blustealer | 693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Technical Spec.exe
Size

1.5MB
MD5

ebf99fc11603d1ec4706b4330761df32
SHA1

c560ca5ae10593d7861701654d839d1071515866
SHA256

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb
SHA512

d31c699f201343bd02c07bbf5d41e00df8368b81bfbb1d037fb4b1e1894fd3b8232e80b065845745fa6dab7f23d47efbb1d8b6a9143f5b7db0fb4a57395c4f4a
SSDEEP

49152:NQh9Nn3uFcWIY2YZGIUtNlMpovD2i9c2:0/37Wp2YPUtNlMG7N

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
460	Process not Found
1828	alg.exe
1092	aspnet_state.exe
1812	mscorsvw.exe
1144	mscorsvw.exe
1692	mscorsvw.exe
2000	mscorsvw.exe
2036	dllhost.exe
1744	ehRecvr.exe
820	ehsched.exe
1036	mscorsvw.exe
1760	elevation_service.exe
1084	IEEtwCollector.exe
1704	mscorsvw.exe
1452	mscorsvw.exe
1572	mscorsvw.exe
2112	mscorsvw.exe
2216	mscorsvw.exe
2308	mscorsvw.exe
2408	mscorsvw.exe
2596	GROOVE.EXE
2580	mscorsvw.exe
2732	maintenanceservice.exe
2832	msdtc.exe
2920	msiexec.exe
1380	OSE.EXE
2068	OSPPSVC.EXE
2188	perfhost.exe
2060	locator.exe
2272	snmptrap.exe
2392	vds.exe
2352	vssvc.exe
1616	wbengine.exe
2572	WmiApSrv.exe
2448	mscorsvw.exe
2852	wmpnetwk.exe
2988	SearchIndexer.exe
2372	mscorsvw.exe
2056	mscorsvw.exe
1624	mscorsvw.exe
2656	mscorsvw.exe
1040	mscorsvw.exe
2232	mscorsvw.exe
1284	mscorsvw.exe
2504	mscorsvw.exe
2400	mscorsvw.exe
2820	mscorsvw.exe
2280	mscorsvw.exe
2436	mscorsvw.exe
2688	mscorsvw.exe
1096	mscorsvw.exe
2748	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2920	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\vds.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ad90681947bf3ad0.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Technical Spec.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Technical Spec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 944	1376	Technical Spec.exe	28
PID 944 set thread context of 1664	944	Technical Spec.exe	33

