blustealer | f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-05-2023 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order 202319876.exe
Size

1.7MB
MD5

09338b623f4473341a54191980901783
SHA1

40c8fca01c37d1f1592dacc06f48b918311e37e7
SHA256

f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03
SHA512

03da01911a00993ce7ddcd58a3cb6e185389bc341f8b1bde6c287eeca220cf960c690f91d0442b48f812993750d37dc4da4ce86bf6dfc53d00aa9829a31f8fe0
SSDEEP

24576:+b3IBXM8LcvUtY+FGkacy9RjdMD84XKpJKbJ6byq0TyJN8Wo+uOZakN:WQXZcvUtYRcGLoHvJQb8WoIN

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 40 IoCs

pid	Process
468	Process not Found
636	alg.exe
1320	aspnet_state.exe
1348	mscorsvw.exe
1944	mscorsvw.exe
884	mscorsvw.exe
568	mscorsvw.exe
580	dllhost.exe
1256	ehRecvr.exe
752	ehsched.exe
1348	elevation_service.exe
1584	IEEtwCollector.exe
1368	GROOVE.EXE
1796	maintenanceservice.exe
936	mscorsvw.exe
2164	mscorsvw.exe
2256	mscorsvw.exe
2400	mscorsvw.exe
2500	mscorsvw.exe
2592	mscorsvw.exe
2684	mscorsvw.exe
2780	mscorsvw.exe
2876	mscorsvw.exe
2968	mscorsvw.exe
3036	msdtc.exe
2088	msiexec.exe
2108	mscorsvw.exe
2460	OSE.EXE
2352	mscorsvw.exe
2548	OSPPSVC.EXE
2704	perfhost.exe
2712	mscorsvw.exe
2812	locator.exe
2888	snmptrap.exe
2780	vds.exe
1352	vssvc.exe
2080	wbengine.exe
1796	WmiApSrv.exe
2396	wmpnetwk.exe
1452	SearchIndexer.exe

