blustealer | 5f323f12b134d9f8718282eeb8d8423c9a6f123545cb8fb4ca3a38b6f8092af1

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request for Quotation.exe
Size

1.4MB
MD5

6194f48fb37a6bb1ba0908abc6b1a537
SHA1

0e80a10e34ca8b23e568f871bdc0eef8f1fe63f2
SHA256

5f323f12b134d9f8718282eeb8d8423c9a6f123545cb8fb4ca3a38b6f8092af1
SHA512

7723660cb65c449ffd73ce457d3c7ce93a4d7703452c7d2f68608e4245420e26fc390a435f4cf3538931d6938568266043e3600e3fe943f531ad696990f7ef25
SSDEEP

24576:m9WFfD+P2kVORHUvU/C88Cx+DDs9hmt9EwONE+D3APRgbUTfNugzT:+U4C4Cx+DQU9EwqTAPRgbfYT

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
460	Process not Found
1568	alg.exe
2032	aspnet_state.exe
1136	mscorsvw.exe
1528	mscorsvw.exe
604	mscorsvw.exe
1576	mscorsvw.exe
588	dllhost.exe
1156	ehRecvr.exe
1308	mscorsvw.exe
1608	mscorsvw.exe
532	mscorsvw.exe
1428	mscorsvw.exe
1968	mscorsvw.exe
1308	mscorsvw.exe
1796	mscorsvw.exe
1720	mscorsvw.exe
1688	mscorsvw.exe
1648	mscorsvw.exe
1616	mscorsvw.exe
1868	mscorsvw.exe
2012	mscorsvw.exe
1672	mscorsvw.exe
1940	mscorsvw.exe
920	mscorsvw.exe
1108	mscorsvw.exe
748	mscorsvw.exe
1812	mscorsvw.exe
1728	mscorsvw.exe
1688	mscorsvw.exe
2012	ehsched.exe
748	elevation_service.exe
1720	IEEtwCollector.exe
1608	GROOVE.EXE
1872	maintenanceservice.exe
2064	mscorsvw.exe
2136	msdtc.exe
2284	mscorsvw.exe
2364	msiexec.exe
2584	OSE.EXE
2624	OSPPSVC.EXE
2688	mscorsvw.exe
2792	perfhost.exe
2852	locator.exe
2968	snmptrap.exe
3060	vds.exe
2220	mscorsvw.exe
2112	vssvc.exe
1916	wbengine.exe
1688	WmiApSrv.exe
2616	wmpnetwk.exe
2708	SearchIndexer.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2364	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Request for Quotation.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\locator.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\alg.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\vds.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f32d9a0a5fe7035.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Request for Quotation.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 576	1092	Request for Quotation.exe	29
PID 576 set thread context of 1560	576	Request for Quotation.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C04B3A16-0AA6-4535-B606-13B42F7DBF8B}\chrome_installer.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	Request for Quotation.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{743BA3A4-0131-456D-B24F-4663FF97DAB7}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Request for Quotation.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Request for Quotation.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Request for Quotation.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{743BA3A4-0131-456D-B24F-4663FF97DAB7}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Request for Quotation.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Request for Quotation.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Request for Quotation.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Request for Quotation.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Request for Quotation.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{C6A54867-0FFF-41A7-89B4-9475CD943424}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{C6A54867-0FFF-41A7-89B4-9475CD943424}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1092	Request for Quotation.exe
2052	ehRec.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe
576	Request for Quotation.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	Request for Quotation.exe
Token: SeTakeOwnershipPrivilege	576	Request for Quotation.exe
Token: SeShutdownPrivilege	604	mscorsvw.exe
Token: SeShutdownPrivilege	1576	mscorsvw.exe
Token: SeShutdownPrivilege	604	mscorsvw.exe
Token: SeShutdownPrivilege	1576	mscorsvw.exe
Token: SeShutdownPrivilege	604	mscorsvw.exe
Token: SeShutdownPrivilege	604	mscorsvw.exe
Token: SeShutdownPrivilege	1576	mscorsvw.exe
Token: SeShutdownPrivilege	1576	mscorsvw.exe
Token: 33	1428	EhTray.exe
Token: SeIncBasePriorityPrivilege	1428	EhTray.exe
Token: SeRestorePrivilege	2364	msiexec.exe
Token: SeTakeOwnershipPrivilege	2364	msiexec.exe
