blustealer | 693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Technical Spec.exe
Size

1.5MB
MD5

ebf99fc11603d1ec4706b4330761df32
SHA1

c560ca5ae10593d7861701654d839d1071515866
SHA256

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb
SHA512

d31c699f201343bd02c07bbf5d41e00df8368b81bfbb1d037fb4b1e1894fd3b8232e80b065845745fa6dab7f23d47efbb1d8b6a9143f5b7db0fb4a57395c4f4a
SSDEEP

49152:NQh9Nn3uFcWIY2YZGIUtNlMpovD2i9c2:0/37Wp2YPUtNlMG7N

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
468	Process not Found
1696	alg.exe
1684	aspnet_state.exe
1740	mscorsvw.exe
324	mscorsvw.exe
1656	mscorsvw.exe
900	mscorsvw.exe
1280	dllhost.exe
1872	ehRecvr.exe
1704	ehsched.exe
1628	elevation_service.exe
968	IEEtwCollector.exe
1980	GROOVE.EXE
2056	maintenanceservice.exe
2164	msdtc.exe
2272	msiexec.exe
2264	mscorsvw.exe
2500	OSE.EXE
2572	OSPPSVC.EXE
2668	mscorsvw.exe
2660	perfhost.exe
2732	locator.exe
2868	snmptrap.exe
2968	vds.exe
3060	vssvc.exe
2120	wbengine.exe
2364	mscorsvw.exe
2304	WmiApSrv.exe
1924	wmpnetwk.exe
2844	mscorsvw.exe
2988	SearchIndexer.exe
2052	mscorsvw.exe
2976	mscorsvw.exe
1460	mscorsvw.exe
2192	mscorsvw.exe
2620	mscorsvw.exe
464	mscorsvw.exe
888	mscorsvw.exe
2184	mscorsvw.exe
2864	mscorsvw.exe
2540	mscorsvw.exe
2920	mscorsvw.exe
2724	mscorsvw.exe
940	mscorsvw.exe
2848	mscorsvw.exe
2756	mscorsvw.exe
2300	mscorsvw.exe
1816	mscorsvw.exe
1072	mscorsvw.exe
2656	mscorsvw.exe
672	mscorsvw.exe
2336	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2272	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\vds.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\alg.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\88a8f084a5fe7035.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Technical Spec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\locator.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 1504	1344	Technical Spec.exe	28
PID 1504 set thread context of 1580	1504	Technical Spec.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Technical Spec.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Technical Spec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{545026EE-1D88-4B46-A84B-0E2253FE7065}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Technical Spec.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{545026EE-1D88-4B46-A84B-0E2253FE7065}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{80D69196-5E44-458A-A9ED-744E3A01C2AD}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{80D69196-5E44-458A-A9ED-744E3A01C2AD}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1312	ehRec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe
1504	Technical Spec.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1504	Technical Spec.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: 33	880	EhTray.exe
Token: SeIncBasePriorityPrivilege	880	EhTray.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeDebugPrivilege	1312	ehRec.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeSecurityPrivilege	2272	msiexec.exe
Token: 33	880	EhTray.exe
Token: SeIncBasePriorityPrivilege	880	EhTray.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeBackupPrivilege	3060	vssvc.exe
Token: SeRestorePrivilege	3060	vssvc.exe
Token: SeAuditPrivilege	3060	vssvc.exe
Token: SeBackupPrivilege	2120	wbengine.exe
Token: SeRestorePrivilege	2120	wbengine.exe
Token: SeSecurityPrivilege	2120	wbengine.exe
Token: 33	1924	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1924	wmpnetwk.exe
Token: SeManageVolumePrivilege	2988	SearchIndexer.exe
