blustealer | 421845b1fbf3828e4f4fe3e7147f501a422bd6ae755e388a089c67d005770b58

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-05-2023 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.4MB
MD5

98ac95047944a90076ed642f2b56fc7f
SHA1

e34b95acbdbead3a7057f6e42673bed24aa573c9
SHA256

421845b1fbf3828e4f4fe3e7147f501a422bd6ae755e388a089c67d005770b58
SHA512

8d415d64193df913602752c3004a7a24d7bc0ab29129eda9a1e9653e7cbfbaccb5ada7a1aa4a8b4ea81ff7fc2696fea242caf722e655b43f41cdc952738c5f74
SSDEEP

24576:N8whh2b5/1L3Y5zhzKSYIb34DSNCZlk0pRIIV6Kkcd4UiivgEvyV1jBSH:w91Lo5zgSYUI24ZlkwRI+9WUiiv7vyX0

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 29 IoCs

pid	Process
460	Process not Found
1152	alg.exe
804	aspnet_state.exe
1584	mscorsvw.exe
1668	mscorsvw.exe
1248	mscorsvw.exe
1908	mscorsvw.exe
860	dllhost.exe
1236	ehRecvr.exe
1552	ehsched.exe
1988	elevation_service.exe
1808	IEEtwCollector.exe
1844	GROOVE.EXE
1984	maintenanceservice.exe
1920	mscorsvw.exe
2092	msdtc.exe
2232	msiexec.exe
2404	OSE.EXE
2452	OSPPSVC.EXE
2536	perfhost.exe
2568	locator.exe
2668	snmptrap.exe
2772	vds.exe
2844	vssvc.exe
2920	wbengine.exe
3060	WmiApSrv.exe
2168	wmpnetwk.exe
2248	SearchIndexer.exe
2600	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2232	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
744	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa48e972decfa14c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 1088	1300	Purchase Order.exe	28
PID 1088 set thread context of 1160	1088	Purchase Order.exe	32

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Purchase Order.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Purchase Order.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{108AD753-F2F0-42A2-945A-000A8ADF5F18}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{108AD753-F2F0-42A2-945A-000A8ADF5F18}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{F7695AAB-74B6-4452-8F1D-962F0D7BF3B5}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{F7695AAB-74B6-4452-8F1D-962F0D7BF3B5}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1480	ehRec.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe
1088	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1088	Purchase Order.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: 33	1316	EhTray.exe
Token: SeIncBasePriorityPrivilege	1316	EhTray.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeRestorePrivilege	2232	msiexec.exe
Token: SeTakeOwnershipPrivilege	2232	msiexec.exe
Token: SeSecurityPrivilege	2232	msiexec.exe
Token: SeDebugPrivilege	1480	ehRec.exe
Token: SeBackupPrivilege	2844	vssvc.exe
Token: SeRestorePrivilege	2844	vssvc.exe
Token: SeAuditPrivilege	2844	vssvc.exe
Token: SeBackupPrivilege	2920	wbengine.exe
Token: SeRestorePrivilege	2920	wbengine.exe
Token: SeSecurityPrivilege	2920	wbengine.exe
Token: 33	1316	EhTray.exe
Token: SeIncBasePriorityPrivilege	1316	EhTray.exe
Token: 33	2168	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2168	wmpnetwk.exe
Token: SeManageVolumePrivilege	2248	SearchIndexer.exe
Token: 33	2248	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2248	SearchIndexer.exe
Token: SeShutdownPrivilege	1908	mscorsvw.exe
Token: SeDebugPrivilege	1088	Purchase Order.exe
Token: SeDebugPrivilege	1088	Purchase Order.exe
Token: SeDebugPrivilege	1088	Purchase Order.exe
Token: SeDebugPrivilege	1088	Purchase Order.exe
Token: SeDebugPrivilege	1088	Purchase Order.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1088	Purchase Order.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1300 wrote to memory of 1088	1300	Purchase Order.exe	28
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1088 wrote to memory of 1160	1088	Purchase Order.exe	32
PID 1908 wrote to memory of 1920	1908	mscorsvw.exe	45
PID 1908 wrote to memory of 1920	1908	mscorsvw.exe	45
PID 1908 wrote to memory of 1920	1908	mscorsvw.exe	45
PID 1908 wrote to memory of 2600	1908	mscorsvw.exe	59
PID 1908 wrote to memory of 2600	1908	mscorsvw.exe	59
PID 1908 wrote to memory of 2600	1908	mscorsvw.exe	59
PID 2248 wrote to memory of 3016	2248	SearchIndexer.exe	60
PID 2248 wrote to memory of 3016	2248	SearchIndexer.exe	60
PID 2248 wrote to memory of 3016	2248	SearchIndexer.exe	60
PID 2248 wrote to memory of 2052	2248	SearchIndexer.exe	61
PID 2248 wrote to memory of 2052	2248	SearchIndexer.exe	61
PID 2248 wrote to memory of 2052	2248	SearchIndexer.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 170 -NGENProcess 174 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 170 -NGENProcess 174 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:860