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Technical Spec.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Technical Spec.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Technical Spec.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Technical Spec.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Technical Spec.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Technical Spec.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Technical Spec.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{24772D4E-C204-468B-A05C-1B8592B2752D}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Technical Spec.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{24772D4E-C204-468B-A05C-1B8592B2752D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{E9725CFC-3FDF-4692-8940-E2498DFE7E0D}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1376	Technical Spec.exe
1948	ehRec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe
944	Technical Spec.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	Technical Spec.exe
Token: SeTakeOwnershipPrivilege	944	Technical Spec.exe
Token: SeShutdownPrivilege	1692	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1692	mscorsvw.exe
Token: SeShutdownPrivilege	1692	mscorsvw.exe
Token: SeShutdownPrivilege	1692	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	1780	EhTray.exe
Token: SeIncBasePriorityPrivilege	1780	EhTray.exe
Token: SeDebugPrivilege	1948	ehRec.exe
Token: 33	1780	EhTray.exe
Token: SeIncBasePriorityPrivilege	1780	EhTray.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeSecurityPrivilege	2920	msiexec.exe
Token: SeBackupPrivilege	2352	vssvc.exe
Token: SeRestorePrivilege	2352	vssvc.exe
Token: SeAuditPrivilege	2352	vssvc.exe
Token: SeBackupPrivilege	1616	wbengine.exe
Token: SeRestorePrivilege	1616	wbengine.exe
Token: SeSecurityPrivilege	1616	wbengine.exe
Token: SeManageVolumePrivilege	2988	SearchIndexer.exe
Token: 33	2988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2988	SearchIndexer.exe
Token: 33	2852	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2852	wmpnetwk.exe
Token: SeDebugPrivilege	944	Technical Spec.exe
Token: SeDebugPrivilege	944	Technical Spec.exe
Token: SeDebugPrivilege	944	Technical Spec.exe
Token: SeDebugPrivilege	944	Technical Spec.exe
Token: SeDebugPrivilege	944	Technical Spec.exe
Token: SeShutdownPrivilege	1692	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1780	EhTray.exe
1780	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1780	EhTray.exe
1780	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
944	Technical Spec.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe
2776	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1168	1376	Technical Spec.exe	27
PID 1376 wrote to memory of 1168	1376	Technical Spec.exe	27
PID 1376 wrote to memory of 1168	1376	Technical Spec.exe	27
PID 1376 wrote to memory of 1168	1376	Technical Spec.exe	27
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 1376 wrote to memory of 944	1376	Technical Spec.exe	28
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 944 wrote to memory of 1664	944	Technical Spec.exe	33
PID 2000 wrote to memory of 1036	2000	mscorsvw.exe	40
PID 2000 wrote to memory of 1036	2000	mscorsvw.exe	40
PID 2000 wrote to memory of 1036	2000	mscorsvw.exe	40
PID 2000 wrote to memory of 1704	2000	mscorsvw.exe	44
PID 2000 wrote to memory of 1704	2000	mscorsvw.exe	44
PID 2000 wrote to memory of 1704	2000	mscorsvw.exe	44
PID 1692 wrote to memory of 1452	1692	mscorsvw.exe	45
PID 1692 wrote to memory of 1452	1692	mscorsvw.exe	45
PID 1692 wrote to memory of 1452	1692	mscorsvw.exe	45
PID 1692 wrote to memory of 1452	1692	mscorsvw.exe	45
PID 1692 wrote to memory of 1572	1692	mscorsvw.exe	46
PID 1692 wrote to memory of 1572	1692	mscorsvw.exe	46
PID 1692 wrote to memory of 1572	1692	mscorsvw.exe	46
PID 1692 wrote to memory of 1572	1692	mscorsvw.exe	46
PID 1692 wrote to memory of 2112	1692	mscorsvw.exe	47
PID 1692 wrote to memory of 2112	1692	mscorsvw.exe	47
PID 1692 wrote to memory of 2112	1692	mscorsvw.exe	47
PID 1692 wrote to memory of 2112	1692	mscorsvw.exe	47
PID 1692 wrote to memory of 2216	1692	mscorsvw.exe	48
PID 1692 wrote to memory of 2216	1692	mscorsvw.exe	48
PID 1692 wrote to memory of 2216	1692	mscorsvw.exe	48
PID 1692 wrote to memory of 2216	1692	mscorsvw.exe	48
PID 1692 wrote to memory of 2308	1692	mscorsvw.exe	49
PID 1692 wrote to memory of 2308	1692	mscorsvw.exe	49
PID 1692 wrote to memory of 2308	1692	mscorsvw.exe	49
PID 1692 wrote to memory of 2308	1692	mscorsvw.exe	49
PID 1692 wrote to memory of 2408	1692	mscorsvw.exe	50
PID 1692 wrote to memory of 2408	1692	mscorsvw.exe	50
PID 1692 wrote to memory of 2408	1692	mscorsvw.exe	50
PID 1692 wrote to memory of 2408	1692	mscorsvw.exe	50
PID 1692 wrote to memory of 2580	1692	mscorsvw.exe	51
PID 1692 wrote to memory of 2580	1692	mscorsvw.exe	51
PID 1692 wrote to memory of 2580	1692	mscorsvw.exe	51
PID 1692 wrote to memory of 2580	1692	mscorsvw.exe	51
PID 1692 wrote to memory of 2448	1692	mscorsvw.exe	65
PID 1692 wrote to memory of 2448	1692	mscorsvw.exe	65
PID 1692 wrote to memory of 2448	1692	mscorsvw.exe	65
PID 1692 wrote to memory of 2448	1692	mscorsvw.exe	65
PID 2988 wrote to memory of 2776	2988	SearchIndexer.exe	68
PID 2988 wrote to memory of 2776	2988	SearchIndexer.exe	68
PID 2988 wrote to memory of 2776	2988	SearchIndexer.exe	68
PID 1692 wrote to memory of 2372	1692	mscorsvw.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1812

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 244 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1f0 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1f0 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 258 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 1d8 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 278 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 298 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1744

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:820

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1084

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2732

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2832

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1380

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1563773381-2037468142-1146002597-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1563773381-2037468142-1146002597-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0a0b1b3582eccd934673911f0ce3b0ec

SHA1
5fe3b5438c40c767acc4617ab0ce01b7875565fa

SHA256
1a03d4384a3207de517086cf32b0fb8d6df99187a0a451e29b26ba45398cb0d2

SHA512
f10c021795bb2529f63207eeb64ac2bd23efd71dd06e3b5d67672ce5c578356fc28c49b8954b76d271887b097f58832060c2294836bf5f4646f0689d45f6c841

