blustealer | 2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase order 3500354689.exe
Size

1.4MB
MD5

54449cb838ba6a7de0d11f73de31c1af
SHA1

4fa134aaab1517fc86d77de166e8cb5dc65943df
SHA256

2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d
SHA512

d9177818bf33a55fda1a4dadd98db20c8f72bea1ee3d43d707ef3ddaaed7af944cc97dfb14d649f916573f201730d6bd39d51506ae314cb38882f59d7be19bc4
SSDEEP

24576:KRmht8BU5wGMUq6HxSzB793rWyxLV08a5XwE7uWhDVzeWhWGAUlCwUY/l:3l5MUqF99TxLG8aJ3lZLeUlv/l

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
468	Process not Found
944	alg.exe
1628	aspnet_state.exe
1912	mscorsvw.exe
1904	mscorsvw.exe
1920	mscorsvw.exe
512	mscorsvw.exe
1124	dllhost.exe
1480	ehRecvr.exe
1948	ehsched.exe
1740	elevation_service.exe
1484	mscorsvw.exe
968	mscorsvw.exe
1616	mscorsvw.exe
1012	mscorsvw.exe
1832	mscorsvw.exe
2056	mscorsvw.exe
2160	mscorsvw.exe
2268	mscorsvw.exe
2360	mscorsvw.exe
2456	mscorsvw.exe
2548	mscorsvw.exe
2640	mscorsvw.exe
2732	mscorsvw.exe
2824	mscorsvw.exe
2920	mscorsvw.exe
3012	mscorsvw.exe
916	mscorsvw.exe
1976	mscorsvw.exe
1388	IEEtwCollector.exe
2192	GROOVE.EXE
2380	maintenanceservice.exe
2464	msdtc.exe
2448	msiexec.exe
2456	mscorsvw.exe
2636	OSE.EXE
2840	mscorsvw.exe
2796	OSPPSVC.EXE
2824	perfhost.exe
2964	mscorsvw.exe
1656	locator.exe
1832	snmptrap.exe
1492	vds.exe
1156	vssvc.exe
2388	wbengine.exe
2416	WmiApSrv.exe
2652	mscorsvw.exe
2700	wmpnetwk.exe
2944	mscorsvw.exe
2764	SearchIndexer.exe
2072	mscorsvw.exe
2756	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2448	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
752	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7c9bfb336401d5da.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase order 3500354689.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 580	1124	Purchase order 3500354689.exe	27
PID 580 set thread context of 1980	580	Purchase order 3500354689.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Purchase order 3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Purchase order 3500354689.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CF82B55E-9DEE-4D03-A7F4-FD80B1E756AA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CF82B55E-9DEE-4D03-A7F4-FD80B1E756AA}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase order 3500354689.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase order 3500354689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase order 3500354689.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{2E5052AA-E34C-4D04-BEE8-87DC99F341ED}	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1380	ehRec.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	580	Purchase order 3500354689.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	512	mscorsvw.exe
Token: SeShutdownPrivilege	512	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: 33	1904	EhTray.exe
Token: SeIncBasePriorityPrivilege	1904	EhTray.exe
Token: SeShutdownPrivilege	512	mscorsvw.exe
Token: SeShutdownPrivilege	512	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeShutdownPrivilege	1920	mscorsvw.exe
Token: SeDebugPrivilege	1380	ehRec.exe
Token: 33	1904	EhTray.exe
Token: SeIncBasePriorityPrivilege	1904	EhTray.exe
Token: SeShutdownPrivilege	512	mscorsvw.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: SeBackupPrivilege	1156	vssvc.exe
Token: SeRestorePrivilege	1156	vssvc.exe
Token: SeAuditPrivilege	1156	vssvc.exe
Token: SeBackupPrivilege	2388	wbengine.exe
Token: SeRestorePrivilege	2388	wbengine.exe
Token: SeSecurityPrivilege	2388	wbengine.exe
Token: SeManageVolumePrivilege	2764	SearchIndexer.exe
Token: 33	2764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2764	SearchIndexer.exe
Token: SeShutdownPrivilege	512	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1904	EhTray.exe