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1236

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1808

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1844

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1984

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2404

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2452

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2647223082-2067913677-935928954-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3016
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
de93e9cdc508e3565cd7665183d4b1d7

SHA1
6c11036cc4b33ca5211b8ada945d0ac15ccd420b

SHA256
081fd58a5848b3f26eedd3f726b706a4dd2e2c14ec9405e595c51ab7904865c0

SHA512
72c2c9dfd7b6a8a1fd9b2ea79fd2e89273645fb56d3686244555825ddd2a81b4eb705a3ce3edb5a3fb48576e31334c132bd0cb1978cef656944e978ce993aa2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ce00ae7d297a6cb68fffe87c50d46e3e

SHA1
f8364d6cd1a59f4acd2bb1a3adfba5a7281b4f50

SHA256
b994f2a594ab32a1f209948bd53d4a96d7090fb2c4c30a1f0913a1716dff78e5

SHA512
81a249f05e295fcd6fe86740bdaf7c44f85efcdf2b3c6afcc0cf08aba303617c0fe63bbe0d1a613b1acd8b2927b6f4500af1935938030c3ca296359f1be8982f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
00e5f1b53e76a3986d9fbf235e0ac480

SHA1
ddea7e6b063b2b2659f44e872919bf8ed59f56ec

SHA256
6ed1b9baf18363fb5223f132c66b5b297dbd6ca40ac46f5891057f1b4e4b13ee

SHA512
53d7d87cbb93143dd5d4680633d9ee780bae77ed01d0fd9bbc5917e714177478d5646f9fd82fea6049bb94461c20af3554e1caf3ee1393b005b4856f0d32bd22

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
32c78092fed0b5d757c4bbea7c902e95

SHA1
09c8f86b84fba0144e87f6b05d75f4e74dc6b94b

SHA256
e776036881717cf287eeb6e16b4f8253097d66b478462b8a1588446b080fc40d

SHA512
416d2c39b2291277c952620737132e7135f4a5db623d9cc4aafd159ee4508aa20857a2532b16890cb52828395db42cf50cac653e190b845c9877ce78b6b2c5c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
253b46ced232c7da62bf1d96d96da79c

SHA1
cd8a3378ae679a0c3f51bf9810bee4841fdaa758

SHA256
b3d903431c7a215ce20a80e282c33acc2eb71ef76c56f1eca464419d264766b0

SHA512
db275b6efdb94a0ab9b5b6012b96f9756f24dee292cfd906e2394f23adbfa9c1516f28d5b37ed66c5ab6d2a1f46102aa2284fe4cfe4fe80a892bfd1f7ce0e4f8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bc4c1ffc465a4f5d5bc157c9b2d5a195

SHA1
6214bece421724c26fa9d53f64e48675799b0201

SHA256
cac37eee4d455c302c5392eb163c3f1e0bceedfc9fe3c568d6cd5ba1d6f35484

SHA512
4ffa57d9bee2cb726690934a0065c180e112f1d9b3acab1c203c156893e7cebc3f5027326758b7cfed26341a5a58dcd4e9268017d8fca122f8f2d8ef0db325c9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c194b25c6f7750aefec4cafb5bd17959