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
3c313cd06120c875d08a6def6472a1e2

SHA1
62848b956b92641fa55abf4c1ee94fee917b565a

SHA256
2c547694794dc7b7fdebe4516a0e4866395135cc24359faba9f5c52330399160

SHA512
5ec164dc47aebab2ac29b684a2fee5f2fd54b159073d298e0c95628ecd7fd7ea62c52e6c00e5beb9c5a95883913be6b30fe38d728f236ec2c19ba59fae5ba2bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9c22faf725b7bb64a72136ad64c4adc2

SHA1
2bce2a6381a648bef66acfffad7dccdd4e622662

SHA256
ebcdb5463c553ccd7607b69e07ce9fbb3eff6058f36e4823b504e87425b2529c

SHA512
a9d808e91b3f25611d4df99cd4671fd100b3437eb01c73e2a98ff627cb62990cc4a1e99035064d2cdc3a773441d85fa8ad842d048424afeabab1c17dfed42b5d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
7a2dc5e1fa6f4ca9c7adf1f5fd7469f4

SHA1
fcbf603d0c78be82efe863473b5c05f328e31de1

SHA256
503c0a20ae2c2389febe4514f0c9098d9fdb93486ae2124a012d207d7781e698

SHA512
04f75e00795e2cbd816fd5cf2c792d423720ea2bf75acea48ea71a2e8738fd57456b345d349debbd9247262112da4086e4657568cd7f9aeaca73b24b1f4f9c82

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e7d06ebbc07a754ac7619bf593af0463

SHA1
951ef8a7ce413060367fbd4933f7399ffd7cca02

SHA256
3ec2962031ae68bb14a81c09275210c35e912d4dcb1c83931bb9aed7c6f94b32

SHA512
d61b0811f71d19a0965cb8becae8fa48c2bfca04e3742e62aa71a709ff6d9e03d4894e72ca9d2b0fe2a8ab801540222765f191dabd755598c7164ca28414a316

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
1608cb814cbab0fa64982c4f73d1d0bd

SHA1
3b72a03a632ddefbe847419333c5ab2fe1a54c47

SHA256
71b0d0e399ba11bad2a67985f982d6ebd3eb99494c6d9c5003d97aea324ba856

SHA512
f69d070d3f7319665d34f2b103a0fe2b50fcd08d7ba61fa2ad9b250d6ad93d3cf20e289f81517ed46f9d431d4d9dafcf85d171ae027db0f7efff87904d9208cf

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
db00eba02cdd2eadb056f64e63d3f6e4

SHA1
793ff1fb71239093af61d34f5e69ac1550842482

SHA256
1def3fabc184cc09761c5987a01358840cf126b30a17d3bacbd5906275c94f44

SHA512
b2504024342805748bcbe54b21d664560df24470b121115b6af0770ef44fc14193e4d19f0fe01f23be7451fdca85e61397c9746edcbddf2e7650e62c8f9065a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9fc08687445d250cab878daca9495e98

SHA1
c4fd22be0865fb33936f8f365fc1e1a1de323154

SHA256
1a76de00a2d36cc7eb5d9679f09b22e445d12e3ef69ccd72494a77b581aac8a5

SHA512
bf76e3f4cdd39bcc129f164b4bf974bfe3009d2905d69ff93a5b627eb92a4e3397ee9a498f38e8ef6de7d4facdbc6b34b96c3ade0fa4ad4f5c3fa84d551aa1d6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9fc08687445d250cab878daca9495e98

SHA1
c4fd22be0865fb33936f8f365fc1e1a1de323154

SHA256
1a76de00a2d36cc7eb5d9679f09b22e445d12e3ef69ccd72494a77b581aac8a5

SHA512
bf76e3f4cdd39bcc129f164b4bf974bfe3009d2905d69ff93a5b627eb92a4e3397ee9a498f38e8ef6de7d4facdbc6b34b96c3ade0fa4ad4f5c3fa84d551aa1d6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e48fb3e660137c5b9917aa7258d14d9a

SHA1
2d5c5260dfd9d3137b26d4771349333b6f439c4d

SHA256
cbba5b9fcaf3580f755587074353277f361ace7a2383a2e7eabf6072fb09818a

SHA512
d582430a9d29287b468d83b8b2e3d38b211ff9ca838999203580bbecd55452bbf5f87e37091d9a7936e18a3ac3ef9b422ae77375fba053a83748aed78ea73171

