blustealer | 2bfafdc20b461ef574d77bd7c29d586c6a7c3ad6b3ad9bbecab8c014308b07d9

Analysis

max time kernel
138s
max time network
157s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.7.exe
Size

1.5MB
MD5

e67a119b25c041892a38c6147fd54c60
SHA1

8c3c63629929b9754c62fbad1e731f33758d2d2d
SHA256

2bfafdc20b461ef574d77bd7c29d586c6a7c3ad6b3ad9bbecab8c014308b07d9
SHA512

414e8de5219f34c4abcf885444dfab93e794abf69808d9c2e9e70f8de806da9e2159ba3d58dec41991be675955d7bb99b596e6b358a4cf7b3a32881cbbad1776
SSDEEP

24576:OwwBIEAbPY00PXKtW93ZwJGRNI7MhXOd+DsyFqcpVsZB4yYH:0BIENBvDIwmeqcpVSed

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
464	Process not Found
1528	alg.exe
1656	aspnet_state.exe
1712	mscorsvw.exe
1624	mscorsvw.exe
1080	mscorsvw.exe
840	mscorsvw.exe
588	dllhost.exe
1020	ehRecvr.exe
836	ehsched.exe
2036	mscorsvw.exe
1340	elevation_service.exe
288	IEEtwCollector.exe
1796	mscorsvw.exe
1636	GROOVE.EXE
2064	mscorsvw.exe
2192	mscorsvw.exe
2348	mscorsvw.exe
2440	mscorsvw.exe
2540	mscorsvw.exe
2632	mscorsvw.exe
2732	mscorsvw.exe
2824	mscorsvw.exe
2916	mscorsvw.exe
3016	mscorsvw.exe
2108	mscorsvw.exe
2112	mscorsvw.exe
2308	maintenanceservice.exe
2456	mscorsvw.exe
2428	msdtc.exe
2644	mscorsvw.exe
2684	msiexec.exe
2796	OSE.EXE
2812	mscorsvw.exe
316	mscorsvw.exe
2280	OSPPSVC.EXE
2916	mscorsvw.exe
304	perfhost.exe
444	locator.exe
2380	snmptrap.exe
2276	vds.exe
2408	vssvc.exe
1604	wbengine.exe
2740	WmiApSrv.exe
2732	wmpnetwk.exe
2296	mscorsvw.exe
2884	SearchIndexer.exe
2704	mscorsvw.exe
1468	mscorsvw.exe
2900	mscorsvw.exe
2088	mscorsvw.exe
2968	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2684	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66baccafdecfa14c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 672	1428	Quote 1345 rev.7.exe	29
PID 672 set thread context of 1052	672	Quote 1345 rev.7.exe	32

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Quote 1345 rev.7.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{331E3A86-C1EE-4A67-8719-4A3B0957A39C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{331E3A86-C1EE-4A67-8719-4A3B0957A39C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{B09EDC68-B4D6-4F1A-A7AC-CFB9D343904B}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{B09EDC68-B4D6-4F1A-A7AC-CFB9D343904B}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1428	Quote 1345 rev.7.exe
1520	ehRec.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	Quote 1345 rev.7.exe
Token: SeTakeOwnershipPrivilege	672	Quote 1345 rev.7.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: 33	1504	EhTray.exe
Token: SeIncBasePriorityPrivilege	1504	EhTray.exe
Token: SeDebugPrivilege	1520	ehRec.exe
Token: 33	1504	EhTray.exe
Token: SeIncBasePriorityPrivilege	1504	EhTray.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeSecurityPrivilege	2684	msiexec.exe
Token: SeBackupPrivilege	2408	vssvc.exe
Token: SeRestorePrivilege	2408	vssvc.exe
Token: SeAuditPrivilege	2408	vssvc.exe
Token: SeBackupPrivilege	1604	wbengine.exe
Token: SeRestorePrivilege	1604	wbengine.exe
Token: SeSecurityPrivilege	1604	wbengine.exe
Token: 33	2732	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2732	wmpnetwk.exe
Token: SeManageVolumePrivilege	2884	SearchIndexer.exe
Token: 33	2884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2884	SearchIndexer.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	840	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1504	EhTray.exe
1504	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1504	EhTray.exe
1504	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
672	Quote 1345 rev.7.exe
364	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 536	1428	Quote 1345 rev.7.exe	28
PID 1428 wrote to memory of 536	1428	Quote 1345 rev.7.exe	28
PID 1428 wrote to memory of 536	1428	Quote 1345 rev.7.exe	28
PID 1428 wrote to memory of 536	1428	Quote 1345 rev.7.exe	28
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 1428 wrote to memory of 672	1428	Quote 1345 rev.7.exe	29
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 672 wrote to memory of 1052	672	Quote 1345 rev.7.exe	32
PID 1080 wrote to memory of 2036	1080	mscorsvw.exe	40
PID 1080 wrote to memory of 2036	1080	mscorsvw.exe	40
PID 1080 wrote to memory of 2036	1080	mscorsvw.exe	40
PID 1080 wrote to memory of 2036	1080	mscorsvw.exe	40
PID 1080 wrote to memory of 1796	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 1796	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 1796	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 1796	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 2064	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2064	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2064	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2064	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2192	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2192	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2192	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2192	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2348	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2348	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2348	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2348	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2440	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2440	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2440	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2440	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2540	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2540	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2540	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2540	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2632	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2632	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2632	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2632	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2732	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 2732	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 2732	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 2732	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 2824	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 2824	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 2824	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 2824	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 2916	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 2916	1080	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe"
  2⤵
  PID:536
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1052