1904	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1904	EhTray.exe
1904	EhTray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
580	Purchase order 3500354689.exe
2844	SearchProtocolHost.exe
2844	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 1124 wrote to memory of 580	1124	Purchase order 3500354689.exe	27
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 580 wrote to memory of 1980	580	Purchase order 3500354689.exe	31
PID 512 wrote to memory of 1484	512	mscorsvw.exe	41
PID 512 wrote to memory of 1484	512	mscorsvw.exe	41
PID 512 wrote to memory of 1484	512	mscorsvw.exe	41
PID 512 wrote to memory of 968	512	mscorsvw.exe	42
PID 512 wrote to memory of 968	512	mscorsvw.exe	42
PID 512 wrote to memory of 968	512	mscorsvw.exe	42
PID 1920 wrote to memory of 1616	1920	mscorsvw.exe	43
PID 1920 wrote to memory of 1616	1920	mscorsvw.exe	43
PID 1920 wrote to memory of 1616	1920	mscorsvw.exe	43
PID 1920 wrote to memory of 1616	1920	mscorsvw.exe	43
PID 1920 wrote to memory of 1012	1920	mscorsvw.exe	44
PID 1920 wrote to memory of 1012	1920	mscorsvw.exe	44
PID 1920 wrote to memory of 1012	1920	mscorsvw.exe	44
PID 1920 wrote to memory of 1012	1920	mscorsvw.exe	44
PID 1920 wrote to memory of 1832	1920	mscorsvw.exe	45
PID 1920 wrote to memory of 1832	1920	mscorsvw.exe	45
PID 1920 wrote to memory of 1832	1920	mscorsvw.exe	45
PID 1920 wrote to memory of 1832	1920	mscorsvw.exe	45
PID 1920 wrote to memory of 2056	1920	mscorsvw.exe	46
PID 1920 wrote to memory of 2056	1920	mscorsvw.exe	46
PID 1920 wrote to memory of 2056	1920	mscorsvw.exe	46
PID 1920 wrote to memory of 2056	1920	mscorsvw.exe	46
PID 1920 wrote to memory of 2160	1920	mscorsvw.exe	47
PID 1920 wrote to memory of 2160	1920	mscorsvw.exe	47
PID 1920 wrote to memory of 2160	1920	mscorsvw.exe	47
PID 1920 wrote to memory of 2160	1920	mscorsvw.exe	47
PID 1920 wrote to memory of 2268	1920	mscorsvw.exe	48
PID 1920 wrote to memory of 2268	1920	mscorsvw.exe	48
PID 1920 wrote to memory of 2268	1920	mscorsvw.exe	48
PID 1920 wrote to memory of 2268	1920	mscorsvw.exe	48
PID 1920 wrote to memory of 2360	1920	mscorsvw.exe	49
PID 1920 wrote to memory of 2360	1920	mscorsvw.exe	49
PID 1920 wrote to memory of 2360	1920	mscorsvw.exe	49
PID 1920 wrote to memory of 2360	1920	mscorsvw.exe	49
PID 1920 wrote to memory of 2456	1920	mscorsvw.exe	50
PID 1920 wrote to memory of 2456	1920	mscorsvw.exe	50
PID 1920 wrote to memory of 2456	1920	mscorsvw.exe	50
PID 1920 wrote to memory of 2456	1920	mscorsvw.exe	50
PID 1920 wrote to memory of 2548	1920	mscorsvw.exe	51
PID 1920 wrote to memory of 2548	1920	mscorsvw.exe	51
PID 1920 wrote to memory of 2548	1920	mscorsvw.exe	51
PID 1920 wrote to memory of 2548	1920	mscorsvw.exe	51
PID 1920 wrote to memory of 2640	1920	mscorsvw.exe	52
PID 1920 wrote to memory of 2640	1920	mscorsvw.exe	52
PID 1920 wrote to memory of 2640	1920	mscorsvw.exe	52
PID 1920 wrote to memory of 2640	1920	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1980

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f0 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f0 -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 23c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 24c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f0 -NGENProcess 248 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 298 -NGENProcess 24c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 298 -NGENProcess 1f0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 23c -NGENProcess 2a0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 2a4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f0 -NGENProcess 2a8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 164 -NGENProcess 168 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1124