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
135587c64060fbb894077cfbfcaa00fe

SHA1
d92b77ae0247f2b33b6bb553d650577585e79406

SHA256
712eef6f36804c54b903230bc3dc5919f1bd5691bcbf327b733eee2ca1bb0ef0

SHA512
947e68e841043f8ceac8905de7bca88047a0fc42cc867116739f3fa93179860a6c1477d3b1cff5c022ad68dc959f298f27ed2114ffd26f5b2925c9ee17e19220

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
93db0f1f55d7f8afa1a7ff4abb54d44d

SHA1
3c88aae077f442f709adeb8c629fbc845c967cfc

SHA256
9261a4d7ee108d23e0e88fde755f4fc35e98f1742a1bed3bb8288ad71cb41d9a

SHA512
b172db8b8eb9696e9e64f6ad17202c8378ce7393a5a9537520ae3ca4a871ce8a230605a32cd5be34fefd1aad474832960188d75aac08b71c5a3eb545aff354d1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
93db0f1f55d7f8afa1a7ff4abb54d44d

SHA1
3c88aae077f442f709adeb8c629fbc845c967cfc

SHA256
9261a4d7ee108d23e0e88fde755f4fc35e98f1742a1bed3bb8288ad71cb41d9a

SHA512
b172db8b8eb9696e9e64f6ad17202c8378ce7393a5a9537520ae3ca4a871ce8a230605a32cd5be34fefd1aad474832960188d75aac08b71c5a3eb545aff354d1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
93db0f1f55d7f8afa1a7ff4abb54d44d

SHA1
3c88aae077f442f709adeb8c629fbc845c967cfc

SHA256
9261a4d7ee108d23e0e88fde755f4fc35e98f1742a1bed3bb8288ad71cb41d9a

SHA512
b172db8b8eb9696e9e64f6ad17202c8378ce7393a5a9537520ae3ca4a871ce8a230605a32cd5be34fefd1aad474832960188d75aac08b71c5a3eb545aff354d1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
93db0f1f55d7f8afa1a7ff4abb54d44d

SHA1
3c88aae077f442f709adeb8c629fbc845c967cfc

SHA256
9261a4d7ee108d23e0e88fde755f4fc35e98f1742a1bed3bb8288ad71cb41d9a

SHA512
b172db8b8eb9696e9e64f6ad17202c8378ce7393a5a9537520ae3ca4a871ce8a230605a32cd5be34fefd1aad474832960188d75aac08b71c5a3eb545aff354d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7ac0f34094975bf3a4b3977200eb2198

SHA1
d8600330191e5f946a5594a5d7450fbfce37e3ee

SHA256
b054eb564d29a6f7c6d6fb650ee01b543f102a11900a6a902ab73441eaa87042

SHA512
7e6af0bd59fc5cd3185db46f6ec5f287fc0a5ad53a98650d337d54b310b7e3a4055c655775a6b5efa1011526cc9a35b6a639d029d0ddbd0fd2ccf5411d77a21f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7ac0f34094975bf3a4b3977200eb2198

SHA1
d8600330191e5f946a5594a5d7450fbfce37e3ee

SHA256
b054eb564d29a6f7c6d6fb650ee01b543f102a11900a6a902ab73441eaa87042

SHA512
7e6af0bd59fc5cd3185db46f6ec5f287fc0a5ad53a98650d337d54b310b7e3a4055c655775a6b5efa1011526cc9a35b6a639d029d0ddbd0fd2ccf5411d77a21f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
09efef16af1cf02db609b3b4edb73cbb

SHA1
295195f8ad97234cfbe33cb7a8eefb73e323dfc5

SHA256
baca1fff68ece38697e507cda195a2ab750940630aba7534cf1456dea0af106a

SHA512
46e812447a71daee64f61b1d5a0f01403bd8d8bd525c1f048ab14d1ac878f9f1a0b1e36cb421b1105ca058f718a72be1eaebf361850ce2a6ec405779399a532c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
206f500f07737bc0e0e5bfa891760857

SHA1
795f6cd69cc942da071541e0b2ddddae603535b2

SHA256
4cadf10ac38990441a738cf4c55b046d95fc9854e54c8a05fea05fa0864cf4a9

SHA512
7f2c9a4b6a376bac3662c5c15b37327d38e9f233b82883f8dc094038fd7fa86f78e063e0f1eef54f5018c4b2a223a1679f9f49d8c68e7fd5423b4b4bb1cdd60c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4ded93d048735825bdde08bbc3d248d0

