blustealer | e0e677d03d49bc27c8575e7f2a4816aaf10cea4d624671292cce7e2eeec67497

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI-12042023-02.exe
Size

1.4MB
MD5

00ec65f5667134941484ca7ef40ef167
SHA1

e2aa6f59e21c3d69fe09e036a0db32249739874a
SHA256

e0e677d03d49bc27c8575e7f2a4816aaf10cea4d624671292cce7e2eeec67497
SHA512

d4f09ab5aa9fe5f5ea4429c6dba4e45d3021ffd512148df900bfdcfb3d91c28ce9cf7638f18e857fe913bffac573db70586d6261474813b4baadf4831bf949f9
SSDEEP

24576:X4Ze+gp1yI/aLxE5HY9qzZyQ9HHgefs+LbeFgEC/fGKhQ8mI5EKq:7G1E5HGqzMCg3geEXGk+K

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 52 IoCs

pid	Process
464	Process not Found
436	alg.exe
308	aspnet_state.exe
1484	mscorsvw.exe
1536	mscorsvw.exe
1636	mscorsvw.exe
1700	mscorsvw.exe
784	dllhost.exe
1764	ehRecvr.exe
1960	ehsched.exe
1144	elevation_service.exe
1504	mscorsvw.exe
904	IEEtwCollector.exe
748	GROOVE.EXE
112	mscorsvw.exe
2152	mscorsvw.exe
2180	maintenanceservice.exe
2340	msdtc.exe
2416	mscorsvw.exe
2540	mscorsvw.exe
2572	msiexec.exe
2800	mscorsvw.exe
2840	OSE.EXE
2956	OSPPSVC.EXE
960	mscorsvw.exe
2212	mscorsvw.exe
112	mscorsvw.exe
2460	mscorsvw.exe
2596	mscorsvw.exe
2760	mscorsvw.exe
2520	mscorsvw.exe
2704	mscorsvw.exe
3012	mscorsvw.exe
2884	mscorsvw.exe
1060	mscorsvw.exe
2112	mscorsvw.exe
2288	mscorsvw.exe
2580	mscorsvw.exe
2620	mscorsvw.exe
2672	mscorsvw.exe
2552	mscorsvw.exe
3052	perfhost.exe
2520	locator.exe
3068	mscorsvw.exe
2068	snmptrap.exe
2240	vds.exe
2364	vssvc.exe
1620	wbengine.exe
2180	WmiApSrv.exe
2656	mscorsvw.exe
2628	wmpnetwk.exe
2268	SearchIndexer.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2572	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
772	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3ac2a31b47bf3ad0.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\vds.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\alg.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\dllhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\msdtc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\locator.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbengine.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\vssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	PI-12042023-02.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 1652	1780	PI-12042023-02.exe	26
PID 1652 set thread context of 680	1652	PI-12042023-02.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	PI-12042023-02.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	PI-12042023-02.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	PI-12042023-02.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9342E1BB-A333-44FE-AEDB-4B026B7D723B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9342E1BB-A333-44FE-AEDB-4B026B7D723B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	PI-12042023-02.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	PI-12042023-02.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	PI-12042023-02.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	PI-12042023-02.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 35 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{6069E04D-4FE4-4CED-8915-BE110D35F267}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2008	ehRec.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe
1652	PI-12042023-02.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1652	PI-12042023-02.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: 33	956	EhTray.exe
Token: SeIncBasePriorityPrivilege	956	EhTray.exe
Token: SeDebugPrivilege	2008	ehRec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeSecurityPrivilege	2572	msiexec.exe
Token: 33	956	EhTray.exe
Token: SeIncBasePriorityPrivilege	956	EhTray.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeBackupPrivilege	2364	vssvc.exe
Token: SeRestorePrivilege	2364	vssvc.exe
Token: SeAuditPrivilege	2364	vssvc.exe
Token: SeBackupPrivilege	1620	wbengine.exe
Token: SeRestorePrivilege	1620	wbengine.exe
Token: SeSecurityPrivilege	1620	wbengine.exe
Token: 33	2628	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2628	wmpnetwk.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeDebugPrivilege	1652	PI-12042023-02.exe
Token: SeDebugPrivilege	1652	PI-12042023-02.exe
Token: SeDebugPrivilege	1652	PI-12042023-02.exe
Token: SeDebugPrivilege	1652	PI-12042023-02.exe
Token: SeDebugPrivilege	1652	PI-12042023-02.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
956	EhTray.exe
956	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
956	EhTray.exe