Token: 33	2988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2988	SearchIndexer.exe
Token: SeDebugPrivilege	1504	Technical Spec.exe
Token: SeDebugPrivilege	1504	Technical Spec.exe
Token: SeDebugPrivilege	1504	Technical Spec.exe
Token: SeDebugPrivilege	1504	Technical Spec.exe
Token: SeDebugPrivilege	1504	Technical Spec.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeDebugPrivilege	1696	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
880	EhTray.exe
880	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
880	EhTray.exe
880	EhTray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1504	Technical Spec.exe
652	SearchProtocolHost.exe
652	SearchProtocolHost.exe
652	SearchProtocolHost.exe
652	SearchProtocolHost.exe
652	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1344 wrote to memory of 1504	1344	Technical Spec.exe	28
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 1504 wrote to memory of 1580	1504	Technical Spec.exe	34
PID 900 wrote to memory of 2264	900	mscorsvw.exe	46
PID 900 wrote to memory of 2264	900	mscorsvw.exe	46
PID 900 wrote to memory of 2264	900	mscorsvw.exe	46
PID 900 wrote to memory of 2668	900	mscorsvw.exe	51
PID 900 wrote to memory of 2668	900	mscorsvw.exe	51
PID 900 wrote to memory of 2668	900	mscorsvw.exe	51
PID 1656 wrote to memory of 2364	1656	mscorsvw.exe	57
PID 1656 wrote to memory of 2364	1656	mscorsvw.exe	57
PID 1656 wrote to memory of 2364	1656	mscorsvw.exe	57
PID 1656 wrote to memory of 2364	1656	mscorsvw.exe	57
PID 1656 wrote to memory of 2844	1656	mscorsvw.exe	60
PID 1656 wrote to memory of 2844	1656	mscorsvw.exe	60
PID 1656 wrote to memory of 2844	1656	mscorsvw.exe	60
PID 1656 wrote to memory of 2844	1656	mscorsvw.exe	60
PID 1656 wrote to memory of 2052	1656	mscorsvw.exe	62
PID 1656 wrote to memory of 2052	1656	mscorsvw.exe	62
PID 1656 wrote to memory of 2052	1656	mscorsvw.exe	62
PID 1656 wrote to memory of 2052	1656	mscorsvw.exe	62
PID 1656 wrote to memory of 2976	1656	mscorsvw.exe	63
PID 1656 wrote to memory of 2976	1656	mscorsvw.exe	63
PID 1656 wrote to memory of 2976	1656	mscorsvw.exe	63
PID 1656 wrote to memory of 2976	1656	mscorsvw.exe	63
PID 2988 wrote to memory of 652	2988	SearchIndexer.exe	64
PID 2988 wrote to memory of 652	2988	SearchIndexer.exe	64
PID 2988 wrote to memory of 652	2988	SearchIndexer.exe	64
PID 1656 wrote to memory of 1460	1656	mscorsvw.exe	65
PID 1656 wrote to memory of 1460	1656	mscorsvw.exe	65
PID 1656 wrote to memory of 1460	1656	mscorsvw.exe	65
PID 1656 wrote to memory of 1460	1656	mscorsvw.exe	65
PID 1656 wrote to memory of 2192	1656	mscorsvw.exe	66
PID 1656 wrote to memory of 2192	1656	mscorsvw.exe	66
PID 1656 wrote to memory of 2192	1656	mscorsvw.exe	66
PID 1656 wrote to memory of 2192	1656	mscorsvw.exe	66
PID 1656 wrote to memory of 2620	1656	mscorsvw.exe	67
PID 1656 wrote to memory of 2620	1656	mscorsvw.exe	67
PID 1656 wrote to memory of 2620	1656	mscorsvw.exe	67
PID 1656 wrote to memory of 2620	1656	mscorsvw.exe	67
PID 1656 wrote to memory of 464	1656	mscorsvw.exe	68
PID 1656 wrote to memory of 464	1656	mscorsvw.exe	68
PID 1656 wrote to memory of 464	1656	mscorsvw.exe	68
PID 1656 wrote to memory of 464	1656	mscorsvw.exe	68
PID 1656 wrote to memory of 888	1656	mscorsvw.exe	69
PID 1656 wrote to memory of 888	1656	mscorsvw.exe	69
PID 1656 wrote to memory of 888	1656	mscorsvw.exe	69
PID 1656 wrote to memory of 888	1656	mscorsvw.exe	69
PID 1656 wrote to memory of 2184	1656	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1740