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1712

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 240 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 274 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 280 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 288 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 27c -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 1ac -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a8 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 158 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 158 -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:588

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1020

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:288

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2796

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:444

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e6ff3b3b7eb175e07777b37c823de3ed

SHA1
ca91c8fd3859f52da31462648275613b20f1427d

SHA256
bc685338b44df734815e134d184888e561a7d99c76c40c8da7ec413ca8435856

SHA512
68596bf59c337fd96913fd5705ac8561e57bea3cbd1ad4cc190f18113b19c8f9ba663068c8fdb9608009b617ddd7cdb09ac12181748a6da0e1d4b8c358b9220d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
910a8707d8cfbefe9280628f0e526464

SHA1
03046f8efcd381d0549f9e918a725c360b1e5e41

SHA256
07677dc3889f07c11f040282cdbe8fea85ba048984ce6fb25e49f2fd20819be0

SHA512
f412d0c8c3aff709dcae42bdede45f89175c39b8c1afccaa25ab471685c9b7e666ac83487404f0e22c4a642bddb9e0bf463ba5438e3dce36569dc8060aee9bb3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
efc6edeb94f8a9585a55aa527f4582c0

SHA1
529090413014d18a15cb8f50dbc53d78d79ed841

SHA256
526ac930c00a281e3712420843b94bdfecae7f58fcbfd8eff154f94764fe987d

SHA512
24e65439bcb337f2751e29abee0d8780cac61a7da122bb5543ec3cae75643038ec96ba4658d8f35fcdc7896db4a924adb78edbb4bb6b91030c10715bc02279d2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c042494c91999f6db304c2c5bd42cea1

SHA1
0c9ec1b6398b58f3383dc598e9d6db428390473f

SHA256
e8389b4f876b864756477f513ab2bb5a98c89d07161defbdd59473429e89dc43

SHA512
41a5e07ca0f9fdb73f9b8ffe556a1ffa1c81f4cd7f6bdbfb68fb26417bc87ee815b1566ae53c1f28143974578b99705b10fc628e2be9dee7f9ffa3ac8f899dae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6c099f9addfee597538ad7251abb5577

SHA1
9cef094c53a274fef2d9a6e775c29e8ef2df5ac6

SHA256
144007fa390d079965daab72d69608916c2deeb62f38c895953e7cfa57479024

SHA512
4269088e1f51826605632a12ffc7e2e8fb8f0c514644a080e886c6210a32512e2d8303d607b5cb2bb35bf399f80658c1a6d95d1a72f5942341c1743b85b982b4

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bca9f8cc5bc07793ba5bda933baa2a79

SHA1
ec4222fbf79f4510d710910f14d69c2f442a000e

SHA256
d283b37b488ccd181b6e16dc8c863b1c908275c11bc8fa8b3ba5968759db4b5f

SHA512
99de4c8a3f25884f2913d79ab7901296031930a87c75383318a994a185061ac5009665f944d31683c604e4e6cb14d9e3ed4b5d779fa89b68b9d56f6b97c9f3f6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bca9f8cc5bc07793ba5bda933baa2a79

