blustealer | 693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Technical Spec.exe
Size

1.5MB
MD5

ebf99fc11603d1ec4706b4330761df32
SHA1

c560ca5ae10593d7861701654d839d1071515866
SHA256

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb
SHA512

d31c699f201343bd02c07bbf5d41e00df8368b81bfbb1d037fb4b1e1894fd3b8232e80b065845745fa6dab7f23d47efbb1d8b6a9143f5b7db0fb4a57395c4f4a
SSDEEP

49152:NQh9Nn3uFcWIY2YZGIUtNlMpovD2i9c2:0/37Wp2YPUtNlMG7N

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 31 IoCs

pid	Process
460	Process not Found
928	alg.exe
1764	aspnet_state.exe
1524	mscorsvw.exe
1908	mscorsvw.exe
1180	mscorsvw.exe
1912	mscorsvw.exe
524	dllhost.exe
1100	ehRecvr.exe
1808	ehsched.exe
1860	elevation_service.exe
1576	mscorsvw.exe
760	IEEtwCollector.exe
1956	GROOVE.EXE
2056	maintenanceservice.exe
2140	mscorsvw.exe
2160	msdtc.exe
2340	msiexec.exe
2484	OSE.EXE
2540	OSPPSVC.EXE
2620	perfhost.exe
2652	mscorsvw.exe
2668	locator.exe
2768	snmptrap.exe
2856	vds.exe
2928	vssvc.exe
3004	wbengine.exe
2080	WmiApSrv.exe
2244	wmpnetwk.exe
2368	SearchIndexer.exe
2088	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2340	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
736	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\locator.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\vds.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Technical Spec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\alg.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Technical Spec.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d8fcdafb6401d5da.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Technical Spec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 1572	1116	Technical Spec.exe	26
PID 1572 set thread context of 912	1572	Technical Spec.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Technical Spec.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Technical Spec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4B8B2D44-FA45-4B97-93B3-6479947036AB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4B8B2D44-FA45-4B97-93B3-6479947036AB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Technical Spec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Technical Spec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Technical Spec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{7A56FC4F-C787-489D-BF44-1EB853FD1381}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{7A56FC4F-C787-489D-BF44-1EB853FD1381}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	ehRec.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1572	Technical Spec.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: 33	2020	EhTray.exe
Token: SeIncBasePriorityPrivilege	2020	EhTray.exe
Token: SeDebugPrivilege	1612	ehRec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeSecurityPrivilege	2340	msiexec.exe
Token: 33	2020	EhTray.exe
Token: SeIncBasePriorityPrivilege	2020	EhTray.exe
Token: SeBackupPrivilege	2928	vssvc.exe
Token: SeRestorePrivilege	2928	vssvc.exe
Token: SeAuditPrivilege	2928	vssvc.exe
Token: SeBackupPrivilege	3004	wbengine.exe
Token: SeRestorePrivilege	3004	wbengine.exe
Token: SeSecurityPrivilege	3004	wbengine.exe
Token: SeManageVolumePrivilege	2368	SearchIndexer.exe
Token: 33	2368	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2368	SearchIndexer.exe
Token: 33	2244	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2244	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2020	EhTray.exe
2020	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2020	EhTray.exe
2020	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1572	Technical Spec.exe
2508	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1116 wrote to memory of 1572	1116	Technical Spec.exe	26
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1572 wrote to memory of 912	1572	Technical Spec.exe	31
PID 1180 wrote to memory of 1576	1180	mscorsvw.exe	39
PID 1180 wrote to memory of 1576	1180	mscorsvw.exe	39
PID 1180 wrote to memory of 1576	1180	mscorsvw.exe	39
PID 1180 wrote to memory of 1576	1180	mscorsvw.exe	39
PID 1180 wrote to memory of 2140	1180	mscorsvw.exe	44
PID 1180 wrote to memory of 2140	1180	mscorsvw.exe	44
PID 1180 wrote to memory of 2140	1180	mscorsvw.exe	44
PID 1180 wrote to memory of 2140	1180	mscorsvw.exe	44
PID 1180 wrote to memory of 2652	1180	mscorsvw.exe	51
PID 1180 wrote to memory of 2652	1180	mscorsvw.exe	51
PID 1180 wrote to memory of 2652	1180	mscorsvw.exe	51
PID 1180 wrote to memory of 2652	1180	mscorsvw.exe	51
PID 1180 wrote to memory of 2088	1180	mscorsvw.exe	60
PID 1180 wrote to memory of 2088	1180	mscorsvw.exe	60
PID 1180 wrote to memory of 2088	1180	mscorsvw.exe	60
PID 1180 wrote to memory of 2088	1180	mscorsvw.exe	60
PID 2368 wrote to memory of 2508	2368	SearchIndexer.exe	61
PID 2368 wrote to memory of 2508	2368	SearchIndexer.exe	61
PID 2368 wrote to memory of 2508	2368	SearchIndexer.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:912

