blustealer | 90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.5MB
MD5

e2b30c0c90faeeb878ed21be152d2dc1
SHA1

b64e8bbd7d23f9585a7ff9b24a61a7ab119f1769
SHA256

90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f
SHA512

7126633aeaeaa91f08d5c0dce6129bfb7501287cad6ac106f1c64c2ab0cb010d3b870680047ea3e9dffdb3bfccab2a9d2a11f8057dd302dfaf140b34022bd74f
SSDEEP

24576:PnQ3GQdfKrh2G8uraReOgX1yFQ+5irxTCQJ5xvCwUXZMnKfJIxzN5b2K:P9QdIuWed+sKK+CQ5CwMZMnx0

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 48 IoCs

pid	Process
464	Process not Found
280	alg.exe
1240	aspnet_state.exe
1744	mscorsvw.exe
1536	mscorsvw.exe
1984	mscorsvw.exe
928	mscorsvw.exe
1804	dllhost.exe
1764	ehRecvr.exe
1864	ehsched.exe
1536	mscorsvw.exe
524	elevation_service.exe
852	IEEtwCollector.exe
1716	mscorsvw.exe
2076	GROOVE.EXE
2184	maintenanceservice.exe
2252	mscorsvw.exe
2368	msdtc.exe
2400	mscorsvw.exe
2560	mscorsvw.exe
2696	msiexec.exe
2820	OSE.EXE
2900	OSPPSVC.EXE
2972	mscorsvw.exe
3040	perfhost.exe
1748	mscorsvw.exe
2168	locator.exe
2420	snmptrap.exe
1412	mscorsvw.exe
2188	vds.exe
2740	vssvc.exe
2968	wbengine.exe
3016	mscorsvw.exe
3048	WmiApSrv.exe
2300	mscorsvw.exe
1932	mscorsvw.exe
1748	mscorsvw.exe
2084	wmpnetwk.exe
2784	mscorsvw.exe
1092	SearchIndexer.exe
2436	mscorsvw.exe
3024	mscorsvw.exe
1484	mscorsvw.exe
3000	mscorsvw.exe
2140	mscorsvw.exe
1740	mscorsvw.exe
2604	mscorsvw.exe
852	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2696	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
740	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\af56d56edecfa14c.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 972	1320	Quote 1345 rev.3.exe	28
PID 972 set thread context of 1700	972	Quote 1345 rev.3.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{13715BCE-A8EB-4742-8640-32DF3EA51168}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Quote 1345 rev.3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{13715BCE-A8EB-4742-8640-32DF3EA51168}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{63C7EC64-BFC1-4D8B-B941-90F0F6F0ABC9}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{63C7EC64-BFC1-4D8B-B941-90F0F6F0ABC9}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	ehRec.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	972	Quote 1345 rev.3.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: 33	1912	EhTray.exe
Token: SeIncBasePriorityPrivilege	1912	EhTray.exe
Token: SeDebugPrivilege	1740	ehRec.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: 33	1912	EhTray.exe
Token: SeIncBasePriorityPrivilege	1912	EhTray.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeSecurityPrivilege	2696	msiexec.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe
Token: SeBackupPrivilege	2968	wbengine.exe
Token: SeRestorePrivilege	2968	wbengine.exe
Token: SeSecurityPrivilege	2968	wbengine.exe
Token: 33	2084	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2084	wmpnetwk.exe
Token: SeManageVolumePrivilege	1092	SearchIndexer.exe
Token: 33	1092	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1092	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
972	Quote 1345 rev.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 1320 wrote to memory of 972	1320	Quote 1345 rev.3.exe	28
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 972 wrote to memory of 1700	972	Quote 1345 rev.3.exe	29
PID 928 wrote to memory of 1536	928	mscorsvw.exe	40
PID 928 wrote to memory of 1536	928	mscorsvw.exe	40
PID 928 wrote to memory of 1536	928	mscorsvw.exe	40
PID 928 wrote to memory of 1716	928	mscorsvw.exe	44
PID 928 wrote to memory of 1716	928	mscorsvw.exe	44
PID 928 wrote to memory of 1716	928	mscorsvw.exe	44
PID 1984 wrote to memory of 2252	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2252	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2252	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2252	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 2400	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2400	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2400	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2400	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2560	1984	mscorsvw.exe	50
PID 1984 wrote to memory of 2560	1984	mscorsvw.exe	50
PID 1984 wrote to memory of 2560	1984	mscorsvw.exe	50
PID 1984 wrote to memory of 2560	1984	mscorsvw.exe	50
PID 1984 wrote to memory of 2972	1984	mscorsvw.exe	54
PID 1984 wrote to memory of 2972	1984	mscorsvw.exe	54
PID 1984 wrote to memory of 2972	1984	mscorsvw.exe	54
PID 1984 wrote to memory of 2972	1984	mscorsvw.exe	54
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	56
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	56
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	56
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	56
PID 1984 wrote to memory of 1412	1984	mscorsvw.exe	59
PID 1984 wrote to memory of 1412	1984	mscorsvw.exe	59
PID 1984 wrote to memory of 1412	1984	mscorsvw.exe	59
PID 1984 wrote to memory of 1412	1984	mscorsvw.exe	59
PID 1984 wrote to memory of 3016	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 3016	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 3016	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 3016	1984	mscorsvw.exe	63
PID 1984 wrote to memory of 2300	1984	mscorsvw.exe	65
PID 1984 wrote to memory of 2300	1984	mscorsvw.exe	65
PID 1984 wrote to memory of 2300	1984	mscorsvw.exe	65
PID 1984 wrote to memory of 2300	1984	mscorsvw.exe	65
PID 1984 wrote to memory of 1932	1984	mscorsvw.exe	66
PID 1984 wrote to memory of 1932	1984	mscorsvw.exe	66
PID 1984 wrote to memory of 1932	1984	mscorsvw.exe	66
PID 1984 wrote to memory of 1932	1984	mscorsvw.exe	66
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	67
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	67
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	67
PID 1984 wrote to memory of 1748	1984	mscorsvw.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1700