SHA1
ec4222fbf79f4510d710910f14d69c2f442a000e

SHA256
d283b37b488ccd181b6e16dc8c863b1c908275c11bc8fa8b3ba5968759db4b5f

SHA512
99de4c8a3f25884f2913d79ab7901296031930a87c75383318a994a185061ac5009665f944d31683c604e4e6cb14d9e3ed4b5d779fa89b68b9d56f6b97c9f3f6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b8fc40bd08e985305a8de99d6411e06c

SHA1
0f5665d7c61dbbb7c42cb2e032bdd0629900af47

SHA256
2acd0784a127ae8d5d2a6e0c7e6d448b8b0a3402189dd2db883d16b7d51214f4

SHA512
03368dd4bcb5aaa49da17f18f3a3b3baa432ec0c500a28cbda67894566cbb6855f6547d633f5a35e440befeca5500e204f8c1729f6b6f32cf6336fcac4c4b082

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
4560b2c7f722c04ab86e4bcca20b124f

SHA1
ed5753893b13dadc6a36137a6be369e78a237bb1

SHA256
96854389ec41abf8d2f52c4a474fe2b0cd7efa1be581b8cbd83166845c3a3a56

SHA512
5c2622f4d905952e745d66cbc9984cf1a967209c6e1fe94b1fd31a99b489edb4fef474dcf4c005e71995a488b08d06bebba9f16e9f4e3e022a6a531ccbf1e34c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c125ba01c43c77d490cca45550640d49

SHA1
90296d51ee3d9c65a62e54fc5afc6c02bfc1589e

SHA256
cd311ee07a9502f584f0b38bb1ca5f012280b5dd59c4e0fe71a9f4aa5a74bc18

SHA512
61c38f97a5a62a1f6a935b94ebf60f79559ac103f8ec78d652e672c6d863b41a7f52f0dd747b0fc26c1f06dce491dbac2e694f8be4aec408e2314954c1e31b6a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c125ba01c43c77d490cca45550640d49

SHA1
90296d51ee3d9c65a62e54fc5afc6c02bfc1589e

SHA256
cd311ee07a9502f584f0b38bb1ca5f012280b5dd59c4e0fe71a9f4aa5a74bc18

SHA512
61c38f97a5a62a1f6a935b94ebf60f79559ac103f8ec78d652e672c6d863b41a7f52f0dd747b0fc26c1f06dce491dbac2e694f8be4aec408e2314954c1e31b6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b48da53390b150da29263ccd2d2d1c11

SHA1
08e91d3f076a688957cf7e767327bb515519142e

SHA256
61e30f2f38a15149e8e0017653ac02cf17d88da3e7a9747da1cfaaa2a1a52011

SHA512
3398c3c442f00d13a717b801b542cc30f082c60cceeb97e4a94964969045e201a95f27beac956e687e77ce5d1f454117f4640cf93dfe8a49deda05e673cae5b4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b48da53390b150da29263ccd2d2d1c11

SHA1
08e91d3f076a688957cf7e767327bb515519142e

SHA256
61e30f2f38a15149e8e0017653ac02cf17d88da3e7a9747da1cfaaa2a1a52011

SHA512
3398c3c442f00d13a717b801b542cc30f082c60cceeb97e4a94964969045e201a95f27beac956e687e77ce5d1f454117f4640cf93dfe8a49deda05e673cae5b4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
664acf11697453abf24803386c8dbd53

SHA1
9883cb6c169fed1224a0fea355a427bacae5f1b1

SHA256
17fbf4b61de20d5088f029ef0793f1e9bbadb112ba85a9be380730dcb4d0aebb

SHA512
faebf63892df55fdcf4435667b8eeafdd3daac45d0f2aa4645e57a4ee9c8762a73c18c52d1790f9a04637ebc96a9ada9913c0a1b2ea012d76564d979d131a192

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5088f30c0c34362273b5159d489a0138

SHA1
39cce22d6254ba1796832129cc4e504865154642

SHA256
20c40f2c728ba404f6b4d912c2f433a5a61e4d6569b4187b03b8f39369db356b

SHA512
6a7d4e75e154bbf6ae3ca63414b8f7aa5a8aaadd8e533126adfdddf1cd02551d8cbe7d45cd981f1d1c57c395da2042866f380daa55bdcb3e07f18256c93ccd94

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
741a40c86df774e7ae29354649ea3ff5