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1524

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:524

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1100

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:760

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1914912747-3343861975-731272777-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1914912747-3343861975-731272777-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2508
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
81e021482fdc5604a800b43ae16f9b6e

SHA1
0cda67467e95de741e70ed6eeb05f0885e968659

SHA256
0259d68b9d530821a00418a0115c4ba928ba310e27fe7e7bbcdfd6dab13dbb28

SHA512
f913203ded03471b22defe540a850baee88a70621e7a605f32acadc12017b8e2e34708f8263b29d13d51194c19903287b8c7bc388a9330b047bdb238caa49912

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6d909be191ba3607e43dc52316f7b259

SHA1
19618b8f28cedfecd79faa701f6cd6ed4c9bf07f

SHA256
b31a4139eb2f36f37071ca979b1833e33bd235fc47645e6d826181853f514441

SHA512
804740707d3a4ac6d27e4a1932fe447f291bbce474e4e84dcd5f425f1292fa3cfb263edf3b2f776dcfcc706d01a8495cc60d759d101fc44e408fbb3cee7e9e70

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a3afd3b409266c26ec958467ae765b35

SHA1
59c80e4ae6bef5dfd80d2a6e41c0665b5fe2dc30

SHA256
29304101b03446ccfe97a855f7f0a9c13bf6a3786209e440c8167dcb090ca4ac

SHA512
c3a3bed1bd6142f7f09e60a65a0a85ae3a77f3075c515051daa8414006da66f0d61bdb646d8de4b0ef61381f33ef5db84b24c9c8d455c2c5fbba4a6d447173bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e7701ef9218c48402c910c23a0836326

SHA1
7004e195a444d8ebb20896377479efe8b0da37e7

SHA256
814c5119f5d138bc23758177086df9a4b584e49d4b2b297864706c316e5b434c

SHA512
e5a7918fb7f80a20ca46351223f3a508301a7ced065db972415d6fa9a5eee4c90d0a605df87e27d15078a1a8717418f9dc8df24db2aea8aeb32f3b96f82c800c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7fe231c500a0522cb4fbc984e472d379

SHA1
260210c26824e8f0c098f7fa17dd591af03aa558

SHA256
2ca46207e61069defe761e67fd75441a37703d43465b7729178801e352cacff3

SHA512
93fd829b734ba5270b4a7ebc65660324b0a857cbea08856121be95512b9dffb51ac139ef6bbede1211efecdaa30e59530d278fb4a7408bf945f082b893f394ca

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0b07d99b8b59b09ac72d1827027035ab

SHA1
3e20658cd90983d650b9b381398d4309f924dc22

SHA256
d330ef4a8bb75973ce47d5bf3f9b6b4682ec9be628c245f3f96441b11c845415

SHA512
7bb3cbef810f7df47434b61aa40163ea89e2f933631c756ddeef47f740479af4cabf79740e672b7adbde15dacdc272707cce06ea6f3ff0154cbd9f6ac7638fee

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
88d038531a944ba056a7f1db658f3c3e