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1744

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e4 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e4 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 268 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1a8 -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 260 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1ec -NGENProcess 258 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e4 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 180 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 27c -NGENProcess 1ec -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 180 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 28c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 180 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 284 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 284 -NGENProcess 180 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 1e4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 27c -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 164 -NGENProcess 168 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1804

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1764

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:524

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:852

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2820

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2900

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3d45d5360112fcb8c07b9afffa085792

SHA1
b8d6a5bdaabb6dd41d2e1d45705cac4985d404be

SHA256
cc31758b83c5ba74dd98a6515e4c26fa1839930a842570f900b7de56ca0de2e7

SHA512
688348b0169ccedf05c7c0e89ee237745f9340cae625168d55b3a7545a7d81b928a3018b6f95793513d71731feed10831a3f71ea9b42d3a7de31f6198215cba9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6f84d9baeb228ec889a2b9f6c2923c0a

SHA1
e437f90f9be60474a32219006ac42247b51e8a09

SHA256
a635fe39097a3fe6511136de028d5bcaea9e4bc6b3fcc4c54bd1b446327ce056

SHA512
4a891113458658b0247aab7985bb8e97733c2b3efe6f347b6eae92df9c8afc646efee80d226c56f0aec5d4eb01ae4843fd9bf892fc8370de8408ad9452fcad5d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
432070dfbe5555fc4d2b85e9fea1ca0f

SHA1
0dafcc35c3fcf43b67b8c9c30c2f6f980940cc6b

SHA256
95e1e8575e54485ec9f5546ad2cdb0afb5042a3457de3a6e3a01adeb92f0b372

SHA512
ee02ea057f06cfdc77d8e7fb83665807fca5d97e491d3b3e4e9f553f669d0b59225a108bed7acd482ab0f467321edbc107db5c44175285e51690d343e4c0fe1e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
24341453fee22858c104a9fddcee5512

SHA1
f57bb66f9069ae0c51f8ebbe22010c74a9228725

SHA256
7960ed0dc830c16abbc67d5974a6bc45344928f42c6ee7f51dc51de6c065eea0

SHA512
84cd13fb9aa58d488b9c6a584b1c02baab58f5bfe3269e35b7140e1db0011848ea503907f3866a6201b488384614d485b6c4d14a9c022a458937f0f4384a3766