956	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1652	PI-12042023-02.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1780 wrote to memory of 1652	1780	PI-12042023-02.exe	26
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1652 wrote to memory of 680	1652	PI-12042023-02.exe	31
PID 1636 wrote to memory of 1504	1636	mscorsvw.exe	38
PID 1636 wrote to memory of 1504	1636	mscorsvw.exe	38
PID 1636 wrote to memory of 1504	1636	mscorsvw.exe	38
PID 1636 wrote to memory of 1504	1636	mscorsvw.exe	38
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	43
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	43
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	43
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	43
PID 1636 wrote to memory of 2152	1636	mscorsvw.exe	44
PID 1636 wrote to memory of 2152	1636	mscorsvw.exe	44
PID 1636 wrote to memory of 2152	1636	mscorsvw.exe	44
PID 1636 wrote to memory of 2152	1636	mscorsvw.exe	44
PID 1636 wrote to memory of 2416	1636	mscorsvw.exe	47
PID 1636 wrote to memory of 2416	1636	mscorsvw.exe	47
PID 1636 wrote to memory of 2416	1636	mscorsvw.exe	47
PID 1636 wrote to memory of 2416	1636	mscorsvw.exe	47
PID 1636 wrote to memory of 2540	1636	mscorsvw.exe	49
PID 1636 wrote to memory of 2540	1636	mscorsvw.exe	49
PID 1636 wrote to memory of 2540	1636	mscorsvw.exe	49
PID 1636 wrote to memory of 2540	1636	mscorsvw.exe	49
PID 1636 wrote to memory of 2800	1636	mscorsvw.exe	50
PID 1636 wrote to memory of 2800	1636	mscorsvw.exe	50
PID 1636 wrote to memory of 2800	1636	mscorsvw.exe	50
PID 1636 wrote to memory of 2800	1636	mscorsvw.exe	50
PID 1636 wrote to memory of 960	1636	mscorsvw.exe	53
PID 1636 wrote to memory of 960	1636	mscorsvw.exe	53
PID 1636 wrote to memory of 960	1636	mscorsvw.exe	53
PID 1636 wrote to memory of 960	1636	mscorsvw.exe	53
PID 1636 wrote to memory of 2212	1636	mscorsvw.exe	54
PID 1636 wrote to memory of 2212	1636	mscorsvw.exe	54
PID 1636 wrote to memory of 2212	1636	mscorsvw.exe	54
PID 1636 wrote to memory of 2212	1636	mscorsvw.exe	54
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	55
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	55
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	55
PID 1636 wrote to memory of 112	1636	mscorsvw.exe	55
PID 1636 wrote to memory of 2460	1636	mscorsvw.exe	56
PID 1636 wrote to memory of 2460	1636	mscorsvw.exe	56
PID 1636 wrote to memory of 2460	1636	mscorsvw.exe	56
PID 1636 wrote to memory of 2460	1636	mscorsvw.exe	56
PID 1636 wrote to memory of 2596	1636	mscorsvw.exe	57
PID 1636 wrote to memory of 2596	1636	mscorsvw.exe	57
PID 1636 wrote to memory of 2596	1636	mscorsvw.exe	57
PID 1636 wrote to memory of 2596	1636	mscorsvw.exe	57
PID 1636 wrote to memory of 2760	1636	mscorsvw.exe	58
PID 1636 wrote to memory of 2760	1636	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
"C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
  "C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:680

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1484

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 1ec -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 1ec -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 24c -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 284 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 278 -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 238 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 298 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 280 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 294 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 258 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 294 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 158 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 158 -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:784

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1764

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:956

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:904

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2840

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
982c50e083c647a266b5d9105c78e6d0

SHA1
852bebb1b07362badd6a36b67048a764845cdecd

SHA256
e34afa0e2ef1669281dfdd833f4573de83e80cf202572ab3df6b93198b75f974

SHA512
f09715e62665e05c98edc3a000a076f413a6e2fb976a254df5026f32e0c61417e55a17c37c696a17ad6a11d3c756a75a46f6ed8988f10825253aaf355e889a3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7698dd267bf0de38f3c96b4a66ba1d71