Token: SeSecurityPrivilege	2364	msiexec.exe
Token: SeShutdownPrivilege	604	mscorsvw.exe
Token: SeDebugPrivilege	2052	ehRec.exe
Token: 33	1428	EhTray.exe
Token: SeIncBasePriorityPrivilege	1428	EhTray.exe
Token: SeBackupPrivilege	2112	vssvc.exe
Token: SeRestorePrivilege	2112	vssvc.exe
Token: SeAuditPrivilege	2112	vssvc.exe
Token: SeBackupPrivilege	1916	wbengine.exe
Token: SeRestorePrivilege	1916	wbengine.exe
Token: SeSecurityPrivilege	1916	wbengine.exe
Token: SeShutdownPrivilege	1576	mscorsvw.exe
Token: 33	2616	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2616	wmpnetwk.exe
Token: SeManageVolumePrivilege	2708	SearchIndexer.exe
Token: 33	2708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2708	SearchIndexer.exe
Token: SeDebugPrivilege	576	Request for Quotation.exe
Token: SeDebugPrivilege	576	Request for Quotation.exe
Token: SeDebugPrivilege	576	Request for Quotation.exe
Token: SeDebugPrivilege	576	Request for Quotation.exe
Token: SeDebugPrivilege	576	Request for Quotation.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1428	EhTray.exe
1428	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1428	EhTray.exe
1428	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
576	Request for Quotation.exe
2188	SearchProtocolHost.exe
2188	SearchProtocolHost.exe
2188	SearchProtocolHost.exe
2188	SearchProtocolHost.exe
2188	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 588	1092	Request for Quotation.exe	28
PID 1092 wrote to memory of 588	1092	Request for Quotation.exe	28
PID 1092 wrote to memory of 588	1092	Request for Quotation.exe	28
PID 1092 wrote to memory of 588	1092	Request for Quotation.exe	28
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 1092 wrote to memory of 576	1092	Request for Quotation.exe	29
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 576 wrote to memory of 1560	576	Request for Quotation.exe	34
PID 604 wrote to memory of 1308	604	mscorsvw.exe	39
PID 604 wrote to memory of 1308	604	mscorsvw.exe	39
PID 604 wrote to memory of 1308	604	mscorsvw.exe	39
PID 604 wrote to memory of 1308	604	mscorsvw.exe	39
PID 604 wrote to memory of 1608	604	mscorsvw.exe	40
PID 604 wrote to memory of 1608	604	mscorsvw.exe	40
PID 604 wrote to memory of 1608	604	mscorsvw.exe	40
PID 604 wrote to memory of 1608	604	mscorsvw.exe	40
PID 604 wrote to memory of 532	604	mscorsvw.exe	41
PID 604 wrote to memory of 532	604	mscorsvw.exe	41
PID 604 wrote to memory of 532	604	mscorsvw.exe	41
PID 604 wrote to memory of 532	604	mscorsvw.exe	41
PID 604 wrote to memory of 1428	604	mscorsvw.exe	42
PID 604 wrote to memory of 1428	604	mscorsvw.exe	42
PID 604 wrote to memory of 1428	604	mscorsvw.exe	42
PID 604 wrote to memory of 1428	604	mscorsvw.exe	42
PID 604 wrote to memory of 1968	604	mscorsvw.exe	43
PID 604 wrote to memory of 1968	604	mscorsvw.exe	43
PID 604 wrote to memory of 1968	604	mscorsvw.exe	43
PID 604 wrote to memory of 1968	604	mscorsvw.exe	43
PID 604 wrote to memory of 1308	604	mscorsvw.exe	44
PID 604 wrote to memory of 1308	604	mscorsvw.exe	44
PID 604 wrote to memory of 1308	604	mscorsvw.exe	44
PID 604 wrote to memory of 1308	604	mscorsvw.exe	44
PID 604 wrote to memory of 1796	604	mscorsvw.exe	45
PID 604 wrote to memory of 1796	604	mscorsvw.exe	45
PID 604 wrote to memory of 1796	604	mscorsvw.exe	45
PID 604 wrote to memory of 1796	604	mscorsvw.exe	45
PID 604 wrote to memory of 1720	604	mscorsvw.exe	46
PID 604 wrote to memory of 1720	604	mscorsvw.exe	46
PID 604 wrote to memory of 1720	604	mscorsvw.exe	46
PID 604 wrote to memory of 1720	604	mscorsvw.exe	46
PID 604 wrote to memory of 1688	604	mscorsvw.exe	47
PID 604 wrote to memory of 1688	604	mscorsvw.exe	47
PID 604 wrote to memory of 1688	604	mscorsvw.exe	47
PID 604 wrote to memory of 1688	604	mscorsvw.exe	47
PID 604 wrote to memory of 1648	604	mscorsvw.exe	48
PID 604 wrote to memory of 1648	604	mscorsvw.exe	48
PID 604 wrote to memory of 1648	604	mscorsvw.exe	48
PID 604 wrote to memory of 1648	604	mscorsvw.exe	48
PID 604 wrote to memory of 1616	604	mscorsvw.exe	49
PID 604 wrote to memory of 1616	604	mscorsvw.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  PID:588
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1136

