blustealer | 2bfafdc20b461ef574d77bd7c29d586c6a7c3ad6b3ad9bbecab8c014308b07d9

Analysis

max time kernel
151s
max time network
162s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.7.exe
Size

1.5MB
MD5

e67a119b25c041892a38c6147fd54c60
SHA1

8c3c63629929b9754c62fbad1e731f33758d2d2d
SHA256

2bfafdc20b461ef574d77bd7c29d586c6a7c3ad6b3ad9bbecab8c014308b07d9
SHA512

414e8de5219f34c4abcf885444dfab93e794abf69808d9c2e9e70f8de806da9e2159ba3d58dec41991be675955d7bb99b596e6b358a4cf7b3a32881cbbad1776
SSDEEP

24576:OwwBIEAbPY00PXKtW93ZwJGRNI7MhXOd+DsyFqcpVsZB4yYH:0BIENBvDIwmeqcpVSed

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 21 IoCs

pid	Process
464	Process not Found
1328	alg.exe
624	aspnet_state.exe
336	mscorsvw.exe
2044	mscorsvw.exe
1380	mscorsvw.exe
1096	mscorsvw.exe
1996	dllhost.exe
1400	ehRecvr.exe
1480	ehsched.exe
1744	mscorsvw.exe
268	elevation_service.exe
2008	IEEtwCollector.exe
2128	mscorsvw.exe
2244	GROOVE.EXE
2332	maintenanceservice.exe
2472	msdtc.exe
2556	mscorsvw.exe
2644	mscorsvw.exe
2764	mscorsvw.exe
2844	msiexec.exe

Loads dropped DLL 8 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8ad7824a5fe7035.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 660	1984	Quote 1345 rev.7.exe	28
PID 660 set thread context of 1504	660	Quote 1345 rev.7.exe	29

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Quote 1345 rev.7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Quote 1345 rev.7.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DD8A57A1-E861-427D-ACC8-EFE97509A344}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DD8A57A1-E861-427D-ACC8-EFE97509A344}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Quote 1345 rev.7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Quote 1345 rev.7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
872	ehRec.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	660	Quote 1345 rev.7.exe
Token: SeShutdownPrivilege	1380	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1380	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1380	mscorsvw.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe
Token: SeShutdownPrivilege	1380	mscorsvw.exe
Token: 33	1420	EhTray.exe
Token: SeIncBasePriorityPrivilege	1420	EhTray.exe
Token: SeDebugPrivilege	872	ehRec.exe
Token: SeShutdownPrivilege	1096	mscorsvw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
660	Quote 1345 rev.7.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 1984 wrote to memory of 660	1984	Quote 1345 rev.7.exe	28
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 660 wrote to memory of 1504	660	Quote 1345 rev.7.exe	29
PID 1096 wrote to memory of 1744	1096	mscorsvw.exe	39
PID 1096 wrote to memory of 1744	1096	mscorsvw.exe	39
PID 1096 wrote to memory of 1744	1096	mscorsvw.exe	39
PID 1096 wrote to memory of 2128	1096	mscorsvw.exe	44
PID 1096 wrote to memory of 2128	1096	mscorsvw.exe	44
PID 1096 wrote to memory of 2128	1096	mscorsvw.exe	44
PID 1380 wrote to memory of 2556	1380	mscorsvw.exe	48
PID 1380 wrote to memory of 2556	1380	mscorsvw.exe	48
PID 1380 wrote to memory of 2556	1380	mscorsvw.exe	48
PID 1380 wrote to memory of 2556	1380	mscorsvw.exe	48
PID 1380 wrote to memory of 2644	1380	mscorsvw.exe	49
PID 1380 wrote to memory of 2644	1380	mscorsvw.exe	49
PID 1380 wrote to memory of 2644	1380	mscorsvw.exe	49
PID 1380 wrote to memory of 2644	1380	mscorsvw.exe	49
PID 1380 wrote to memory of 2764	1380	mscorsvw.exe	50
PID 1380 wrote to memory of 2764	1380	mscorsvw.exe	50
PID 1380 wrote to memory of 2764	1380	mscorsvw.exe	50
PID 1380 wrote to memory of 2764	1380	mscorsvw.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:336