SHA1
25cc934799325a2d409e1eaadf0603f2634627b9

SHA256
ae1167b213a43b49d55bd777057ce94373e818e2353bf66fd6fa40c1f9a963b9

SHA512
48d0630976f8939ef2adfc76d0abba751afb8899ddc063916cd4a157b1db18f2bf2e49c954834008ce930edef2449195198ef6c4285949ccaa162ed6a5e8a65f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5e7cc1bb6adceee30fa751157b7e9b71

SHA1
8a8fc9ba5960d3f8f6b78fdff7fcc58ed46c190d

SHA256
5739aef354438e0fcb7141b19314f97bf4ae4973de82fdd5678fcab2ad9bbabc

SHA512
6b695286f944d5449194fb6fa2acca6c072448f4d2b1ed87663abc304e466787a1efa05825f46e587fe177b2af4af36d238a1eda1c37bb7ceba9eeac18a5e424

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
85e1c00746f82d0796cac9880206a4d1

SHA1
d12f0a1ddeb9aa381dbef30aa381d607c08f173b

SHA256
bcd35108c1a3df02c063efd6602fdffe37c61a4b94c7bee60d84c89468bae6b4

SHA512
e772889df5fbce4b2cdb6e5b0ffd637818a0cf07d6863b67cfe13c289856f8431c063902f43c56d842907b51ac18315e9a86ae8450b218abaf7c7a61000fc10a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
348eb19651570aaff1ec2090e2868b64

SHA1
ff6e267fa0438eddba5d2b2699515a82bcf22657

SHA256
e8533df119a499edd66ba3e033e830a663f404042e16de720a05abd05ec8ac2f

SHA512
0c0b6db76ed91d26cddfd30d6574f38621413702900f7b5907fec7d6fc61a7a0f2ff1380603c147e932138060a9e34837c0723a4325c0f24c437525f73693fbf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ff9832d4484d1d7637038066e67d5592

SHA1
c9d07d597c68c8a1f1e0156d09b9f5310ab1d572

SHA256
983a82767228d1397c93ad631cd2360041a8a613de2fe8219d49949a0ef5d50a

SHA512
ee61be793878bf5eab9cd12c29be6b7d8deb7c9172f42fdabea8117748965dafbf643c5f5dbdff42c36f29e2bd4cd52135893d18cdf739f94b32ae5aa6a3fe41

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ff9832d4484d1d7637038066e67d5592

SHA1
c9d07d597c68c8a1f1e0156d09b9f5310ab1d572

SHA256
983a82767228d1397c93ad631cd2360041a8a613de2fe8219d49949a0ef5d50a

SHA512
ee61be793878bf5eab9cd12c29be6b7d8deb7c9172f42fdabea8117748965dafbf643c5f5dbdff42c36f29e2bd4cd52135893d18cdf739f94b32ae5aa6a3fe41

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ae16004a3da669ecb4066524ca017f49

SHA1
9f74844c3bf76fb479cda845b4d5508aa7e62ac2

SHA256
170f51402af0e66d7c03d9172437afbffeb5634e4466728988f48ae4304bee39

SHA512
b3aabe01442c8bbd546dc6c371954c546d521bcbacf57324041190c2ca035a456b572e0391be5120e727e7929c1af1ec9f7a359592c2c3c26c962943b0d3378f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
a2b5f3502b826443904dc11281e1af69

SHA1
c36421f7e55527f27937e6a0f2621192e2c6db57

SHA256
fe97b2c4c2a9ed87334233097a5ad06428b0dfe24ada8a4acdd65acc91ed7433

SHA512
abd7f7112dbd13f9d8cb5d59f165698711d8850911beb9feb5e2d14903d7f1e0dfb56e4bf84f40342f950d944fb1498a42f241088dce882d27bd54a59b90b2b8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
525be875047bd996e148c086eb7c9fca

SHA1
dfe0101b6f4ed868e0405e802abde156eef5ab5d

SHA256
094af3c8b45f2f4594e4d34d9f0a2d3d4f434b92bfcb0540e7b28b15d83b7960

SHA512
c2585dd386f88cf89b609c30a781e508b0607faa37d676ef2bdb82ba9eb0f1a6888589006e5c95a71e5df8f72cf9031cac84b193555845fe8ff2cff0e8d387b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
525be875047bd996e148c086eb7c9fca