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 258 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e8 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 278 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 258 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 258 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 258 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 258 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 2b0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1280

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1872

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:968

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2500

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dac1b18975b2ce740870b0ca1a77c93f

SHA1
68803bdb53d5019d123007b8a68d68d96f286462

SHA256
92bcd6b488ae496c38d0cd150e1377ad6d9250a37d4fb3d19f53863b3de1db6b

SHA512
f720cf1f2e6c7d0946f2ef431e48a5ff7cf7c2d395fefc5f82e5445e87ff8b08da4a42516f94d72a0629f587a9f500ca9cc3be4b9253c16de391f38be30e09b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
add2c2c7a95c4f748f1e813f3ea8dc20

SHA1
e26d07c97736b59d29d1c29f5c31a16a424233bf

SHA256
c770715e1773de8591c4bf0f177e03f1f00703808554170578594f2dba47f939

SHA512
e3feb9b01c38e3232e9b302ea89c54a7ed589ab451fb3cc739d5f72fbb26028a4229db7f50b33fcf623b510f73e023cab2eed59850deb8919db6633733e42c06

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ac2ac2f31817f6ce108f00faed65a6eb

SHA1
80078fdf52cf1a66c6bd3738694c984792931893

SHA256
41b0e740629644a5365cf7a24834c5fc32a6ee23cda2faa052a3b8b72c5d0d3a

SHA512
cd7872a3be2f822881b463f374e379e615fcfa4120e1060df5a5ae2d6407f1887223997c6b8ec9e44624c58d88e08f65879428449087f93ff8945c717324c1ea

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
102db91a0d492d416bcaff34a56a3b35

SHA1
fe45f301653a1374d936e4cfdd8ae14b747b2b26

SHA256
ad1edd2916a82c1c2eb89986006db4078bc04915bf8d33fac9689d5308cb26ef

SHA512
77144a6f215cb59ff1893fbcd0785897e92e80eeedeaa1f50f7b522d156f25cdf3258ada19ac426b6026f5cef7128d23d7b06d72a7c9e1ce9e006384a102e63b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d302d7ee641ffe82a5faabc059bde1ce

SHA1
14528d5376771bb1ebc3288ca45fda217b2055e8

SHA256
134a7825eb110e5b0bf9e6608dcdf8852e6c9c436b5c1e351d8f1d11a81c7920

SHA512
d24e14c0a5a16451a6f3f8dcd757f0f5767a07b44816354f3d4a2cfb18050617f04cafbbb09f966b46e85ef1468af2bcc6accc13c6c26caf3a28add9ef06fece

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
96f721c9ee38c60107638f1a18f60bbe

SHA1
91a6a5eddbb90ece0a78492db5982bf425443567

SHA256
2f852766a4dc23ce25a2e8b3e74765872d39e5b1e762b967ece544638ebb0dd0

SHA512
59d4d8d98bfa7c93d9057920eeec655561c0070ff87f9b3b2f2d031160a1408185dea16e148fc668b59bc50653a87eac9633dc41e6e687cf39b76066fab006f2

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
80b878b71b411b285250f5d77e03ded8

SHA1
793a99e4843cf613d5b176c34ad2d0e74b2d26ba

SHA256
bf483d543349eacdfdf8988dfd6d08adf9ea017965f9e0d757e783c1bd868d1c

SHA512
25f311fd427092639ecabc1b30da7b51c7fe9c60cfcfda01dda917c0aee48f0ac6cd6879dc8f9e8ec9422666c8c72681a1815961d651d2d272258a8b3c56c17e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
203d1a3547ef6c6a2240a27418524d24

SHA1
98784967d6a3ed3b1be72d32fb3542bfe53dd9b8

SHA256
dbb6ecdd00bac3e37fc0da38b3d2349755e3ced59604780134ab696f8f14337d

SHA512
46fa059953529048d621c0879b619ffa568b0321bced7d2314a94ac95b9719dddca8afe23b58cdf5325c24165ca55ab35b2c2a98e8e6c7e3083a9d94b74c2ad9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
203d1a3547ef6c6a2240a27418524d24

SHA1
98784967d6a3ed3b1be72d32fb3542bfe53dd9b8

SHA256
dbb6ecdd00bac3e37fc0da38b3d2349755e3ced59604780134ab696f8f14337d

SHA512
46fa059953529048d621c0879b619ffa568b0321bced7d2314a94ac95b9719dddca8afe23b58cdf5325c24165ca55ab35b2c2a98e8e6c7e3083a9d94b74c2ad9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
955ebca9da468c20dc580fa12bf6f38c

SHA1
05b254af77b9c127639d6114cf9faec46e906dc4

SHA256
5bae33cdf9c1e0857e3d74f87a798decfc6a6cb5abafbecf86769e6aa690820d

SHA512
ad710f682b8a70e5e18e601402ecd8f06df3203df4e53482d996d9ef182ddbbd2d968437f1762ccc680524404b7283c033bd7f989ab8c68b39a5826be9c6d842

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
3f73d91552ea31086110e132be4065c9

SHA1
c0fa158589dab7fb46c4e8fedec7c6de9a3087e0

SHA256
0bd52ba8da386c2057b9c9ff70b9f458f2804eddf423567fd5ed481aef077738

SHA512
e470944c64e0908c0749fb53729311c39f02c703ae2f9a79e0c9b62bf9d7177c017d1b9dd6ce21f845a3b18265334c60eff313d23aafe273cfd04f77d0cef95f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
017d23b945c289cefeb811cecbe41d91