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1480

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1388

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2192

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2636

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2764
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1914912747-3343861975-731272777-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1914912747-3343861975-731272777-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
06b50cd724d13b15cf5c4ad501c68ec8

SHA1
b2a5792a5571d4e6931c94b29b697d9f3e45ba8f

SHA256
685e26073c95cf8dcafccd6470bfe556214aa82066bfe483ad0097e6b21778fb

SHA512
e7d6e8c34439ba8c76ffbf23e67ee2a5f247e987899515008be5c330ea27e817dbf6633e2307a1c837a9161f6eca69ce4af730f0b075ba398583e7e23ae4912d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
609467a0b41792c8c30d321970738ec4

SHA1
ecd4a4b63dc9b83169ff4b12a7956f9d6b8144d5

SHA256
9da3c9a8fc1d90fd822276ff81c8dee56294cc99fc345020ed674091721ca1f7

SHA512
28f6834dd36c37b5bbc40b8749388b61625806493f00b5e92cd8d6b232e28c0b80c7d702cf2297d1c9891b6b4070d8591ad878b07d8a20813ff0c6943ed66211

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f1ce0fc312dbc26bf75cd0a48c21c7be

SHA1
5eee5fe3dfdbae0ae4ba3d81200bb41843909755

SHA256
d42031ac9d73f3d82e3257ff511a416a929c3696bf9e711c24114dad39150b25

SHA512
f50d7d9be6e0e04198451b43f75930e462b615951d31d923d5bfd38a41e707d11b43df7fe9d0286e8aace2a658d30047d149a631e64244049944f67a66d9802b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
54fe295befc2b906695816ca8f133027

SHA1
2d9c928b78f3ec8015c777209c6071d0fffdcc4c

SHA256
ac14905e67a92e764a6a5ee98902d41f7565cd0bc2e9d7c94e58ea54ef4a6c2f

SHA512
b1c8c0294ab2900683e53bbef1146723668c6777ffa5d1bd70ebaaf8043473b6572a9386e7fd6b1e5c99290cdcadd7200a7589d8ef864348e8d4d6a4f0175564

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2a94d091da5971e747a089fed05d181c

SHA1
f6a4cad407e700c2777778681b2a20d1da8d5e32

SHA256
14dd66a1524a2c424b600a76df3e04b2a72d18ad2e143dba8ae4ed49652bf261

SHA512
05c54a20c27c19f427b7cdf068cdbb88d10498d01cbe0096edd97d7455e9873a246c0a0a831975ea8585ee9d007622fcdabffa9a26f2ded6c30f425cebab8033

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
88d038531a944ba056a7f1db658f3c3e

SHA1
914c033529873436d898c3279554ecd8da2a2330

SHA256
94becd64cb89ecb34b220d715a6328cbf1ff8ff48c9975bf58cc0bf57efe8af8

SHA512
a31dd73d6b60bf0c9586d8c0ff66ecb212bffdfe4f4b279a922fbb2f0c690a5622c29f959b5763315dfeebed8d5213c12fae9ecaa4a0b78dc61def27eb47d7c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f851b6e1f5c8197e4a8dc3177ade497f

SHA1
82a8f603aec3dd0dcd3616f90a6fdbc947f6a4cb

SHA256
7201fa95458083050abb845360cd200e89cb8d711aa2fba44c8c45276f4fe5ac

SHA512
8898ca0b8190b90a5ee8b8cafb824b0a679a0037d6bc6a363201629c81f40e9f7605abe8ae1827fb3f3c9f6b333a15978875c7aa0f71041e1a9f503417176451

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f851b6e1f5c8197e4a8dc3177ade497f

SHA1
82a8f603aec3dd0dcd3616f90a6fdbc947f6a4cb

SHA256
7201fa95458083050abb845360cd200e89cb8d711aa2fba44c8c45276f4fe5ac

SHA512
8898ca0b8190b90a5ee8b8cafb824b0a679a0037d6bc6a363201629c81f40e9f7605abe8ae1827fb3f3c9f6b333a15978875c7aa0f71041e1a9f503417176451

