc16841352ed386766bf112808091816

SHA256
48ef8cff157bc69edab64116272f8cd9b57087426d8c97a32f841d33ee71f29e

SHA512
158874cd8e18d25a204da636092e6cd809da3a083c7338fab88e24ab40d72325aadb08fdb16af343f1284bd591021534e15ae1dd378fc3ab1f49d059e6cffc2a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
fc176ae18dc251e13392f780b2f26b48

SHA1
00a73867a1f15c3fbd147d9a66235ca20227ea3f

SHA256
e3935b04c3fdd25ac2d585a5c16ae6828a8c9143cd9b730b564028c52fd4e099

SHA512
7f0f342846de23c0798d5a49d791bd32a9135b3a582ffebb9b59c6a67c41452c95e35945995ce128324f6b9262c1d8b6f64311622108a88179e1ced7dc7b06dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
fc176ae18dc251e13392f780b2f26b48

SHA1
00a73867a1f15c3fbd147d9a66235ca20227ea3f

SHA256
e3935b04c3fdd25ac2d585a5c16ae6828a8c9143cd9b730b564028c52fd4e099

SHA512
7f0f342846de23c0798d5a49d791bd32a9135b3a582ffebb9b59c6a67c41452c95e35945995ce128324f6b9262c1d8b6f64311622108a88179e1ced7dc7b06dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
11b8184569f5a1f6f60536638178b41a

SHA1
a8d8f9ef5846cd96bef580e98222607b2c6e86ec

SHA256
72c9bab07720d33144b592ae46b0de266e5a6ad80ef5429f69988e15adf6fb3b

SHA512
fd7a0f5d4da3c2b63563f3357bdfcfb281fc3d3d74a16dfb5885ed0f68b2e2eac05ad5d80ff55f50f4d1b81ae7534cd1be33d281b6ed3f5198152340969649c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
11b8184569f5a1f6f60536638178b41a

SHA1
a8d8f9ef5846cd96bef580e98222607b2c6e86ec

SHA256
72c9bab07720d33144b592ae46b0de266e5a6ad80ef5429f69988e15adf6fb3b

SHA512
fd7a0f5d4da3c2b63563f3357bdfcfb281fc3d3d74a16dfb5885ed0f68b2e2eac05ad5d80ff55f50f4d1b81ae7534cd1be33d281b6ed3f5198152340969649c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7bb809eb534a47662626ff83610478ae

SHA1
3f26456391efe1ae470d76f64ea806086ada48ff

SHA256
a0b67ee86192bca056abcfaf41ffc5a1f5db001afc44aa84a9fc034172108b30

SHA512
88f7f9202f1f2941c1fda02f60514c95e56ef9844574942d61ff214c98d313dff639ad06bd72e1d6da0248ee00291af64a550009313df5c66881a0db1ea8caba

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1bb73568439cc1504f5887ca9e29fbf

SHA1
4a53700915dcce90ecf110ff0307ab238d9f370e

SHA256
aeb99722ddf5c99f732a867661032f57f2bea351eadcd023ce5c1eb8265f3afd

SHA512
9f7cdf1cedd09f70227ed1a35adbad5f06554cc2a074950edeabc50145335840b9a390a4674f168af96582fc92f74efc9288b74a9967520afc465836716557b6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9b4117d8845aacbccb044fa37883bf14

SHA1
bd0fdbcc6fb6e65afb0173b67fe428b7795c81be

SHA256
526f37505dce9e14f1f66b19a578fdabce3475bbef3dfb069191fbc9e5ee43bd

SHA512
a82f187f1da57e22bd809b373efc0e4ddad140acb4d6ff5f25e52c910b9a90f014453ec98830e04451c43f2e0dcb9507063a3decbdffb5bd748c6b8161e35d95

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
be3ba1f408c0720f9736e683b3f3af46

SHA1
c6116c6f6dcade055b7758a472ef890eccffacb3

SHA256
10f7cb44b12b8dfd9e3d0e5713528855db34aabcc7b212cedcc12f8d81dfc23d

SHA512
a538e3c0d1188dbd3d29e2180c4f8dafb942e4ff435c9b87c3be831abcd85f71b819eecb0e726ef0144a57b8056cc3797557f9ea346dea11a07d24fdcec96a23