SHA1
8cfb906c4634e9bd2754b740cd90d1cc39c4a8e3

SHA256
72d6c667acaec3c21c3ca795c4e88ccee35eb499fe6a99f72a0af5bdae4d04a3

SHA512
d99cad1cfd61178b9df044041d4a33395901777830d434a9b5780ffcc586a8dd6e6f34ed6776fac180e278d0687c5da67abf90bb877076c1620ce0fb3db68e67

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
017d23b945c289cefeb811cecbe41d91

SHA1
8cfb906c4634e9bd2754b740cd90d1cc39c4a8e3

SHA256
72d6c667acaec3c21c3ca795c4e88ccee35eb499fe6a99f72a0af5bdae4d04a3

SHA512
d99cad1cfd61178b9df044041d4a33395901777830d434a9b5780ffcc586a8dd6e6f34ed6776fac180e278d0687c5da67abf90bb877076c1620ce0fb3db68e67

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
017d23b945c289cefeb811cecbe41d91

SHA1
8cfb906c4634e9bd2754b740cd90d1cc39c4a8e3

SHA256
72d6c667acaec3c21c3ca795c4e88ccee35eb499fe6a99f72a0af5bdae4d04a3

SHA512
d99cad1cfd61178b9df044041d4a33395901777830d434a9b5780ffcc586a8dd6e6f34ed6776fac180e278d0687c5da67abf90bb877076c1620ce0fb3db68e67

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
017d23b945c289cefeb811cecbe41d91

SHA1
8cfb906c4634e9bd2754b740cd90d1cc39c4a8e3

SHA256
72d6c667acaec3c21c3ca795c4e88ccee35eb499fe6a99f72a0af5bdae4d04a3

SHA512
d99cad1cfd61178b9df044041d4a33395901777830d434a9b5780ffcc586a8dd6e6f34ed6776fac180e278d0687c5da67abf90bb877076c1620ce0fb3db68e67

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8dfaeadf950de3be82b8e327ea6f627b

SHA1
34568a36b9de3b739b5ca9063aac6371d8c7fb47

SHA256
bef192831c528c04cd6ab13590c2fd3dc47a57b00479f61f5e3d17efe53a112d

SHA512
7fd50857e9ef3fee41307d4ba8354779ba727be149ce4ab048a1193437dadff0138e7034454b6323b0adfe2482c1f6d3bddea41eb3402cf93676f0c97d80eb62

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8dfaeadf950de3be82b8e327ea6f627b

SHA1
34568a36b9de3b739b5ca9063aac6371d8c7fb47

SHA256
bef192831c528c04cd6ab13590c2fd3dc47a57b00479f61f5e3d17efe53a112d

SHA512
7fd50857e9ef3fee41307d4ba8354779ba727be149ce4ab048a1193437dadff0138e7034454b6323b0adfe2482c1f6d3bddea41eb3402cf93676f0c97d80eb62

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e5395e49c1ce4dba3d150c8bc3d35077

SHA1
aa8570a85628da0771a3544d06921d44c2d4cc4e

SHA256
97b01f6ea1a6e6ebfab634b0931a24fa3125c7a0596417495bc47f43bcf2f6b5

SHA512
bd642b1d38afc63c96ba6965171fb47451b28ddb0da5a1ec8d07c84222a9864601d1fe6b7f4bbd891ab483f9610e74e03bf67df698387ec985b30cc736f6886a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
935f18cb264ce7689813d28374bc8bc9

SHA1
82bf806f69ea8ea3cf5ba73879d21ded2b717883

SHA256
d412325ae6f5ace32b3f754dd4420f2873f26b507f88e7edde9eb11e26e7037f

SHA512
f28cab40a9e2d302a42990e20736e7b8ba8352a37c3df40efaad18e46bb64f985a849b92081eccfe18b004263f391207893c97698c431374ebdffbcc5c94e10c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1c892ff5741074bf3411579357fe04aa

SHA1
ccc51a597db04b61b5daf7291979b72d6f3e0f0f

SHA256
dc09288a02ff07309f116bcae27155e71766b0ee51f7c89339ec04bec17b2462

SHA512
1f77ffb18c8d4e8ec61ad8f85665a666b1341835a800108fb00fca435af75052a75fbb7acb9c907447ee317b1bc5f40694b3a487b520e2d453fe501ef981247d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
eff681c3f0c14d172985d170cef7a383