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3af25b875375810a7a54865fd07335be

SHA1
944d6600685dfb10fe0f557807d665b15f181bb9

SHA256
fa44d3517539440116169547b59dd193c55e94105612699c046907b257c00b3a

SHA512
bc71166411ffa0c3dfb611b67a36f36dfeb8835f1a7cc5e7d4d60e9865aef6fb8972bc77f6f0b75b15aadb6652f558e7a790214dd630da0c96f93a545a7450bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
83f5679603c95dd80ddcb8efd01b1b3c

SHA1
fb27cada12155f0e2b18631bfe9f5b3ec0808659

SHA256
be5753b1b8b780e81a80c45c412aad9e42334470a0a31d131054ab09d205f047

SHA512
7ccf594430984bfeac3bd8b7ef3102195486c304876273dd785312805e65f2485fcfd8f2ee21841bf53114f28e0a096c1aa2f90c232157d0e1b46a7d6635f988

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e6378e83c577b728c34092790b13b40b

SHA1
8ce57ed561f191b9dd163016bd81aea548fe6d5c

SHA256
a09f3000d535c4ed19bfb2ed5d3419b4bb43aa7391124150f08c5d8931778bfb

SHA512
97393105a7292b4a4fe745e71b4af25029c52ea7fec38b62ac434fc437e12dbbe32fabe35f9537c0d49441855942b50eec188e46f003759402e8521bd6412649

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e6378e83c577b728c34092790b13b40b

SHA1
8ce57ed561f191b9dd163016bd81aea548fe6d5c

SHA256
a09f3000d535c4ed19bfb2ed5d3419b4bb43aa7391124150f08c5d8931778bfb

SHA512
97393105a7292b4a4fe745e71b4af25029c52ea7fec38b62ac434fc437e12dbbe32fabe35f9537c0d49441855942b50eec188e46f003759402e8521bd6412649

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e6378e83c577b728c34092790b13b40b

SHA1
8ce57ed561f191b9dd163016bd81aea548fe6d5c

SHA256
a09f3000d535c4ed19bfb2ed5d3419b4bb43aa7391124150f08c5d8931778bfb

SHA512
97393105a7292b4a4fe745e71b4af25029c52ea7fec38b62ac434fc437e12dbbe32fabe35f9537c0d49441855942b50eec188e46f003759402e8521bd6412649

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e6378e83c577b728c34092790b13b40b

SHA1
8ce57ed561f191b9dd163016bd81aea548fe6d5c

SHA256
a09f3000d535c4ed19bfb2ed5d3419b4bb43aa7391124150f08c5d8931778bfb

SHA512
97393105a7292b4a4fe745e71b4af25029c52ea7fec38b62ac434fc437e12dbbe32fabe35f9537c0d49441855942b50eec188e46f003759402e8521bd6412649

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6cc0edb3c9806749aa67b0a3da611f1e

SHA1
1035b97b38413d77e32d7f0bc4ded198a082b18c

SHA256
49691e9b05607deaf972aa3ecf5ce12a632aef07548c53e42e8321cc55ee3e3e

SHA512
12439f5e44e0fd99f94250df158a17a94c3990f729da5814e5cf111a3b8f002ea0e3b1a00970c054a743035268d80c57498c62d2fc308382085dae0a4f45d9ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6cc0edb3c9806749aa67b0a3da611f1e

SHA1
1035b97b38413d77e32d7f0bc4ded198a082b18c

SHA256
49691e9b05607deaf972aa3ecf5ce12a632aef07548c53e42e8321cc55ee3e3e

SHA512
12439f5e44e0fd99f94250df158a17a94c3990f729da5814e5cf111a3b8f002ea0e3b1a00970c054a743035268d80c57498c62d2fc308382085dae0a4f45d9ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e88e82268e7e51ab04a381f08b6f62b8

SHA1
657ca7d708991b1dc003329972e8d0e9c520891f

SHA256
c670ce11351bbe00aed8c4076bed523c35d2ba43be1029fe06d1832b25802d0d

SHA512
87bb0f49e6a19012489fe5f5f59cd5edc52d87d5a4f5f85a46d7116f0227b70685abcf5d8da33780d9febb7a986406436d136df6acecf016573de84afae84618