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1f8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1e8 -NGENProcess 174 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1996

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1400

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:268

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2008

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
PID:2844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
3e84e3e16dbce59067e732444ab220be

SHA1
d157c32dd391ba4e65215a1356b553201bfc1a9c

SHA256
af060ad2ad1f54e05ade77b773cea19ef723ebdc1f3942003edc6e8a776174ac

SHA512
3d2c79de9e598627c8f9a98d50190a3077374f092015dfb311fbf566d9212eee0cd8c5018d87b67548a16478098a1ca7e3fb636d5bef30d0c98f6cea2f54400c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2b0525904ec8415e406cf3d3276f7bf2

SHA1
d1311d5572ad2182eca319f06378c5aa06aa60f8

SHA256
36c78b4734dbdd11dddb59da85cbb47d83fb5c439fdb41967d21b216c5906cba

SHA512
e583d96bcc71038074704b8937870c9b1d8a8859dbfa4dd32386bab6c787f50e0dcd1f5dacd7b87e41ad2294cd3a6d577fd4b67b8ee4cbacafb7f73c69959c2c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
24c33a7940e85da9c65d60666bd0be98

SHA1
c81807311204bd78aabe492e5b6742949615503c

SHA256
3faef629e32697af1e3f57f8cbd89f1ea4566f40c2090d708edd9544516d81a6

SHA512
af9f0b8909a270f575e671f411004468a833df1da31c3cfa429fec97c21a6dc8c8fd83025d4efe831658a22d2479e1547f61e28701fe22460e053147a6ec72b9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a323161d64d62df3b4e7859cdba5dba5

SHA1
9d0b2c3b6ce28b1697512a396e50eaa40eb5c9b9

SHA256
1999674dc670a25fff9746b2811398341040af5ad7f44258abb561b9fca4265e

SHA512
0fb9a5440695a2f2c713bfae63e626adb7d7cd15f37f873be48135d733db55f4d635c28f2d1460fe9b6d623868dc91b0990888a66855f956c810eee9238a3450

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a323161d64d62df3b4e7859cdba5dba5

SHA1
9d0b2c3b6ce28b1697512a396e50eaa40eb5c9b9

SHA256
1999674dc670a25fff9746b2811398341040af5ad7f44258abb561b9fca4265e

SHA512
0fb9a5440695a2f2c713bfae63e626adb7d7cd15f37f873be48135d733db55f4d635c28f2d1460fe9b6d623868dc91b0990888a66855f956c810eee9238a3450

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9864ab10a46ec6fb8a5c9904017aa254

SHA1
77f6af4b016ebb80116555af3a7eb155656fca8e

SHA256
bbcedd256da5b03f029948a2f887e8e28c321ef26ea00611997e52406cfbc9bc

SHA512
e45357909d8f32ab8e89fff219ef3dde0bc6e4aee7545b67a6ee263e263e4ec0c051dd0e7161a0770ddb394c3d25ebaa349bd362a68c9d108dc8aac49671a4b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
6972186c7ae9ef2d3431a2679128284c

SHA1
1c47bb2903621a25186e99d3a2c41639d5bbc459

SHA256
48567a0d4121b409c209887d04172a08c30649e430de1ccfd1d4a5a0c55a34f4

SHA512
f97d99d7bebabd6785be008b66683308c50dedd6a10b2a9af5a62d5e3ff696affde78b255ecad23cd6e5ae9a806842dae4ae679e948693157b462a4edbbc01ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5dc8f07b1cdb124cb811df79470bbfab

