3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
Size

2.1MB
MD5

8d23113553ee6b2f870b715f9e8da39a
SHA1

101a82d8071c27458adcc601a73dc5a891f7216c
SHA256

3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0
SHA512

0b3b845249f9d762d221ad8bd959829e5adc650f7142eca8d4b154cd78e264f1dffb5289a5b301291b5d2b593974bb00c98305808dafec61653daf1e4fd06ea9
SSDEEP

49152:3yG3tQ7ZMxg0K/th7KV8gbXHA/nTJFKLNiXicJFFRGNzj3:3y37R2g/nTJFK7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
468	Process not Found
2584	alg.exe
544	aspnet_state.exe
2364	mscorsvw.exe
1668	mscorsvw.exe
1320	mscorsvw.exe
3024	mscorsvw.exe
2972	dllhost.exe
1508	ehRecvr.exe
2572	ehsched.exe
1604	elevation_service.exe
1940	IEEtwCollector.exe
688	GROOVE.EXE
1564	mscorsvw.exe
1392	maintenanceservice.exe
2784	msdtc.exe
1116	msiexec.exe
1012	OSE.EXE
2272	OSPPSVC.EXE
524	mscorsvw.exe
1980	perfhost.exe
2540	locator.exe
2616	snmptrap.exe
2568	vds.exe
2392	vssvc.exe
1136	wbengine.exe
2328	WmiApSrv.exe
1240	wmpnetwk.exe
1388	SearchIndexer.exe
1748	mscorsvw.exe
2412	mscorsvw.exe
1524	mscorsvw.exe
1676	mscorsvw.exe
1856	mscorsvw.exe
2944	mscorsvw.exe
2188	mscorsvw.exe
2396	mscorsvw.exe
112	mscorsvw.exe
1152	mscorsvw.exe
2740	mscorsvw.exe
2768	mscorsvw.exe
2216	mscorsvw.exe
1696	mscorsvw.exe
1260	mscorsvw.exe
2804	mscorsvw.exe
2424	mscorsvw.exe
1892	mscorsvw.exe
1884	mscorsvw.exe
2280	mscorsvw.exe
2960	mscorsvw.exe
1948	mscorsvw.exe
2740	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1116	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
748	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f450c870cbc56ce8.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_ar.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_iw.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_vi.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_id.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_mr.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_sv.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_es-419.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\psuser_64.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_ur.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\MicrosoftEdgeUpdateOnDemand.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\MicrosoftEdgeUpdateCore.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_az.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_cy.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_pa.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdate.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_bs.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU712A.tmp\msedgeupdateres_hi.dll	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5A99DD9C-AA40-4E45-86EE-F4C3616412FE}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5A99DD9C-AA40-4E45-86EE-F4C3616412FE}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{AB923E4B-3AFF-4421-AE76-AE2F0516992A}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1544	ehRec.exe
544	aspnet_state.exe
544	aspnet_state.exe
544	aspnet_state.exe
544	aspnet_state.exe
544	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2588	3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	544	aspnet_state.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: 33	2992	EhTray.exe
Token: SeIncBasePriorityPrivilege	2992	EhTray.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeDebugPrivilege	1544	ehRec.exe
Token: SeRestorePrivilege	1116	msiexec.exe
Token: SeTakeOwnershipPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	1116	msiexec.exe
Token: 33	2992	EhTray.exe
Token: SeIncBasePriorityPrivilege	2992	EhTray.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeBackupPrivilege	1136	wbengine.exe
Token: SeRestorePrivilege	1136	wbengine.exe
Token: SeSecurityPrivilege	1136	wbengine.exe
Token: SeManageVolumePrivilege	1388	SearchIndexer.exe
Token: 33	1240	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1240	wmpnetwk.exe
Token: 33	1388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1388	SearchIndexer.exe
Token: SeDebugPrivilege	544	aspnet_state.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeDebugPrivilege	1320	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2992	EhTray.exe
2992	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2992	EhTray.exe
2992	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
952	SearchProtocolHost.exe
952	SearchProtocolHost.exe
952	SearchProtocolHost.exe
952	SearchProtocolHost.exe
952	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
2932	SearchProtocolHost.exe
952	SearchProtocolHost.exe
2932	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1564	1320	mscorsvw.exe	42