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4e4b0dd1f687caacf18c9813ba9d4837

SHA1
2e1a37b51357a4db858b112dd02d5483cb5e2b36

SHA256
2f69de62a863a3bc819c635501af752255f235b299311438ff68db811970cf56

SHA512
54d866e5530f2d3759b727f5504974a11960b918506d0f1feaa112d4b05d0aa4d683dcaaca10b9c2966bcc33a7ae4bf4520fa731eea0f0a5238e1cff612c1539

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9da84bd572068500e0ed9e2df1361e98

SHA1
8750a2c722ea69f70c80f8f2f6b79f4efb555aea

SHA256
f1d41452992cbc20ec7a1454aece00bce28f424b07dd57bcbf358d8483a75ecc

SHA512
fae808ab919e639c052bf535559303b4795eafd903cda41dbf4caf09477a3f63ba043b37b384dc1feac3caa8781e349dda3bbed74e3b29c50768d1db8989a6d8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
efa90d30dd38a1688fde04db4b8d5883

SHA1
b60b4c716513d1c719398329ea766f4a825ce145

SHA256
37824342e48ee288934a7a4855bb003f2f09d067c5e7c5d4f8088148e7363773

SHA512
b557759a4a17a01c84642890aa858df9dc793abe3420d33f2b92dc8072136350b026a17b2e89033ea64d6237d2c9e873d2ddec46a5b95ae5e51ef1dd98bc51a0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2e136acdfc2754cd7750aaf3f4da5613

SHA1
3a81c862a1274593feed8d9e67ddefe287d2aa1e

SHA256
5675030eca67bbe17217fbe07d1a14d9566f9057b851fe795b904855f31cd512

SHA512
60406b2896c45be87095885ae18d4071dcb05507e0a92d0a24f7b038a437144a19bb18d3ed6ca2eb053dcdfac3bf438e66642321fa51c2211d2b6f0a8d7e5cd5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1bb9f398a7f5a01a012e1d91901ba889

SHA1
ab065d0e3aaed3357a7ac06a867e7665885e5422

SHA256
7e10c35038ec19adc28166dcbf64d8af1ccbcc5d6780a9de16fa3da9bc5d7eb8

SHA512
b059b506517e7811401559e6d15dc7640e2946b5f1c6d9c64d57b6046f90d507d0b9904c22c2d970e6cc574128c9c5e094aeb698bfad58632cc083ee371bccc8

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
e2a9b206ba7054ee4d194d73f4b308bf

SHA1
63257e98b87aac81466d47904175bddeb4fc60c2

SHA256
0c3e75f798901cefcec6ac052731f81cd20756299d094da2d544ee8efee0776b

SHA512
ff598c031fc1b44818b0a55e004b27a3b6c88ad8ebc80d8b99b2a1add1b14fdfc3f49ea84c8f056cccea80b25efef51bf16db6d7dffb795401004acd4f852c92

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
70dad30b1667134d29f8aaa4de402008

SHA1
197dd8ea62bba194a1230382e2464abd3cf2c031

SHA256
b1699f21a8d6962b073cedd904e03c1d279adee8ab84139d95b814f69b6e1111

SHA512
730dd21bb4bd86d08681c3c41c7181bdc6051a5bc460e70c341515ecbf716274880e509411d183e09f7d15099062e6f36a24edf185592409400cc94fe0a529e2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a41f054304178fe5c396154bd7258420

SHA1
125e185341f43becd45bf77e0494b67307e654a5

SHA256
49606704c2e685d1ca320d8868941a0c1d1e6622b43a3e7c41e312cb061e46b7

SHA512
06fee20fc223866c778475c07a080125d6f9e2603ad1fa406e826b72ca63ec400e9611b83a4e7c1d34f0328986258a9eb4c4af88f487246cd2842e4360001c75

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
e25c8cb6467a388d3841dc505ffacc90