SHA1
cf40da9c433d5dcb8d6aa49ad91a6e10b50a80e0

SHA256
98e169d31731e739eeb300c7c435d151c3b2433230566b84360ed769c41689e1

SHA512
c07a768d049f38eddea7c2accab1c07ac28bd6fb3b20ef4fa55322629cb4710a0522eb2ba968bd81fe400e5d06363ac35caca72ad500c1cabf1082a1230adb5b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
489096c7a5b55697f8c91b3151c208ae

SHA1
df2ecffa6964694fbf49103dcbae705f853e755f

SHA256
174ce1a7b817ab50768de8fab5b0540367c8ddc69e91ebade2e895006b249ba9

SHA512
a11bd930a5ecf7a7ffea41e5d93c1213e72045d5966d735281631a318fd835ea85e2ee246e31679f4428fffe7e16a6db715b55416bdedea479d5e005465f8619

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f7d9014f55edf438fe682567ed1031f0

SHA1
6fd268edcf318812a0f7e2f0714a177735e9ad38

SHA256
bbd8452e9cbe9db1ae272e566615f7764922dd86163cf9b7993f8589d0571ec6

SHA512
be9e7f855ed3e30f798eff100c6b2d81c42b2be7d3f8530c4f3b112ed797c7d9f5ca76b592d62e5af3da6f722d04744fb3422ba910968177f506a4ca84baec9f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
295668203f234609291af2621d27ebd9

SHA1
7b4dcbd55c81aa97d12c31a8e9db99f21c5eb83d

SHA256
d7d74aa2bc5d0740cc30fa0127ee3a53c9024cae3ed9bdee482be4b281634204

SHA512
77ea54a3206dd1e7dc03c29f33b2e67825a068aafd5a65e839a59b5225141d2d42916f23a7c30247a07c12331af870aa7d1ef1a020d417ed09161c139400a995

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
1e12a95cb283e4a856bbfc8f4ea36880

SHA1
a884d12152f1f92f139093d4fcf1d0f986894dc7

SHA256
e34aa19012206b3b8242dc2873ad7b61077b3c3dab9970a979bb0f5e0c1bfff9

SHA512
528d2534e3bd37d078243fae5b9a63f9d8e66618391f1f83db8f40b211e95901576446f801687c4dafa0bfd1a6c4a063394a8d8f72f9ece4da2531be8590b24c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7076165428e29869ac6dbe6c9d13ba83

SHA1
0e0a42df51880158221cdd68ef88a76c23051692

SHA256
c55f145526a8afa8093821d10e905a60cb7193c0b74f6ad13c3219721996ba94

SHA512
ddb77f2d14909645ba20891d1d70ff39eec5f80ba1e21ef4dad48618f0e34e4ace85da7665d4dbf66f75d11010fc40f800e9afd3859c9dea7bf08432c3bb4143

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
fccce09cae89ab2653eef713acb81eec

SHA1
2103d74d1391ca7dc23ee8cd28d4fc8110a48d38

SHA256
29fbf529c373ab8e0c49ffff06d4ff4150240f5e9acc659a5d226570bdd39745

SHA512
c910a4bd26eb180e7f13362e82ed3772121e1a7b88d7a5c48da283edc730ff5d865660bb60aec91174692fd4ac3b088ce76b5a2f9790e1834aafeb59db6198a7

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
1c8cecbb42cdead5bd0fc9bdd8648112

SHA1
be93adb0e65a6f31d61f9424389523f1aad06f01

SHA256
84e759144bdc4cc761bf3a29670baa3247c8547c892de0265bfbc1987ba74be3

SHA512
c48df8738e5d8ab44f9be1e656645431a03551f2dc77508fa0d54453115831e1af48dffde8195385a17ae98a3240ad2cb93aa04912d07ac4a536b6b3758ea51c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
936a5ba602a5d8d309e846fb07bfb580

SHA1
05c5e42f3f4afd2928f102144a0d2c3bc48e43c1

SHA256
deb6b6d24e8ecd579e4b73769179b9dfffa11a2b0acf7b95a9685fe567e9a420

SHA512
41d4e6c405129384f37a99f5aa96aaef9975298235dafb13ecc2691b4a60809b2daff72721f030b768772a223c86dfe071902f623c6756b41a21dfc940853ffc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
51d6cdbea4cd708cbf1a26b3506e86df