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2b77cb6b3540c2ff09a32dad8c8ed9f3

SHA1
b576eeafcda416af581a04946313712293fc5944

SHA256
94420cf0aff886c550950d4c52a99c3b3a706a1b35ba8ec36e2dfdbd4b56c3f6

SHA512
4e861060b5a4129c1bd296ea196814670738b34354d7155b563b0635e4e6562b2f10dd12230f627e193c33e4ddca92fbf51614c67b919299d376d240486045f8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3733d8f9669eb4a3ab27f4f006b188b2

SHA1
919f7788627754d68018e85ecedbe0f1e349ec19

SHA256
38fbaa64b69321e0e272d0fc59f1cf7ab0fba11d04340baf3845e13b06e06e8b

SHA512
eec55cdda471a4f269c476ef8a7af32bdd68f67c8587468aa30bd9645686dae698fa1f4fd019b8e2bc06cabc0a13945f49e61df92d37f1978282704da2eb1924

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
878111379842ba418b68f2a327a12086

SHA1
06ca885e3c7367305ce1d01c582bb05664a98a30

SHA256
fb860af0de85c83c0b6fb7bdb620c6cb74cf0a2976b8dd495b5d5a14097fea86

SHA512
e936a580f61dc8791abe279c745b0958827fc02a25bf3c39b4461cbe9c4b7ebdcd1663f88010aa2910dd551816c6066c6af73709eb0862e1a34102c982b102e8

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
d1053c68a40155b1f143ad8441dbd72f

SHA1
d7c4b87dd6d504cad8dd8603d083558f163ac777

SHA256
d445567e1caf5ca4dea8aac98d21710af762f67eb1945657255dbd7829ad39a3

SHA512
c91492a93f0ad5b371b9eb5a42ee62dcff2138aa2dc004b8e1cdefde39ad32216f570e226ad03bf69683bdd76939e6b52d41b2567065febf89d7424ed4f5b8a7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7a1c7a1f4223a40b886fb7c8d2542ba1

SHA1
2e9d82f9da2466e885fff2798d3a99bafe17dcdd

SHA256
9ebf9d4a51120740718c7fbd3337c3a279c2c6b5195437fc825171908d995c8d

SHA512
33bdb213502b54dd49ce52739fca71646d50150b23933efb05d98c60b5b2dad4b8977c230dc8885583a8782f72d6bb170544e17fe516090150e17dbe740b8023

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
ea0f8f2730017cc2195daf26ad11ca81

SHA1
bd86cfb97a0d6e275d51b46ba68af5b1911c4095

SHA256
c95ed11b319280a1a6d36a40a80e1ae91d49488fc168d618662b074aea75b834

SHA512
7c85f1e3bebfa51b4830c6a45659884e4ccc172be02faad9e53955dc21de51da3e721f1cc45425e2209dc035e9e6da3cbd2301eff7b89bac3b2cd584a1dbfd1d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4a0ca7eee1875094aed9d05cd5c71f67

SHA1
7b51557e28dcaaab291bb0b7b3b684cae706b03b

SHA256
276325bf7f02375523930e24d65c6a29d1aea1b09cc1753ca2b5ca84612db0d6

SHA512
49bf418149bb5bd974f7aa493229852edefac5118e92999763c339d146b0fbbdb31bac22c9352369495a0fb7d20b20d3ed0ae339c28b3d32261c5814761bcc13

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
3cb84fc9b82e041ffbb2954b13c45188

SHA1
5c47156f8dea92c4f4ce842db123640ddd43fb3a

SHA256
ddc54a73b990a2bb082a6ab5ba52cc3bc6650f7e884294c747c55b7b781dca4d

SHA512
f3a527a70ec890b6847102b92fc129c7ddbd0b9c370087bef95c460250fff32755fd0977299db6f00527bc19be20618cbd466205f474ef49224528ffb1ec0e2c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
22222764b2c4a2dc64877e34fda8d601