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f21101fe3d3e30fef8f666f285be45d7

SHA1
400e562e0ea01e78996506ef77be4a4066dabc99

SHA256
b2fa92fca297556bd030353d77d609533bd3100ddd6299c9b3fb88937ea09619

SHA512
6c76b4546c774e814e745ccd125d5117f98931759d7616cde6bd3a81caca1a8b9f1007604a7eb5e0b53cbc77a51364217612dc8ffd6c28dc33246bf5548998f2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a4235e4a4d893d435059a09a5c441c00

SHA1
07a6b4f748ef17cbda31954602d9d2d0c401a7c2

SHA256
0259aab8ff2438419d58f5818ae8301e8563853135060ad4492e72443dc39f4b

SHA512
5b6ffc401892069f097f7e9138eea580186cc11969d1a22e3f12a913a1a0406b4f7b6f5b433b0b1acc66fd96ba6ca390ad47160c3a064e19f889e138f15d1e9d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9d022d1fe06d677cc67d84ce5c78bd62

SHA1
862145924c759a256c3efd0010f94fce658fbb99

SHA256
5e0947dde90b2b7ff9f8d580ac7f912238435da7bc2a2c1ca8647fe957196800

SHA512
eee7cc28fa6dc0844e2b862fa45e5578b099f6e76944d15ef7cdd9bb2184e8187eab1cd324e71d42e06f1ba3409a9858d857f7474ff5ed4a6fa223541426cc5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9d022d1fe06d677cc67d84ce5c78bd62

SHA1
862145924c759a256c3efd0010f94fce658fbb99

SHA256
5e0947dde90b2b7ff9f8d580ac7f912238435da7bc2a2c1ca8647fe957196800

SHA512
eee7cc28fa6dc0844e2b862fa45e5578b099f6e76944d15ef7cdd9bb2184e8187eab1cd324e71d42e06f1ba3409a9858d857f7474ff5ed4a6fa223541426cc5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
729353b2016181ce475dde8d6a9fbb2a

SHA1
4a25f30ed5df32db74494da905a4890ec44f7d60

SHA256
ceb2155f667deb80d3dbf0b7e7a2aff9ede86ac36257e714984c1059153bad0c

SHA512
c7e7f9d673b81b99c8735d313ee4afd73ba70a28e33986cc1bb3752f83b1df00b845d51d4f98bc4f41389c41ec2c252d25b25a89dd7949eae3b4660afdb5008d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
bc31c73ea61bc6d94686d1f2272b38ed

SHA1
dba04c0f02252d9e1f02678e67a7dcf3bced762a

SHA256
015d8cb0e6063b3c2b8705f2af7742609696a6f603eacef6d0f1855eb24a0004

SHA512
cb387ac6dd051871d96263246198f4d65ec7bdf05efb83822e366deb61d3bd1b894af52f0b01930e666f15822bc656528d7f9ca195c0eb54383ca293e1afdf08

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09ac6287d5680b5c85d32c29e8b8fffe

SHA1
5d0fa504122cf6ce4ceb9280fcbb0e9751510d5a

SHA256
983e3f5ce3a8a39027ec6b7d9483f0fc08cfbdc32fa345dd7aeae19e31bdc70d

SHA512
5a4083033f968a140d7777cce9f49a94d92093c5101f01d017d821229c6e6946581711502cc5b040edf6e647d5fc5020715676ef1c4d19738ec0d9677701b8ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09ac6287d5680b5c85d32c29e8b8fffe

SHA1
5d0fa504122cf6ce4ceb9280fcbb0e9751510d5a

SHA256
983e3f5ce3a8a39027ec6b7d9483f0fc08cfbdc32fa345dd7aeae19e31bdc70d

SHA512
5a4083033f968a140d7777cce9f49a94d92093c5101f01d017d821229c6e6946581711502cc5b040edf6e647d5fc5020715676ef1c4d19738ec0d9677701b8ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09ac6287d5680b5c85d32c29e8b8fffe