SHA1
67e4e683d1b6e332dd3a8e8eea9fe4ba0067d337

SHA256
882f0d73b1f839c03743475ca4880ecf0ecdceac9fc7b41ab43ac9ccbdb32228

SHA512
4467b81ee35ce6ec61ca8991235518d9ec3c03429f93966b62066d1d5bc5f794495defd38649cd6c2d7bb24ad74834cd9212445effce29abb9cec9e8a0e1c788

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5dc8f07b1cdb124cb811df79470bbfab

SHA1
67e4e683d1b6e332dd3a8e8eea9fe4ba0067d337

SHA256
882f0d73b1f839c03743475ca4880ecf0ecdceac9fc7b41ab43ac9ccbdb32228

SHA512
4467b81ee35ce6ec61ca8991235518d9ec3c03429f93966b62066d1d5bc5f794495defd38649cd6c2d7bb24ad74834cd9212445effce29abb9cec9e8a0e1c788

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5dc8f07b1cdb124cb811df79470bbfab

SHA1
67e4e683d1b6e332dd3a8e8eea9fe4ba0067d337

SHA256
882f0d73b1f839c03743475ca4880ecf0ecdceac9fc7b41ab43ac9ccbdb32228

SHA512
4467b81ee35ce6ec61ca8991235518d9ec3c03429f93966b62066d1d5bc5f794495defd38649cd6c2d7bb24ad74834cd9212445effce29abb9cec9e8a0e1c788

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5dc8f07b1cdb124cb811df79470bbfab

SHA1
67e4e683d1b6e332dd3a8e8eea9fe4ba0067d337

SHA256
882f0d73b1f839c03743475ca4880ecf0ecdceac9fc7b41ab43ac9ccbdb32228

SHA512
4467b81ee35ce6ec61ca8991235518d9ec3c03429f93966b62066d1d5bc5f794495defd38649cd6c2d7bb24ad74834cd9212445effce29abb9cec9e8a0e1c788

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0ccbd1e702d38729ec9695ca2876ebe7

SHA1
a1a1a5f9901d7138b42de20868c84f269ee38f33

SHA256
e1e11123294d4b387152d5026c823dfab99d753765b1961477a4cfd89fa7095d

SHA512
b4b55389b41032936fb64618502d01203f35fe6dac8963179c65570caf7a3f329490c1ec128df14a59655ac31577f1170d46d600e1d8a0e4b3a1bf46e13505da

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0ccbd1e702d38729ec9695ca2876ebe7

SHA1
a1a1a5f9901d7138b42de20868c84f269ee38f33

SHA256
e1e11123294d4b387152d5026c823dfab99d753765b1961477a4cfd89fa7095d

SHA512
b4b55389b41032936fb64618502d01203f35fe6dac8963179c65570caf7a3f329490c1ec128df14a59655ac31577f1170d46d600e1d8a0e4b3a1bf46e13505da

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e5132f57ffacff95ec1562d8da581e5d

SHA1
baaaf2ed869c7b0cc79f82dd34d8e23dcc257aa7

SHA256
effd62e309fddc09c7558cfbaa040d59f60cedbdf313acf3e898dcf4dee42fa8

SHA512
dc56d2965f29022ecbb9e54d10eff33ec200c07c6fad59219ae155a67e94eb7f592a4e066585715ba9fa28c0ac0df073b8ff5c451212412842744264faf80173

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
db24cf7698a99ff370b90c9912789ca7

SHA1
ddef22223565f81f8980a02b977459e204e8b39e

SHA256
f40af6e9dc9bd7822d464c4e936640ebfa4596d23afc5cbb2df743f787dda6ce

SHA512
1feecf820747b8b79f4cfd623e7126e3a516276d273cb98e187680c9b45e49e624496716c6ce8bffda830fd73d98eb19ee5c56971cedbd24e9245cc0f616a44e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
db24cf7698a99ff370b90c9912789ca7