SHA1
914c033529873436d898c3279554ecd8da2a2330

SHA256
94becd64cb89ecb34b220d715a6328cbf1ff8ff48c9975bf58cc0bf57efe8af8

SHA512
a31dd73d6b60bf0c9586d8c0ff66ecb212bffdfe4f4b279a922fbb2f0c690a5622c29f959b5763315dfeebed8d5213c12fae9ecaa4a0b78dc61def27eb47d7c3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
3100c4635f5653df3a779c6142f4c778

SHA1
c5384db6cbab307c26ce5cab5208dbc91375d018

SHA256
9b510b62218b7cfe1045d7d77bbc1044d5600b089cac246797e75531870c8501

SHA512
cd676331239c26c78fd0373d8169c5923100373502283ca1400f9d7ea86ad87dd8db9a225024ffcbbe4925f83e80bab8c3d8b3530758bd70a5835e4240b8cc2b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
3100c4635f5653df3a779c6142f4c778

SHA1
c5384db6cbab307c26ce5cab5208dbc91375d018

SHA256
9b510b62218b7cfe1045d7d77bbc1044d5600b089cac246797e75531870c8501

SHA512
cd676331239c26c78fd0373d8169c5923100373502283ca1400f9d7ea86ad87dd8db9a225024ffcbbe4925f83e80bab8c3d8b3530758bd70a5835e4240b8cc2b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b1c237b52f3c18d644007fe82cecd204

SHA1
82e668399d0a502d4279b265625ffbcc47d87015

SHA256
d6c5f549edc4961e12d7c951f05e28d66119e87855a1fec45d64c13ec8aa1561

SHA512
9dec3f2124eaf771236b21d11631f634df546e66e68c33ce2ed092d041dc4335f6e3f646f61b8ba350cb1e3f11166f4096c3029a444cb1beb7d1bfe33e191bca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
ea1c06dfea0abe7c06739a6e24097b24

SHA1
136c691730fe88e92c245c3e34f25aaac3ec0d17

SHA256
bcb8152c7012395e91fcf71db17ac13085e616ca23fb7605e77b0411325a998c

SHA512
e4002a914653bff436e8c4f99c9c12dee8e79e26f457a7a3c60fa6533fa342685b18571b75daf2d090a6f0de989b02cc8c916f32eeeeb501d858f7ac590c1e4f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
acc49defe3e4792e3df7826ce092edca

SHA1
6f41595c65a583a154a9257df773e01462b61423

SHA256
80f89aeac018914fef4e4d59ea8b6b050b064e766f32b0f6cbae4cfd181d918e

SHA512
e8685d4d7e46238d4dd58d437416e9c2f973dc95ad7f5b8391a53a939e71d7bc3c8f329ca9bc8ece633387784dbd141603bc98924a45bdeb29294bd6782f8c18

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
809f55f749c3809726a8426d5a944592

SHA1
2421a60fe24888400d466b3edf89d6e6a1102498

SHA256
d04abf11285bfd203d5bffecc52cf502d7f3ea991634de65366ba21d4ef625a7

SHA512
3749626d3abf642104ebf50be2864e7fd3596c3e324e8f7beb93dd70d6df64f1f01fa4d40529759a6b7304600e778c391989758a3fdb3f65be4e8d2bd884cc01

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
809f55f749c3809726a8426d5a944592

SHA1
2421a60fe24888400d466b3edf89d6e6a1102498

SHA256
d04abf11285bfd203d5bffecc52cf502d7f3ea991634de65366ba21d4ef625a7

SHA512
3749626d3abf642104ebf50be2864e7fd3596c3e324e8f7beb93dd70d6df64f1f01fa4d40529759a6b7304600e778c391989758a3fdb3f65be4e8d2bd884cc01

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8161bc1b33b3b5f05f41c2a5405b18c7

SHA1
5045c63795a0f84a047ce598f44476e7f096d77e

SHA256
ef39a8a4e1b27d0a9cf15762f6bda04e4a9f01fb3a70657ef4993e8e3fc39a73

SHA512
20730cc7badf9be7a2400ee9d3f97dc80e1198625f691b8e407b9cea86c41cfe283480e1053158324fe81e6f4f906b4e4b12172ebd7d53b1b697ce77947464c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e8057aaf481cfcb60b34fe3469c39e60