SHA1
dfe0101b6f4ed868e0405e802abde156eef5ab5d

SHA256
094af3c8b45f2f4594e4d34d9f0a2d3d4f434b92bfcb0540e7b28b15d83b7960

SHA512
c2585dd386f88cf89b609c30a781e508b0607faa37d676ef2bdb82ba9eb0f1a6888589006e5c95a71e5df8f72cf9031cac84b193555845fe8ff2cff0e8d387b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
525be875047bd996e148c086eb7c9fca

SHA1
dfe0101b6f4ed868e0405e802abde156eef5ab5d

SHA256
094af3c8b45f2f4594e4d34d9f0a2d3d4f434b92bfcb0540e7b28b15d83b7960

SHA512
c2585dd386f88cf89b609c30a781e508b0607faa37d676ef2bdb82ba9eb0f1a6888589006e5c95a71e5df8f72cf9031cac84b193555845fe8ff2cff0e8d387b7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e93282290aa319964f04f0c8ed21ce4f

SHA1
26eaa86970c897274367218fb386300865c0713b

SHA256
af46e404fd67678af3243e6d4fe4abce4f057c287ecaf4745c2df18b1cb87eaf

SHA512
55b5eb287b103bdfd3bdd3243e46fe3d78fc583319cbb1f432bc943020754c1f61f6fc1e26b6db37d53ebd269ab1325635ba091423c00e2b146e2aca76e99795

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e93282290aa319964f04f0c8ed21ce4f

SHA1
26eaa86970c897274367218fb386300865c0713b

SHA256
af46e404fd67678af3243e6d4fe4abce4f057c287ecaf4745c2df18b1cb87eaf

SHA512
55b5eb287b103bdfd3bdd3243e46fe3d78fc583319cbb1f432bc943020754c1f61f6fc1e26b6db37d53ebd269ab1325635ba091423c00e2b146e2aca76e99795

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
05418c585c86be23914341ecaaec4ce2

SHA1
650aaeffe44aaf29ea32d925666520e61f3a6dac

SHA256
394a9bb830892a1f6f145d7c066a43c27ba1d26eb869450121b9ee65bf7b9151

SHA512
f1053633599f32c6f08af037e7daa321b7c5f333ac53c5d33b9b5f267c360934ff93e94604327676e23628ee74fa700e77aa9961393b52214d196fc666fdb1ee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8f69c9ce411c82cc5267d83b44a3f48

SHA1
4a5c1a400f174759ede1540a1780c01678f87c83

SHA256
690e70ea0d3eaa0905404365475ad839e1402f16873144ae5a541463a988f7d7

SHA512
5b9632d83cc6a0bc63e8058a46bd11c59cee968905dc5e1078baa084fddc545bab7e6e6c12266b55c0c4302030bd6610194f0d52517078e5d5afc4dfdcf6a7c4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2095a25987ecb171e65b821c6c60abff

SHA1
bc8d87434ca6ba161fd4b676a2216b66719dcd35

SHA256
52bf1bfee5a5567bf57221fa309c9f2aecdb9d99bf72312dba4eacb30de21585

SHA512
bd6bd0b7f35f9d4bf3f06cc666ddf8d2fdefe9fc5e8670d527445d62ceaf22a13bbd99d72f54d2f0a2e7fc69e775983dcb277ae86ced739139a34a608b96ee1b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
fa081af2cba245aa1b37458a8634ed7e

SHA1
2ad28c24a88ec8b849c93d04ffb3107d3c23dbc1

SHA256
31d5e4f70548eff8824df35c4aedf9f11ba63de8f4fec5e5048697cf848a3487

SHA512
df7affeecfe2beffab42709f12c33945042a88422c9b6519d9bd5fe7e80ceb04da4c1513b6110dbdabccf9579c507245acca7dcf67d2fbde20ae801e78506b4f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
46bed5974bbac979514fd6e44220422c

SHA1
58c74a3187cf3caaad0bc7ca053bb3d5e7ace7a5

SHA256
752010d48677bafa0d922538b9b87a0c507dc1a2f739f50e6fc94bfc73c4f80e

SHA512
7e2e7297baee338a22e9294879099aedb253570a9c71695e859bf6c178873d7a074e4d6b5c12923a0d268c48c46d2ab8b7d40e9b77e8bc8912c33881b066739a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ad7338853211a643de9777efcc93d903

SHA1
117a54f74c21acec4c5d4a1369bb43db4c5f7980

SHA256
84afec6db6757a9839ac2e774326b0340402beb197eca7a064bae65144913a99

SHA512
160cd345fa6195f4bdd72fae9f8be8401f36ff90961e3ea75919d7c5c3eb7498f856040944a3f133bc104e68746a02a90198018234ae89cd7a509cb8a7ba4763