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 264 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 238 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 248 -NGENProcess 1d0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e4 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 26c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 278 -NGENProcess 1d0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 1d0 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 238 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 1d0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 1d0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 29c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:588

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:748

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1428

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1720

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2584

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2188
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
91a1f49680834ddf450061cb40e37cf4

SHA1
a474773ffbf8247c835cfcc0089b3c9344dc313c

SHA256
92abc1e2d52185124d367ec2a7a82e35ec382a9af5a5f363d94cb0fbff7c2156

SHA512
163df48b15c5fb82becc91780808e57697508cdd77eda3cd544bbe4b58a376ee9dbe9a8de9a5e93b4be12ddf357eade473154668f9c8fc0463a5242b7eb92290

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
186e895c23dd87d1c2ee154b7ee4b0ef

SHA1
881eb8b71b7b6525b0416405f758db52e46dd29c

SHA256
14fdeb03050e9cb15baa49dda541c05891078e0ef430e4baaf750a94774d56d1

SHA512
b7137d5383c431960f7dfd5d6fee3c04bec4799f60c2cf92c7bff040d3ea6c8b72cfe937c49c5183d5d25fe73ec9a7bd4d5068fd31896e9296f50566d2fd4777

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
07227bc583a8fb4e5e8c5ee8eb590311

SHA1
d0d63fd74fb30e5abc1bc00f09317e2bbeca8434

SHA256
a7f93d144de5e9f7339aaeccdbe487e8e926fc237ee28772bd29d66e6f532b04

SHA512
4ea345bf4a10b1cb9628362527ba201f196c99fc6998339984c6881d948e9e81bf3864b9c095a693939cf391082b3ac9aea6f2e808bc6ad31b156c4af9083e2d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
eadad85b13ee8c3f8d9109afe7fc42e8

SHA1
01c6eaf46df32de162f5358cd95a1511846ddd74

SHA256
9ff06c3194dcba40df133081f502db34ef325e230436ad52dc9891d620a6eacc

SHA512
f48c5c45c7e8944124c04db13478660e79d268a4df8d96bd12d09802ab6b243ae0576ad5714cb28703647aaf75a414055b82e48e71bf7d5e7e6687c7ef4d8933

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
39cf2934166079ae025b4b0261a8a40b

SHA1
ff9b50b71d765467c140bf25d416dff3d3ad4f20

SHA256
e4cfde854df96d79c47774a708e07a6755abcf673c89a9dbf6e0a4f91a970924

SHA512
b7d0dc51eb1c8413b33c254747a1f87c0a63e6a8a88f883e1ea06f45f15f5487e4ab4c487355b7293e49265fbc9cc5de41cc96fc97886f221de1f6e04d046813

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
80b878b71b411b285250f5d77e03ded8