SHA1
b10f795fd39e871a7bdf2234c8906a7143483cb9

SHA256
8849e045cc953e359023f082406b1eb5e840111cd067910387e8d33fabecd723

SHA512
42c90c533641c6df67d7a8dbe60bd0612463f583708fdd0bed10fd482f5f91ee2b1417bd1f11d96f88128b547cd47c1ef3042ca957f36342c0662d7b427d8d0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6ea5a9e907c37cc6395a14077147f383

SHA1
3893a5b76638d340ad5b5c5472f60135457fd380

SHA256
771d929d80af6a367de05e6c07ebbee59fd3a5b736d7a98530f08d64bb7d8685

SHA512
7ba1ea7824a7a0e464157dd6848c3f3799395b19354b31af8d09e105d9782e0f51af71f46a84d909889019ef6e0f16a1d6958eccc09047c5a0b53a7f5a08eba1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6ea5a9e907c37cc6395a14077147f383

SHA1
3893a5b76638d340ad5b5c5472f60135457fd380

SHA256
771d929d80af6a367de05e6c07ebbee59fd3a5b736d7a98530f08d64bb7d8685

SHA512
7ba1ea7824a7a0e464157dd6848c3f3799395b19354b31af8d09e105d9782e0f51af71f46a84d909889019ef6e0f16a1d6958eccc09047c5a0b53a7f5a08eba1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
aadec690a6d94aac2a163dee86834159

SHA1
cb52efe194b5af6c459bf554e65a89cd9e24c3cf

SHA256
432ba5f847ad2f65d09e0d43f794042d88d10e35a2574064f643fb336a571332

SHA512
4460328b4018d7f7c21e048a11ad01c33031b17cefdf0bf81ea5ecb945ca4d17ba900b2b59e1d9dc367dbbd58d34467e5eab41c417fb1331442687af9e78d011

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e0246165c825646084befceea93ec20e

SHA1
d55567ad11783320d81ed4306fb4632810735301

SHA256
d85e4eb43f9817825affb68211ae124086a2636ac51bb2602ff1368124ac5da4

SHA512
b50c1f5cd3a1ca590fca6a7dd18f6a849e1fe7c095337b374d9bd0860816ea5259b8ac69ad639d1cdd3a53b9ba5a9eb12cf9d427473a27209c10296a4db640fe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc4eb9f3215a689687f17500bac9a058

SHA1
10f327cabc25743e61a9fc326a122b5a5bec15ba

SHA256
eb45a2415f0528e346754930ca7e1ecae0b986848824601ec04821dc32047c83

SHA512
5ea55fa4bdffde72df3ba8cad8b289dbb2bec6d32eb5d8de56c64b1579eb8943e9e536ba7586dbc09da3b4dfb9d1e00eb36f5926005b33c2bc6363bda1e5be5c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc4eb9f3215a689687f17500bac9a058

SHA1
10f327cabc25743e61a9fc326a122b5a5bec15ba

SHA256
eb45a2415f0528e346754930ca7e1ecae0b986848824601ec04821dc32047c83

SHA512
5ea55fa4bdffde72df3ba8cad8b289dbb2bec6d32eb5d8de56c64b1579eb8943e9e536ba7586dbc09da3b4dfb9d1e00eb36f5926005b33c2bc6363bda1e5be5c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc4eb9f3215a689687f17500bac9a058

SHA1
10f327cabc25743e61a9fc326a122b5a5bec15ba

SHA256
eb45a2415f0528e346754930ca7e1ecae0b986848824601ec04821dc32047c83

SHA512
5ea55fa4bdffde72df3ba8cad8b289dbb2bec6d32eb5d8de56c64b1579eb8943e9e536ba7586dbc09da3b4dfb9d1e00eb36f5926005b33c2bc6363bda1e5be5c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bc4eb9f3215a689687f17500bac9a058