Loads dropped DLL 16 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2088	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
768	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\c7817559decfa14c.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order 202319876.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1312	1740	Purchase Order 202319876.exe	28
PID 1312 set thread context of 108	1312	Purchase Order 202319876.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Purchase Order 202319876.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0ABB9932-9272-4781-AE75-F96444B1549A}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0ABB9932-9272-4781-AE75-F96444B1549A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase Order 202319876.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order 202319876.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase Order 202319876.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase Order 202319876.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{474B1D36-170B-4149-89F3-07013111D22D}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{474B1D36-170B-4149-89F3-07013111D22D}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1768	ehRec.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe
1312	Purchase Order 202319876.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1312	Purchase Order 202319876.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	568	mscorsvw.exe
Token: 33	1784	EhTray.exe
Token: SeIncBasePriorityPrivilege	1784	EhTray.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeDebugPrivilege	1768	ehRec.exe
Token: SeShutdownPrivilege	568	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	568	mscorsvw.exe
Token: SeShutdownPrivilege	568	mscorsvw.exe
Token: 33	1784	EhTray.exe
Token: SeIncBasePriorityPrivilege	1784	EhTray.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeSecurityPrivilege	2088	msiexec.exe
Token: SeBackupPrivilege	1352	vssvc.exe
Token: SeRestorePrivilege	1352	vssvc.exe
Token: SeAuditPrivilege	1352	vssvc.exe
Token: SeBackupPrivilege	2080	wbengine.exe
Token: SeRestorePrivilege	2080	wbengine.exe
Token: SeSecurityPrivilege	2080	wbengine.exe
Token: 33	2396	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2396	wmpnetwk.exe
Token: SeManageVolumePrivilege	1452	SearchIndexer.exe
Token: 33	1452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1452	SearchIndexer.exe
Token: SeDebugPrivilege	1312	Purchase Order 202319876.exe
Token: SeDebugPrivilege	1312	Purchase Order 202319876.exe
Token: SeDebugPrivilege	1312	Purchase Order 202319876.exe
Token: SeDebugPrivilege	1312	Purchase Order 202319876.exe
Token: SeDebugPrivilege	1312	Purchase Order 202319876.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1784	EhTray.exe
1784	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1784	EhTray.exe
1784	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1312	Purchase Order 202319876.exe
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
1476	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe
840	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1740 wrote to memory of 1312	1740	Purchase Order 202319876.exe	28
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 1312 wrote to memory of 108	1312	Purchase Order 202319876.exe	30
PID 884 wrote to memory of 936	884	mscorsvw.exe	45
PID 884 wrote to memory of 936	884	mscorsvw.exe	45
PID 884 wrote to memory of 936	884	mscorsvw.exe	45
PID 884 wrote to memory of 936	884	mscorsvw.exe	45
PID 884 wrote to memory of 2164	884	mscorsvw.exe	46
PID 884 wrote to memory of 2164	884	mscorsvw.exe	46
PID 884 wrote to memory of 2164	884	mscorsvw.exe	46
PID 884 wrote to memory of 2164	884	mscorsvw.exe	46
PID 884 wrote to memory of 2256	884	mscorsvw.exe	47
PID 884 wrote to memory of 2256	884	mscorsvw.exe	47
PID 884 wrote to memory of 2256	884	mscorsvw.exe	47
PID 884 wrote to memory of 2256	884	mscorsvw.exe	47
PID 884 wrote to memory of 2400	884	mscorsvw.exe	48
PID 884 wrote to memory of 2400	884	mscorsvw.exe	48
PID 884 wrote to memory of 2400	884	mscorsvw.exe	48
PID 884 wrote to memory of 2400	884	mscorsvw.exe	48
PID 884 wrote to memory of 2500	884	mscorsvw.exe	49
PID 884 wrote to memory of 2500	884	mscorsvw.exe	49
PID 884 wrote to memory of 2500	884	mscorsvw.exe	49
PID 884 wrote to memory of 2500	884	mscorsvw.exe	49
PID 884 wrote to memory of 2592	884	mscorsvw.exe	50
PID 884 wrote to memory of 2592	884	mscorsvw.exe	50
PID 884 wrote to memory of 2592	884	mscorsvw.exe	50
PID 884 wrote to memory of 2592	884	mscorsvw.exe	50
PID 884 wrote to memory of 2684	884	mscorsvw.exe	51
PID 884 wrote to memory of 2684	884	mscorsvw.exe	51
PID 884 wrote to memory of 2684	884	mscorsvw.exe	51
PID 884 wrote to memory of 2684	884	mscorsvw.exe	51
PID 884 wrote to memory of 2780	884	mscorsvw.exe	52
PID 884 wrote to memory of 2780	884	mscorsvw.exe	52
PID 884 wrote to memory of 2780	884	mscorsvw.exe	52
PID 884 wrote to memory of 2780	884	mscorsvw.exe	52
PID 884 wrote to memory of 2876	884	mscorsvw.exe	53
PID 884 wrote to memory of 2876	884	mscorsvw.exe	53
PID 884 wrote to memory of 2876	884	mscorsvw.exe	53
PID 884 wrote to memory of 2876	884	mscorsvw.exe	53
PID 884 wrote to memory of 2968	884	mscorsvw.exe	54
PID 884 wrote to memory of 2968	884	mscorsvw.exe	54
PID 884 wrote to memory of 2968	884	mscorsvw.exe	54
PID 884 wrote to memory of 2968	884	mscorsvw.exe	54
PID 884 wrote to memory of 2108	884	mscorsvw.exe	56
PID 884 wrote to memory of 2108	884	mscorsvw.exe	56
PID 884 wrote to memory of 2108	884	mscorsvw.exe	56
PID 884 wrote to memory of 2108	884	mscorsvw.exe	56
PID 884 wrote to memory of 2352	884	mscorsvw.exe	59
PID 884 wrote to memory of 2352	884	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1348

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2d8 -NGENProcess 2e0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e0 -NGENProcess 2d4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2dc -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 30c -NGENProcess 2d4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 310 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 314 -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2d4 -NGENProcess 2dc -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 314 -NGENProcess 320 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 31c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 328 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:580

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1256

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1368

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2460

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1948
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
441d541489d5c944e0a7714fa4f85a9d

SHA1
b166f91a623da152ca0d97dc39e3e400dbbaa821

SHA256
b808afc42af279148bf836058251be235301cb77233914186244c8562f943087

SHA512
b3e5ebc45d489db982a153e5dd034a123d2fbbd802a789177b7126c0a4e90fd0cede1f8f086291547518128981e160f74a537f77416746eef38aea52053f75d6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
84b6253fd87f7d6c6faa6c79ddd41404