SHA1
793a99e4843cf613d5b176c34ad2d0e74b2d26ba

SHA256
bf483d543349eacdfdf8988dfd6d08adf9ea017965f9e0d757e783c1bd868d1c

SHA512
25f311fd427092639ecabc1b30da7b51c7fe9c60cfcfda01dda917c0aee48f0ac6cd6879dc8f9e8ec9422666c8c72681a1815961d651d2d272258a8b3c56c17e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0a5a1730ed4413cb52f1a8792f007bcf

SHA1
1417c33477970e5678cbe5360f1620404a0780ae

SHA256
74eda48ea3f0d7c34a159d60a295072b54b07af8be4cf10059400d4e1a1d78ca

SHA512
64f52ed1db0845d5317554000f699de25defbe31b7ae645af426462bfd1cea3ec832d5d617ee924eb63a61bb487db42d1e369ed8adb2c6d4b84fd94209c0c0e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0a5a1730ed4413cb52f1a8792f007bcf

SHA1
1417c33477970e5678cbe5360f1620404a0780ae

SHA256
74eda48ea3f0d7c34a159d60a295072b54b07af8be4cf10059400d4e1a1d78ca

SHA512
64f52ed1db0845d5317554000f699de25defbe31b7ae645af426462bfd1cea3ec832d5d617ee924eb63a61bb487db42d1e369ed8adb2c6d4b84fd94209c0c0e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
edf8246265e91d24e33879cface66cbb

SHA1
cf7f52c8a7f846e6d16ef5570f560c5632fa34d3

SHA256
7f17465ece30f03d4dd2b6d30bcd554c97c114e1452d7f8f2f21264ef50e981c

SHA512
a99beeadc901f7c721646153e6784aedb65f59c3225261d0bd63c87103d64f2fba95e4a7ec8cf85ec32a8f9b198ddd9cd5267a9bf88369b1a6aba9a047fdc822

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
10914119937a2e4bcc8ecc1975afef7e

SHA1
8a6f6177f3dfc5d14c04ad38effc91c1bd555bb2

SHA256
de60016a86b136df3d8b8d9fc59986ed7f60e680535e466e29242aa85967ed17

SHA512
5064cbc5c5a73c7ab4451cdb24bb355d946ccf6e2e670fbe905ae3ecce9a67eff0557ae751fee2628aa65361d41de4d50f35ab336d94d5d22d3e2c2caceacb32

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c45a8baf8bbff982c953bc266da4a949

SHA1
e4716595b82f1df6f009a76595b0ccefd8977395

SHA256
3a1daba09388266376e968ba1318a9716f6710f861db856302f1646049fed696

SHA512
0dba0aff8586dd6da45a1f6d478ad24188afd7ae8f89f352735dd92636aa131adcb43f293335ec9c2ec8545d01e89b5a75a9c6a49f325920f47dfa94daa016ba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c45a8baf8bbff982c953bc266da4a949

SHA1
e4716595b82f1df6f009a76595b0ccefd8977395

SHA256
3a1daba09388266376e968ba1318a9716f6710f861db856302f1646049fed696

SHA512
0dba0aff8586dd6da45a1f6d478ad24188afd7ae8f89f352735dd92636aa131adcb43f293335ec9c2ec8545d01e89b5a75a9c6a49f325920f47dfa94daa016ba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c45a8baf8bbff982c953bc266da4a949

SHA1
e4716595b82f1df6f009a76595b0ccefd8977395

SHA256
3a1daba09388266376e968ba1318a9716f6710f861db856302f1646049fed696

SHA512
0dba0aff8586dd6da45a1f6d478ad24188afd7ae8f89f352735dd92636aa131adcb43f293335ec9c2ec8545d01e89b5a75a9c6a49f325920f47dfa94daa016ba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c45a8baf8bbff982c953bc266da4a949

SHA1
e4716595b82f1df6f009a76595b0ccefd8977395

SHA256
3a1daba09388266376e968ba1318a9716f6710f861db856302f1646049fed696

SHA512
0dba0aff8586dd6da45a1f6d478ad24188afd7ae8f89f352735dd92636aa131adcb43f293335ec9c2ec8545d01e89b5a75a9c6a49f325920f47dfa94daa016ba