SHA1
c1a46de3d8a913109ff5563bf2dfee6d2e835656

SHA256
e7bbf15ba4e88bb5dfc659dddad703bcc7c7b19267d8b839830e902d525dc67a

SHA512
593fb264dffb56228b489bfbcc38991e7651b0fcb22ca35c24dc1c27a0554f7eb3236962a3225594aa04ece296762b6bb0c260a772f4d9f25d1179ae613b0558

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5b261238e81656d9ab7afa493c80d3d6

SHA1
3e61a36f5b766a5cea7475651db28d5c18a0580a

SHA256
96bb5b3912004d1c1a23581045776918f7750c0046129b0a92eb93a87f646d55

SHA512
bd52b5eb414fe902544233e364eb6617d01daf40b439c91543bcc5b0d4fcd6c661314b041f3b94cd3e4af66c14e58478b9025d87881de3540020830a4e4c4bdc

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
047d57a058c5bbd187d2c6c6171f6ceb

SHA1
31a5b9c78e708ed5f514678bc07ebb4f4c91cb90

SHA256
668293255551861ebdb30fac7f4b09caeafa40c1e0a5908ad7fecbcf4db2ab31

SHA512
6f4c00d76f4f3e89bf82aa56860f87b009a3202cf2f6274f921007c31618d7b6e10dc4d2c5d671b3ad6807ae8d1635236edf6902096793953a1f6fe025ef6ef7

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
58549a0fb045dfd05191726a2df223ab

SHA1
4087245c28604c0324e7e3904991f9191336bb4e

SHA256
707ad438ec492a1e21a978ffefcf9f348843b3aa1cf018e5e8caacdc1feee237

SHA512
2b67546d17c45122849d0486b6e8fc3764970fdaae93a2b15cb5290aadc31fe92a9b626b5223f1a7370f412ac2c8d829899a07260c7284e2c0c8e37896a86d89

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ea0f8f2730017cc2195daf26ad11ca81

SHA1
bd86cfb97a0d6e275d51b46ba68af5b1911c4095

SHA256
c95ed11b319280a1a6d36a40a80e1ae91d49488fc168d618662b074aea75b834

SHA512
7c85f1e3bebfa51b4830c6a45659884e4ccc172be02faad9e53955dc21de51da3e721f1cc45425e2209dc035e9e6da3cbd2301eff7b89bac3b2cd584a1dbfd1d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
23a99233381a5a467e33be8a937893c8

SHA1
ae1a5030153fc749fc66d8d15b6b0553edfaacd8

SHA256
c9668bdc2bcd2d8846d3cfe14c9f89b15cc2a841be17bf97e07a5ca2b665a584

SHA512
c289282cff4a2ec0f9dc57145a11c30b7aa19f461a0590e2d7319f373bc7753b5952fc185cc590b469a4a6df213dfc56c88e628a80fdd7d32a5d90f96c87190d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
fa24d2a723fc4f113d07251c24941fdc

SHA1
7abba793fc16841352ed386766bf112808091816

SHA256
48ef8cff157bc69edab64116272f8cd9b57087426d8c97a32f841d33ee71f29e

SHA512
158874cd8e18d25a204da636092e6cd809da3a083c7338fab88e24ab40d72325aadb08fdb16af343f1284bd591021534e15ae1dd378fc3ab1f49d059e6cffc2a

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
be3ba1f408c0720f9736e683b3f3af46

SHA1
c6116c6f6dcade055b7758a472ef890eccffacb3

SHA256
10f7cb44b12b8dfd9e3d0e5713528855db34aabcc7b212cedcc12f8d81dfc23d

SHA512
a538e3c0d1188dbd3d29e2180c4f8dafb942e4ff435c9b87c3be831abcd85f71b819eecb0e726ef0144a57b8056cc3797557f9ea346dea11a07d24fdcec96a23

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3733d8f9669eb4a3ab27f4f006b188b2

SHA1
919f7788627754d68018e85ecedbe0f1e349ec19

SHA256
38fbaa64b69321e0e272d0fc59f1cf7ab0fba11d04340baf3845e13b06e06e8b

SHA512
eec55cdda471a4f269c476ef8a7af32bdd68f67c8587468aa30bd9645686dae698fa1f4fd019b8e2bc06cabc0a13945f49e61df92d37f1978282704da2eb1924