SHA1
adfcbd54cf55a42e37c6f7376fb410cecca1ef84

SHA256
8864a83b44d2fabdbb3d940aa5481bf9aafeb4b3c1dcc6cfcc45254367fadd5b

SHA512
58cd762108d310efaed717fc422942020216f0d777da58322b26d08af29b98d37f7b68d487b918ec81800bdb1e01d75f0582ff2c67dc698fb503ef4397241c9e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ed9ab8767cf1d846db459bbae2fce6c5

SHA1
6658e54675a804115c2805f5457e3a09eee76cee

SHA256
84dab25ca60d0c1d9b00c62151526641af014e2cc484353ac2eac54d324f9995

SHA512
dd825339362c385a4595d28ff9cdbbd6535851a02f38f793eac8cdf5a163ab325c20c16620000eb97df5e459284df76e8b1d27369f11a228ee8c0a2241ee7f3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
9384a1e737becc28586e48f31b8a0b1f

SHA1
07bfd4fafe763ce0c1b8155e958311f3a314f4cf

SHA256
2203afbc2fb817bdb5244b0a4c0d34508730ef3276474dceba37a0ed2d3ce303

SHA512
68ce94665e07e23090256d573a95ca41a722487d7e9bf877c6092f18a07bf8ba5588f9dad8f29ef21887b1dfeb4aa3ffb770189c5e7a718b7b7f0684f593c16d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bb8d7d000c22446e6de1d0710d9d32f1

SHA1
55603b869b3d2b50f2d6cdd40cee7d9573ab198c

SHA256
1e3e283ae567e039a130accba08106c0fdc16365c2add59b10b5bc356844d9d5

SHA512
df0c4723ae03561e0c7bf209615f12d51fb97bcdb816a90f235364249e1e321f399665bcdf27a0babc1f72d0fd4f230a5d9e811d33ae2d03d8e9676dc61b0465

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
7dacf3c8e894bad12a7e9c37ffd93f7f

SHA1
3c327471ac21ea9a618087914767df103017fe8a

SHA256
ece666035c949175abe15432838bded8ea5089f1d5c1cfd18b9177164af249ac

SHA512
2dd75c81971d207b5bc0eaa931324da77a172657a3b89a95189f987a214b89cbd88d7d5907f0612447ff6b6640b9ce087013b1b07ed36dd10d82c7b62de3bf22

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
32173620b9931f6ed2fd2083c026d8b9

SHA1
14e4abe2eac1852efff099c770c88ec0a2333bea

SHA256
1348d0a45fea322f02df52732581ce9463d0064b10ca08665624f24a7ffc8099

SHA512
0d5ff434e5ca2b4e6161d98ce63ddddbba035c58d9cb6bb341b175b295143eb8166514edb3c13b1dd482e6b7027ccdb2f3dac51cdf9d1b0e116121abb3c5f6d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
20580614a775b92175884837ec6aefb5

SHA1
b557e97cb011211a5449e2ebfa159ef62c7ace11

SHA256
44fa10473821877dceeb84fd3b1fbbfe6eced4f107323fab7949b7b4c858eb09

SHA512
b96c51c6a99f5c2cb4287610b4ad5539400fd054be790ccd66d6ee2c0e499c7f9f368becf05b83ff0e433fad2358bbfe9ce9433e7c02f555cec8f43f8109e6ae

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
19651b978f612363cb78d05cfd225606

SHA1
59278401e5a209c4c896144c7361425fdc8e28db

SHA256
29d8f16402a60e3f80cfffee410b45249738f968c446ef6d785d3bc768cd170c

SHA512
eae3156cd362c2daceb578ff47627efaaf22e7292f644b0361eec340bda1b0847efc2f2be14c6a3f0bf968d55ade7ddd1225dc685fb9cc9fa05295a431e25f08

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f6ffbd0b2a7820016d65ef5ae83a0b1b

SHA1
b680e9b40df2d3acb6c61cd37c91e449d50318a2

SHA256
762d192d920acc8535ee8f2d747461ac5baa26b54a020e3d2777eda48892a2aa

SHA512
d5e80114c4e31b551d0a28b9e0be13038701b5e25bfc1b38bc24e7cc1d19ca18001abf3f3357b95b310d502cbde733947fc386262441858244ed431641ca1b1c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
eb0f76d730781854df72cdacdbe99741