SHA1
d1c38fa2cfa5498ef4b231ae2d80093101a8ffdd

SHA256
18c7e0b3abd1b98e32900abd69349d55415658aa2eeb008d4f35191f071b9591

SHA512
a81999f0390a7d75ee0c1080846871e342a0128213d7ec990a12ea28cb10fc1b85760c37375e16a069b80596f8cc987cf1c535ca05d04be28b9661d5eb28d065

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
14911066763dbacb86fdd973408751c8

SHA1
9af4a149a9cc6842dc319300ef564624349502a0

SHA256
22b9f91f1344b366f0c8b071e82ad4b827cbba4720e531e6f6961e2f5d93b0c8

SHA512
6d513be08ae66d272fb61ca02118d827a01ad3bf59185dba5d00d9c787b740edb28c7f97669de5790db2a3a81975f659e078e9d8cefeefcb3c184ff20f359856

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
4623cd8e282ab614230a59dd0ecbf296

SHA1
4cc03380d154088e56aae9a67aebd65e3b8be0ac

SHA256
ff44c36edc628fc5b94e0bcb000675ef35847e00864f8876f78f76e336dca726

SHA512
2b859cc2945e4882f1f50374ac6d84b629dc70e0a5546b6edd32097e7ceb0b3f41fd8a901b733452d8f957f03a6e5c7cce757f1f40ee2e50af883897bf223ad9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b246c792842b51b1e761434e6ed5a861

SHA1
0113290a7e4a91c49bb65b9ff5864451a78c9751

SHA256
a150fc05f91c18a77888458ccbd8e58203c66c890085ec64714c05fea9c8f8c7

SHA512
41ab24d547a65b48a17f006be3c14dc58d65c52e813de52da5ee325130dc3abe7253c6e821bc8eb6de2546f1c3881fc3d353e40984bb27a87ecd9954c430bd1a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bbe69ce9dc2c1287ad2f07eb99e23fa6

SHA1
71503bc167f21e86d9dcf383ad9ebed0b03db5c2

SHA256
530a09d11d5e2712d5a9275931d5a07c1dfc8758e13535f904855aee40f18abe

SHA512
d81e47782592e75cfe1b290f09b03658e85574614a01fea1a29cf91caed969dc6870863a6d0bd438cedb19991e78d7773a64a660645eaa9f370d66a895a5fc23

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7b98a1aac0fe2e53b2a83a059aff812a

SHA1
76cda3463a51fa23e64afbdbd037a3821850b4e2

SHA256
80bb699110c72aea57bf47e7ec6394d28eade9b5bcdf200312674ec66a176b02

SHA512
14996a96e48bea29fe6abd0d5c40a6c8e436ee453edee53d2a26ad8e80e50c2f3042dcb9b3612dcdcbdb04d133980859da4de9d9cc9f6edf830a0b5f76febc0c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7b98a1aac0fe2e53b2a83a059aff812a

SHA1
76cda3463a51fa23e64afbdbd037a3821850b4e2

SHA256
80bb699110c72aea57bf47e7ec6394d28eade9b5bcdf200312674ec66a176b02

SHA512
14996a96e48bea29fe6abd0d5c40a6c8e436ee453edee53d2a26ad8e80e50c2f3042dcb9b3612dcdcbdb04d133980859da4de9d9cc9f6edf830a0b5f76febc0c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6812bfd52af6391d6b4d6c21ad8e968a

SHA1
3c285a626365cc8432c4040542d062d90a0ccd78

SHA256
07bdd2fc5a7a77c06cdba1a5624f8addd72a9bfe9cf7f4ed6841eef22cd3b71b

SHA512
7c2dc42a40c950f77c18e2357b798c43bc14c7e9ad627937848f6405584549d63a4c8ba722068b6453ea98bf16c6ed7f2fb4e2fc8ef677562c4df67efdd7e1fb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
88f7801fb66c19c230f3b41547057106

SHA1
a843b19e0fd90e78b04cac01f26df5b3d1514aab

SHA256
5a5d29123873c6caa195ff2061a0f7bf4f0a7c3d3d1b034e0f0289464676a950

SHA512
9ff151aa473d88918b4c36bb1af3320e1e4fba59ed3cabb186674d26c95ff6b89271d7ff23a5f18c8defeac5798fc459d6cd9cafb17a88c00fc142858742661b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ac028d2c4385b861fd7c95f9b4563ea4