SHA1
ec71eafebe8f1dea7f427d96de4c972cac87d6c3

SHA256
3143c256998617a9c5cb02d845ca02e95dfa5651fce35eded5ff648af2bb70c1

SHA512
16f7cd3f00de898b7f570a5e3d3f7c86acb21276128d48647c4d9127d972b472fa0731cb5dc9f0805be48c715065f0214e3ee4aa7574165e4376c5675ae41ec3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a45eec7fb79f7a67aae027fbb446f605

SHA1
7d54711620af628ff5ed14bdf153a689d9f3333b

SHA256
a15b44c653a5681cce6cc5dd104aac7e34ee45d9c1cd0fcdcbdb907d058c73a0

SHA512
36d6b3242e0491bf96be68825ad3ac1ccd11cf062bd83f29f3fc54d1fd80e10a7048147b0fa13a16958206096c3277472f0f3ae6276f8b520586a23afc33b35b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
7696378fcf06786b7d5219612d4b77f9

SHA1
06b83943036a0344a78581607db8b5b42772ac53

SHA256
3f2e8127047b2a9bff5cf0633faea2c6dce4540fca43a12b407c8c7abb79b8c8

SHA512
f22c13286d757bf20284e75201b9220a3570c0d60888fc8d2b7cc0d50f1efd6addcbc6be9e98bc8a5b6ced56fce5e99c1971f06911abfada65e7aae7e3e02259

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5527b8be22ec3c5e41aacff109c3668e

SHA1
f113b9940db6101bd083f1ed0ca097422acceb84

SHA256
842c07998260c943eaded0074258cdc3060900ba94a7d9253918a03de5c1f7ee

SHA512
86f4562928efec992b84ede2f7d19d43125f01904591a0f7d2eedc1102282e6b976127ca2fdb5f7c9751729bf3fedcdb6ddbff7b93c39bbb20891037ef3a1d63

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
0b39e4408bf994efc2ce2d7aadae569d

SHA1
42942b5b83a0f168a7c32b6a3a34c6abf5503467

SHA256
03afff1d90e204477405d189c66c0111b1831bd50b8fdf775b3295cddb401128

SHA512
a598bed27f7391830c3c4cf08fb68e8a62d30050ffab489a9b2e8a6a4e5de6fed3bf381bfc77d534703556df3283ea4389fcdf97ce3bf0a16f0e7246bbf7cb35

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
1c8cecbb42cdead5bd0fc9bdd8648112

SHA1
be93adb0e65a6f31d61f9424389523f1aad06f01

SHA256
84e759144bdc4cc761bf3a29670baa3247c8547c892de0265bfbc1987ba74be3

SHA512
c48df8738e5d8ab44f9be1e656645431a03551f2dc77508fa0d54453115831e1af48dffde8195385a17ae98a3240ad2cb93aa04912d07ac4a536b6b3758ea51c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
96f721c9ee38c60107638f1a18f60bbe

SHA1
91a6a5eddbb90ece0a78492db5982bf425443567

SHA256
2f852766a4dc23ce25a2e8b3e74765872d39e5b1e762b967ece544638ebb0dd0

SHA512
59d4d8d98bfa7c93d9057920eeec655561c0070ff87f9b3b2f2d031160a1408185dea16e148fc668b59bc50653a87eac9633dc41e6e687cf39b76066fab006f2

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
96f721c9ee38c60107638f1a18f60bbe

SHA1
91a6a5eddbb90ece0a78492db5982bf425443567

SHA256
2f852766a4dc23ce25a2e8b3e74765872d39e5b1e762b967ece544638ebb0dd0

SHA512
59d4d8d98bfa7c93d9057920eeec655561c0070ff87f9b3b2f2d031160a1408185dea16e148fc668b59bc50653a87eac9633dc41e6e687cf39b76066fab006f2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
203d1a3547ef6c6a2240a27418524d24

SHA1
98784967d6a3ed3b1be72d32fb3542bfe53dd9b8

SHA256
dbb6ecdd00bac3e37fc0da38b3d2349755e3ced59604780134ab696f8f14337d

SHA512
46fa059953529048d621c0879b619ffa568b0321bced7d2314a94ac95b9719dddca8afe23b58cdf5325c24165ca55ab35b2c2a98e8e6c7e3083a9d94b74c2ad9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
3f73d91552ea31086110e132be4065c9

SHA1
c0fa158589dab7fb46c4e8fedec7c6de9a3087e0

SHA256
0bd52ba8da386c2057b9c9ff70b9f458f2804eddf423567fd5ed481aef077738

SHA512
e470944c64e0908c0749fb53729311c39f02c703ae2f9a79e0c9b62bf9d7177c017d1b9dd6ce21f845a3b18265334c60eff313d23aafe273cfd04f77d0cef95f