SHA1
2616d48f3d37660f5999b46802a71321a4fcba9f

SHA256
df08c3bf58ee149bbfb282279e208f5f310dd9654ef9b6848ed02e6ab6a86b23

SHA512
bfd30123c8b5e46c7d87ca278790b97f997acb38419dfe1984657f32999772071f9c5b32c411e52e68ec829d51c3d20fcb247da46965ee30e9fb260eb6686c41

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
037f3369a38acb3e49f9797ef07d6a13

SHA1
504d7611d9219473b857156271248f56dd4be91a

SHA256
4f10f113689a9f2d17f255356863aba879df4fedd79713053b43e33e5ae8a05b

SHA512
c218a9dee76f7fb9fb07d8986d2021aa04f869a1c6b8951d681da86988282f366748aaf7e485bc1f0b0b73c086af757236c2a5c172bdd8be0ab3212ab842b6cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
73e75acc8611badbb59e327da663618c

SHA1
ae65b5e0d8b7597b1bee2a10e809a6bd9efc1dad

SHA256
398bac39f00fc67ef1f6da4949966a0da87ee063b527da5d15f27c0fa9f4ad06

SHA512
a7f2e8ea61ebcb0891ce554c5ae7b43957de3e664b249630460c64cef4880796bc5bc1a5a1d2cb7acd95ec3ad2c1cb8eadb4c9c7dcd48ec43835980b568ba780

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f67f6ceed66a05b88f79ccc45bd10feb

SHA1
f9641ce9ccfc6f79b813356d20253a74ac70c6e6

SHA256
564aad432bbe42dc95547f99ea28010b36848107224076dc33e338f245a87fce

SHA512
73b3b522e1716384a324283b44ddf8360f099b6dc532cda66ad58e08f26f9d05184f13995761fc42e19e19f82649f0ee219872790c82255615caa08c7ae90f12

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
11b57e3394bc034db48da6ff9aff0d8a

SHA1
92683c66671b2e03d3817893df2bba28274281a2

SHA256
8df8a4e6ab279ec363304b3e5fb0ad19ec5fab46cb6283313565dba0a7a2ef92

SHA512
1975e31c5f5fd5ddf1fae54dffee256c35cee0c88dce45493bdaf3a1dc68cb7a0dea68e24b573233317304480c809fbbab22c3b9d4bf1107cf382b9b16933b7c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
dc58a9e9be33d083ea9fd44d3408cc7a

SHA1
a2aad5e3cb9283bd21ea660007d26b077789f872

SHA256
5b7c7eaab0249193359abbd6e697191b5fd23a516e834309313d01a1cddeba31

SHA512
8c9f5717e26d5c92cb4ecdc8560fc976aecef03dd7950fb8a859f5eba913e76a7a3010f766acc7b78b3e6dbbd3d61497d33a350d8028d806a26e60fbe0b86167

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
86bd09d4013a76574d882b90e03fc8b8

SHA1
11c7e58eb8b9d8750a83671f3054576b5c91a884

SHA256
40b01e87313a4ba9411350b69141a9a0bd23f0dd484b2662e4a7b9872a1d21c6

SHA512
67517059f64b8735b05e524df0602bced4427fdc877817b9a3337f59f5378307f19d7095d2f49c831c4e74648b4a28845137ef0163c71f4f3717e68c7175894e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1df6c93fca11ec0a59d2e4e97786382f

SHA1
7ca48af734f77d1dbb554a42b46c1e86dd99bcde

SHA256
1986edc65bee59a9f6322be08a18232f28fe464612b60cfce9c23912c4d2eeb8

SHA512
e0044c27aa9941c42b0eb85767c0254034d4808e8b00ae8f69ec45c4b14a4a3f7f4281d0e6632a3521b27902d6da153307d482410659f5605dde0de6cad87d94

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9f64c03535815e9eabc00f0e6e6870e5

SHA1
d5519ca19acbde19b3191c541f4aa1657e7eace2

SHA256
b1aeb33f67c20d285a118942437e718a7c989aece2143f4c970a04c5f229ec73

SHA512
6701147037bdb29dd4031c6255f7070919a520bfccf90696c3554ff7970149af2b6756cb23005650690251999f511a5414ee0e4b5ac69b92a821d535bb30725d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d15480f11fe5044a3b1357df7649c2a6