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
878111379842ba418b68f2a327a12086

SHA1
06ca885e3c7367305ce1d01c582bb05664a98a30

SHA256
fb860af0de85c83c0b6fb7bdb620c6cb74cf0a2976b8dd495b5d5a14097fea86

SHA512
e936a580f61dc8791abe279c745b0958827fc02a25bf3c39b4461cbe9c4b7ebdcd1663f88010aa2910dd551816c6066c6af73709eb0862e1a34102c982b102e8

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
d1053c68a40155b1f143ad8441dbd72f

SHA1
d7c4b87dd6d504cad8dd8603d083558f163ac777

SHA256
d445567e1caf5ca4dea8aac98d21710af762f67eb1945657255dbd7829ad39a3

SHA512
c91492a93f0ad5b371b9eb5a42ee62dcff2138aa2dc004b8e1cdefde39ad32216f570e226ad03bf69683bdd76939e6b52d41b2567065febf89d7424ed4f5b8a7

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7a1c7a1f4223a40b886fb7c8d2542ba1

SHA1
2e9d82f9da2466e885fff2798d3a99bafe17dcdd

SHA256
9ebf9d4a51120740718c7fbd3337c3a279c2c6b5195437fc825171908d995c8d

SHA512
33bdb213502b54dd49ce52739fca71646d50150b23933efb05d98c60b5b2dad4b8977c230dc8885583a8782f72d6bb170544e17fe516090150e17dbe740b8023

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
ea0f8f2730017cc2195daf26ad11ca81

SHA1
bd86cfb97a0d6e275d51b46ba68af5b1911c4095

SHA256
c95ed11b319280a1a6d36a40a80e1ae91d49488fc168d618662b074aea75b834

SHA512
7c85f1e3bebfa51b4830c6a45659884e4ccc172be02faad9e53955dc21de51da3e721f1cc45425e2209dc035e9e6da3cbd2301eff7b89bac3b2cd584a1dbfd1d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
ea0f8f2730017cc2195daf26ad11ca81

SHA1
bd86cfb97a0d6e275d51b46ba68af5b1911c4095

SHA256
c95ed11b319280a1a6d36a40a80e1ae91d49488fc168d618662b074aea75b834

SHA512
7c85f1e3bebfa51b4830c6a45659884e4ccc172be02faad9e53955dc21de51da3e721f1cc45425e2209dc035e9e6da3cbd2301eff7b89bac3b2cd584a1dbfd1d

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4a0ca7eee1875094aed9d05cd5c71f67

SHA1
7b51557e28dcaaab291bb0b7b3b684cae706b03b

SHA256
276325bf7f02375523930e24d65c6a29d1aea1b09cc1753ca2b5ca84612db0d6

SHA512
49bf418149bb5bd974f7aa493229852edefac5118e92999763c339d146b0fbbdb31bac22c9352369495a0fb7d20b20d3ed0ae339c28b3d32261c5814761bcc13

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
3cb84fc9b82e041ffbb2954b13c45188

SHA1
5c47156f8dea92c4f4ce842db123640ddd43fb3a

SHA256
ddc54a73b990a2bb082a6ab5ba52cc3bc6650f7e884294c747c55b7b781dca4d

SHA512
f3a527a70ec890b6847102b92fc129c7ddbd0b9c370087bef95c460250fff32755fd0977299db6f00527bc19be20618cbd466205f474ef49224528ffb1ec0e2c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
22222764b2c4a2dc64877e34fda8d601

SHA1
c1a46de3d8a913109ff5563bf2dfee6d2e835656

SHA256
e7bbf15ba4e88bb5dfc659dddad703bcc7c7b19267d8b839830e902d525dc67a

SHA512
593fb264dffb56228b489bfbcc38991e7651b0fcb22ca35c24dc1c27a0554f7eb3236962a3225594aa04ece296762b6bb0c260a772f4d9f25d1179ae613b0558

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5b261238e81656d9ab7afa493c80d3d6