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
bfe5ec6d7fc4fb122e1ee15af4375df0

SHA1
fc97a1293f4cad0744f5dd6cd0229876d0f32688

SHA256
aa17bfb5148e74af3650ac67fafd0dfeeb3449468a2a702e69c1a9c6ad95f346

SHA512
86a0a129068f1609dbb24db63f9529b757f168bbfe29be1f55bb52239b66cd39f9516ca622ea5fb08d7bb643f3358739486ac76ec5eb63d73a4a21276ec2d0de

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
9e3b31fc0d8c42c396bf34aa80f23b0b

SHA1
b43704aae76b8752c504d22281e7d7c80e57918e

SHA256
671339f61ef9dcef83d23fc30f968c86566404fc196df18dab184861e8a005ce

SHA512
66fff6aab7a4d89ee9cdc3aca483feb5e193a4be4bede90fbf61dfc6a4c2dc39012f87974e64a56e0d35673024ecc2af13235013f22dc0c382b19ce06d037f8e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
424a77390d58ea789f0fee889ce0ca72

SHA1
d26e4690a40c789e65890e0b40ce70366a09f020

SHA256
f8eabd236a2ee2ee09dfdcb9843b391b0df7a6c4ff22e13ed77f8d644060c37f

SHA512
d9d3fcf47f5c9a01d5118546b3b38d4c7006df3ae7618e7c69d5e2f1cd4a3cf54c8d8b228ecaf6f1df14d8432eb6647f78526304defe3e6612306107a5b406eb

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
2aa5e951e9726fdf08e2b550270a9773

SHA1
f5c8b52af76adbf7462b41c9098f968602a59e56

SHA256
ab139f68ba904cae1ebea205abaa8f955a6372e006e92def929418d872bdec2a

SHA512
6f8f280f2e2b892c9a3dee00ab4da269b1669f883437297bbc592a6d53110bf79678e6a7a6cee786ee940530748df8b70f5c8d610666660962c5f0c744bf5ec5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ea1e559e3820ee9150af771ee9d7cd84

SHA1
c144b3b4fa004fe696104df061e96e689f713bf7

SHA256
f4950f58bbd6637a82f416a1edcc91a4894507e51ae4dbe9fd59cb790f440c23

SHA512
4c09dd5d70a6c8b24a3a5dacd21fdeb49ab55449543a948fe54d52c1ed9e0df2b90871f2902caf0ba65ba7134a436056fbf2abcf25f2d10507ce61178e1eff5d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
7bedc137070278a4cd6eb01c652c736b

SHA1
40745ea38ffdd2fff9d1945f4b8d1fcad9b9374f

SHA256
931412e650c7a46a078d42c1ee9431de3b35ae9f9da660b70e529736fcf9d5a0

SHA512
73ebf99198eebfcc7c0ce7db6feb3333127eb26dddbea4e7a732acba3665879bad4c66f6b1bd525f752e510b87f3e1d06c7e98a213787225edbfe7c45d3b7660

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4b7a5b2f31182c8f28a15a72b63f7f03

SHA1
26b0ef43de27f65854df28e19f026655456b7702

SHA256
56fb6e4e73a5b3428b9b3e781bf3597ec911b0cacc00b56f5d1a12f9d2042d9e

SHA512
7201b785d9b836b25a832c7cc4d6c412817fc1c9af3116022335e1757c72353daff6410a996ab0cdc85922649c29d551186d2d02f80f86ade93c506078ec4b7b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
8a0c4c4ff3bca367f7dfd956c84f0bfa

SHA1
d8ebe0b60a1822ddd4c01cdf7dcdcb05b89342b1

SHA256
1ce9599cfce11f2d03a7646924166431a31b3fc7186f5f3ccb1741d82064d852

SHA512
a935da755ced03dc81e193ac4ca1a11c45691a8898b36a16e2c7b7883f841f9184243ff552d3665c2bba689ea05c8f23aed180a3be99ecb0abaabec8fc7df660

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
2aa5e951e9726fdf08e2b550270a9773

SHA1
f5c8b52af76adbf7462b41c9098f968602a59e56

SHA256
ab139f68ba904cae1ebea205abaa8f955a6372e006e92def929418d872bdec2a

SHA512
6f8f280f2e2b892c9a3dee00ab4da269b1669f883437297bbc592a6d53110bf79678e6a7a6cee786ee940530748df8b70f5c8d610666660962c5f0c744bf5ec5