SHA1
737d58821a1be82bc2c77067459bcef08db929b0

SHA256
3e49f0cd63bdb3e717cce669713159b8720190efba4aa85d1a9ea83cf99e72f6

SHA512
0924edd1a6c24e8574d0b3f756782acbd017aca76a0b7ab0ee71ab4b936e1dee6f0cf274e25666d02a6136a29d06791ff56b00c6abc1ed450d98cb47abb0ad09

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ac028d2c4385b861fd7c95f9b4563ea4

SHA1
737d58821a1be82bc2c77067459bcef08db929b0

SHA256
3e49f0cd63bdb3e717cce669713159b8720190efba4aa85d1a9ea83cf99e72f6

SHA512
0924edd1a6c24e8574d0b3f756782acbd017aca76a0b7ab0ee71ab4b936e1dee6f0cf274e25666d02a6136a29d06791ff56b00c6abc1ed450d98cb47abb0ad09

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a5a720847a3457ea4a24fc1f77f38315

SHA1
19f8ff2458add866ec2e1754b21d84ea0f8018cd

SHA256
220108cdbcaeba7330ac8049b73445ff07c882bd61b5081099af118d4aa16204

SHA512
e70e68183f946b59e9e544dc81fae7e85ebb08c044ca83ecf67b06a991b5115f5d1811f07f5968977180456266e3f9003c555afde41a277bfa57f38e0609e524

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a5a720847a3457ea4a24fc1f77f38315

SHA1
19f8ff2458add866ec2e1754b21d84ea0f8018cd

SHA256
220108cdbcaeba7330ac8049b73445ff07c882bd61b5081099af118d4aa16204

SHA512
e70e68183f946b59e9e544dc81fae7e85ebb08c044ca83ecf67b06a991b5115f5d1811f07f5968977180456266e3f9003c555afde41a277bfa57f38e0609e524

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b9334d3b06b7cde13acbf076f68b2b2f

SHA1
441cfa1826b8284561885b1ecf313eb64e75305d

SHA256
6121e2b48b2d8d4c0d49b8f315d19bfcb54d8c230cc0698e095f8ae1a8ecd2fb

SHA512
7cc0f6a366d8f828a4ea889cc745aac8cf3f04e5d5315091ff49c896d5df34c85dbd8d405c452b8828d5eceabbbd4f036e8e4dcfbeb07126e48b6fb99a0c824e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
8b5fbcccfffd676d849431b61d8b44fe

SHA1
b40b888c1b2fb31bea316604864edc41a41ca306

SHA256
055d03e0b89f4c7b2197b3c794f5e72eb9524e31e60ee2679b960324c323c1f8

SHA512
dbfb02b627737865b04ad97c9d00cad071c3204bce37f3665cd53585e2b4370cda794de509baeafdf34341c96a5412ef7cf0647e290f638e628705209abc8dbf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a4db19f74432937a1b6aa9a1b88c4217

SHA1
f8b97b39f570e882ba69422672627fc7f56ce553

SHA256
81b0d7b7e42af27a23f7e05c527bb1c1ddc599abdb5f162bf957de0e7b56f67f

SHA512
cd7a72b14823938608e0d774a0467733afe478790a914c5a5b4c8023e0f490513b2571727b8885bb873b2cef27f21906224b7d66e58e07a35405062598c641a5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
aea14d5f07e5e3e054d612adc88d4942

SHA1
49d89aa0d2cbef8330557696adc3b64a623e70f5

SHA256
9757bebac2ed29c5af1106e9b111331dc3dbd6803297ca6851b485c17cf4522c

SHA512
3361904b8211b5ba66deeb6912eab7efca79b5d8ae2ca7db28818a9eb894fca7b195406dcd32183ef1b056bdbf2303e1029f7bc3a796ccb2ad852696a8d09ba3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
7e3925f8c545dba1180bcf9be880caa7