SHA1
10f327cabc25743e61a9fc326a122b5a5bec15ba

SHA256
eb45a2415f0528e346754930ca7e1ecae0b986848824601ec04821dc32047c83

SHA512
5ea55fa4bdffde72df3ba8cad8b289dbb2bec6d32eb5d8de56c64b1579eb8943e9e536ba7586dbc09da3b4dfb9d1e00eb36f5926005b33c2bc6363bda1e5be5c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6cb794c382d7e8d9535b513216a05ad0

SHA1
fd07cc01de1168954c7d06b47583b1d031855c79

SHA256
3e1da459f4cc1f20ac53ae5233558316b09b275ce0460082e76fbe684c877924

SHA512
246446baa34538aa43cfba03854df7c02d3daf91ed56af3e7f633aaec3b7010104de0974922a4a866b18d979209248465806afef73985b77acada25ca03651e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6cb794c382d7e8d9535b513216a05ad0

SHA1
fd07cc01de1168954c7d06b47583b1d031855c79

SHA256
3e1da459f4cc1f20ac53ae5233558316b09b275ce0460082e76fbe684c877924

SHA512
246446baa34538aa43cfba03854df7c02d3daf91ed56af3e7f633aaec3b7010104de0974922a4a866b18d979209248465806afef73985b77acada25ca03651e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
acc837c99ca0009de646c2762e0f9d03

SHA1
02bf09967b80bb47d4dc5055cf7ddf6316406131

SHA256
af2a7c8915e31a34325b519c9af76b2899d7b8949e5adab4d0aa6d4a87188754

SHA512
594cd37e99da9bf7f4e72ceda9bd968e2a7ab5996d729c43629ba7431f0f633a2af54f1f0674b728f2efe45e05cf98953a0136a6fdc32aa558be92bf9a3ed1b5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3a71c78f1a3b188c5d8e396cf63dab8b

SHA1
d2c1d44e6defedcd4f29f98bc2febbd6dd6534f8

SHA256
05439fc11d4b51ca5d98602d3269a2d31bf99ae158824991e9340f95d6358e77

SHA512
8b2c3f9b6e2163ba22e87dff2a8c2a5491621842cc6f8f73be218bfe2577a900ae0ef9c776c73eebfdf1d06df169fdb3bc358f4f95a5588da03765885390eac6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
57d0a1a79b862634fca10b3741baab01

SHA1
220f7f866f40553f9d986bd49585120379135083

SHA256
64f9f3cd33154e917e53d9aa5931463960335f8cfc96bd7edafe6997e66e5341

SHA512
df9b49401785b34df4af83bedb33d9f8e517df0c09fc330d61690cbe71ebbd9533c769f2a935efc354bb7f41de156f976f134ce76b86cb0425c45695560ab4e7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
32dbdfd1ce997334a00075afdd854f69

SHA1
bd9c13ac57c688895bd8f76efd03e0125a566ace

SHA256
662da4ff6414a2d8f56de6b7c89d532ba38098596d31b9329593ae17d3c0d5ae

SHA512
3d57cdbd8bc27242e65ed0f391be34f3dabb380b99b6d79fcbbe4c3b16415c196c2e31667cd5938447b953d8ce0f1836b0362dd106f539e07a87cd8c9179f52c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
7c26b012ce0eaea473baf71fa69da9bc

SHA1
2d5b31640a94181f9ee88fe4c355fd717c2f5f12

SHA256
5ca0225828a5ba4b6c87d060cda28d3f8ab57f456d4ea318822f08702affd7e6

SHA512
619fa5e85ccc3afabb3032c9b04e048f5c0712e9a50dc4321951b71d8d6e63c54f9da475ccd7e2850570ad7f6925e0871be58c464cb3f025d10a94ff8f2288bd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
116b011adde5bfef3f73f1df923c5265

SHA1
8e8616da7c9058cca39195c633418b7d893f8aa7

SHA256
5e1fe610d31c90a6e6d59528f24e80eecdf164c703f2e2fb5ba71e879599565a

SHA512
6a1f39e4b9bdf69cce3980a49f6bb9e9cf5c439b8eec6f9bbedaa5588d707bc7484f985cbd5574648310602aa2d09c5d9c7a219d36dbbeed299116ec39ab1a60