SHA1
3216609e9b67e4719254d9385f09d7c4e9748b32

SHA256
6309372f24c6d97333e82de3b24f10186b4b346ad11e00bc640c60fad6922f99

SHA512
082f8d8c7d0512f99d3b003f2c3f872e3d757196283cbe3296ccc142d3a74afb5b301aa65255dc823f38e05f48af3532e2fecac3c74bca0b03334fb9e1aa2b26

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e8057aaf481cfcb60b34fe3469c39e60

SHA1
3216609e9b67e4719254d9385f09d7c4e9748b32

SHA256
6309372f24c6d97333e82de3b24f10186b4b346ad11e00bc640c60fad6922f99

SHA512
082f8d8c7d0512f99d3b003f2c3f872e3d757196283cbe3296ccc142d3a74afb5b301aa65255dc823f38e05f48af3532e2fecac3c74bca0b03334fb9e1aa2b26

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e8057aaf481cfcb60b34fe3469c39e60

SHA1
3216609e9b67e4719254d9385f09d7c4e9748b32

SHA256
6309372f24c6d97333e82de3b24f10186b4b346ad11e00bc640c60fad6922f99

SHA512
082f8d8c7d0512f99d3b003f2c3f872e3d757196283cbe3296ccc142d3a74afb5b301aa65255dc823f38e05f48af3532e2fecac3c74bca0b03334fb9e1aa2b26

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e8057aaf481cfcb60b34fe3469c39e60

SHA1
3216609e9b67e4719254d9385f09d7c4e9748b32

SHA256
6309372f24c6d97333e82de3b24f10186b4b346ad11e00bc640c60fad6922f99

SHA512
082f8d8c7d0512f99d3b003f2c3f872e3d757196283cbe3296ccc142d3a74afb5b301aa65255dc823f38e05f48af3532e2fecac3c74bca0b03334fb9e1aa2b26

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e8057aaf481cfcb60b34fe3469c39e60

SHA1
3216609e9b67e4719254d9385f09d7c4e9748b32

SHA256
6309372f24c6d97333e82de3b24f10186b4b346ad11e00bc640c60fad6922f99

SHA512
082f8d8c7d0512f99d3b003f2c3f872e3d757196283cbe3296ccc142d3a74afb5b301aa65255dc823f38e05f48af3532e2fecac3c74bca0b03334fb9e1aa2b26

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e8057aaf481cfcb60b34fe3469c39e60

SHA1
3216609e9b67e4719254d9385f09d7c4e9748b32

SHA256
6309372f24c6d97333e82de3b24f10186b4b346ad11e00bc640c60fad6922f99

SHA512
082f8d8c7d0512f99d3b003f2c3f872e3d757196283cbe3296ccc142d3a74afb5b301aa65255dc823f38e05f48af3532e2fecac3c74bca0b03334fb9e1aa2b26

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d4abcfe71829b3ed0102878a06649e0e

SHA1
979a3bab8cf3cffce3c2d9e1c8a1a6fcd5ba5b23

SHA256
52dcfb04db2e1f814d97de19261adcb1f7611083c9d38d21a68abd5bd9233fc8

SHA512
ab258896aebd1cbf30fe38d7f7e5ffb6f2378992ebaa434737cca8bc4f1519b40a87e137e432810919c7e80853e13d8fe98181fae1103e60acc22486005f1527

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dba3214a429793a2c78a0c7d320c3578

SHA1
32623d5435b06b4261d4c900ebaf9d8bcce19da1

SHA256
a8d6d6c721843902112ca5c39797d12da7e0e040a3ede47e16cecc89b60bdd1f

SHA512
401e9cfdc4d7922656f5af3261bcaa30097f7d00af0a7f53b5a7be337d1cc9f568f5ace15144eedcc278544359d072cefa1dc665b060c062f7def34f7b8360b0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
a1e4f214d64643059915344cc8a27e3e