SHA1
6ba6da20f3d40da014eac929d2b1acf2ddafc9b5

SHA256
aa79dcfd87a493b492218b213bc8d07091289da57fe7761029f793ba5e3b0304

SHA512
284bfce612c26e2215badd28796d1009502b645510c6ab81668deca93435873081df0c305010de39899f4634deb3b52a7d2ea560312a60a055ae1829b8f98c5d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
3da503318b383f4e75e7d62352bab8b1

SHA1
a18fca4a8c8acda5417c58ac0fe953c7a0ec0223

SHA256
a4305c5200243be4089ff175efc65a72a8ff91afa3ea4de56a62c6b095604a93

SHA512
06e4f63b14a2d8fce4bc2e10ccec2cef263e801e1d9555ec5747e11bf5e1853f3610ee47297a29ac434b321c932eb48644a67669f53719932324a40279ffebdc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fc36c9fdcfe2fc732512fe97d14ef93b

SHA1
4911786eed468a7c83cd866ee704263b9b03687c

SHA256
2ad1608694bab27de7cc30ffbaf3946159dcd232717f8059525f5b17c7a12c63

SHA512
0b84f96a94aa5c1ce2f517299f28e70e4b1b4167f6075ead309450f32e476b9afbfe6e1f800ba069231f26f21ec68259f199d05524ded1b37846f6cc530dc93a

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
7b2dfc31907bffb252d40ff2a8befb6c

SHA1
4e320d48553135ec7c080a443ea2c3d399118a40

SHA256
3c5f1e4b8cb4c3eb7fba2eb3dc8d749c3eb94c1fa8823b4c0162b531c6cda28f

SHA512
85cc261ecf36fc54c59f657fd717741016e152f310fe74cad7c2889b53b110f716bd92511accea854f17376b0e49ed12228a765d093a688e27ebde972353f09c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
2ac30e3b10d932804e44447aa4a41c2d

SHA1
ac118f39778311d66d9987567417dc5e1946d613

SHA256
28df64ef5820a43431a8a1d6c1d2ecf86bd0c91ee2d16bf18ee2d6518fa6cb1f

SHA512
38cfb0f18cf2bca608b0e7923336cb4ceedb8afee801fd129e8adf60006b693a0d9d409f7869a78d91bce566ca716db13fd9c9e4e32c3cf619d920f1e716724a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b813e774c9b1d4925b9ce6b15401fa6d

SHA1
f81d670be2d20c4410c3be675d9a8e28a9e2a8f1

SHA256
3076d311f92aa1b3ed58925874a6fef59b531a679275f1f698455a570872ff6d

SHA512
da2a5f8277e5e65374bdfce25bdfc51854e102230c867478d28e36a4b3c57da1938d4082940864c65b7dccb47018ba5f5c059641565f92f75593197f72a5012f

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
d2346e4fc4565a739e525937d85f5423

SHA1
09e3e99303839ed0d62a098bef36a425d3b306fc

SHA256
249dc2911bbaa26c0a85cf58bcb43067f5121e3957e4dd21b6596f3ee35db508

SHA512
89b77a595918a9da7c00fc9c5ad3427d6ff359726a61df9e9635cd76cd4bbf7f669c14c90cd39d147f0638c75ca82f4d28ad585adc68156573b99e4a31a12b7a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
044fde396617c7b92f9497bc1a514cb9

SHA1
0a548c34a88eeed809e4a35141c1aef564cb8097

SHA256
0186c8beb80dc86b69a0b9f129104a59436db13a4456e99830372fc61eff01c2

SHA512
2fd4435a1329f24d7aefe523941acbf89f0220337acf78039014a89c2050093a317d7b9100d31114efafa8dce33ebc7f53d1d99f2f93de5a4f11c8400100b1af

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
f7327a5360ccf431aa859a33e91c1ff9

SHA1
eb197ec62871fc08e4a519c1e2bae19f749bc95e

SHA256
40167e8ecaed53a8b60332ed2f23ab7aa2a5de6aee1d7147b2f80148caa6c0cc

SHA512
e3cca6c225574b6a511fa8cbced717ac55b79530f1986150b3a591546c4b0ad1979238247d40dd66b62487e8d3cd4e6bd22ef731ac1e2916289160c72b3dd481

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b8287bf4c9587cd37eecac1386b865a7