SHA1
5d0fa504122cf6ce4ceb9280fcbb0e9751510d5a

SHA256
983e3f5ce3a8a39027ec6b7d9483f0fc08cfbdc32fa345dd7aeae19e31bdc70d

SHA512
5a4083033f968a140d7777cce9f49a94d92093c5101f01d017d821229c6e6946581711502cc5b040edf6e647d5fc5020715676ef1c4d19738ec0d9677701b8ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09ac6287d5680b5c85d32c29e8b8fffe

SHA1
5d0fa504122cf6ce4ceb9280fcbb0e9751510d5a

SHA256
983e3f5ce3a8a39027ec6b7d9483f0fc08cfbdc32fa345dd7aeae19e31bdc70d

SHA512
5a4083033f968a140d7777cce9f49a94d92093c5101f01d017d821229c6e6946581711502cc5b040edf6e647d5fc5020715676ef1c4d19738ec0d9677701b8ee

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9627b51ebcf16ede85c65e14fcc097aa

SHA1
5191c4a26ffa221ae1ebb32db9f51aff6ff167c5

SHA256
897d35d948caacf5f6a6fbd804afae998205849df074c9d7c3b4d78c21cea601

SHA512
3bb2a2ce776d30d8ccd3ad03b10cdee11e13d2b2c0daa57ea70c5fa2b82992f1e2fd440cda5dec6683ee946aced5a45bc03b7f64ea90735b55702982145e67f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9627b51ebcf16ede85c65e14fcc097aa

SHA1
5191c4a26ffa221ae1ebb32db9f51aff6ff167c5

SHA256
897d35d948caacf5f6a6fbd804afae998205849df074c9d7c3b4d78c21cea601

SHA512
3bb2a2ce776d30d8ccd3ad03b10cdee11e13d2b2c0daa57ea70c5fa2b82992f1e2fd440cda5dec6683ee946aced5a45bc03b7f64ea90735b55702982145e67f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
048072146677cbac58113d89dff091c2

SHA1
b97f4cc7f37f9bdd287089a9f72d2425144221d6

SHA256
880845dcd45c7b90e2ba1c8f284e34ccf41fc1b2bb6dee364a0e6d5b9c043950

SHA512
78e658f2792b7952533aa86c5fcbdc2a161d330f80a16a26540d91eda4f66469e7d830f15d2c45e418e8671059e7ea81f2fbf456c7d4b98691ec1c9af98a16cd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
09193adab6e2e22d771c38fbbdad6792

SHA1
124dd55b408459fe77caf7c6cdb59b1302be2805

SHA256
8c116f55ea42ec04e87be040cb26e15a7f5d8455dd2dadb1d90e8701dccbc68c

SHA512
f8830ad43e0774454813a104211847fec0378889483c64bf59976d5e16071f255828fc5d4ebffb71eed7d243f22ec98decb8d24812c7c9dc5aefef4a192248f1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6a9a34104903cad90adbbce57f2e30ac

SHA1
d1361ef8c2edab07952e4854efee7cbdbd7df94c

SHA256
884450a741391d1b2524eafe6d4088b197fa2b10a9133bab265f5595a3d0eb64

SHA512
883060e08def25e0b6a9039b84f3899eabd28369dd049ec6d477339f0b0ad4db49c98c73fffdeca7b2e22729a854b2b69f719ad3143b6e32b398cdfa36fd2952

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2c8950a0c265379f4d0511d1ce38ce00

SHA1
0befa6f4b59e23aafd4eae9be22050cd25f4f05c

SHA256
db5f9c3e99119bfde445822b7982f2a7352f55c49905878e426cddbcbff4c2f6

SHA512
470c7571746c0afa7be87670535e0961de16b80dc545b739689cd987d223f414cc16e6a4e0803ceff1098b17a308eed9aa92e41aa312db59686cd46a3fb8d788

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
b3eae4ccfa1f9227b97e0c69b6b23baf

SHA1
1c0fc22f36d4f04af7ec1f14e022b5c517d91bc5

SHA256
2b2f407067a9712358501d2725c8ca935b7620ec7930b92017dadf8ec90cb2a9

SHA512
353449ded7a881058adf61b007632e73fba5b1b9aad650fb5ae8221b292f0f6ce6cc0902df252b1fba96ccecf201781bdf02ca2a893bc6b117740a800f2957b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
73ab16a94b6a5ee3133eae4afe726ac1