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
eff681c3f0c14d172985d170cef7a383

SHA1
cf40da9c433d5dcb8d6aa49ad91a6e10b50a80e0

SHA256
98e169d31731e739eeb300c7c435d151c3b2433230566b84360ed769c41689e1

SHA512
c07a768d049f38eddea7c2accab1c07ac28bd6fb3b20ef4fa55322629cb4710a0522eb2ba968bd81fe400e5d06363ac35caca72ad500c1cabf1082a1230adb5b

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
295668203f234609291af2621d27ebd9

SHA1
7b4dcbd55c81aa97d12c31a8e9db99f21c5eb83d

SHA256
d7d74aa2bc5d0740cc30fa0127ee3a53c9024cae3ed9bdee482be4b281634204

SHA512
77ea54a3206dd1e7dc03c29f33b2e67825a068aafd5a65e839a59b5225141d2d42916f23a7c30247a07c12331af870aa7d1ef1a020d417ed09161c139400a995

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
1e12a95cb283e4a856bbfc8f4ea36880

SHA1
a884d12152f1f92f139093d4fcf1d0f986894dc7

SHA256
e34aa19012206b3b8242dc2873ad7b61077b3c3dab9970a979bb0f5e0c1bfff9

SHA512
528d2534e3bd37d078243fae5b9a63f9d8e66618391f1f83db8f40b211e95901576446f801687c4dafa0bfd1a6c4a063394a8d8f72f9ece4da2531be8590b24c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7076165428e29869ac6dbe6c9d13ba83

SHA1
0e0a42df51880158221cdd68ef88a76c23051692

SHA256
c55f145526a8afa8093821d10e905a60cb7193c0b74f6ad13c3219721996ba94

SHA512
ddb77f2d14909645ba20891d1d70ff39eec5f80ba1e21ef4dad48618f0e34e4ace85da7665d4dbf66f75d11010fc40f800e9afd3859c9dea7bf08432c3bb4143

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
fccce09cae89ab2653eef713acb81eec

SHA1
2103d74d1391ca7dc23ee8cd28d4fc8110a48d38

SHA256
29fbf529c373ab8e0c49ffff06d4ff4150240f5e9acc659a5d226570bdd39745

SHA512
c910a4bd26eb180e7f13362e82ed3772121e1a7b88d7a5c48da283edc730ff5d865660bb60aec91174692fd4ac3b088ce76b5a2f9790e1834aafeb59db6198a7

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
1c8cecbb42cdead5bd0fc9bdd8648112

SHA1
be93adb0e65a6f31d61f9424389523f1aad06f01

SHA256
84e759144bdc4cc761bf3a29670baa3247c8547c892de0265bfbc1987ba74be3

SHA512
c48df8738e5d8ab44f9be1e656645431a03551f2dc77508fa0d54453115831e1af48dffde8195385a17ae98a3240ad2cb93aa04912d07ac4a536b6b3758ea51c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
1c8cecbb42cdead5bd0fc9bdd8648112

SHA1
be93adb0e65a6f31d61f9424389523f1aad06f01

SHA256
84e759144bdc4cc761bf3a29670baa3247c8547c892de0265bfbc1987ba74be3

SHA512
c48df8738e5d8ab44f9be1e656645431a03551f2dc77508fa0d54453115831e1af48dffde8195385a17ae98a3240ad2cb93aa04912d07ac4a536b6b3758ea51c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
936a5ba602a5d8d309e846fb07bfb580

SHA1
05c5e42f3f4afd2928f102144a0d2c3bc48e43c1

SHA256
deb6b6d24e8ecd579e4b73769179b9dfffa11a2b0acf7b95a9685fe567e9a420

SHA512
41d4e6c405129384f37a99f5aa96aaef9975298235dafb13ecc2691b4a60809b2daff72721f030b768772a223c86dfe071902f623c6756b41a21dfc940853ffc

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
51d6cdbea4cd708cbf1a26b3506e86df

SHA1
ec71eafebe8f1dea7f427d96de4c972cac87d6c3

SHA256
3143c256998617a9c5cb02d845ca02e95dfa5651fce35eded5ff648af2bb70c1

SHA512
16f7cd3f00de898b7f570a5e3d3f7c86acb21276128d48647c4d9127d972b472fa0731cb5dc9f0805be48c715065f0214e3ee4aa7574165e4376c5675ae41ec3