SHA1
2c1adb461330060b813cfb8a3c0a203efdce6b8d

SHA256
ab15b9bd4609ebef410632b7dd4101dfdfd7559a0066ee2ff73edbfa344bf058

SHA512
65308cfdfbc1ad47da598b09ea08df98e13267b0c05d81149531900d4c919caa2e068952277cb5de70a29f505b87f1f92280cc874ed07d675b610988567f83bb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a84e31db91e0afc59cd9941ff4672231

SHA1
f38552e0e801da56049bb7acdf21c8f4a3452fd0

SHA256
7addd219f9fe827de7585c576d4a5b750a524addea8ad2add0dbaf905b5a1807

SHA512
92fb1eb315da8b0b4ee80b8f8739dc2f04994fdc3776e0a975fd00c8521bcd1eff2764867f09e5f7bd277f110b0a00515d77c5c6e91080917016af53cad7ce89

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
05dbbd88cf6318e95d72a842e5e51d28

SHA1
775f916606df674b7e72a88e31cac41336d648cc

SHA256
940a250bbc2f018e1f8380f8dafc0c2d01e00768bba4ed94b5fe2c00525a5b0b

SHA512
d3b3900ab6349bbbb5bcb5edb7d6d156f04014d4d772052f1b9be225c17476b8f08f641902777724d93a4d778fb6500cc7e9dd3d1120eaa7c8887c586b1daefb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b7622249c5c5bf38331937e8f36c7bd9

SHA1
17e339d425831277b4fd77a054d78ef26b541460

SHA256
9ea8512c8fe8fc4f9240dfaa54f4f04ece0a753dea8b72e79be261c05e0d17a8

SHA512
45ab166dc0aa7b328a9972ce8d167426049c72943ffd07d39b9f0c304977e2ad7ddf80f41850687be9cbf64a1d55d3741f8f4a748f523a6f589dfd85e3fe7495

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5c052aabf5eb328b28ddec8147cf3a5c

SHA1
2821b82c46f38fd7f1d3610acf29dfe31a57d51f

SHA256
e535f5d3c875cd77ea28d75473bd68b28910aa52d833aa52f9de6e672e462311

SHA512
836bb18f480e581d0f06015a6a0a160be2ffac263556862fa4891be175a67544559e2cb2056bd6a7917c58b80cb09525c0110fd3c5428b1b92cf889c3eea6e7d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
90a8a47224a04259be51c4a53bcf8046

SHA1
6d4deca3731e8753e611b9664615beb218731957

SHA256
4acd594fdd20126cb4f1ec412efa0e5e8aa20083615f15c07ca43d43ca68923c

SHA512
69deb6b7d89fe2f6be7912ed586a68dfa99c322419d2d26bbb43bb3d77614e4313478aae855ba1de3cd115168278ad7fe15b2516be4e12dd4bdd51b79aaf63df

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
9f64c03535815e9eabc00f0e6e6870e5

SHA1
d5519ca19acbde19b3191c541f4aa1657e7eace2

SHA256
b1aeb33f67c20d285a118942437e718a7c989aece2143f4c970a04c5f229ec73

SHA512
6701147037bdb29dd4031c6255f7070919a520bfccf90696c3554ff7970149af2b6756cb23005650690251999f511a5414ee0e4b5ac69b92a821d535bb30725d

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
1608cb814cbab0fa64982c4f73d1d0bd

SHA1
3b72a03a632ddefbe847419333c5ab2fe1a54c47

SHA256
71b0d0e399ba11bad2a67985f982d6ebd3eb99494c6d9c5003d97aea324ba856

SHA512
f69d070d3f7319665d34f2b103a0fe2b50fcd08d7ba61fa2ad9b250d6ad93d3cf20e289f81517ed46f9d431d4d9dafcf85d171ae027db0f7efff87904d9208cf

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
1608cb814cbab0fa64982c4f73d1d0bd

SHA1
3b72a03a632ddefbe847419333c5ab2fe1a54c47

SHA256
71b0d0e399ba11bad2a67985f982d6ebd3eb99494c6d9c5003d97aea324ba856

SHA512
f69d070d3f7319665d34f2b103a0fe2b50fcd08d7ba61fa2ad9b250d6ad93d3cf20e289f81517ed46f9d431d4d9dafcf85d171ae027db0f7efff87904d9208cf

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9fc08687445d250cab878daca9495e98