SHA1
f72568a8b0bd207595b260a0d547ea601047d543

SHA256
b3286cf295309cc9f2c0fb5e1bb829835a38ff30ebf808719346b70ec6b26b80

SHA512
bcc15770609aeb63af63206b44860802644d5fe4c08835589ca136b6cb58e83ae66447d2a3514ce757d761c6e8051e491caa343c6d77759b2ff1ff39ea68af9f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8df503f238ed8f61239a14b69674e0b9

SHA1
1da81becf31c6fb55232fae17e602a1a267748ed

SHA256
995b350d352ed2e8cec3484fb89acedda0f6550fd26ec91046e4c968df2f3eaf

SHA512
f3b6bb4c05777d7bae4ffbce9ad8ce544fbc6c268e1cc1ab5c5c24ada6097527db8c25b5ab19bb930f3093997d27f679c3d7205c1689b161dc9408431197d5d2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5fe6d57d8ae09ae408acd7163cb5dea5

SHA1
5a8c42cd5e6c5520d6f5bf9d74511b764771544b

SHA256
cf0d8c1eeab4ae622c852eba5619a0e545d926ff2944650c569bad8a288f199e

SHA512
80d040c044352dc152e930db9b77871590d8fcc53f7235611f68c88a8e59b38369959fb960d3623820ccc2eb9bcdddc733870ab644d6f8a53a3c07fa3f442b5d

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d9014788d301b7b415165d3c6e4554ea

SHA1
ddfa9ab5cd04d437759124e0b48d1a1ec1f91119

SHA256
3e2171020086bce1007b064f05312863e4795ad313cecfccdea46c5c263a19ee

SHA512
0d140a2736891ce8866c3a3e345b331446be7575d7891f6aed1100f380c3f8b1175c367b5e5fbe0ec318f8849a905c235d677dbeaafc11e171c12e14b47d8690

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
030580b512ba7d64659da2a345720f68

SHA1
c0f983322ef4e2526f548e9fbb2fab43747ff1f5

SHA256
9782d79a65437b046cdedc9d013274852996ca1831ab0363b26f4316b3d7a475

SHA512
2aaad1dcc8bab657f67979fcc5acac09e8f2465f23ed12ac7d77bf18f887924cb06a4e0da85c7577ea26119ba34f48e84d3d362a9ca9008dabca76b52b9510f3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
19651b978f612363cb78d05cfd225606

SHA1
59278401e5a209c4c896144c7361425fdc8e28db

SHA256
29d8f16402a60e3f80cfffee410b45249738f968c446ef6d785d3bc768cd170c

SHA512
eae3156cd362c2daceb578ff47627efaaf22e7292f644b0361eec340bda1b0847efc2f2be14c6a3f0bf968d55ade7ddd1225dc685fb9cc9fa05295a431e25f08

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
6bfac16e05c36a4130241436d8e4af75

SHA1
ab8858cd54d11db81bbc674c3c5173c6ace0f1de

SHA256
54df045a10fda7c7aa6d674e5a08a0506897e26dc98a5b1f245797c659f6917a

SHA512
b5bbc182f105f8716fdcc01a7e80c99521208edd9637c323d19a1a301656843a4f0d29d23250fed21495d531bce5c9dc56f525fbcf8eea9a3f3913ce70cee5f8

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bca9f8cc5bc07793ba5bda933baa2a79

SHA1
ec4222fbf79f4510d710910f14d69c2f442a000e

SHA256
d283b37b488ccd181b6e16dc8c863b1c908275c11bc8fa8b3ba5968759db4b5f

SHA512
99de4c8a3f25884f2913d79ab7901296031930a87c75383318a994a185061ac5009665f944d31683c604e4e6cb14d9e3ed4b5d779fa89b68b9d56f6b97c9f3f6

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
4560b2c7f722c04ab86e4bcca20b124f

SHA1
ed5753893b13dadc6a36137a6be369e78a237bb1

SHA256
96854389ec41abf8d2f52c4a474fe2b0cd7efa1be581b8cbd83166845c3a3a56

SHA512
5c2622f4d905952e745d66cbc9984cf1a967209c6e1fe94b1fd31a99b489edb4fef474dcf4c005e71995a488b08d06bebba9f16e9f4e3e022a6a531ccbf1e34c

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ed9ab8767cf1d846db459bbae2fce6c5