SHA1
f49cd365305e2790d74b738e43bd0085f61cf1c6

SHA256
fce5478ff8af6af26139f6970c4190b4dbea1800d0b589b51949829a62b21713

SHA512
6587f4cfea5372caff95caf462ca3611de14329882684b40788da58dcf8430e462cfb84892d51438dde9cecd1e93d5553070c9b23c899dc384541e423037957d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7c7561cfaea6ca96162680e24679bf80

SHA1
2436062419e2b67413e371b3af0923928a464175

SHA256
774b38f478b958838b5c8e225352b91334835c4968d84abfec9053c1c56c3fdb

SHA512
6991586bd392a05d1b25bcd0d23316c58d58f0dc21aa98ac51984350e64cedd6c6af0263e0d8e527f61a8a99d6f1e823a38bead88c9633fa8792e8c980196a7e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
597c6eba4e71941a1c9833afe37a7349

SHA1
af2dd4641c63a02d1092d3dce482c771b085886b

SHA256
0cb997602aafdf45e6494fa3cb2f25e561a3da2a8ed3ea453eb3535500f252f8

SHA512
78226ed5c95b4a3650d4fc9f6382294fef17efafb07de16aba4ab405128a7b9326df36068191b28013b455e3b953688ee106c44681773d00d8dcb4c2c9521ba4

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
05234df76c25f8396e4834edbfdce0f6

SHA1
f9b15739347d961c74a3fd5b4ef7ca47799fb678

SHA256
d39bbf5f8ba7b1461b217a456d62d0eabfbcbb209d69b89a93b6ce2132aa972a

SHA512
de726d2af5433d8a1600122535842f805d1c2928c6f4614d76425692a2b85764e4708b44665eb72ab07f260ae818441be641a76c01d55b362c155afa98c2775e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
470842494facf9859b06cd6760daafb4

SHA1
83ca425de4d529b6985b2c3220af8aafff7b015c

SHA256
19301e76166150a7c9f4f5a2f52fbc967adf98a8ac0a1eb72a698ed3eb0624ae

SHA512
78fbc1b315bf15d756b2f51b2d0ac5a78bb87c45efb3bf41df4f62cea497e6aa3918c26bdc494024003a17fa4958e2cd2d6ee38ab82ecfe141d68718dbc1f487

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
573ad394f17e140a720816bea99d1998

SHA1
8e459bc9baa286543cb18f1fbe42f9298c72f3b9

SHA256
2da3cc459c50aeb830cc158d34d58c3dc3ef02d05c1ffb1d17f57aab2f49b40a

SHA512
aef4102f21a53ca334216fa7cf911a6ab5eb682e3c9a2c493d3e72b354581380edf17f064e388bc4580d8245ffb87c9a0a4b473c233a5ecaa1e489c8e064d904

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
63adbfd0c818af2ea15635cc3c029bcd

SHA1
211a2d12d9814b761c28d82da799a749669301fb

SHA256
98db3506454a83210c3a68f88caecc0ac0fa13d348535b021a5bdd9a385077e4

SHA512
0bfb5b23c92c107eb0f10bf867230d5b49b551aa234a2b24ff7339571a99520be99214c5e6c781eceab85adecdb71e51f2f6baa5f3019d53db441ecccb8a4730

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a31b5aba81ebbb5aa37507858ae9e60e

SHA1
ad1087d7f303771e92573f65d4b80a6222cbb80e

SHA256
11a49e1400d3262ab331d64b78634aebd41cbb334ed63ddc5a006834f2ffe58b

SHA512
6dc51653a05e8dbda16f3e9db8392277608bfb541912a00d38ed259a3b3cde3896b2ff95feb38e4496d966fb27f6ba04a648a57722f23b98c7eda7c6fc59b248

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
edf7558ae662f46b924821e8a0c4d4fb

SHA1
c4ed1691dc3ae81cf880d8b3e0021f6584b9cbf5

SHA256
6c6a272a72f308dc40aa3f8c26bf08c3c5b942f9976070815ddf8e11c547b32b

SHA512
56220eda23971e3e4ebe3e5fc6cbb04e8f1845a8827159bf5d9af61d620b9a7f77e62ae818fdd8f401c1d5e3b8576b2c8447ac60fbc9cba7c1023f574f122740