SHA1
4561574829d201dd3dec1c94990e8671d7996206

SHA256
ebae7f20b04549f610ff73a11ab3d00feac85d0a423eec5bfb13450385292c74

SHA512
b50ba0df9de23d03f3bdca36955b05ceca1c8f5cf779f62e2d9440e1722d59f47e3c0c84ff5b7cb30f294e485182da48b7f757ae3eb2c2377a2c7724ee71c7e4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
474f187f0380395595560a0cfe6e4888

SHA1
e4bb0dd74d76abbeed196322978f31599a02f8a5

SHA256
076cd4a8ba2f412646291a078ff74bcd8289c436c8372b60df76a6db1c969985

SHA512
f810e96827de19ec78280eb3502f895996a66091b54737bf3511f0b4c7e84541e77467c01428840c0721ae2cfdf7bdb77865e8a6f252801d278e5cd86dfc8870

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
76cde4e8e05d12eeeeed8fab46da3145

SHA1
1dcde6ef9bd68ba7fd53d9684b0cc126f2dc8f17

SHA256
36b934298966fa5a06c4e5de07f98315aa2b72513d515921dbca6f457c836db0

SHA512
367b0b94ffc6dc6cfedf19e460eea57a64c7294db6b3a9274734238c78dcddc9c5e17a4854b5502dd5a33277e6964a5964169498721805060e30db485c705bde

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
b320a8d2eeb3ad1637fdd4ce3dc385f0

SHA1
f422ddb98586a1a7489179ab0f77e8c3e70e50cc

SHA256
5c7a2383fdba4359ab883842208ffd2f87b4cfe6de39ff7c3d00ab9708726015

SHA512
c3534e82b51d7c7b32807c0079a029a6b5b7b8f360cdb73f129e50e4f21106a40282e9717d5d437f2b631871fbb39aad24ba7fc9fd44c21cd8f293738c669a29

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
394c2bb377b79bcb082cfad1d83430c6

SHA1
6827f26c306c31b8899a163d99fcb7fa6b2188c3

SHA256
c07cddacf95e97fa67166ed3eefb103582d50191e79c1546d222cc7d403e7338

SHA512
595463d4cacb8cbc990437b7a601be516b85bcad52ab9b603559875c5cfa511abdf9f9bda30b30edfb83c04a658987545dc4bd667aa15a954f6c9287e09e6386

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
07e01b98afd16e7a6047e43db17a7171

SHA1
4a6ab315b243e0a7c5fa935619d33075ae23d2fc

SHA256
a500768a2c07e7959f447a12b2a1ca1cda0f0fa7e7e07526332ace6b0cae8576

SHA512
6c91a680becac0fe9f49641cdf5ea31a46a7691b2e5aa19fbe3dff9cb1c39bf97e01113a5634a591856cadb82e35a0ca4709e09035b1bd6e96462a4203ebd9be

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a935e8b4bfa694edd10551fe5ebc0ac9

SHA1
f057e0fa39b1e3d1c272430bc01ad6f7d1da9260

SHA256
263f642646385af7e1f95199158e7cc205905d2c6fea7e45224cd8beb5b0851c

SHA512
03defecb80762827ce50843593ca7c8f1f6fce7e822c7f85ffa9849c2d97c3551852d55f08917a82cdaf1e9e52a80c371975c402ccf51ae7f684b8a161673555

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
188197b1d32ebf65eb0b3b8da8d8cb5f

SHA1
c25bdfce8a50f83f1d1117b19ac9f5b6b74ea190

SHA256
d3999428b92919c075a108fb3348b1dfb0c3604572ba8173292ba7041a3ceb6f

SHA512
40142035c0ebd5f35caed62976d917712c85e9707e747c9eaa0706357b5178eb1499c1276c659a4253eb0d5410d1193ad1623ba477128a6c4ad895da2ae0a41a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
4348c42f885b13a087bb1c0dcf1e31e4

SHA1
7fd584e933c491b17c264ca427e6fecd4e39f31d

SHA256
67b9a40a4081c1f5bbd2f9db553eb164f74215acb7df29d42023a167a9422d3c

SHA512
fd5dc511a2de4fc01ac65d0b8daee623897a495862999696ed6b0f06a67ff9086de907dfb268976f1e4291722ec913ef4d7b00d4aebd945b6fea4831dfeb640e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0067a7124528f08f4d6c838d36d70aef