SHA1
6658e54675a804115c2805f5457e3a09eee76cee

SHA256
84dab25ca60d0c1d9b00c62151526641af014e2cc484353ac2eac54d324f9995

SHA512
dd825339362c385a4595d28ff9cdbbd6535851a02f38f793eac8cdf5a163ab325c20c16620000eb97df5e459284df76e8b1d27369f11a228ee8c0a2241ee7f3c

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bb8d7d000c22446e6de1d0710d9d32f1

SHA1
55603b869b3d2b50f2d6cdd40cee7d9573ab198c

SHA256
1e3e283ae567e039a130accba08106c0fdc16365c2add59b10b5bc356844d9d5

SHA512
df0c4723ae03561e0c7bf209615f12d51fb97bcdb816a90f235364249e1e321f399665bcdf27a0babc1f72d0fd4f230a5d9e811d33ae2d03d8e9676dc61b0465

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
7dacf3c8e894bad12a7e9c37ffd93f7f

SHA1
3c327471ac21ea9a618087914767df103017fe8a

SHA256
ece666035c949175abe15432838bded8ea5089f1d5c1cfd18b9177164af249ac

SHA512
2dd75c81971d207b5bc0eaa931324da77a172657a3b89a95189f987a214b89cbd88d7d5907f0612447ff6b6640b9ce087013b1b07ed36dd10d82c7b62de3bf22

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
32173620b9931f6ed2fd2083c026d8b9

SHA1
14e4abe2eac1852efff099c770c88ec0a2333bea

SHA256
1348d0a45fea322f02df52732581ce9463d0064b10ca08665624f24a7ffc8099

SHA512
0d5ff434e5ca2b4e6161d98ce63ddddbba035c58d9cb6bb341b175b295143eb8166514edb3c13b1dd482e6b7027ccdb2f3dac51cdf9d1b0e116121abb3c5f6d4

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
20580614a775b92175884837ec6aefb5

SHA1
b557e97cb011211a5449e2ebfa159ef62c7ace11

SHA256
44fa10473821877dceeb84fd3b1fbbfe6eced4f107323fab7949b7b4c858eb09

SHA512
b96c51c6a99f5c2cb4287610b4ad5539400fd054be790ccd66d6ee2c0e499c7f9f368becf05b83ff0e433fad2358bbfe9ce9433e7c02f555cec8f43f8109e6ae

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
19651b978f612363cb78d05cfd225606

SHA1
59278401e5a209c4c896144c7361425fdc8e28db

SHA256
29d8f16402a60e3f80cfffee410b45249738f968c446ef6d785d3bc768cd170c

SHA512
eae3156cd362c2daceb578ff47627efaaf22e7292f644b0361eec340bda1b0847efc2f2be14c6a3f0bf968d55ade7ddd1225dc685fb9cc9fa05295a431e25f08

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
19651b978f612363cb78d05cfd225606

SHA1
59278401e5a209c4c896144c7361425fdc8e28db

SHA256
29d8f16402a60e3f80cfffee410b45249738f968c446ef6d785d3bc768cd170c

SHA512
eae3156cd362c2daceb578ff47627efaaf22e7292f644b0361eec340bda1b0847efc2f2be14c6a3f0bf968d55ade7ddd1225dc685fb9cc9fa05295a431e25f08

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f6ffbd0b2a7820016d65ef5ae83a0b1b

SHA1
b680e9b40df2d3acb6c61cd37c91e449d50318a2

SHA256
762d192d920acc8535ee8f2d747461ac5baa26b54a020e3d2777eda48892a2aa

SHA512
d5e80114c4e31b551d0a28b9e0be13038701b5e25bfc1b38bc24e7cc1d19ca18001abf3f3357b95b310d502cbde733947fc386262441858244ed431641ca1b1c

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
eb0f76d730781854df72cdacdbe99741

SHA1
f72568a8b0bd207595b260a0d547ea601047d543

SHA256
b3286cf295309cc9f2c0fb5e1bb829835a38ff30ebf808719346b70ec6b26b80

SHA512
bcc15770609aeb63af63206b44860802644d5fe4c08835589ca136b6cb58e83ae66447d2a3514ce757d761c6e8051e491caa343c6d77759b2ff1ff39ea68af9f

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8df503f238ed8f61239a14b69674e0b9