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2d7f4240d038e7d6c51ff2a5f867f04e

SHA1
6fac9e2df7b3482f97c5520ae08a116173280657

SHA256
629f272510ac05642e7bac02908a01b3753358ff3c249a80b95c0ccbcbd434fd

SHA512
0ba25ce12f966e9f97dd2371c2d6278f8d7560ab7b9bcbbe0f5f1d302ca7187617210ab9ff63a4d8f3ee340340ae911b1b604b39531cb65bda18c09454f05250

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2d7f4240d038e7d6c51ff2a5f867f04e

SHA1
6fac9e2df7b3482f97c5520ae08a116173280657

SHA256
629f272510ac05642e7bac02908a01b3753358ff3c249a80b95c0ccbcbd434fd

SHA512
0ba25ce12f966e9f97dd2371c2d6278f8d7560ab7b9bcbbe0f5f1d302ca7187617210ab9ff63a4d8f3ee340340ae911b1b604b39531cb65bda18c09454f05250

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
388722ec93d6ead9f94bae403fe4bb31

SHA1
fe2626030620df60cbdd61466fee51689d0f64c4

SHA256
df18e6306510dd9a879cb8041212c20dbcea2774aca1643a53f051dd8757a542

SHA512
da6928ecc479701f99872fcb251e5e337049400e2a815f84b4369c8f87f2fbe25118e208c3057b442925411c443ed0472a864462cbdb5209329d749470e7cd51

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e3520ac56832a9d1964b524f97327ece

SHA1
59fd4a28e9cc638609a73220abd270ddb6fa2936

SHA256
2b95fd0de1e043b053c20ae5c9fd39a6af89ac640e01c0a7f3f4761aa08e40ac

SHA512
9d61ed578c8f91d9d336268dc6974881df0737780731533f29529dbabf6c108f4876ace46f2ba75b192fac3ef3e837827ab22a391cb7fbcee23c23a5bc7e06f1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4b5045bb4664aa360fd93c406e4229f7

SHA1
92a1330b768a3d3c293be57a9075880834142301

SHA256
f9074c630858641de7a605d1c9dc552028705b458ea5b979fb3f86ab7d652c0f

SHA512
1e781877b6774b920fdd15d69dddb15c461e25797bf1bd8d4d585d10cbd9158432aad47ef924121aacf31fd11c2c8faaf53ca8673f3211ee22173d4ea2698042

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
456f60e6d653d4933be559ef14659a9c

SHA1
dd3d1c129c2fb9e6b74a8e152d4c839ab8bd9b15

SHA256
97f542f417753ba997f8fd130a1deae522451ffae7abe8c5246740fe0389587f

SHA512
83b4e2643422a68cdc5ea8f4cdeab03b083e9beba3b746697e764194c1298144c111aa4259c94da1d2ed02d016ff20d3d0ab31834c75a64d1680b881f8936d0b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
719c73955129b7dd27b8c263b7e54319

SHA1
10410e0ac5c0e75192b9011b26c44141f17ec698

SHA256
301cf3c975b0075f7b65befdd578054b7b82ff32bb9f68a8be58a137f17d63d3

SHA512
2554301b489c535b660c682dfdf3971b23816138bd0066001540e79632378d84a9f4f9528d52d167f76e684f0a3968435bd774d63c8a5b196db4ec6c94f0394f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
21c9de1a1665a752c9533746357373ca

SHA1
3ce1c15cc765550ac207ef14284044520307e1d4

SHA256
cfba97dba9f7feaa14ed5927230a1509475001e5c5b0ce46ba70efa089c3a54f

SHA512
6f0db7164ffd47e9107125cab1d715c355254b58e2e66f907af7168de3f4e0870a31b1349b26d2506d7f5e51a1dabc6d86455c2af8973895080ce0b7f12ae3fa

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a08e51473ad6310dbed594ff43f9a79a