SHA1
ddef22223565f81f8980a02b977459e204e8b39e

SHA256
f40af6e9dc9bd7822d464c4e936640ebfa4596d23afc5cbb2df743f787dda6ce

SHA512
1feecf820747b8b79f4cfd623e7126e3a516276d273cb98e187680c9b45e49e624496716c6ce8bffda830fd73d98eb19ee5c56971cedbd24e9245cc0f616a44e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
db24cf7698a99ff370b90c9912789ca7

SHA1
ddef22223565f81f8980a02b977459e204e8b39e

SHA256
f40af6e9dc9bd7822d464c4e936640ebfa4596d23afc5cbb2df743f787dda6ce

SHA512
1feecf820747b8b79f4cfd623e7126e3a516276d273cb98e187680c9b45e49e624496716c6ce8bffda830fd73d98eb19ee5c56971cedbd24e9245cc0f616a44e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
db24cf7698a99ff370b90c9912789ca7

SHA1
ddef22223565f81f8980a02b977459e204e8b39e

SHA256
f40af6e9dc9bd7822d464c4e936640ebfa4596d23afc5cbb2df743f787dda6ce

SHA512
1feecf820747b8b79f4cfd623e7126e3a516276d273cb98e187680c9b45e49e624496716c6ce8bffda830fd73d98eb19ee5c56971cedbd24e9245cc0f616a44e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
db24cf7698a99ff370b90c9912789ca7

SHA1
ddef22223565f81f8980a02b977459e204e8b39e

SHA256
f40af6e9dc9bd7822d464c4e936640ebfa4596d23afc5cbb2df743f787dda6ce

SHA512
1feecf820747b8b79f4cfd623e7126e3a516276d273cb98e187680c9b45e49e624496716c6ce8bffda830fd73d98eb19ee5c56971cedbd24e9245cc0f616a44e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6bb58cec2f9188b0aefc6d4dbce6c95d

SHA1
24ff20db4bd39d6cca25708bdb07e72bac553d28

SHA256
c40b8efa4e17dc6c0dc2bc777b1c347227da7df0450fbe52e8e3142deb8031d2

SHA512
e814d05cbf795ed72e1db5582760106c9ab7a2d02f5d6b4f678f2c3dbc80bd28509b4e6e0e377139b33aa678d0455a9d1f8fce97395ffc04d98ba1b7e4d3663c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
f0acf9e6524435f66fc065f41b59d1ff

SHA1
137a9a121405eee10a1914df092991d035cf6e9b

SHA256
913d43106c040d70167408aea064829bfca01e1b08fe68480b98efcd6fae7076

SHA512
8941a25ceb09db167cdda35d2a2d63f20819bbc37f0d880e1dce6f05cee6363689c485efec97df3ace89650755ae008fb25868c8493f7331bc8263786c2dba94

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
05195ec750ea52c5933d090e34043710

SHA1
9625429f366daae3d5700b0f805250b7630c8b42

SHA256
6d45ad343cbfa2b0715259548a201c71c4b59c911891344d29c712dbcc64afc2

SHA512
9d265edb78bea763f979ed7920806a89b90ea44cdfeb42596072e581560cc1e488a3e5c679e1075506536d12beedf183339371fdaf7f28444217b339209354b8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d8ccfae9ab37625ed693d1ea536c9926

SHA1
b250a15112915291ee6196645d5f4f7df78ca78d

SHA256
a079868775f53dd14eba704f2d1128d9ab29806f485b776a3614188115b91d71

SHA512
f364afb088769ba8976ed0b77870b32540f4be44ce4ae2ab579983d1b129754bdedc914d8f975163a52ce6cd931a7c3f70d61cae7e33526e8d05758dd43c4d54

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
ce0ee238ba82255ad0b4a867df837fbc

SHA1
3e0ed486ba34eec11dc6bfcd3718e267e7ce8721

SHA256
a800ad1499de36c4a0ff65789ec0114e2aa2c6900f4e96d784c16895bbc8d324

SHA512
5402d786c4c08fd798b7637513a4600852d7b00334968485b08afe5519e91b0a53fa572bf50876e22666639a4285048461f2e8195824a6d1b5a96220a97f64f3