SHA1
374fd6035e3ae27071b9aac326bec053890e7695

SHA256
57727c9f8b56e33b7df85a78967b385b1bbd178b45d716dc4f20184148d95153

SHA512
47b3e24749a50be19058ead0e0e81c953fa84b9a44d9cee121753564e709d4d717b8e642920627a07f268234d350cd5bd923e96d5cdfd6b3fabea9c16ca8d147

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
8342522057bc07ada536241034e7eb7d

SHA1
41c292230d0866bbde1371cbdfd7155ca2bcc8bb

SHA256
825cacdddc6fd913840fcad33cab573beb1cf3560c7dd992106f0870fd961488

SHA512
725f7c091d8b1a511ae117caf6fe6263533713d75e13c836325c373d8629ce6bb556af7f830bb1fa8be940fd65dba267ff6fce53b4a48db25482bfb245a546c7

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
64fdd75d22be044dacde89c0816f8192

SHA1
b32f10075971648d197aed642ba8d96eb275a394

SHA256
2ac415c59b31a02f617342e90ed9c4c4cf15722818f8d82395ae0519f432c9fb

SHA512
196488ac22c07da3f17e4fffefaed913aefe207febe36cfe36ad1a1728e20686a69ee6552b4528367cb01f3fbe174d2cf3b53247f95bd1225b89be431554ad3d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fdacccd1871025df6b9f6fdef0ceba66

SHA1
f35bc088b8babadf98d7a06129d2be8addb30ccb

SHA256
a918c2f6157619966639a984d8006fbb6993c114095deeff1b8ab4b9fde890da

SHA512
5168b7c01ae430b84c0a13ee729d4d7da7b106fed67b1d7290ed30bf430692c9f88a2d7dfd894f720cbb7884a0bc778a37df22eba861256e49ccddc44365812b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
a935e8b4bfa694edd10551fe5ebc0ac9

SHA1
f057e0fa39b1e3d1c272430bc01ad6f7d1da9260

SHA256
263f642646385af7e1f95199158e7cc205905d2c6fea7e45224cd8beb5b0851c

SHA512
03defecb80762827ce50843593ca7c8f1f6fce7e822c7f85ffa9849c2d97c3551852d55f08917a82cdaf1e9e52a80c371975c402ccf51ae7f684b8a161673555

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0b07d99b8b59b09ac72d1827027035ab

SHA1
3e20658cd90983d650b9b381398d4309f924dc22

SHA256
d330ef4a8bb75973ce47d5bf3f9b6b4682ec9be628c245f3f96441b11c845415

SHA512
7bb3cbef810f7df47434b61aa40163ea89e2f933631c756ddeef47f740479af4cabf79740e672b7adbde15dacdc272707cce06ea6f3ff0154cbd9f6ac7638fee

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0b07d99b8b59b09ac72d1827027035ab

SHA1
3e20658cd90983d650b9b381398d4309f924dc22

SHA256
d330ef4a8bb75973ce47d5bf3f9b6b4682ec9be628c245f3f96441b11c845415

SHA512
7bb3cbef810f7df47434b61aa40163ea89e2f933631c756ddeef47f740479af4cabf79740e672b7adbde15dacdc272707cce06ea6f3ff0154cbd9f6ac7638fee

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
3100c4635f5653df3a779c6142f4c778

SHA1
c5384db6cbab307c26ce5cab5208dbc91375d018

SHA256
9b510b62218b7cfe1045d7d77bbc1044d5600b089cac246797e75531870c8501

SHA512
cd676331239c26c78fd0373d8169c5923100373502283ca1400f9d7ea86ad87dd8db9a225024ffcbbe4925f83e80bab8c3d8b3530758bd70a5835e4240b8cc2b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
ea1c06dfea0abe7c06739a6e24097b24