SHA1
3e61a36f5b766a5cea7475651db28d5c18a0580a

SHA256
96bb5b3912004d1c1a23581045776918f7750c0046129b0a92eb93a87f646d55

SHA512
bd52b5eb414fe902544233e364eb6617d01daf40b439c91543bcc5b0d4fcd6c661314b041f3b94cd3e4af66c14e58478b9025d87881de3540020830a4e4c4bdc

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
047d57a058c5bbd187d2c6c6171f6ceb

SHA1
31a5b9c78e708ed5f514678bc07ebb4f4c91cb90

SHA256
668293255551861ebdb30fac7f4b09caeafa40c1e0a5908ad7fecbcf4db2ab31

SHA512
6f4c00d76f4f3e89bf82aa56860f87b009a3202cf2f6274f921007c31618d7b6e10dc4d2c5d671b3ad6807ae8d1635236edf6902096793953a1f6fe025ef6ef7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
58549a0fb045dfd05191726a2df223ab

SHA1
4087245c28604c0324e7e3904991f9191336bb4e

SHA256
707ad438ec492a1e21a978ffefcf9f348843b3aa1cf018e5e8caacdc1feee237

SHA512
2b67546d17c45122849d0486b6e8fc3764970fdaae93a2b15cb5290aadc31fe92a9b626b5223f1a7370f412ac2c8d829899a07260c7284e2c0c8e37896a86d89

Download Submit
memory/568-151-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/592-155-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/704-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/704-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/704-69-0x0000000002800000-0x0000000002866000-memory.dmp

Filesize
408KB

Download
memory/704-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/704-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/704-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/704-253-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/704-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/704-74-0x0000000002800000-0x0000000002866000-memory.dmp

Filesize
408KB

Download
memory/704-85-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/844-125-0x0000000000B40000-0x0000000000BA6000-memory.dmp

Filesize
408KB

Download
memory/844-136-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/844-130-0x0000000000B40000-0x0000000000BA6000-memory.dmp

Filesize
408KB

Download
memory/1000-248-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1072-90-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1072-252-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1072-82-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1072-83-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1108-215-0x00000000009A0000-0x0000000000A20000-memory.dmp

Filesize
512KB

Download
memory/1108-187-0x00000000009A0000-0x0000000000A20000-memory.dmp

Filesize
512KB

Download
memory/1108-191-0x00000000009A0000-0x0000000000A20000-memory.dmp

Filesize
512KB

Download
memory/1184-402-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1184-108-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1336-134-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1608-237-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1628-106-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1632-177-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1632-167-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1632-343-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1632-415-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1632-173-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1660-364-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1660-180-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/1660-186-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1704-433-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1716-55-0x0000000004730000-0x0000000004770000-memory.dmp

Filesize
256KB

Download
memory/1716-56-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/1716-59-0x0000000005E40000-0x0000000005F78000-memory.dmp

Filesize
1.2MB

Download
memory/1716-58-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1716-60-0x000000000A3F0000-0x000000000A5A0000-memory.dmp

Filesize
1.7MB

Download
memory/1716-54-0x0000000000140000-0x00000000002AC000-memory.dmp

Filesize
1.4MB

Download
memory/1716-57-0x0000000004730000-0x0000000004770000-memory.dmp

Filesize
256KB

Download
memory/1724-231-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1724-217-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1724-278-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1880-100-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1880-121-0x00000000009A0000-0x0000000000A5C000-memory.dmp

Filesize
752KB

Download
memory/1880-105-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1880-102-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1880-99-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-133-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/1880-98-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1892-163-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1892-156-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1892-322-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1892-160-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1892-164-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1892-178-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1892-152-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1976-195-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/1976-255-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1976-213-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1976-197-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2044-274-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2144-297-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2244-306-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2292-434-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2336-317-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2340-484-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2380-456-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2380-457-0x00000000005D0000-0x00000000007D9000-memory.dmp

Filesize
2.0MB

Download
memory/2428-325-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2504-534-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2504-485-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2520-341-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2568-486-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2616-344-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2616-355-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2716-367-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2732-501-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2764-504-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2808-368-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download
memory/2808-379-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2848-535-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2908-380-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2908-391-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3004-403-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download