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
28df95c18aa7d8c8f9ccb82851463272

SHA1
a13de3cb0dd58c0b7fb019c90cab2aeea03faf48

SHA256
12733f0a8983e87f479095cfd9796ec4f3fe9c25e4e908116d940b93ef74a083

SHA512
993eeeaff35fbf44876f8e571a213c2b6d9526246b60e387bdeb5aef97b4f6f5453a11da5e4192ba74496de1e83efefc289d04d92c6353d0f33c181c39063c65

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
528d387b012b4414a51cc6f21ac2a35a

SHA1
37fd2b92d3e0ceba4f945f5cc61c363c83bfe2b9

SHA256
a5d8e2fd7acddc1e669a370ea16690553700c1dd2131b291407c124093dce444

SHA512
f8966630cd9f67d893a0574c2f153ba39babce52058f233d164b27617f91a2c96e6f98e3df05fa6f9e22b58f0fc528d7a019fd73aa6f4eb8707a4b3c6be5897d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ce0ee238ba82255ad0b4a867df837fbc

SHA1
3e0ed486ba34eec11dc6bfcd3718e267e7ce8721

SHA256
a800ad1499de36c4a0ff65789ec0114e2aa2c6900f4e96d784c16895bbc8d324

SHA512
5402d786c4c08fd798b7637513a4600852d7b00334968485b08afe5519e91b0a53fa572bf50876e22666639a4285048461f2e8195824a6d1b5a96220a97f64f3

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a323161d64d62df3b4e7859cdba5dba5

SHA1
9d0b2c3b6ce28b1697512a396e50eaa40eb5c9b9

SHA256
1999674dc670a25fff9746b2811398341040af5ad7f44258abb561b9fca4265e

SHA512
0fb9a5440695a2f2c713bfae63e626adb7d7cd15f37f873be48135d733db55f4d635c28f2d1460fe9b6d623868dc91b0990888a66855f956c810eee9238a3450

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
6972186c7ae9ef2d3431a2679128284c

SHA1
1c47bb2903621a25186e99d3a2c41639d5bbc459

SHA256
48567a0d4121b409c209887d04172a08c30649e430de1ccfd1d4a5a0c55a34f4

SHA512
f97d99d7bebabd6785be008b66683308c50dedd6a10b2a9af5a62d5e3ff696affde78b255ecad23cd6e5ae9a806842dae4ae679e948693157b462a4edbbc01ed

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6bb58cec2f9188b0aefc6d4dbce6c95d

SHA1
24ff20db4bd39d6cca25708bdb07e72bac553d28

SHA256
c40b8efa4e17dc6c0dc2bc777b1c347227da7df0450fbe52e8e3142deb8031d2

SHA512
e814d05cbf795ed72e1db5582760106c9ab7a2d02f5d6b4f678f2c3dbc80bd28509b4e6e0e377139b33aa678d0455a9d1f8fce97395ffc04d98ba1b7e4d3663c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
f0acf9e6524435f66fc065f41b59d1ff

SHA1
137a9a121405eee10a1914df092991d035cf6e9b

SHA256
913d43106c040d70167408aea064829bfca01e1b08fe68480b98efcd6fae7076

SHA512
8941a25ceb09db167cdda35d2a2d63f20819bbc37f0d880e1dce6f05cee6363689c485efec97df3ace89650755ae008fb25868c8493f7331bc8263786c2dba94

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
05195ec750ea52c5933d090e34043710

SHA1
9625429f366daae3d5700b0f805250b7630c8b42

SHA256
6d45ad343cbfa2b0715259548a201c71c4b59c911891344d29c712dbcc64afc2

SHA512
9d265edb78bea763f979ed7920806a89b90ea44cdfeb42596072e581560cc1e488a3e5c679e1075506536d12beedf183339371fdaf7f28444217b339209354b8

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d8ccfae9ab37625ed693d1ea536c9926