SHA1
ecca2c18affe1a3cc9d487d136692aa82e1d3e8c

SHA256
039f02fa39b95b5fb7774e1b03faef4983a5dc06cf749039121a9ada6785598b

SHA512
804a16c82ef16e82d70ea67486f560530b9e514c67b52bf01c17098d7eff82ff6238773f15439b210539bd0b335383cbf6f1b382febc2a728706e86152039896

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d88f64ec7f8cdbaea3fb83e2402f4da5

SHA1
2bdb80e4e4fa849acfb4eccfb347a7764c3319ca

SHA256
8113429ab5110df1ab1223d422a7d5cd2a560d8a6647a8e45e57a12e453c306e

SHA512
aa08815b6a7a0b5eca9558e2e43071673f7102047f9d104e06fd825d282fcc4016574172e899cade3ebefde371ce2d8ecbf78076b9dc18f4643ca9f1c0bba38e

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a462441cab6aca2b0dec4c4dde2f80d4

SHA1
b53f42a2774b9ccea4398866988b5097b51aa47d

SHA256
a07bf4d90a7e9028ae8cb67510921074a160128f4a47562dd114b22d0bb38cc6

SHA512
3f76a4a2f1ee59bb18355da49f4a707e87077a47cdf13ef44e2fe2f0772e03d6099dd8d32461f02ff0b15e2ace21ea68397d7d74308efb9b1829b7bdce751bb8

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
bc489753180af8e0842f08ae48275ebe

SHA1
fb00d0cde77ee70731908d074f4cb5329fd92e33

SHA256
f74a3a6274b6fc45169e3f682a8a2818d715a8d031cd7f368fe71e7b8f163e8c

SHA512
f003e9829d8f5e33231757e5d934017285cba230e3d684aa9e388e0689d26ce79e9d0854289bbfdd3c85ed4b8f60761c7ac9e6a18fbb3cfe4dc43601210d3d04

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d2346e4fc4565a739e525937d85f5423

SHA1
09e3e99303839ed0d62a098bef36a425d3b306fc

SHA256
249dc2911bbaa26c0a85cf58bcb43067f5121e3957e4dd21b6596f3ee35db508

SHA512
89b77a595918a9da7c00fc9c5ad3427d6ff359726a61df9e9635cd76cd4bbf7f669c14c90cd39d147f0638c75ca82f4d28ad585adc68156573b99e4a31a12b7a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bbe69ce9dc2c1287ad2f07eb99e23fa6

SHA1
71503bc167f21e86d9dcf383ad9ebed0b03db5c2

SHA256
530a09d11d5e2712d5a9275931d5a07c1dfc8758e13535f904855aee40f18abe

SHA512
d81e47782592e75cfe1b290f09b03658e85574614a01fea1a29cf91caed969dc6870863a6d0bd438cedb19991e78d7773a64a660645eaa9f370d66a895a5fc23

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bbe69ce9dc2c1287ad2f07eb99e23fa6

SHA1
71503bc167f21e86d9dcf383ad9ebed0b03db5c2

SHA256
530a09d11d5e2712d5a9275931d5a07c1dfc8758e13535f904855aee40f18abe

SHA512
d81e47782592e75cfe1b290f09b03658e85574614a01fea1a29cf91caed969dc6870863a6d0bd438cedb19991e78d7773a64a660645eaa9f370d66a895a5fc23

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7b98a1aac0fe2e53b2a83a059aff812a

SHA1
76cda3463a51fa23e64afbdbd037a3821850b4e2

SHA256
80bb699110c72aea57bf47e7ec6394d28eade9b5bcdf200312674ec66a176b02

SHA512
14996a96e48bea29fe6abd0d5c40a6c8e436ee453edee53d2a26ad8e80e50c2f3042dcb9b3612dcdcbdb04d133980859da4de9d9cc9f6edf830a0b5f76febc0c

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
88f7801fb66c19c230f3b41547057106

SHA1
a843b19e0fd90e78b04cac01f26df5b3d1514aab

SHA256
5a5d29123873c6caa195ff2061a0f7bf4f0a7c3d3d1b034e0f0289464676a950

SHA512
9ff151aa473d88918b4c36bb1af3320e1e4fba59ed3cabb186674d26c95ff6b89271d7ff23a5f18c8defeac5798fc459d6cd9cafb17a88c00fc142858742661b

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
aea14d5f07e5e3e054d612adc88d4942