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a45eec7fb79f7a67aae027fbb446f605

SHA1
7d54711620af628ff5ed14bdf153a689d9f3333b

SHA256
a15b44c653a5681cce6cc5dd104aac7e34ee45d9c1cd0fcdcbdb907d058c73a0

SHA512
36d6b3242e0491bf96be68825ad3ac1ccd11cf062bd83f29f3fc54d1fd80e10a7048147b0fa13a16958206096c3277472f0f3ae6276f8b520586a23afc33b35b

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
7696378fcf06786b7d5219612d4b77f9

SHA1
06b83943036a0344a78581607db8b5b42772ac53

SHA256
3f2e8127047b2a9bff5cf0633faea2c6dce4540fca43a12b407c8c7abb79b8c8

SHA512
f22c13286d757bf20284e75201b9220a3570c0d60888fc8d2b7cc0d50f1efd6addcbc6be9e98bc8a5b6ced56fce5e99c1971f06911abfada65e7aae7e3e02259

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5527b8be22ec3c5e41aacff109c3668e

SHA1
f113b9940db6101bd083f1ed0ca097422acceb84

SHA256
842c07998260c943eaded0074258cdc3060900ba94a7d9253918a03de5c1f7ee

SHA512
86f4562928efec992b84ede2f7d19d43125f01904591a0f7d2eedc1102282e6b976127ca2fdb5f7c9751729bf3fedcdb6ddbff7b93c39bbb20891037ef3a1d63

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
0b39e4408bf994efc2ce2d7aadae569d

SHA1
42942b5b83a0f168a7c32b6a3a34c6abf5503467

SHA256
03afff1d90e204477405d189c66c0111b1831bd50b8fdf775b3295cddb401128

SHA512
a598bed27f7391830c3c4cf08fb68e8a62d30050ffab489a9b2e8a6a4e5de6fed3bf381bfc77d534703556df3283ea4389fcdf97ce3bf0a16f0e7246bbf7cb35

Download Submit
memory/324-120-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/900-139-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/968-190-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/968-202-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1280-141-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1312-272-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1312-201-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1312-392-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1344-59-0x0000000005E70000-0x0000000005FBA000-memory.dmp

Filesize
1.3MB

Download
memory/1344-56-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1344-54-0x00000000011E0000-0x000000000136A000-memory.dmp

Filesize
1.5MB

Download
memory/1344-55-0x00000000051F0000-0x0000000005230000-memory.dmp

Filesize
256KB

Download
memory/1344-58-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/1344-60-0x0000000007F90000-0x0000000008152000-memory.dmp

Filesize
1.8MB

Download
memory/1344-57-0x00000000051F0000-0x0000000005230000-memory.dmp

Filesize
256KB

Download
memory/1460-714-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1460-691-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1504-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1504-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1504-92-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1504-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1504-385-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1504-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1504-74-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1504-69-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1504-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1504-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1580-155-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1580-148-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1580-150-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1580-152-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1580-158-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1580-159-0x0000000000D30000-0x0000000000DEC000-memory.dmp

Filesize
752KB

Download
memory/1580-167-0x0000000005120000-0x0000000005160000-memory.dmp

Filesize
256KB

Download
memory/1628-690-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1628-200-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1628-185-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1628-179-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1656-117-0x0000000000750000-0x00000000007B6000-memory.dmp

Filesize
408KB

Download
memory/1656-111-0x0000000000750000-0x00000000007B6000-memory.dmp

Filesize
408KB

Download
memory/1656-121-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1684-115-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1696-82-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1696-387-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1696-88-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1696-93-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1704-632-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1704-172-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1704-170-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1704-163-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1740-118-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1872-198-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1872-175-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1872-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1872-176-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1872-144-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/1872-628-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1872-154-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/1924-440-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1980-227-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2052-550-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2056-226-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2120-394-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2164-245-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2192-712-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2192-725-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2264-325-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2264-247-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2272-698-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2272-705-0x0000000000530000-0x0000000000739000-memory.dmp

Filesize
2.0MB

Download
memory/2272-246-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2272-270-0x0000000000530000-0x0000000000739000-memory.dmp

Filesize
2.0MB

Download
memory/2304-398-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2364-397-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2364-437-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2500-708-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2500-273-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2572-726-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2572-302-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2660-307-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2668-303-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2668-339-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2732-310-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2844-441-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2868-342-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2968-340-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2976-635-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2976-697-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2988-442-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3060-390-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download