SHA1
b250a15112915291ee6196645d5f4f7df78ca78d

SHA256
a079868775f53dd14eba704f2d1128d9ab29806f485b776a3614188115b91d71

SHA512
f364afb088769ba8976ed0b77870b32540f4be44ce4ae2ab579983d1b129754bdedc914d8f975163a52ce6cd931a7c3f70d61cae7e33526e8d05758dd43c4d54

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
ce0ee238ba82255ad0b4a867df837fbc

SHA1
3e0ed486ba34eec11dc6bfcd3718e267e7ce8721

SHA256
a800ad1499de36c4a0ff65789ec0114e2aa2c6900f4e96d784c16895bbc8d324

SHA512
5402d786c4c08fd798b7637513a4600852d7b00334968485b08afe5519e91b0a53fa572bf50876e22666639a4285048461f2e8195824a6d1b5a96220a97f64f3

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
28df95c18aa7d8c8f9ccb82851463272

SHA1
a13de3cb0dd58c0b7fb019c90cab2aeea03faf48

SHA256
12733f0a8983e87f479095cfd9796ec4f3fe9c25e4e908116d940b93ef74a083

SHA512
993eeeaff35fbf44876f8e571a213c2b6d9526246b60e387bdeb5aef97b4f6f5453a11da5e4192ba74496de1e83efefc289d04d92c6353d0f33c181c39063c65

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
528d387b012b4414a51cc6f21ac2a35a

SHA1
37fd2b92d3e0ceba4f945f5cc61c363c83bfe2b9

SHA256
a5d8e2fd7acddc1e669a370ea16690553700c1dd2131b291407c124093dce444

SHA512
f8966630cd9f67d893a0574c2f153ba39babce52058f233d164b27617f91a2c96e6f98e3df05fa6f9e22b58f0fc528d7a019fd73aa6f4eb8707a4b3c6be5897d

Download Submit
memory/268-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/268-195-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/336-112-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/624-138-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/624-104-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/660-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/660-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/660-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/660-75-0x00000000001A0000-0x0000000000206000-memory.dmp

Filesize
408KB

Download
memory/660-131-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/660-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/660-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/660-70-0x00000000001A0000-0x0000000000206000-memory.dmp

Filesize
408KB

Download
memory/660-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/660-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/872-266-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/872-215-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/872-297-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/1096-143-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1328-89-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1328-137-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1328-92-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1328-83-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1380-124-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1380-129-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1380-135-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1400-156-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1400-171-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1400-182-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1400-169-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1400-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-162-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1400-260-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1480-172-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1480-177-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1480-168-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1480-262-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1504-100-0x0000000000100000-0x0000000000166000-memory.dmp

Filesize
408KB

Download
memory/1504-111-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/1504-94-0x0000000000100000-0x0000000000166000-memory.dmp

Filesize
408KB

Download
memory/1504-95-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1504-96-0x0000000000100000-0x0000000000166000-memory.dmp

Filesize
408KB

Download
memory/1504-102-0x0000000000100000-0x0000000000166000-memory.dmp

Filesize
408KB

Download
memory/1504-105-0x0000000004DC0000-0x0000000004E7C000-memory.dmp

Filesize
752KB

Download
memory/1744-229-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1744-184-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1744-192-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1744-190-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1984-58-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1984-60-0x00000000088F0000-0x0000000008AAC000-memory.dmp

Filesize
1.7MB

Download
memory/1984-59-0x0000000008540000-0x0000000008684000-memory.dmp

Filesize
1.3MB

Download
memory/1984-55-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/1984-57-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/1984-54-0x00000000013E0000-0x0000000001566000-memory.dmp

Filesize
1.5MB

Download
memory/1984-56-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1996-153-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2008-216-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2044-115-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2128-255-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2128-230-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2244-240-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2244-309-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2332-261-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2472-312-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2472-265-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2556-295-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2556-284-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2644-296-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2644-308-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2764-310-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2844-315-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download