SHA1
49d89aa0d2cbef8330557696adc3b64a623e70f5

SHA256
9757bebac2ed29c5af1106e9b111331dc3dbd6803297ca6851b485c17cf4522c

SHA512
3361904b8211b5ba66deeb6912eab7efca79b5d8ae2ca7db28818a9eb894fca7b195406dcd32183ef1b056bdbf2303e1029f7bc3a796ccb2ad852696a8d09ba3

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fc36c9fdcfe2fc732512fe97d14ef93b

SHA1
4911786eed468a7c83cd866ee704263b9b03687c

SHA256
2ad1608694bab27de7cc30ffbaf3946159dcd232717f8059525f5b17c7a12c63

SHA512
0b84f96a94aa5c1ce2f517299f28e70e4b1b4167f6075ead309450f32e476b9afbfe6e1f800ba069231f26f21ec68259f199d05524ded1b37846f6cc530dc93a

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
7b2dfc31907bffb252d40ff2a8befb6c

SHA1
4e320d48553135ec7c080a443ea2c3d399118a40

SHA256
3c5f1e4b8cb4c3eb7fba2eb3dc8d749c3eb94c1fa8823b4c0162b531c6cda28f

SHA512
85cc261ecf36fc54c59f657fd717741016e152f310fe74cad7c2889b53b110f716bd92511accea854f17376b0e49ed12228a765d093a688e27ebde972353f09c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
2ac30e3b10d932804e44447aa4a41c2d

SHA1
ac118f39778311d66d9987567417dc5e1946d613

SHA256
28df64ef5820a43431a8a1d6c1d2ecf86bd0c91ee2d16bf18ee2d6518fa6cb1f

SHA512
38cfb0f18cf2bca608b0e7923336cb4ceedb8afee801fd129e8adf60006b693a0d9d409f7869a78d91bce566ca716db13fd9c9e4e32c3cf619d920f1e716724a

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b813e774c9b1d4925b9ce6b15401fa6d

SHA1
f81d670be2d20c4410c3be675d9a8e28a9e2a8f1

SHA256
3076d311f92aa1b3ed58925874a6fef59b531a679275f1f698455a570872ff6d

SHA512
da2a5f8277e5e65374bdfce25bdfc51854e102230c867478d28e36a4b3c57da1938d4082940864c65b7dccb47018ba5f5c059641565f92f75593197f72a5012f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
d2346e4fc4565a739e525937d85f5423

SHA1
09e3e99303839ed0d62a098bef36a425d3b306fc

SHA256
249dc2911bbaa26c0a85cf58bcb43067f5121e3957e4dd21b6596f3ee35db508

SHA512
89b77a595918a9da7c00fc9c5ad3427d6ff359726a61df9e9635cd76cd4bbf7f669c14c90cd39d147f0638c75ca82f4d28ad585adc68156573b99e4a31a12b7a

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
d2346e4fc4565a739e525937d85f5423

SHA1
09e3e99303839ed0d62a098bef36a425d3b306fc

SHA256
249dc2911bbaa26c0a85cf58bcb43067f5121e3957e4dd21b6596f3ee35db508

SHA512
89b77a595918a9da7c00fc9c5ad3427d6ff359726a61df9e9635cd76cd4bbf7f669c14c90cd39d147f0638c75ca82f4d28ad585adc68156573b99e4a31a12b7a

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
044fde396617c7b92f9497bc1a514cb9

SHA1
0a548c34a88eeed809e4a35141c1aef564cb8097

SHA256
0186c8beb80dc86b69a0b9f129104a59436db13a4456e99830372fc61eff01c2

SHA512
2fd4435a1329f24d7aefe523941acbf89f0220337acf78039014a89c2050093a317d7b9100d31114efafa8dce33ebc7f53d1d99f2f93de5a4f11c8400100b1af

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
f7327a5360ccf431aa859a33e91c1ff9

SHA1
eb197ec62871fc08e4a519c1e2bae19f749bc95e

SHA256
40167e8ecaed53a8b60332ed2f23ab7aa2a5de6aee1d7147b2f80148caa6c0cc

SHA512
e3cca6c225574b6a511fa8cbced717ac55b79530f1986150b3a591546c4b0ad1979238247d40dd66b62487e8d3cd4e6bd22ef731ac1e2916289160c72b3dd481

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b8287bf4c9587cd37eecac1386b865a7