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c45b861a418c67cd1b7614d632252ead

SHA1
c33e80945b2c375963939526c123122cbd2fd9f2

SHA256
0a71a468e6bbc0181b963aff8c8e1dcfc5224ea51775a5ef7c65ddd5cbde682a

SHA512
2f6690b5ce35459b4d2cd1bd6fa4808b34610582db77fd0c217d1b4d042e5827403370607d6b5d7825f7daf2f7fe01c83ebc1626bd5adb4f6a5ff30d379e7e57

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
fca7e1895e2e6e68e5cc5282ae475e88

SHA1
3a7c74db7ebd1aaab29936f8745d696efa715200

SHA256
95beca51cb18d384329f17aba0f1b5495fc0663e895697b569d90ac0e3e6b4d1

SHA512
35cebd05d6d79a945fd233b55dcac85835e039ae20560302fcfa20e827047f31812db8b19d3d20475766e776607aeed896cf5e25dfc1b1dbadf37fa88d704ef1

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
be696e2dd9c7229f656d45079e5ba92b

SHA1
ecd17b61931fe908c1b57bc79c0caebd241659ff

SHA256
92ad05421db76546fbde7bb9486f5fb5c9515a4995341c2bb39dd9b8b29e420e

SHA512
2df22c473db66f2529899f1b5802948550186e69efac38423e5fc1a31bb451b49d8766cbf6b4136abd21d0b7494a809cb39b1e2d1d272246c061797e5ba87b77

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
70a05243956911a0ea1ff66e5f09c239

SHA1
9aeeeaa3cb113c8817a65f68c44f0f57b35f93cd

SHA256
394b3ad5beedd42a12506a0f2e3bba2dc4ec8dd6f2d0f0f801d69e6da00abd61

SHA512
18e98a1c758081c3afdedeef303c9f0d1361f8cd6a924ea9c1c63790716008a6229ce1ed73bc3f1e8cee6d8e30e3b816c830fce64bc0f32ae37a0cc03411b39f

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
011ba57e0000b1f300cda6b6a5764bc0

SHA1
3e03ac945bf8c44e315edd424f9fb54433f41eb3

SHA256
efbf85bc10c0a804ec16e0f7433cadc973b5159ae79affc4b0c109c9b98c0cbc

SHA512
ab598c9cf5b449bc16d1f19a8ee955a4ec744e843591c200fd423868c11489f9d0480ff43ef2aeb7c81775d1eaef4f90454a51d6aee6e532b5d86458728f2f1a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a8ddace6190166a9468cf31ada1bc570

SHA1
0b81aefdb5578ef62a2c6eea22920fd89f13563d

SHA256
1f52d79600ec3f90192414f8e889e8f8e737a3cf9a6e7a90d72d736c463b9493

SHA512
0f1822a12e653baaf4603ca5f3bbe24cb4e360bb7cb93809c233f33d1f7e8b21ea12789290eb148eb952232149365123bfbf58424921c63b3385e065fc0963d7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
0420ccf56391a419742614538f1abb52

SHA1
19288adae86b5f944ab0f6a6f9d1c152b8b97fba

SHA256
dd2e3ed1ba0670ee690e1f01c8d9731f602114b64bf4490b690104da8b6dc694

SHA512
be9a9dd1db5ad7d23b8f39c3e20ea6746b5dfa0e32de804e43e8fbf456cafe4ab69bf7020cfe82dac0621facd99580597e849987be521f48d4c17c1ac6f277aa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
614b1cc205fb1550bb5153465a73c132

SHA1
34ad2e330754e736cd1a13d5ac841ad1c27e972f

SHA256
429ac342ae5febf73d05c196a1b55f5e7272d24444a84b2cff81e75ed5c8a963

SHA512
29527321cce2f61ed707113c6a3aa255116af28224d1be4bbdac0ca06cfefccdd34b1eb6d693db651132ec36a342800bbb012d0038f8353521cca12435fe78f1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
68586025578e3630629b5337739dc0f1