SHA1
c4fd22be0865fb33936f8f365fc1e1a1de323154

SHA256
1a76de00a2d36cc7eb5d9679f09b22e445d12e3ef69ccd72494a77b581aac8a5

SHA512
bf76e3f4cdd39bcc129f164b4bf974bfe3009d2905d69ff93a5b627eb92a4e3397ee9a498f38e8ef6de7d4facdbc6b34b96c3ade0fa4ad4f5c3fa84d551aa1d6

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
135587c64060fbb894077cfbfcaa00fe

SHA1
d92b77ae0247f2b33b6bb553d650577585e79406

SHA256
712eef6f36804c54b903230bc3dc5919f1bd5691bcbf327b733eee2ca1bb0ef0

SHA512
947e68e841043f8ceac8905de7bca88047a0fc42cc867116739f3fa93179860a6c1477d3b1cff5c022ad68dc959f298f27ed2114ffd26f5b2925c9ee17e19220

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
037f3369a38acb3e49f9797ef07d6a13

SHA1
504d7611d9219473b857156271248f56dd4be91a

SHA256
4f10f113689a9f2d17f255356863aba879df4fedd79713053b43e33e5ae8a05b

SHA512
c218a9dee76f7fb9fb07d8986d2021aa04f869a1c6b8951d681da86988282f366748aaf7e485bc1f0b0b73c086af757236c2a5c172bdd8be0ab3212ab842b6cd

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
11b57e3394bc034db48da6ff9aff0d8a

SHA1
92683c66671b2e03d3817893df2bba28274281a2

SHA256
8df8a4e6ab279ec363304b3e5fb0ad19ec5fab46cb6283313565dba0a7a2ef92

SHA512
1975e31c5f5fd5ddf1fae54dffee256c35cee0c88dce45493bdaf3a1dc68cb7a0dea68e24b573233317304480c809fbbab22c3b9d4bf1107cf382b9b16933b7c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
dc58a9e9be33d083ea9fd44d3408cc7a

SHA1
a2aad5e3cb9283bd21ea660007d26b077789f872

SHA256
5b7c7eaab0249193359abbd6e697191b5fd23a516e834309313d01a1cddeba31

SHA512
8c9f5717e26d5c92cb4ecdc8560fc976aecef03dd7950fb8a859f5eba913e76a7a3010f766acc7b78b3e6dbbd3d61497d33a350d8028d806a26e60fbe0b86167

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
86bd09d4013a76574d882b90e03fc8b8

SHA1
11c7e58eb8b9d8750a83671f3054576b5c91a884

SHA256
40b01e87313a4ba9411350b69141a9a0bd23f0dd484b2662e4a7b9872a1d21c6

SHA512
67517059f64b8735b05e524df0602bced4427fdc877817b9a3337f59f5378307f19d7095d2f49c831c4e74648b4a28845137ef0163c71f4f3717e68c7175894e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1df6c93fca11ec0a59d2e4e97786382f

SHA1
7ca48af734f77d1dbb554a42b46c1e86dd99bcde

SHA256
1986edc65bee59a9f6322be08a18232f28fe464612b60cfce9c23912c4d2eeb8

SHA512
e0044c27aa9941c42b0eb85767c0254034d4808e8b00ae8f69ec45c4b14a4a3f7f4281d0e6632a3521b27902d6da153307d482410659f5605dde0de6cad87d94

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9f64c03535815e9eabc00f0e6e6870e5

SHA1
d5519ca19acbde19b3191c541f4aa1657e7eace2

SHA256
b1aeb33f67c20d285a118942437e718a7c989aece2143f4c970a04c5f229ec73

SHA512
6701147037bdb29dd4031c6255f7070919a520bfccf90696c3554ff7970149af2b6756cb23005650690251999f511a5414ee0e4b5ac69b92a821d535bb30725d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
9f64c03535815e9eabc00f0e6e6870e5

SHA1
d5519ca19acbde19b3191c541f4aa1657e7eace2

SHA256
b1aeb33f67c20d285a118942437e718a7c989aece2143f4c970a04c5f229ec73

SHA512
6701147037bdb29dd4031c6255f7070919a520bfccf90696c3554ff7970149af2b6756cb23005650690251999f511a5414ee0e4b5ac69b92a821d535bb30725d

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d15480f11fe5044a3b1357df7649c2a6

SHA1
2c1adb461330060b813cfb8a3c0a203efdce6b8d

SHA256
ab15b9bd4609ebef410632b7dd4101dfdfd7559a0066ee2ff73edbfa344bf058

SHA512
65308cfdfbc1ad47da598b09ea08df98e13267b0c05d81149531900d4c919caa2e068952277cb5de70a29f505b87f1f92280cc874ed07d675b610988567f83bb