SHA1
136c691730fe88e92c245c3e34f25aaac3ec0d17

SHA256
bcb8152c7012395e91fcf71db17ac13085e616ca23fb7605e77b0411325a998c

SHA512
e4002a914653bff436e8c4f99c9c12dee8e79e26f457a7a3c60fa6533fa342685b18571b75daf2d090a6f0de989b02cc8c916f32eeeeb501d858f7ac590c1e4f

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dba3214a429793a2c78a0c7d320c3578

SHA1
32623d5435b06b4261d4c900ebaf9d8bcce19da1

SHA256
a8d6d6c721843902112ca5c39797d12da7e0e040a3ede47e16cecc89b60bdd1f

SHA512
401e9cfdc4d7922656f5af3261bcaa30097f7d00af0a7f53b5a7be337d1cc9f568f5ace15144eedcc278544359d072cefa1dc665b060c062f7def34f7b8360b0

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
76cde4e8e05d12eeeeed8fab46da3145

SHA1
1dcde6ef9bd68ba7fd53d9684b0cc126f2dc8f17

SHA256
36b934298966fa5a06c4e5de07f98315aa2b72513d515921dbca6f457c836db0

SHA512
367b0b94ffc6dc6cfedf19e460eea57a64c7294db6b3a9274734238c78dcddc9c5e17a4854b5502dd5a33277e6964a5964169498721805060e30db485c705bde

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
b320a8d2eeb3ad1637fdd4ce3dc385f0

SHA1
f422ddb98586a1a7489179ab0f77e8c3e70e50cc

SHA256
5c7a2383fdba4359ab883842208ffd2f87b4cfe6de39ff7c3d00ab9708726015

SHA512
c3534e82b51d7c7b32807c0079a029a6b5b7b8f360cdb73f129e50e4f21106a40282e9717d5d437f2b631871fbb39aad24ba7fc9fd44c21cd8f293738c669a29

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
394c2bb377b79bcb082cfad1d83430c6

SHA1
6827f26c306c31b8899a163d99fcb7fa6b2188c3

SHA256
c07cddacf95e97fa67166ed3eefb103582d50191e79c1546d222cc7d403e7338

SHA512
595463d4cacb8cbc990437b7a601be516b85bcad52ab9b603559875c5cfa511abdf9f9bda30b30edfb83c04a658987545dc4bd667aa15a954f6c9287e09e6386

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
07e01b98afd16e7a6047e43db17a7171

SHA1
4a6ab315b243e0a7c5fa935619d33075ae23d2fc

SHA256
a500768a2c07e7959f447a12b2a1ca1cda0f0fa7e7e07526332ace6b0cae8576

SHA512
6c91a680becac0fe9f49641cdf5ea31a46a7691b2e5aa19fbe3dff9cb1c39bf97e01113a5634a591856cadb82e35a0ca4709e09035b1bd6e96462a4203ebd9be

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a935e8b4bfa694edd10551fe5ebc0ac9

SHA1
f057e0fa39b1e3d1c272430bc01ad6f7d1da9260

SHA256
263f642646385af7e1f95199158e7cc205905d2c6fea7e45224cd8beb5b0851c

SHA512
03defecb80762827ce50843593ca7c8f1f6fce7e822c7f85ffa9849c2d97c3551852d55f08917a82cdaf1e9e52a80c371975c402ccf51ae7f684b8a161673555

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a935e8b4bfa694edd10551fe5ebc0ac9

SHA1
f057e0fa39b1e3d1c272430bc01ad6f7d1da9260

SHA256
263f642646385af7e1f95199158e7cc205905d2c6fea7e45224cd8beb5b0851c

SHA512
03defecb80762827ce50843593ca7c8f1f6fce7e822c7f85ffa9849c2d97c3551852d55f08917a82cdaf1e9e52a80c371975c402ccf51ae7f684b8a161673555

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
188197b1d32ebf65eb0b3b8da8d8cb5f

SHA1
c25bdfce8a50f83f1d1117b19ac9f5b6b74ea190

SHA256
d3999428b92919c075a108fb3348b1dfb0c3604572ba8173292ba7041a3ceb6f

SHA512
40142035c0ebd5f35caed62976d917712c85e9707e747c9eaa0706357b5178eb1499c1276c659a4253eb0d5410d1193ad1623ba477128a6c4ad895da2ae0a41a