SHA1
9e523702814bad031607b7a2f910276d8ac41441

SHA256
3f1c46a34c6b5aca2014866d782eafba3691811859a9af1643f12f90b120a75c

SHA512
ad3b0af379ca161b2db80b0f21fcae1653a70283c76460afe39d6746bf4c423aa91dd0ed8466980dd69757608d103ed8d6de4970f97c7b496afe5d3d879a8624

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ec1518b776ac047b77db49f14ba479a6

SHA1
48ca0d721a1c90a15dc9ec78f9caebd35bff870d

SHA256
e0b3ae1cc592ba9523bea03d2846247adeae50819ada898f7662fcfa22eb506c

SHA512
49122357d81eb5b80db0e2bc0b68440e879283fc145f2e860fe65d5d8c9b2ef7d3673314e728f81bd1957f72d53add0ecf4f8599980c8a3df2fb2087bded0c32

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
9f716b91904a032a6c4ab9be8a19d919

SHA1
11f0ec641ed6cb368ed8a21604f38758e4442e2d

SHA256
0f62c1e79174258e8712ac42eb1cb0a898b1a5305fbfda91b3b3c6a67da780ae

SHA512
70f6bcf62f1c0825036046c760496f3eb96925659bdc6668a8d7f041a04479ac0d4eb15519ced5076fe409a55769de6ab2bba1ed889a11cab835993b505e66f4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
011ba57e0000b1f300cda6b6a5764bc0

SHA1
3e03ac945bf8c44e315edd424f9fb54433f41eb3

SHA256
efbf85bc10c0a804ec16e0f7433cadc973b5159ae79affc4b0c109c9b98c0cbc

SHA512
ab598c9cf5b449bc16d1f19a8ee955a4ec744e843591c200fd423868c11489f9d0480ff43ef2aeb7c81775d1eaef4f90454a51d6aee6e532b5d86458728f2f1a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bc4c1ffc465a4f5d5bc157c9b2d5a195

SHA1
6214bece421724c26fa9d53f64e48675799b0201

SHA256
cac37eee4d455c302c5392eb163c3f1e0bceedfc9fe3c568d6cd5ba1d6f35484

SHA512
4ffa57d9bee2cb726690934a0065c180e112f1d9b3acab1c203c156893e7cebc3f5027326758b7cfed26341a5a58dcd4e9268017d8fca122f8f2d8ef0db325c9

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bc4c1ffc465a4f5d5bc157c9b2d5a195

SHA1
6214bece421724c26fa9d53f64e48675799b0201

SHA256
cac37eee4d455c302c5392eb163c3f1e0bceedfc9fe3c568d6cd5ba1d6f35484

SHA512
4ffa57d9bee2cb726690934a0065c180e112f1d9b3acab1c203c156893e7cebc3f5027326758b7cfed26341a5a58dcd4e9268017d8fca122f8f2d8ef0db325c9

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6ea5a9e907c37cc6395a14077147f383

SHA1
3893a5b76638d340ad5b5c5472f60135457fd380

SHA256
771d929d80af6a367de05e6c07ebbee59fd3a5b736d7a98530f08d64bb7d8685

SHA512
7ba1ea7824a7a0e464157dd6848c3f3799395b19354b31af8d09e105d9782e0f51af71f46a84d909889019ef6e0f16a1d6958eccc09047c5a0b53a7f5a08eba1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
e0246165c825646084befceea93ec20e

SHA1
d55567ad11783320d81ed4306fb4632810735301

SHA256
d85e4eb43f9817825affb68211ae124086a2636ac51bb2602ff1368124ac5da4

SHA512
b50c1f5cd3a1ca590fca6a7dd18f6a849e1fe7c095337b374d9bd0860816ea5259b8ac69ad639d1cdd3a53b9ba5a9eb12cf9d427473a27209c10296a4db640fe

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
32dbdfd1ce997334a00075afdd854f69

SHA1
bd9c13ac57c688895bd8f76efd03e0125a566ace

SHA256
662da4ff6414a2d8f56de6b7c89d532ba38098596d31b9329593ae17d3c0d5ae

SHA512
3d57cdbd8bc27242e65ed0f391be34f3dabb380b99b6d79fcbbe4c3b16415c196c2e31667cd5938447b953d8ce0f1836b0362dd106f539e07a87cd8c9179f52c