PID 1320 wrote to memory of 1564	1320	mscorsvw.exe	42
PID 1320 wrote to memory of 1564	1320	mscorsvw.exe	42
PID 1320 wrote to memory of 1564	1320	mscorsvw.exe	42
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 1748	1320	mscorsvw.exe	60
PID 1320 wrote to memory of 1748	1320	mscorsvw.exe	60
PID 1320 wrote to memory of 1748	1320	mscorsvw.exe	60
PID 1320 wrote to memory of 1748	1320	mscorsvw.exe	60
PID 1388 wrote to memory of 952	1388	SearchIndexer.exe	61
PID 1388 wrote to memory of 952	1388	SearchIndexer.exe	61
PID 1388 wrote to memory of 952	1388	SearchIndexer.exe	61
PID 1388 wrote to memory of 1540	1388	SearchIndexer.exe	62
PID 1388 wrote to memory of 1540	1388	SearchIndexer.exe	62
PID 1388 wrote to memory of 1540	1388	SearchIndexer.exe	62
PID 1320 wrote to memory of 2412	1320	mscorsvw.exe	63
PID 1320 wrote to memory of 2412	1320	mscorsvw.exe	63
PID 1320 wrote to memory of 2412	1320	mscorsvw.exe	63
PID 1320 wrote to memory of 2412	1320	mscorsvw.exe	63
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	64
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	64
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	64
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	64
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	65
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	65
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	65
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	65
PID 1320 wrote to memory of 1856	1320	mscorsvw.exe	66
PID 1320 wrote to memory of 1856	1320	mscorsvw.exe	66
PID 1320 wrote to memory of 1856	1320	mscorsvw.exe	66
PID 1320 wrote to memory of 1856	1320	mscorsvw.exe	66
PID 1320 wrote to memory of 2944	1320	mscorsvw.exe	67
PID 1320 wrote to memory of 2944	1320	mscorsvw.exe	67
PID 1320 wrote to memory of 2944	1320	mscorsvw.exe	67
PID 1320 wrote to memory of 2944	1320	mscorsvw.exe	67
PID 1320 wrote to memory of 2188	1320	mscorsvw.exe	68
PID 1320 wrote to memory of 2188	1320	mscorsvw.exe	68
PID 1320 wrote to memory of 2188	1320	mscorsvw.exe	68
PID 1320 wrote to memory of 2188	1320	mscorsvw.exe	68
PID 1388 wrote to memory of 2932	1388	SearchIndexer.exe	69
PID 1388 wrote to memory of 2932	1388	SearchIndexer.exe	69
PID 1388 wrote to memory of 2932	1388	SearchIndexer.exe	69
PID 1320 wrote to memory of 2396	1320	mscorsvw.exe	70
PID 1320 wrote to memory of 2396	1320	mscorsvw.exe	70
PID 1320 wrote to memory of 2396	1320	mscorsvw.exe	70
PID 1320 wrote to memory of 2396	1320	mscorsvw.exe	70
PID 1320 wrote to memory of 112	1320	mscorsvw.exe	71
PID 1320 wrote to memory of 112	1320	mscorsvw.exe	71
PID 1320 wrote to memory of 112	1320	mscorsvw.exe	71
PID 1320 wrote to memory of 112	1320	mscorsvw.exe	71
PID 1320 wrote to memory of 1152	1320	mscorsvw.exe	72
PID 1320 wrote to memory of 1152	1320	mscorsvw.exe	72
PID 1320 wrote to memory of 1152	1320	mscorsvw.exe	72
PID 1320 wrote to memory of 1152	1320	mscorsvw.exe	72
PID 1320 wrote to memory of 2740	1320	mscorsvw.exe	73
PID 1320 wrote to memory of 2740	1320	mscorsvw.exe	73
PID 1320 wrote to memory of 2740	1320	mscorsvw.exe	73
PID 1320 wrote to memory of 2740	1320	mscorsvw.exe	73
PID 1320 wrote to memory of 2768	1320	mscorsvw.exe	74
PID 1320 wrote to memory of 2768	1320	mscorsvw.exe	74
PID 1320 wrote to memory of 2768	1320	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe
"C:\Users\Admin\AppData\Local\Temp\3de9a8d1b94d695532d2fb00961f9ce902624eb9432a27687256ba2d875e19b0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2364

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 268 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 284 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 298 -NGENProcess 264 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 25c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 29c -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 1d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a0 -NGENProcess 28c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2ac -NGENProcess 2b4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2ac -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2972

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1508

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1940

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1012

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2272

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3185155662-718608226-894467740-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3185155662-718608226-894467740-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
781071a78f4618e16e90abe739183f31