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ff9832d4484d1d7637038066e67d5592

SHA1
c9d07d597c68c8a1f1e0156d09b9f5310ab1d572

SHA256
983a82767228d1397c93ad631cd2360041a8a613de2fe8219d49949a0ef5d50a

SHA512
ee61be793878bf5eab9cd12c29be6b7d8deb7c9172f42fdabea8117748965dafbf643c5f5dbdff42c36f29e2bd4cd52135893d18cdf739f94b32ae5aa6a3fe41

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
a2b5f3502b826443904dc11281e1af69

SHA1
c36421f7e55527f27937e6a0f2621192e2c6db57

SHA256
fe97b2c4c2a9ed87334233097a5ad06428b0dfe24ada8a4acdd65acc91ed7433

SHA512
abd7f7112dbd13f9d8cb5d59f165698711d8850911beb9feb5e2d14903d7f1e0dfb56e4bf84f40342f950d944fb1498a42f241088dce882d27bd54a59b90b2b8

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
fa081af2cba245aa1b37458a8634ed7e

SHA1
2ad28c24a88ec8b849c93d04ffb3107d3c23dbc1

SHA256
31d5e4f70548eff8824df35c4aedf9f11ba63de8f4fec5e5048697cf848a3487

SHA512
df7affeecfe2beffab42709f12c33945042a88422c9b6519d9bd5fe7e80ceb04da4c1513b6110dbdabccf9579c507245acca7dcf67d2fbde20ae801e78506b4f

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ad7338853211a643de9777efcc93d903

SHA1
117a54f74c21acec4c5d4a1369bb43db4c5f7980

SHA256
84afec6db6757a9839ac2e774326b0340402beb197eca7a064bae65144913a99

SHA512
160cd345fa6195f4bdd72fae9f8be8401f36ff90961e3ea75919d7c5c3eb7498f856040944a3f133bc104e68746a02a90198018234ae89cd7a509cb8a7ba4763

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
bfe5ec6d7fc4fb122e1ee15af4375df0

SHA1
fc97a1293f4cad0744f5dd6cd0229876d0f32688

SHA256
aa17bfb5148e74af3650ac67fafd0dfeeb3449468a2a702e69c1a9c6ad95f346

SHA512
86a0a129068f1609dbb24db63f9529b757f168bbfe29be1f55bb52239b66cd39f9516ca622ea5fb08d7bb643f3358739486ac76ec5eb63d73a4a21276ec2d0de

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
9e3b31fc0d8c42c396bf34aa80f23b0b

SHA1
b43704aae76b8752c504d22281e7d7c80e57918e

SHA256
671339f61ef9dcef83d23fc30f968c86566404fc196df18dab184861e8a005ce

SHA512
66fff6aab7a4d89ee9cdc3aca483feb5e193a4be4bede90fbf61dfc6a4c2dc39012f87974e64a56e0d35673024ecc2af13235013f22dc0c382b19ce06d037f8e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
424a77390d58ea789f0fee889ce0ca72

SHA1
d26e4690a40c789e65890e0b40ce70366a09f020

SHA256
f8eabd236a2ee2ee09dfdcb9843b391b0df7a6c4ff22e13ed77f8d644060c37f

SHA512
d9d3fcf47f5c9a01d5118546b3b38d4c7006df3ae7618e7c69d5e2f1cd4a3cf54c8d8b228ecaf6f1df14d8432eb6647f78526304defe3e6612306107a5b406eb

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
2aa5e951e9726fdf08e2b550270a9773

SHA1
f5c8b52af76adbf7462b41c9098f968602a59e56

SHA256
ab139f68ba904cae1ebea205abaa8f955a6372e006e92def929418d872bdec2a

SHA512
6f8f280f2e2b892c9a3dee00ab4da269b1669f883437297bbc592a6d53110bf79678e6a7a6cee786ee940530748df8b70f5c8d610666660962c5f0c744bf5ec5

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
2aa5e951e9726fdf08e2b550270a9773

SHA1
f5c8b52af76adbf7462b41c9098f968602a59e56

SHA256
ab139f68ba904cae1ebea205abaa8f955a6372e006e92def929418d872bdec2a

SHA512
6f8f280f2e2b892c9a3dee00ab4da269b1669f883437297bbc592a6d53110bf79678e6a7a6cee786ee940530748df8b70f5c8d610666660962c5f0c744bf5ec5