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
4348c42f885b13a087bb1c0dcf1e31e4

SHA1
7fd584e933c491b17c264ca427e6fecd4e39f31d

SHA256
67b9a40a4081c1f5bbd2f9db553eb164f74215acb7df29d42023a167a9422d3c

SHA512
fd5dc511a2de4fc01ac65d0b8daee623897a495862999696ed6b0f06a67ff9086de907dfb268976f1e4291722ec913ef4d7b00d4aebd945b6fea4831dfeb640e

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0067a7124528f08f4d6c838d36d70aef

SHA1
374fd6035e3ae27071b9aac326bec053890e7695

SHA256
57727c9f8b56e33b7df85a78967b385b1bbd178b45d716dc4f20184148d95153

SHA512
47b3e24749a50be19058ead0e0e81c953fa84b9a44d9cee121753564e709d4d717b8e642920627a07f268234d350cd5bd923e96d5cdfd6b3fabea9c16ca8d147

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
8342522057bc07ada536241034e7eb7d

SHA1
41c292230d0866bbde1371cbdfd7155ca2bcc8bb

SHA256
825cacdddc6fd913840fcad33cab573beb1cf3560c7dd992106f0870fd961488

SHA512
725f7c091d8b1a511ae117caf6fe6263533713d75e13c836325c373d8629ce6bb556af7f830bb1fa8be940fd65dba267ff6fce53b4a48db25482bfb245a546c7

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
64fdd75d22be044dacde89c0816f8192

SHA1
b32f10075971648d197aed642ba8d96eb275a394

SHA256
2ac415c59b31a02f617342e90ed9c4c4cf15722818f8d82395ae0519f432c9fb

SHA512
196488ac22c07da3f17e4fffefaed913aefe207febe36cfe36ad1a1728e20686a69ee6552b4528367cb01f3fbe174d2cf3b53247f95bd1225b89be431554ad3d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fdacccd1871025df6b9f6fdef0ceba66

SHA1
f35bc088b8babadf98d7a06129d2be8addb30ccb

SHA256
a918c2f6157619966639a984d8006fbb6993c114095deeff1b8ab4b9fde890da

SHA512
5168b7c01ae430b84c0a13ee729d4d7da7b106fed67b1d7290ed30bf430692c9f88a2d7dfd894f720cbb7884a0bc778a37df22eba861256e49ccddc44365812b

Download Submit
memory/524-156-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/760-512-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/912-123-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/912-122-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/912-129-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/912-133-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/912-136-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/912-139-0x00000000048C0000-0x000000000497C000-memory.dmp

Filesize
752KB

Download
memory/928-93-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/928-88-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/928-82-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1100-153-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1100-147-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1100-162-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1100-159-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1100-164-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1116-60-0x0000000007F70000-0x0000000008132000-memory.dmp

Filesize
1.8MB

Download
memory/1116-59-0x0000000005DE0000-0x0000000005F2A000-memory.dmp

Filesize
1.3MB

Download
memory/1116-55-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/1116-56-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1116-54-0x0000000000EF0000-0x000000000107A000-memory.dmp

Filesize
1.5MB

Download
memory/1116-57-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/1116-58-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1180-138-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1180-115-0x0000000000BD0000-0x0000000000C36000-memory.dmp

Filesize
408KB

Download
memory/1180-120-0x0000000000BD0000-0x0000000000C36000-memory.dmp

Filesize
408KB

Download
memory/1524-112-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1572-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1572-92-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1572-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1572-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1572-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1572-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1572-69-0x0000000000150000-0x00000000001B6000-memory.dmp

Filesize
408KB

Download
memory/1572-74-0x0000000000150000-0x00000000001B6000-memory.dmp

Filesize
408KB

Download
memory/1572-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1576-279-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1576-179-0x0000000000C90000-0x0000000000CF6000-memory.dmp

Filesize
408KB

Download
memory/1764-110-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1808-171-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1808-160-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1808-535-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1860-176-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1908-113-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1912-137-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2056-248-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download