SHA1
ecca2c18affe1a3cc9d487d136692aa82e1d3e8c

SHA256
039f02fa39b95b5fb7774e1b03faef4983a5dc06cf749039121a9ada6785598b

SHA512
804a16c82ef16e82d70ea67486f560530b9e514c67b52bf01c17098d7eff82ff6238773f15439b210539bd0b335383cbf6f1b382febc2a728706e86152039896

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d88f64ec7f8cdbaea3fb83e2402f4da5

SHA1
2bdb80e4e4fa849acfb4eccfb347a7764c3319ca

SHA256
8113429ab5110df1ab1223d422a7d5cd2a560d8a6647a8e45e57a12e453c306e

SHA512
aa08815b6a7a0b5eca9558e2e43071673f7102047f9d104e06fd825d282fcc4016574172e899cade3ebefde371ce2d8ecbf78076b9dc18f4643ca9f1c0bba38e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a462441cab6aca2b0dec4c4dde2f80d4

SHA1
b53f42a2774b9ccea4398866988b5097b51aa47d

SHA256
a07bf4d90a7e9028ae8cb67510921074a160128f4a47562dd114b22d0bb38cc6

SHA512
3f76a4a2f1ee59bb18355da49f4a707e87077a47cdf13ef44e2fe2f0772e03d6099dd8d32461f02ff0b15e2ace21ea68397d7d74308efb9b1829b7bdce751bb8

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
bc489753180af8e0842f08ae48275ebe

SHA1
fb00d0cde77ee70731908d074f4cb5329fd92e33

SHA256
f74a3a6274b6fc45169e3f682a8a2818d715a8d031cd7f368fe71e7b8f163e8c

SHA512
f003e9829d8f5e33231757e5d934017285cba230e3d684aa9e388e0689d26ce79e9d0854289bbfdd3c85ed4b8f60761c7ac9e6a18fbb3cfe4dc43601210d3d04

Download Submit
memory/108-95-0x00000000001B0000-0x0000000000216000-memory.dmp

Filesize
408KB

Download
memory/108-90-0x00000000001B0000-0x0000000000216000-memory.dmp

Filesize
408KB

Download
memory/108-96-0x00000000009E0000-0x0000000000A9C000-memory.dmp

Filesize
752KB

Download
memory/108-89-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/108-88-0x00000000001B0000-0x0000000000216000-memory.dmp

Filesize
408KB

Download
memory/108-93-0x00000000001B0000-0x0000000000216000-memory.dmp

Filesize
408KB

Download
memory/568-159-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/580-163-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/636-91-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/636-83-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/752-169-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/752-160-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/752-168-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/752-513-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/752-236-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/884-121-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/884-137-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/884-126-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/936-247-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/936-228-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1256-235-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-148-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1256-154-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1256-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-172-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1256-173-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1256-195-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1312-97-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1312-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1312-75-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1312-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1312-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1312-70-0x0000000000130000-0x0000000000196000-memory.dmp

Filesize
408KB

Download
memory/1312-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1312-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1312-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1312-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1320-106-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1348-196-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1348-251-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1348-176-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1348-182-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1348-103-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1352-498-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1368-214-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1584-187-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1584-452-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1584-198-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1740-59-0x00000000085D0000-0x0000000008708000-memory.dmp

Filesize
1.2MB

Download
memory/1740-58-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1740-57-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1740-56-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/1740-60-0x0000000008920000-0x0000000008AD0000-memory.dmp

Filesize
1.7MB

Download
memory/1740-54-0x0000000000880000-0x0000000000A30000-memory.dmp

Filesize
1.7MB

Download
memory/1740-55-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1768-321-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/1768-254-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/1768-257-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/1768-223-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/1768-197-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/1796-218-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1796-281-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1796-368-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1944-135-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2080-499-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2088-397-0x00000000004E0000-0x00000000006E9000-memory.dmp

Filesize
2.0MB

Download
memory/2088-396-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2108-419-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2164-258-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2256-260-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2256-283-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2352-422-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2352-436-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2396-522-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2400-282-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2400-294-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2460-421-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2500-301-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2548-423-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2592-316-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2684-323-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2704-446-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2780-472-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2780-339-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2812-443-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2876-356-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2888-469-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2968-375-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3036-352-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download