SHA1
8cc7f46c0a3e9b084f87652e8d2b61f8b8ef6f6d

SHA256
7de02725a2c56808a0b42260a883ed0ee647f478cb468b488b5ed893ff336e78

SHA512
704ae0e957fbb1055ecfff4b4aa22d171cd5d6965df76c0a15b79748325bec128106f420432b7902da3509172ff5c4435261ee2c4af9aa393aa1aa450349cd36

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
459391784984a24e5431d9997dfe97c3

SHA1
803de44fdf9b58fe07616dce770f8649cd160376

SHA256
5ff5cbf5f33f510b822bfda5398473fd321c7c4b83187dc3671900fa32b69aa1

SHA512
545223523565014a22b34623b17ee92c06c14a5361b944bc517e96678c54fa465d982cd7e77ed36182be236260693aecada9f10b77b3162570bd88b802db9455

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ff4187f196324960eac80720d3e08bef

SHA1
8115c28e8826288c148d60f818dc2a45cd830f57

SHA256
002425c8e3d73b46bfdfb3bb9d27c6329ec9151bf61a440c702cd23f478dfb3d

SHA512
24f4a377fa88097cc22fa5813184bb60e91464b5a6fa53d6dac8d690891d3bcfceaad49245287a893c06874e3119496e7cf521eaeb3e7e0bee386db84dc718b9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5a190e0e1ea4a2ff6f14224ce498604b

SHA1
ea71393c5a768fa3b9f25d832e62a40e6d406eff

SHA256
cd7a277cf3d5e12e8371a88149cef5f497ea5cb69e2e45cda863c4dd1575ac3b

SHA512
82984fe061a8c6c6317b7178d82daabd86038290e2c784d294ca4c56943cf68e5685223820bd3afe438c77fa5cc4e8b7da3ba74dccaa783071fd5c6289ce0c47

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3cb291c681e5c67a213e506abe493273

SHA1
492d9e1df4e906814c28c49f8866dee7b661581b

SHA256
0e74825145d0869fdf1bd60a3ee1875270e88dc915b2562f4bda9c44c185ca6c

SHA512
72d914439e72b3ec5cc7c82ac23c8d60ef97bb1011208cd095b82610876caf8ebc46977c2573bf59658bd135fb6c16e71c8c7aaa5b64ee855ed44ad4dec9d6fe

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c534164042fc68df189ea090795e8fe2

SHA1
98791d0bd1dbc140c96637a3ad5e88295cc4bd98

SHA256
86572c33f7ed1d324922eb3c620d9faccda8c39cf61fd9f74053ba0b53b00bde

SHA512
85b448136143c5704cc5e2f00d232598672d05f9680a6cba23272a7dd99dedc927418607178bb1568fa7267c52722f06dcea04cb8f10366dfac37bf8c30ebd69

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
e25c8cb6467a388d3841dc505ffacc90

SHA1
8cc7f46c0a3e9b084f87652e8d2b61f8b8ef6f6d

SHA256
7de02725a2c56808a0b42260a883ed0ee647f478cb468b488b5ed893ff336e78

SHA512
704ae0e957fbb1055ecfff4b4aa22d171cd5d6965df76c0a15b79748325bec128106f420432b7902da3509172ff5c4435261ee2c4af9aa393aa1aa450349cd36

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
f851b6e1f5c8197e4a8dc3177ade497f

SHA1
82a8f603aec3dd0dcd3616f90a6fdbc947f6a4cb

SHA256
7201fa95458083050abb845360cd200e89cb8d711aa2fba44c8c45276f4fe5ac

SHA512
8898ca0b8190b90a5ee8b8cafb824b0a679a0037d6bc6a363201629c81f40e9f7605abe8ae1827fb3f3c9f6b333a15978875c7aa0f71041e1a9f503417176451

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
83f5679603c95dd80ddcb8efd01b1b3c

SHA1
fb27cada12155f0e2b18631bfe9f5b3ec0808659

SHA256
be5753b1b8b780e81a80c45c412aad9e42334470a0a31d131054ab09d205f047

SHA512
7ccf594430984bfeac3bd8b7ef3102195486c304876273dd785312805e65f2485fcfd8f2ee21841bf53114f28e0a096c1aa2f90c232157d0e1b46a7d6635f988

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
efa90d30dd38a1688fde04db4b8d5883