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d9c767fb6bdffdea0a96feae521aad77

SHA1
921282f2f6d37c90fb87737b15e7dc5ee5ac9fd9

SHA256
43b6677f90d954b661995a0c332fc456107c038a6247252802c8cfd7b502b3ce

SHA512
5ae4bc27665244e962ed4cfb99ec2902da63ad8bbe9c438d4c2120bd7036eb121441be464aec1de6fa0a27068998e88fca76af7752801d8fadf27890b5337955

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c99c85ef88abf6fb8e2a9455c4b1e01f

SHA1
df2a3020bd84a8cf5503b56cf76f88de1e4f4242

SHA256
6efb96b0ed5e11fe7ff7adbe90f558988558848e4855b1e98e58ec1ed0eab11a

SHA512
95606cd4665303f4bb9728008b147b1dd0173637471093beca6770e4bd1d648fa57f4ec4e9fd8f909e2069c84dea5df0c8a63aee0d3fb3f81d6a14b6c3e26dd2

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b5cf2aa1fe66206ca1c101081365c06a

SHA1
1c3d83fde59301598be9f7a49f6ab308ad2d48f7

SHA256
74be89a3b4bde098af298294b75cc87c36f2134ede50914b48a8d0aa3ef4e283

SHA512
d2644cb36eeaf0b2123d06b1ba6126ef36e17031ef26c01eb5a3c0f9a45a7c99735b468219e36c71eb7d86b2477df5119bb67d83caf213c36a0b993386190836

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
573ad394f17e140a720816bea99d1998

SHA1
8e459bc9baa286543cb18f1fbe42f9298c72f3b9

SHA256
2da3cc459c50aeb830cc158d34d58c3dc3ef02d05c1ffb1d17f57aab2f49b40a

SHA512
aef4102f21a53ca334216fa7cf911a6ab5eb682e3c9a2c493d3e72b354581380edf17f064e388bc4580d8245ffb87c9a0a4b473c233a5ecaa1e489c8e064d904

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a4235e4a4d893d435059a09a5c441c00

SHA1
07a6b4f748ef17cbda31954602d9d2d0c401a7c2

SHA256
0259aab8ff2438419d58f5818ae8301e8563853135060ad4492e72443dc39f4b

SHA512
5b6ffc401892069f097f7e9138eea580186cc11969d1a22e3f12a913a1a0406b4f7b6f5b433b0b1acc66fd96ba6ca390ad47160c3a064e19f889e138f15d1e9d

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a4235e4a4d893d435059a09a5c441c00

SHA1
07a6b4f748ef17cbda31954602d9d2d0c401a7c2

SHA256
0259aab8ff2438419d58f5818ae8301e8563853135060ad4492e72443dc39f4b

SHA512
5b6ffc401892069f097f7e9138eea580186cc11969d1a22e3f12a913a1a0406b4f7b6f5b433b0b1acc66fd96ba6ca390ad47160c3a064e19f889e138f15d1e9d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9d022d1fe06d677cc67d84ce5c78bd62

SHA1
862145924c759a256c3efd0010f94fce658fbb99

SHA256
5e0947dde90b2b7ff9f8d580ac7f912238435da7bc2a2c1ca8647fe957196800

SHA512
eee7cc28fa6dc0844e2b862fa45e5578b099f6e76944d15ef7cdd9bb2184e8187eab1cd324e71d42e06f1ba3409a9858d857f7474ff5ed4a6fa223541426cc5e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
bc31c73ea61bc6d94686d1f2272b38ed

SHA1
dba04c0f02252d9e1f02678e67a7dcf3bced762a

SHA256
015d8cb0e6063b3c2b8705f2af7742609696a6f603eacef6d0f1855eb24a0004

SHA512
cb387ac6dd051871d96263246198f4d65ec7bdf05efb83822e366deb61d3bd1b894af52f0b01930e666f15822bc656528d7f9ca195c0eb54383ca293e1afdf08