SHA1
aab4ab3aa2de2d7f1d6c475e66bc904aeca4f2b5

SHA256
9ed7732fc209bf6f6e420ebad55fce5bed95e99fd899b919b101e23c3471fe22

SHA512
fdc4c04143e47a63607ad2897751bbbb48cb3a061a5e6d4aed86b50a73d784d818c207d05104df5753d7bcb6b4355cf4555f7f7c4b6e569dab765f9a7e223a3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a0b6d8196c5036eb7f4eff16c9c70da5

SHA1
bbd86acfa4398bc927d8c36d56c39def49f3abfe

SHA256
6bd5c72c5bc1a3ee066753c268337f586ebffaca555658c7c7bba543929ab1bd

SHA512
e021bb310f24de7a272d1d9607931b658f4342f7ef94a31ff2fd846ddcd92e557da16e768d8bbcf8aa4570cc9c04e4e26f6d89204ecd708111808ffddf8e2ed4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fec054ecb1f696d1040cc17096caa37b

SHA1
9acc15e8bf8a876d01adf323498657b83d684c6c

SHA256
19962cc7ca6abd46b1a1b90dff145fd9e9754cd9502bdf2e98e7e1b1b84ab096

SHA512
9ce4964c3799583eb70551bb8cfc8ed410841a87674c9345ad522bd999d240e85d2b82a3d23552bc1d75e7daea7b1c5404badd7c094c31a60d2c163d231c211c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e09bdb7991dcc78d2f69e3a31a42d3fd

SHA1
2d29371b1446273f24073878e4a2658339249620

SHA256
dd2c7525f6a148867dc8308e6e9c639b6d4338e6de3076558250d9b0105701fb

SHA512
c74e8ca286633e5548a68ae68e2877ba3a2d01e6b879043d443d36790a7e9e6a6d79b5747b356144fc4a17cfeaa88dd7d1318d261ef3ba5b69cb697b510b5aec

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
778f1cccc76372f6cc38e772b7231957

SHA1
56e5c201d6b6eec3135e6c45a9a08a489dc75c8d

SHA256
793fb8fe68cf19db71d2c8ad3039b00b4362c309bd4bc35df6b9a988ae3f4120

SHA512
da233469a345b6b05979e64e9b6e420f7ead10f72290c4f62b809be46de7b5bca1378ac1667d3b536812b88d2a51440e9c57a404ae94219eee39f228d9a93cb6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c2b1a7637968eec29f101c41c371a770

SHA1
a26c264c5abbef492ecbd5daebe407021aad3f3e

SHA256
4381af37858a8f08661abbbe7525336091eeb4f7772c78eb9383bb0023676b9f

SHA512
d2f9acfabb306201b1292c5ecece85fd98459a1abcaee2232ddee695a92aef44e81f0875592e6cd5c10c1e4f7073ad8be7c0cd83d7fa490b54cae4d8bb1a7bc5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e81b5523e5f72ce1ebf2ffef6e4239ad

SHA1
addd171904a43f180a93bbd7ba9c25188345c8b9

SHA256
d4944d740999c4accebbfb89c67c495c87680c873d95d2785ef9a90b8937c5c6

SHA512
aed082c07a96bbb1210109da5fdb8447e76ea862969b99006a78bc51e773ac5a4467a443e2cbfb324f610af173288ccf58aac829240dd639da9e3064e9c23a97

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
196e46a2a1e0703b8783772ab71943e3

SHA1
2d686d52a381dbc751d19ba58eb07ad095f21819

SHA256
0e1e319789b791a3d2ca77fee24750394215e1c48320855f95a3cc2bf578caa9

SHA512
9017e531eaebe1196ff1c2ac7bfaba7b250614cae81893a4981146b65658bd8ac028bd40b819fd1f0bb24844364205b0c1a1cf353fdf7b182f3b0544b095ba83

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
196e46a2a1e0703b8783772ab71943e3

SHA1
2d686d52a381dbc751d19ba58eb07ad095f21819

SHA256
0e1e319789b791a3d2ca77fee24750394215e1c48320855f95a3cc2bf578caa9

SHA512
9017e531eaebe1196ff1c2ac7bfaba7b250614cae81893a4981146b65658bd8ac028bd40b819fd1f0bb24844364205b0c1a1cf353fdf7b182f3b0544b095ba83

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b31ed4a3441692df0b99e3b91ee1f1ff