SHA1
f26ee6165e193c7533c1fe22b8d21b2938bcbea9

SHA256
880fc3db705ebe5860c6088fe826620f44ba58e0c499ad182be7d6b800eb47e5

SHA512
c82027e369db827846332b0a7723c213d9117391056862df983ea7d759b4bc6425248553fc4f4bb48ff8ad53ae13b38697fc25a60b84b3a5a6dd397cf797b811

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9d4e962432ebca576cf53ce18276d6d1

SHA1
9aaac98c5d2e12f040888c1c456be3b69b134eed

SHA256
13fd5b660a1b2dc76e7084182d13e53bd52d984f9190250b6e60d59eebf10865

SHA512
2435033f3e21a99b7eb6292a91cbb573825ea3223747d88f93d57bb76d7c66928ee8ab6d89b53b12985e52c6591dc37753ec035cf2142ab98ef001b31b0b9782

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a61335ff1d08ae9f38f0159a19ed8dcf

SHA1
0a2882daf2fc0fe0a8de4ceb77adcdf243c30d27

SHA256
7fb75380cebff304809433821e9f892e0baa96d42255c1a9d0196f604257519c

SHA512
4b653da0fe572e6af24c368a68301e1a0866b248246cf1aede3bd81f3d926bcefedc37b50919aabd44572e1ab72683f56668d2fe62f574ab65c8c88aa0e70981

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bcff049fe8efd7b0eeceb36bdf9d1190

SHA1
9950d24461a2d418c8b5ccbdaf882722808b70af

SHA256
3f5dc764c5471ae1b3a1647d3df260f1eda33d81612ea02b78a9bab7be1cb0f0

SHA512
7f2fb011d55ebc5931f929e4fdfda66d8f03ad1c7af3fe1148d3b1bb5440609970f7a1cd35e3a88b087bec1b65fdccda59c077440417f111c31088e6fb7e49f2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
640b5845bb9c1ebd6acf8fe7c8559bb2

SHA1
352939156b22ba93c29c0c8bbc31957364cd0b92

SHA256
b1eb2d93a2c95ee0d09dcd5e688d1e7618dbb4f37fce48cfe9303f122bbc1805

SHA512
3cd47bcd5a724e83ba69802f611c269c5e0d3a0379717cb91530c34dbf1fc9540c92fc3f78c0cc5993a4b6e9cc36aff973cf5cd55c7b9a8f6e9bc33c9ed56d41

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e0cd0ea169a459bbe9e288ea12b2f8cc

SHA1
6549d6ba494eee435adef78a199e870f9a895bf5

SHA256
3b3a32ccb0d62265a1e8a8b02fcb65a920847f096a0362e4eb46979212675cec

SHA512
aaf0301b88517961fb18b8254853db9a7cdbbfdbfc5301550263267abb00385a37c8e7121792eca4692bc07fbed8b5c805ec184fa12da38372709dc01e507ea9

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
ac64d3089976fa5a0069cfda14baefdd

SHA1
a7a8e3d6f12c5b106f18908ecb76de9dc5b8cfaf

SHA256
c7a8325ecbc6adc63923905dfff66ad38bec746f05453598db80db10ffceac61

SHA512
d3c30e10ea8757fc389469d076e6d5f2c321e95a3ac005403388df5a14534ec389b9075d6848a5088dc290c59e2d1c0c96248d48f15e31358c233313616dc86f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
a61335ff1d08ae9f38f0159a19ed8dcf

SHA1
0a2882daf2fc0fe0a8de4ceb77adcdf243c30d27

SHA256
7fb75380cebff304809433821e9f892e0baa96d42255c1a9d0196f604257519c

SHA512
4b653da0fe572e6af24c368a68301e1a0866b248246cf1aede3bd81f3d926bcefedc37b50919aabd44572e1ab72683f56668d2fe62f574ab65c8c88aa0e70981

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0a5a1730ed4413cb52f1a8792f007bcf

SHA1
1417c33477970e5678cbe5360f1620404a0780ae

SHA256
74eda48ea3f0d7c34a159d60a295072b54b07af8be4cf10059400d4e1a1d78ca

SHA512
64f52ed1db0845d5317554000f699de25defbe31b7ae645af426462bfd1cea3ec832d5d617ee924eb63a61bb487db42d1e369ed8adb2c6d4b84fd94209c0c0e2