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a84e31db91e0afc59cd9941ff4672231

SHA1
f38552e0e801da56049bb7acdf21c8f4a3452fd0

SHA256
7addd219f9fe827de7585c576d4a5b750a524addea8ad2add0dbaf905b5a1807

SHA512
92fb1eb315da8b0b4ee80b8f8739dc2f04994fdc3776e0a975fd00c8521bcd1eff2764867f09e5f7bd277f110b0a00515d77c5c6e91080917016af53cad7ce89

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
05dbbd88cf6318e95d72a842e5e51d28

SHA1
775f916606df674b7e72a88e31cac41336d648cc

SHA256
940a250bbc2f018e1f8380f8dafc0c2d01e00768bba4ed94b5fe2c00525a5b0b

SHA512
d3b3900ab6349bbbb5bcb5edb7d6d156f04014d4d772052f1b9be225c17476b8f08f641902777724d93a4d778fb6500cc7e9dd3d1120eaa7c8887c586b1daefb

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b7622249c5c5bf38331937e8f36c7bd9

SHA1
17e339d425831277b4fd77a054d78ef26b541460

SHA256
9ea8512c8fe8fc4f9240dfaa54f4f04ece0a753dea8b72e79be261c05e0d17a8

SHA512
45ab166dc0aa7b328a9972ce8d167426049c72943ffd07d39b9f0c304977e2ad7ddf80f41850687be9cbf64a1d55d3741f8f4a748f523a6f589dfd85e3fe7495

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5c052aabf5eb328b28ddec8147cf3a5c

SHA1
2821b82c46f38fd7f1d3610acf29dfe31a57d51f

SHA256
e535f5d3c875cd77ea28d75473bd68b28910aa52d833aa52f9de6e672e462311

SHA512
836bb18f480e581d0f06015a6a0a160be2ffac263556862fa4891be175a67544559e2cb2056bd6a7917c58b80cb09525c0110fd3c5428b1b92cf889c3eea6e7d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
90a8a47224a04259be51c4a53bcf8046

SHA1
6d4deca3731e8753e611b9664615beb218731957

SHA256
4acd594fdd20126cb4f1ec412efa0e5e8aa20083615f15c07ca43d43ca68923c

SHA512
69deb6b7d89fe2f6be7912ed586a68dfa99c322419d2d26bbb43bb3d77614e4313478aae855ba1de3cd115168278ad7fe15b2516be4e12dd4bdd51b79aaf63df

Download Submit
memory/820-439-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/820-336-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/820-163-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/820-175-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/820-169-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/944-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/944-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/944-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/944-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/944-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/944-69-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/944-94-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/944-268-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/944-74-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/944-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1036-202-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1036-218-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1036-189-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1036-179-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1084-205-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1084-367-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1092-269-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1092-97-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1144-112-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1376-59-0x0000000005E70000-0x0000000005FBA000-memory.dmp

Filesize
1.3MB

Download
memory/1376-54-0x0000000000E80000-0x000000000100A000-memory.dmp

Filesize
1.5MB

Download
memory/1376-57-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1376-58-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1376-56-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1376-60-0x0000000007FB0000-0x0000000008172000-memory.dmp

Filesize
1.8MB

Download
memory/1376-55-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1380-397-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1452-254-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1572-255-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1572-267-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1616-459-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1664-121-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1664-138-0x00000000024F0000-0x00000000025AC000-memory.dmp

Filesize
752KB

Download
memory/1664-115-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1664-116-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1664-127-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1664-117-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1692-129-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1692-131-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1692-284-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1692-120-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1704-220-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1704-225-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1744-201-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1744-152-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1744-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1744-165-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1744-168-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1744-335-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1744-158-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1760-203-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1812-126-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1828-88-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1828-95-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1828-82-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1948-253-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1948-219-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/1948-204-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/2000-146-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2036-147-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2060-427-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2068-400-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2112-281-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2112-270-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2188-404-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2216-289-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2272-430-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2308-305-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2308-287-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2352-455-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2392-432-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2408-307-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2408-626-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2448-490-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2572-488-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2580-673-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2580-347-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2596-344-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2732-363-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2832-369-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2852-492-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2920-383-0x0000000000570000-0x0000000000779000-memory.dmp

Filesize
2.0MB

Download
memory/2920-368-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2988-510-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download