SHA1
b60b4c716513d1c719398329ea766f4a825ce145

SHA256
37824342e48ee288934a7a4855bb003f2f09d067c5e7c5d4f8088148e7363773

SHA512
b557759a4a17a01c84642890aa858df9dc793abe3420d33f2b92dc8072136350b026a17b2e89033ea64d6237d2c9e873d2ddec46a5b95ae5e51ef1dd98bc51a0

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1bb9f398a7f5a01a012e1d91901ba889

SHA1
ab065d0e3aaed3357a7ac06a867e7665885e5422

SHA256
7e10c35038ec19adc28166dcbf64d8af1ccbcc5d6780a9de16fa3da9bc5d7eb8

SHA512
b059b506517e7811401559e6d15dc7640e2946b5f1c6d9c64d57b6046f90d507d0b9904c22c2d970e6cc574128c9c5e094aeb698bfad58632cc083ee371bccc8

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
e2a9b206ba7054ee4d194d73f4b308bf

SHA1
63257e98b87aac81466d47904175bddeb4fc60c2

SHA256
0c3e75f798901cefcec6ac052731f81cd20756299d094da2d544ee8efee0776b

SHA512
ff598c031fc1b44818b0a55e004b27a3b6c88ad8ebc80d8b99b2a1add1b14fdfc3f49ea84c8f056cccea80b25efef51bf16db6d7dffb795401004acd4f852c92

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
70dad30b1667134d29f8aaa4de402008

SHA1
197dd8ea62bba194a1230382e2464abd3cf2c031

SHA256
b1699f21a8d6962b073cedd904e03c1d279adee8ab84139d95b814f69b6e1111

SHA512
730dd21bb4bd86d08681c3c41c7181bdc6051a5bc460e70c341515ecbf716274880e509411d183e09f7d15099062e6f36a24edf185592409400cc94fe0a529e2

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a41f054304178fe5c396154bd7258420

SHA1
125e185341f43becd45bf77e0494b67307e654a5

SHA256
49606704c2e685d1ca320d8868941a0c1d1e6622b43a3e7c41e312cb061e46b7

SHA512
06fee20fc223866c778475c07a080125d6f9e2603ad1fa406e826b72ca63ec400e9611b83a4e7c1d34f0328986258a9eb4c4af88f487246cd2842e4360001c75

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
e25c8cb6467a388d3841dc505ffacc90

SHA1
8cc7f46c0a3e9b084f87652e8d2b61f8b8ef6f6d

SHA256
7de02725a2c56808a0b42260a883ed0ee647f478cb468b488b5ed893ff336e78

SHA512
704ae0e957fbb1055ecfff4b4aa22d171cd5d6965df76c0a15b79748325bec128106f420432b7902da3509172ff5c4435261ee2c4af9aa393aa1aa450349cd36

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
e25c8cb6467a388d3841dc505ffacc90

SHA1
8cc7f46c0a3e9b084f87652e8d2b61f8b8ef6f6d

SHA256
7de02725a2c56808a0b42260a883ed0ee647f478cb468b488b5ed893ff336e78

SHA512
704ae0e957fbb1055ecfff4b4aa22d171cd5d6965df76c0a15b79748325bec128106f420432b7902da3509172ff5c4435261ee2c4af9aa393aa1aa450349cd36

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
459391784984a24e5431d9997dfe97c3

SHA1
803de44fdf9b58fe07616dce770f8649cd160376

SHA256
5ff5cbf5f33f510b822bfda5398473fd321c7c4b83187dc3671900fa32b69aa1

SHA512
545223523565014a22b34623b17ee92c06c14a5361b944bc517e96678c54fa465d982cd7e77ed36182be236260693aecada9f10b77b3162570bd88b802db9455

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ff4187f196324960eac80720d3e08bef

SHA1
8115c28e8826288c148d60f818dc2a45cd830f57

SHA256
002425c8e3d73b46bfdfb3bb9d27c6329ec9151bf61a440c702cd23f478dfb3d

SHA512
24f4a377fa88097cc22fa5813184bb60e91464b5a6fa53d6dac8d690891d3bcfceaad49245287a893c06874e3119496e7cf521eaeb3e7e0bee386db84dc718b9