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
10914119937a2e4bcc8ecc1975afef7e

SHA1
8a6f6177f3dfc5d14c04ad38effc91c1bd555bb2

SHA256
de60016a86b136df3d8b8d9fc59986ed7f60e680535e466e29242aa85967ed17

SHA512
5064cbc5c5a73c7ab4451cdb24bb355d946ccf6e2e670fbe905ae3ecce9a67eff0557ae751fee2628aa65361d41de4d50f35ab336d94d5d22d3e2c2caceacb32

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
456f60e6d653d4933be559ef14659a9c

SHA1
dd3d1c129c2fb9e6b74a8e152d4c839ab8bd9b15

SHA256
97f542f417753ba997f8fd130a1deae522451ffae7abe8c5246740fe0389587f

SHA512
83b4e2643422a68cdc5ea8f4cdeab03b083e9beba3b746697e764194c1298144c111aa4259c94da1d2ed02d016ff20d3d0ab31834c75a64d1680b881f8936d0b

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
719c73955129b7dd27b8c263b7e54319

SHA1
10410e0ac5c0e75192b9011b26c44141f17ec698

SHA256
301cf3c975b0075f7b65befdd578054b7b82ff32bb9f68a8be58a137f17d63d3

SHA512
2554301b489c535b660c682dfdf3971b23816138bd0066001540e79632378d84a9f4f9528d52d167f76e684f0a3968435bd774d63c8a5b196db4ec6c94f0394f

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
21c9de1a1665a752c9533746357373ca

SHA1
3ce1c15cc765550ac207ef14284044520307e1d4

SHA256
cfba97dba9f7feaa14ed5927230a1509475001e5c5b0ce46ba70efa089c3a54f

SHA512
6f0db7164ffd47e9107125cab1d715c355254b58e2e66f907af7168de3f4e0870a31b1349b26d2506d7f5e51a1dabc6d86455c2af8973895080ce0b7f12ae3fa

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a08e51473ad6310dbed594ff43f9a79a

SHA1
f26ee6165e193c7533c1fe22b8d21b2938bcbea9

SHA256
880fc3db705ebe5860c6088fe826620f44ba58e0c499ad182be7d6b800eb47e5

SHA512
c82027e369db827846332b0a7723c213d9117391056862df983ea7d759b4bc6425248553fc4f4bb48ff8ad53ae13b38697fc25a60b84b3a5a6dd397cf797b811

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9d4e962432ebca576cf53ce18276d6d1

SHA1
9aaac98c5d2e12f040888c1c456be3b69b134eed

SHA256
13fd5b660a1b2dc76e7084182d13e53bd52d984f9190250b6e60d59eebf10865

SHA512
2435033f3e21a99b7eb6292a91cbb573825ea3223747d88f93d57bb76d7c66928ee8ab6d89b53b12985e52c6591dc37753ec035cf2142ab98ef001b31b0b9782

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a61335ff1d08ae9f38f0159a19ed8dcf

SHA1
0a2882daf2fc0fe0a8de4ceb77adcdf243c30d27

SHA256
7fb75380cebff304809433821e9f892e0baa96d42255c1a9d0196f604257519c

SHA512
4b653da0fe572e6af24c368a68301e1a0866b248246cf1aede3bd81f3d926bcefedc37b50919aabd44572e1ab72683f56668d2fe62f574ab65c8c88aa0e70981

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
a61335ff1d08ae9f38f0159a19ed8dcf

SHA1
0a2882daf2fc0fe0a8de4ceb77adcdf243c30d27

SHA256
7fb75380cebff304809433821e9f892e0baa96d42255c1a9d0196f604257519c

SHA512
4b653da0fe572e6af24c368a68301e1a0866b248246cf1aede3bd81f3d926bcefedc37b50919aabd44572e1ab72683f56668d2fe62f574ab65c8c88aa0e70981

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bcff049fe8efd7b0eeceb36bdf9d1190