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c45b861a418c67cd1b7614d632252ead

SHA1
c33e80945b2c375963939526c123122cbd2fd9f2

SHA256
0a71a468e6bbc0181b963aff8c8e1dcfc5224ea51775a5ef7c65ddd5cbde682a

SHA512
2f6690b5ce35459b4d2cd1bd6fa4808b34610582db77fd0c217d1b4d042e5827403370607d6b5d7825f7daf2f7fe01c83ebc1626bd5adb4f6a5ff30d379e7e57

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
fca7e1895e2e6e68e5cc5282ae475e88

SHA1
3a7c74db7ebd1aaab29936f8745d696efa715200

SHA256
95beca51cb18d384329f17aba0f1b5495fc0663e895697b569d90ac0e3e6b4d1

SHA512
35cebd05d6d79a945fd233b55dcac85835e039ae20560302fcfa20e827047f31812db8b19d3d20475766e776607aeed896cf5e25dfc1b1dbadf37fa88d704ef1

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
be696e2dd9c7229f656d45079e5ba92b

SHA1
ecd17b61931fe908c1b57bc79c0caebd241659ff

SHA256
92ad05421db76546fbde7bb9486f5fb5c9515a4995341c2bb39dd9b8b29e420e

SHA512
2df22c473db66f2529899f1b5802948550186e69efac38423e5fc1a31bb451b49d8766cbf6b4136abd21d0b7494a809cb39b1e2d1d272246c061797e5ba87b77

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
70a05243956911a0ea1ff66e5f09c239

SHA1
9aeeeaa3cb113c8817a65f68c44f0f57b35f93cd

SHA256
394b3ad5beedd42a12506a0f2e3bba2dc4ec8dd6f2d0f0f801d69e6da00abd61

SHA512
18e98a1c758081c3afdedeef303c9f0d1361f8cd6a924ea9c1c63790716008a6229ce1ed73bc3f1e8cee6d8e30e3b816c830fce64bc0f32ae37a0cc03411b39f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
011ba57e0000b1f300cda6b6a5764bc0

SHA1
3e03ac945bf8c44e315edd424f9fb54433f41eb3

SHA256
efbf85bc10c0a804ec16e0f7433cadc973b5159ae79affc4b0c109c9b98c0cbc

SHA512
ab598c9cf5b449bc16d1f19a8ee955a4ec744e843591c200fd423868c11489f9d0480ff43ef2aeb7c81775d1eaef4f90454a51d6aee6e532b5d86458728f2f1a

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
011ba57e0000b1f300cda6b6a5764bc0

SHA1
3e03ac945bf8c44e315edd424f9fb54433f41eb3

SHA256
efbf85bc10c0a804ec16e0f7433cadc973b5159ae79affc4b0c109c9b98c0cbc

SHA512
ab598c9cf5b449bc16d1f19a8ee955a4ec744e843591c200fd423868c11489f9d0480ff43ef2aeb7c81775d1eaef4f90454a51d6aee6e532b5d86458728f2f1a

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a8ddace6190166a9468cf31ada1bc570

SHA1
0b81aefdb5578ef62a2c6eea22920fd89f13563d

SHA256
1f52d79600ec3f90192414f8e889e8f8e737a3cf9a6e7a90d72d736c463b9493

SHA512
0f1822a12e653baaf4603ca5f3bbe24cb4e360bb7cb93809c233f33d1f7e8b21ea12789290eb148eb952232149365123bfbf58424921c63b3385e065fc0963d7

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
0420ccf56391a419742614538f1abb52

SHA1
19288adae86b5f944ab0f6a6f9d1c152b8b97fba

SHA256
dd2e3ed1ba0670ee690e1f01c8d9731f602114b64bf4490b690104da8b6dc694

SHA512
be9a9dd1db5ad7d23b8f39c3e20ea6746b5dfa0e32de804e43e8fbf456cafe4ab69bf7020cfe82dac0621facd99580597e849987be521f48d4c17c1ac6f277aa