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ea1e559e3820ee9150af771ee9d7cd84

SHA1
c144b3b4fa004fe696104df061e96e689f713bf7

SHA256
f4950f58bbd6637a82f416a1edcc91a4894507e51ae4dbe9fd59cb790f440c23

SHA512
4c09dd5d70a6c8b24a3a5dacd21fdeb49ab55449543a948fe54d52c1ed9e0df2b90871f2902caf0ba65ba7134a436056fbf2abcf25f2d10507ce61178e1eff5d

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
7bedc137070278a4cd6eb01c652c736b

SHA1
40745ea38ffdd2fff9d1945f4b8d1fcad9b9374f

SHA256
931412e650c7a46a078d42c1ee9431de3b35ae9f9da660b70e529736fcf9d5a0

SHA512
73ebf99198eebfcc7c0ce7db6feb3333127eb26dddbea4e7a732acba3665879bad4c66f6b1bd525f752e510b87f3e1d06c7e98a213787225edbfe7c45d3b7660

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4b7a5b2f31182c8f28a15a72b63f7f03

SHA1
26b0ef43de27f65854df28e19f026655456b7702

SHA256
56fb6e4e73a5b3428b9b3e781bf3597ec911b0cacc00b56f5d1a12f9d2042d9e

SHA512
7201b785d9b836b25a832c7cc4d6c412817fc1c9af3116022335e1757c72353daff6410a996ab0cdc85922649c29d551186d2d02f80f86ade93c506078ec4b7b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
8a0c4c4ff3bca367f7dfd956c84f0bfa

SHA1
d8ebe0b60a1822ddd4c01cdf7dcdcb05b89342b1

SHA256
1ce9599cfce11f2d03a7646924166431a31b3fc7186f5f3ccb1741d82064d852

SHA512
a935da755ced03dc81e193ac4ca1a11c45691a8898b36a16e2c7b7883f841f9184243ff552d3665c2bba689ea05c8f23aed180a3be99ecb0abaabec8fc7df660

Download Submit
memory/112-398-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/112-383-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/112-251-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/308-104-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/436-103-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/436-83-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/436-89-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/680-130-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/680-138-0x0000000000A70000-0x0000000000B2C000-memory.dmp

Filesize
752KB

Download
memory/680-133-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/680-124-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/680-126-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/680-127-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/748-250-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/748-367-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/784-149-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/904-234-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/960-369-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1144-188-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1144-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1144-180-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1144-345-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1484-105-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1504-230-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1504-187-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1504-204-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1536-118-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1636-121-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1636-117-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1636-342-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1636-125-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1652-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-326-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1652-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-70-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/1652-75-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/1700-148-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1764-344-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1764-158-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1764-167-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1764-166-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1764-197-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1764-152-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1764-164-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1780-55-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/1780-58-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/1780-57-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/1780-59-0x0000000008340000-0x0000000008478000-memory.dmp

Filesize
1.2MB

Download
memory/1780-54-0x0000000001230000-0x00000000013A4000-memory.dmp

Filesize
1.5MB

Download
memory/1780-60-0x000000000AD10000-0x000000000AEC0000-memory.dmp

Filesize
1.7MB

Download
memory/1780-56-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/1960-163-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1960-175-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1960-172-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1960-343-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2008-338-0x0000000000110000-0x0000000000190000-memory.dmp

Filesize
512KB

Download
memory/2008-346-0x0000000000110000-0x0000000000190000-memory.dmp

Filesize
512KB

Download
memory/2008-237-0x0000000000110000-0x0000000000190000-memory.dmp

Filesize
512KB

Download
memory/2152-282-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2180-277-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2180-258-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2212-386-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2212-368-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2340-372-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2340-261-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2416-303-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2460-409-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2460-397-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2520-443-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2520-432-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2540-324-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2572-378-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2572-307-0x00000000005D0000-0x00000000007D9000-memory.dmp

Filesize
2.0MB

Download
memory/2572-381-0x00000000005D0000-0x00000000007D9000-memory.dmp

Filesize
2.0MB

Download
memory/2572-301-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2596-413-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2704-455-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2760-431-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2800-357-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2800-327-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2840-328-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2956-339-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3012-456-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download
memory/3012-453-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3012-467-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download