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2c8950a0c265379f4d0511d1ce38ce00

SHA1
0befa6f4b59e23aafd4eae9be22050cd25f4f05c

SHA256
db5f9c3e99119bfde445822b7982f2a7352f55c49905878e426cddbcbff4c2f6

SHA512
470c7571746c0afa7be87670535e0961de16b80dc545b739689cd987d223f414cc16e6a4e0803ceff1098b17a308eed9aa92e41aa312db59686cd46a3fb8d788

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7c7561cfaea6ca96162680e24679bf80

SHA1
2436062419e2b67413e371b3af0923928a464175

SHA256
774b38f478b958838b5c8e225352b91334835c4968d84abfec9053c1c56c3fdb

SHA512
6991586bd392a05d1b25bcd0d23316c58d58f0dc21aa98ac51984350e64cedd6c6af0263e0d8e527f61a8a99d6f1e823a38bead88c9633fa8792e8c980196a7e

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
597c6eba4e71941a1c9833afe37a7349

SHA1
af2dd4641c63a02d1092d3dce482c771b085886b

SHA256
0cb997602aafdf45e6494fa3cb2f25e561a3da2a8ed3ea453eb3535500f252f8

SHA512
78226ed5c95b4a3650d4fc9f6382294fef17efafb07de16aba4ab405128a7b9326df36068191b28013b455e3b953688ee106c44681773d00d8dcb4c2c9521ba4

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
05234df76c25f8396e4834edbfdce0f6

SHA1
f9b15739347d961c74a3fd5b4ef7ca47799fb678

SHA256
d39bbf5f8ba7b1461b217a456d62d0eabfbcbb209d69b89a93b6ce2132aa972a

SHA512
de726d2af5433d8a1600122535842f805d1c2928c6f4614d76425692a2b85764e4708b44665eb72ab07f260ae818441be641a76c01d55b362c155afa98c2775e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
470842494facf9859b06cd6760daafb4

SHA1
83ca425de4d529b6985b2c3220af8aafff7b015c

SHA256
19301e76166150a7c9f4f5a2f52fbc967adf98a8ac0a1eb72a698ed3eb0624ae

SHA512
78fbc1b315bf15d756b2f51b2d0ac5a78bb87c45efb3bf41df4f62cea497e6aa3918c26bdc494024003a17fa4958e2cd2d6ee38ab82ecfe141d68718dbc1f487

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
573ad394f17e140a720816bea99d1998

SHA1
8e459bc9baa286543cb18f1fbe42f9298c72f3b9

SHA256
2da3cc459c50aeb830cc158d34d58c3dc3ef02d05c1ffb1d17f57aab2f49b40a

SHA512
aef4102f21a53ca334216fa7cf911a6ab5eb682e3c9a2c493d3e72b354581380edf17f064e388bc4580d8245ffb87c9a0a4b473c233a5ecaa1e489c8e064d904

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
573ad394f17e140a720816bea99d1998

SHA1
8e459bc9baa286543cb18f1fbe42f9298c72f3b9

SHA256
2da3cc459c50aeb830cc158d34d58c3dc3ef02d05c1ffb1d17f57aab2f49b40a

SHA512
aef4102f21a53ca334216fa7cf911a6ab5eb682e3c9a2c493d3e72b354581380edf17f064e388bc4580d8245ffb87c9a0a4b473c233a5ecaa1e489c8e064d904

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
63adbfd0c818af2ea15635cc3c029bcd

SHA1
211a2d12d9814b761c28d82da799a749669301fb

SHA256
98db3506454a83210c3a68f88caecc0ac0fa13d348535b021a5bdd9a385077e4

SHA512
0bfb5b23c92c107eb0f10bf867230d5b49b551aa234a2b24ff7339571a99520be99214c5e6c781eceab85adecdb71e51f2f6baa5f3019d53db441ecccb8a4730

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a31b5aba81ebbb5aa37507858ae9e60e

SHA1
ad1087d7f303771e92573f65d4b80a6222cbb80e

SHA256
11a49e1400d3262ab331d64b78634aebd41cbb334ed63ddc5a006834f2ffe58b

SHA512
6dc51653a05e8dbda16f3e9db8392277608bfb541912a00d38ed259a3b3cde3896b2ff95feb38e4496d966fb27f6ba04a648a57722f23b98c7eda7c6fc59b248