SHA1
9950d24461a2d418c8b5ccbdaf882722808b70af

SHA256
3f5dc764c5471ae1b3a1647d3df260f1eda33d81612ea02b78a9bab7be1cb0f0

SHA512
7f2fb011d55ebc5931f929e4fdfda66d8f03ad1c7af3fe1148d3b1bb5440609970f7a1cd35e3a88b087bec1b65fdccda59c077440417f111c31088e6fb7e49f2

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
640b5845bb9c1ebd6acf8fe7c8559bb2

SHA1
352939156b22ba93c29c0c8bbc31957364cd0b92

SHA256
b1eb2d93a2c95ee0d09dcd5e688d1e7618dbb4f37fce48cfe9303f122bbc1805

SHA512
3cd47bcd5a724e83ba69802f611c269c5e0d3a0379717cb91530c34dbf1fc9540c92fc3f78c0cc5993a4b6e9cc36aff973cf5cd55c7b9a8f6e9bc33c9ed56d41

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e0cd0ea169a459bbe9e288ea12b2f8cc

SHA1
6549d6ba494eee435adef78a199e870f9a895bf5

SHA256
3b3a32ccb0d62265a1e8a8b02fcb65a920847f096a0362e4eb46979212675cec

SHA512
aaf0301b88517961fb18b8254853db9a7cdbbfdbfc5301550263267abb00385a37c8e7121792eca4692bc07fbed8b5c805ec184fa12da38372709dc01e507ea9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
ac64d3089976fa5a0069cfda14baefdd

SHA1
a7a8e3d6f12c5b106f18908ecb76de9dc5b8cfaf

SHA256
c7a8325ecbc6adc63923905dfff66ad38bec746f05453598db80db10ffceac61

SHA512
d3c30e10ea8757fc389469d076e6d5f2c321e95a3ac005403388df5a14534ec389b9075d6848a5088dc290c59e2d1c0c96248d48f15e31358c233313616dc86f

Download Submit
memory/532-181-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/532-186-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/532-191-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/532-202-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/576-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/576-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/576-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/576-229-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/576-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/576-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/576-76-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/576-74-0x00000000000F0000-0x0000000000156000-memory.dmp

Filesize
408KB

Download
memory/576-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/576-69-0x00000000000F0000-0x0000000000156000-memory.dmp

Filesize
408KB

Download
memory/588-155-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/604-125-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/604-139-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/604-115-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/748-373-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/748-421-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/920-347-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1092-56-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/1092-59-0x0000000005CC0000-0x0000000005DF8000-memory.dmp

Filesize
1.2MB

Download
memory/1092-57-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/1092-55-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/1092-60-0x000000000A4E0000-0x000000000A690000-memory.dmp

Filesize
1.7MB

Download
memory/1092-54-0x00000000011A0000-0x0000000001306000-memory.dmp

Filesize
1.4MB

Download
memory/1092-58-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1108-361-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-111-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1156-151-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1156-156-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1308-171-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1308-166-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1308-231-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1428-214-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1528-112-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1560-114-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1560-118-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1560-137-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/1560-135-0x0000000000C30000-0x0000000000CEC000-memory.dmp

Filesize
752KB

Download
memory/1560-126-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1560-122-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/1560-116-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1568-89-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1568-107-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1568-83-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1576-157-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1608-464-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1608-178-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1608-190-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1608-169-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1608-173-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1616-293-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1616-281-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1648-282-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1672-326-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1688-395-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1688-476-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1688-268-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1720-433-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1720-257-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1728-396-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1796-247-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1812-372-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1812-383-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1868-302-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1872-486-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1872-472-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1940-328-0x0000000003D40000-0x0000000003DFA000-memory.dmp

Filesize
744KB

Download
memory/1940-339-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1940-327-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1968-225-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1968-213-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2012-404-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2012-314-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2032-110-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2052-499-0x0000000000820000-0x00000000008A0000-memory.dmp

Filesize
512KB

Download
memory/2064-508-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2064-474-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2136-502-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2284-513-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2284-496-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2364-505-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2364-507-0x0000000000560000-0x0000000000769000-memory.dmp

Filesize
2.0MB

Download
memory/2584-519-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2624-543-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download