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e0816b5f93a13d036e772db9fd7cd0c6

SHA1
c5ba397647d1a5f6cbd654d337474a3e6e8173a6

SHA256
0f2965c3eb41dff58783c36287a41ed6bcb68136b63c28b3a365546dd1a05b61

SHA512
77b3255fb6591284413998211183f99991a1445587a0ea40e4cc2a7a303bb8edb40cc83a8512b549764d6ba69ef2b283432ff22254efa5148bf9601a852ca1df

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5a190e0e1ea4a2ff6f14224ce498604b

SHA1
ea71393c5a768fa3b9f25d832e62a40e6d406eff

SHA256
cd7a277cf3d5e12e8371a88149cef5f497ea5cb69e2e45cda863c4dd1575ac3b

SHA512
82984fe061a8c6c6317b7178d82daabd86038290e2c784d294ca4c56943cf68e5685223820bd3afe438c77fa5cc4e8b7da3ba74dccaa783071fd5c6289ce0c47

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3cb291c681e5c67a213e506abe493273

SHA1
492d9e1df4e906814c28c49f8866dee7b661581b

SHA256
0e74825145d0869fdf1bd60a3ee1875270e88dc915b2562f4bda9c44c185ca6c

SHA512
72d914439e72b3ec5cc7c82ac23c8d60ef97bb1011208cd095b82610876caf8ebc46977c2573bf59658bd135fb6c16e71c8c7aaa5b64ee855ed44ad4dec9d6fe

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c534164042fc68df189ea090795e8fe2

SHA1
98791d0bd1dbc140c96637a3ad5e88295cc4bd98

SHA256
86572c33f7ed1d324922eb3c620d9faccda8c39cf61fd9f74053ba0b53b00bde

SHA512
85b448136143c5704cc5e2f00d232598672d05f9680a6cba23272a7dd99dedc927418607178bb1568fa7267c52722f06dcea04cb8f10366dfac37bf8c30ebd69

Download Submit
memory/512-148-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/580-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-74-0x0000000000B00000-0x0000000000B66000-memory.dmp

Filesize
408KB

Download
memory/580-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-69-0x0000000000B00000-0x0000000000B66000-memory.dmp

Filesize
408KB

Download
memory/580-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-214-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-93-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/580-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/916-405-0x0000000003D60000-0x0000000003E1A000-memory.dmp

Filesize
744KB

Download
memory/916-411-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/944-92-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/944-82-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/944-88-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/968-222-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/968-213-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1012-264-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1124-58-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1124-55-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1124-60-0x00000000085A0000-0x0000000008750000-memory.dmp

Filesize
1.7MB

Download
memory/1124-54-0x0000000000E50000-0x0000000000FC0000-memory.dmp

Filesize
1.4MB

Download
memory/1124-57-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1124-150-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1124-59-0x0000000008280000-0x00000000083B8000-memory.dmp

Filesize
1.2MB

Download
memory/1124-56-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1380-186-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/1380-217-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/1380-277-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/1380-212-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/1388-434-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1480-160-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1480-174-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1480-154-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1480-184-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1480-260-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1480-171-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1480-173-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1484-211-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1484-198-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1484-190-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1616-239-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1616-250-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1628-98-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1740-185-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1740-276-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1740-180-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1832-275-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1832-263-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1904-123-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1912-99-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1912-137-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1920-131-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/1920-124-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/1920-149-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1948-172-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1948-165-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1948-176-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1948-262-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1980-126-0x0000000004840000-0x00000000048FC000-memory.dmp

Filesize
752KB

Download
memory/1980-125-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/1980-106-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1980-110-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1980-112-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/1980-107-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1980-108-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/2056-278-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2056-289-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2160-302-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2160-291-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2192-444-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2268-311-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2360-325-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2360-309-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2380-471-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2380-467-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2448-485-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2448-486-0x0000000000500000-0x0000000000709000-memory.dmp

Filesize
2.0MB

Download
memory/2456-333-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2464-483-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2548-347-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2640-352-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2732-369-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2824-370-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2824-381-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2920-392-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3012-393-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3012-404-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download