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
614b1cc205fb1550bb5153465a73c132

SHA1
34ad2e330754e736cd1a13d5ac841ad1c27e972f

SHA256
429ac342ae5febf73d05c196a1b55f5e7272d24444a84b2cff81e75ed5c8a963

SHA512
29527321cce2f61ed707113c6a3aa255116af28224d1be4bbdac0ca06cfefccdd34b1eb6d693db651132ec36a342800bbb012d0038f8353521cca12435fe78f1

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
68586025578e3630629b5337739dc0f1

SHA1
9e523702814bad031607b7a2f910276d8ac41441

SHA256
3f1c46a34c6b5aca2014866d782eafba3691811859a9af1643f12f90b120a75c

SHA512
ad3b0af379ca161b2db80b0f21fcae1653a70283c76460afe39d6746bf4c423aa91dd0ed8466980dd69757608d103ed8d6de4970f97c7b496afe5d3d879a8624

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ec1518b776ac047b77db49f14ba479a6

SHA1
48ca0d721a1c90a15dc9ec78f9caebd35bff870d

SHA256
e0b3ae1cc592ba9523bea03d2846247adeae50819ada898f7662fcfa22eb506c

SHA512
49122357d81eb5b80db0e2bc0b68440e879283fc145f2e860fe65d5d8c9b2ef7d3673314e728f81bd1957f72d53add0ecf4f8599980c8a3df2fb2087bded0c32

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
9f716b91904a032a6c4ab9be8a19d919

SHA1
11f0ec641ed6cb368ed8a21604f38758e4442e2d

SHA256
0f62c1e79174258e8712ac42eb1cb0a898b1a5305fbfda91b3b3c6a67da780ae

SHA512
70f6bcf62f1c0825036046c760496f3eb96925659bdc6668a8d7f041a04479ac0d4eb15519ced5076fe409a55769de6ab2bba1ed889a11cab835993b505e66f4

Download Submit
memory/804-98-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/860-166-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1088-78-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1088-74-0x0000000000660000-0x00000000006C6000-memory.dmp

Filesize
408KB

Download
memory/1088-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1088-69-0x0000000000660000-0x00000000006C6000-memory.dmp

Filesize
408KB

Download
memory/1088-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1088-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1088-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1088-132-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1088-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1088-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1152-97-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1152-83-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1152-89-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1160-117-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1160-110-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1160-129-0x0000000000E70000-0x0000000000F2C000-memory.dmp

Filesize
752KB

Download
memory/1160-106-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1160-122-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1160-120-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1236-358-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1236-190-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1236-152-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1236-164-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1236-146-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1236-167-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1236-168-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1248-131-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1248-124-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/1300-58-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1300-57-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1300-56-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1300-60-0x0000000008640000-0x00000000087F0000-memory.dmp

Filesize
1.7MB

Download
memory/1300-54-0x00000000008D0000-0x0000000000A36000-memory.dmp

Filesize
1.4MB

Download
memory/1300-55-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1300-59-0x00000000083A0000-0x00000000084D8000-memory.dmp

Filesize
1.2MB

Download
memory/1480-223-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1480-412-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1480-306-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1480-362-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1552-360-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1552-163-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1552-637-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1552-169-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1584-103-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1668-130-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1808-632-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1808-382-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1808-194-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1844-383-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1844-221-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1908-141-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1920-247-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1920-411-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1984-226-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1984-243-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1988-381-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1988-173-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/1988-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1988-179-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2092-248-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2168-364-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2168-642-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2232-249-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2232-272-0x0000000000510000-0x0000000000719000-memory.dmp

Filesize
2.0MB

Download
memory/2232-561-0x0000000000510000-0x0000000000719000-memory.dmp

Filesize
2.0MB

Download
memory/2232-486-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2248-384-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2248-643-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2404-277-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2452-552-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2452-279-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2536-302-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2568-304-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2600-415-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2600-558-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2668-305-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2668-592-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2772-328-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2772-593-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2844-331-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2844-604-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2920-351-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3060-638-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/3060-352-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download