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
edf7558ae662f46b924821e8a0c4d4fb

SHA1
c4ed1691dc3ae81cf880d8b3e0021f6584b9cbf5

SHA256
6c6a272a72f308dc40aa3f8c26bf08c3c5b942f9976070815ddf8e11c547b32b

SHA512
56220eda23971e3e4ebe3e5fc6cbb04e8f1845a8827159bf5d9af61d620b9a7f77e62ae818fdd8f401c1d5e3b8576b2c8447ac60fbc9cba7c1023f574f122740

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d9c767fb6bdffdea0a96feae521aad77

SHA1
921282f2f6d37c90fb87737b15e7dc5ee5ac9fd9

SHA256
43b6677f90d954b661995a0c332fc456107c038a6247252802c8cfd7b502b3ce

SHA512
5ae4bc27665244e962ed4cfb99ec2902da63ad8bbe9c438d4c2120bd7036eb121441be464aec1de6fa0a27068998e88fca76af7752801d8fadf27890b5337955

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c99c85ef88abf6fb8e2a9455c4b1e01f

SHA1
df2a3020bd84a8cf5503b56cf76f88de1e4f4242

SHA256
6efb96b0ed5e11fe7ff7adbe90f558988558848e4855b1e98e58ec1ed0eab11a

SHA512
95606cd4665303f4bb9728008b147b1dd0173637471093beca6770e4bd1d648fa57f4ec4e9fd8f909e2069c84dea5df0c8a63aee0d3fb3f81d6a14b6c3e26dd2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b5cf2aa1fe66206ca1c101081365c06a

SHA1
1c3d83fde59301598be9f7a49f6ab308ad2d48f7

SHA256
74be89a3b4bde098af298294b75cc87c36f2134ede50914b48a8d0aa3ef4e283

SHA512
d2644cb36eeaf0b2123d06b1ba6126ef36e17031ef26c01eb5a3c0f9a45a7c99735b468219e36c71eb7d86b2477df5119bb67d83caf213c36a0b993386190836

Download Submit
memory/280-84-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/280-104-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/280-90-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/524-192-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/524-413-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/524-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/852-443-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/852-237-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/928-148-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/972-69-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/972-80-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/972-82-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/972-74-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/972-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/972-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/972-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/972-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/972-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/972-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1240-105-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1240-179-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1320-57-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/1320-55-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/1320-60-0x000000000B660000-0x000000000B820000-memory.dmp

Filesize
1.8MB

Download
memory/1320-54-0x0000000000EE0000-0x0000000001064000-memory.dmp

Filesize
1.5MB

Download
memory/1320-56-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/1320-59-0x0000000006010000-0x0000000006158000-memory.dmp

Filesize
1.3MB

Download
memory/1320-58-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/1412-461-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1412-411-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1536-181-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1536-226-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1536-187-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1536-189-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1536-121-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1700-96-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/1700-106-0x0000000001160000-0x000000000121C000-memory.dmp

Filesize
752KB

Download
memory/1700-98-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/1700-97-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1700-102-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/1700-100-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/1716-260-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1716-238-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1740-417-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1740-415-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1740-283-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1740-201-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1740-412-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1740-386-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/1744-120-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1748-388-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1748-410-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1764-159-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1764-171-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/1764-172-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1764-170-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/1764-200-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1764-264-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1764-153-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1804-147-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1864-175-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1864-164-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1864-173-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1864-266-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1984-123-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1984-128-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1984-139-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2076-236-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2076-414-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2168-385-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2184-279-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2184-303-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2188-420-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2252-285-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2368-305-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2400-275-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2400-299-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2420-399-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2560-306-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2560-345-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2696-327-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2696-416-0x00000000006C0000-0x00000000008C9000-memory.dmp

Filesize
2.0MB

Download
memory/2696-328-0x00000000006C0000-0x00000000008C9000-memory.dmp

Filesize
2.0MB

Download
memory/2740-471-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2820-329-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2900-384-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2968-473-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2972-359-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3016-475-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3040-383-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download