SHA1
1da81becf31c6fb55232fae17e602a1a267748ed

SHA256
995b350d352ed2e8cec3484fb89acedda0f6550fd26ec91046e4c968df2f3eaf

SHA512
f3b6bb4c05777d7bae4ffbce9ad8ce544fbc6c268e1cc1ab5c5c24ada6097527db8c25b5ab19bb930f3093997d27f679c3d7205c1689b161dc9408431197d5d2

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5fe6d57d8ae09ae408acd7163cb5dea5

SHA1
5a8c42cd5e6c5520d6f5bf9d74511b764771544b

SHA256
cf0d8c1eeab4ae622c852eba5619a0e545d926ff2944650c569bad8a288f199e

SHA512
80d040c044352dc152e930db9b77871590d8fcc53f7235611f68c88a8e59b38369959fb960d3623820ccc2eb9bcdddc733870ab644d6f8a53a3c07fa3f442b5d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d9014788d301b7b415165d3c6e4554ea

SHA1
ddfa9ab5cd04d437759124e0b48d1a1ec1f91119

SHA256
3e2171020086bce1007b064f05312863e4795ad313cecfccdea46c5c263a19ee

SHA512
0d140a2736891ce8866c3a3e345b331446be7575d7891f6aed1100f380c3f8b1175c367b5e5fbe0ec318f8849a905c235d677dbeaafc11e171c12e14b47d8690

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
030580b512ba7d64659da2a345720f68

SHA1
c0f983322ef4e2526f548e9fbb2fab43747ff1f5

SHA256
9782d79a65437b046cdedc9d013274852996ca1831ab0363b26f4316b3d7a475

SHA512
2aaad1dcc8bab657f67979fcc5acac09e8f2465f23ed12ac7d77bf18f887924cb06a4e0da85c7577ea26119ba34f48e84d3d362a9ca9008dabca76b52b9510f3

Download Submit
memory/288-492-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/288-210-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/588-148-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/672-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/672-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/672-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/672-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/672-70-0x0000000000A20000-0x0000000000A86000-memory.dmp

Filesize
408KB

Download
memory/672-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/672-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/672-250-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/672-75-0x0000000000A20000-0x0000000000A86000-memory.dmp

Filesize
408KB

Download
memory/672-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/836-163-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/836-175-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/836-263-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/836-425-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/836-168-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/840-147-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1020-164-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1020-262-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1020-264-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1020-176-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1020-167-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1020-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1020-158-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1052-105-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1052-106-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1052-107-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1052-116-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1052-118-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1052-124-0x0000000001070000-0x000000000112C000-memory.dmp

Filesize
752KB

Download
memory/1080-126-0x0000000000C30000-0x0000000000C96000-memory.dmp

Filesize
408KB

Download
memory/1080-131-0x0000000000C30000-0x0000000000C96000-memory.dmp

Filesize
408KB

Download
memory/1080-149-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1340-286-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1340-187-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1340-209-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1428-54-0x0000000001130000-0x00000000012B6000-memory.dmp

Filesize
1.5MB

Download
memory/1428-60-0x00000000087A0000-0x000000000895C000-memory.dmp

Filesize
1.7MB

Download
memory/1428-59-0x00000000083D0000-0x0000000008514000-memory.dmp

Filesize
1.3MB

Download
memory/1428-58-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/1428-57-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/1428-56-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/1428-55-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/1520-233-0x0000000000E10000-0x0000000000E90000-memory.dmp

Filesize
512KB

Download
memory/1520-261-0x0000000000E10000-0x0000000000E90000-memory.dmp

Filesize
512KB

Download
memory/1520-308-0x0000000000E10000-0x0000000000E90000-memory.dmp

Filesize
512KB

Download
memory/1520-253-0x0000000000E10000-0x0000000000E90000-memory.dmp

Filesize
512KB

Download
memory/1528-96-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1528-89-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1528-83-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1624-122-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1636-231-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1656-97-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1656-259-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1712-123-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1796-245-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1796-232-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2036-206-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2036-189-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2036-181-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2036-214-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2064-260-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2064-239-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2108-376-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2112-409-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2192-277-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2308-402-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2308-383-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2348-288-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2428-420-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2440-287-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2440-301-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2456-421-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2456-426-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download
memory/2456-440-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2540-312-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2632-325-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2632-310-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2644-453-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2644-467-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2684-455-0x0000000000720000-0x0000000000929000-memory.dmp

Filesize
2.0MB

Download
memory/2684-456-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2732-334-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2824-348-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2916-360-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3016-371-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3016-359-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download