SHA1
9f72281b41742630b1971a7a0984c7fc4ccbad7d

SHA256
18f40a83838c32866fba7cf7bd3221d24cbf22a4aea27ba197f7711133efcd3f

SHA512
c6896aee19c83f60056e1885ffa95d21194e3b6ae00fbd1c846d62aa3c3f7140b41ae887ec4ccda9b3453652b7749f70c8a5311beced988597630a77f4d85ac3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
a13abf57dbd161e64e78a588a9142fad

SHA1
68dd9ff26d78b6449cdd0d4928886e80427c0911

SHA256
5cb33ce08abc9279da3152920bb630a0bf11f3717de302ae754c1b2f2d6e6900

SHA512
fa9a7a69c76e0650600f0b0282c9f1601cd2c7f72a579f4077d0d988e227c059ff5a78a83ff522cf93ab593146b0905fdddf73ca8a4309f94396a6069cf071d1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
52c0af3307eb1dedcf92647c2eb8aacd

SHA1
ffcaff935bce3a81f658b479110f9e3a1808c93c

SHA256
5ecf533db6b12d3e457e75c87825e704bdb0291a5a650d4a7381e8a91ce2b277

SHA512
ab4018e8224e1e74b761ddc3c02e8a6be5566f7b0fe4c636b25a22e2ece2d1f98d3dd0de8c05e3805019b3a6a209b9755c4c5cd753342bde8aeb679b49b76bb2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
52c0af3307eb1dedcf92647c2eb8aacd

SHA1
ffcaff935bce3a81f658b479110f9e3a1808c93c

SHA256
5ecf533db6b12d3e457e75c87825e704bdb0291a5a650d4a7381e8a91ce2b277

SHA512
ab4018e8224e1e74b761ddc3c02e8a6be5566f7b0fe4c636b25a22e2ece2d1f98d3dd0de8c05e3805019b3a6a209b9755c4c5cd753342bde8aeb679b49b76bb2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
473aef87ee7e09a32c93708d8d6f6dea

SHA1
07c6ff54816263659f88915312329544784528b4

SHA256
ec82176474cb9db5adcaa88b2924a7af772f5d93ff5098589e719ea3c06364b5

SHA512
0cafc772fa9fdc8a357cc21a7f7fd92c83a610842fd6233997672a24f2a8e66f6440b686ffa3bd09fd6a30da2d4d03e59b2c92de61da35440fc370e9da5080e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
473aef87ee7e09a32c93708d8d6f6dea

SHA1
07c6ff54816263659f88915312329544784528b4

SHA256
ec82176474cb9db5adcaa88b2924a7af772f5d93ff5098589e719ea3c06364b5

SHA512
0cafc772fa9fdc8a357cc21a7f7fd92c83a610842fd6233997672a24f2a8e66f6440b686ffa3bd09fd6a30da2d4d03e59b2c92de61da35440fc370e9da5080e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
95a459692971c9b14084851ab857ce05

SHA1
f70bea5ca0683386732e953fcf416753ba8a7c37

SHA256
c81933e528f039ec7cd70ee317516ce339111b10d432a955aa523caab639c888

SHA512
b0553dadbf38721710950e277077f7535c0ae83468c83882076e62c9ccb4c29f0a03f32f29519cf966e4f706be56fc7b9f848d0b6478199b7f6b25838656adff

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6b07489541579905867016e7b4543792

SHA1
8d25751a1044ea9c19d4c79caf68e2fa6962caae

SHA256
f52edd15dc806282b60e80c01c1849afcfdf761535625ac1aa70b48b1eb6e600

SHA512
63b5a4878e36920d742411a5802cb05fd37810882f5c356363d16517046cca9bab77d46031ace2e0e3fa675065a5a0e1eb8d032615e778e62c98bde21d9681c6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
445616d6a2ed1552f5b9db6b4a0503f4

SHA1
cc1a23ad6d56b95ea22e45773584d44d03c21caf

SHA256
f6d48bb1e3937b5117b85f3df6ce3380ee240158a2e253810f8795d3abf52e1a

SHA512
7c84be8a2e4389e084379a91359b00a0b3d7f7eaff9669ae013ab9ecb48356fb7a0ef8a9f7cbace43e89a6f0c4be005b4643855b0fead091074d5115cbe3a8a0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cc630d9d2d1e6610372658df56f5a9cd

SHA1
81654e379b5f46821bf97c18c453acdcd3ee8a0f

SHA256
cbb5d2adb71bbc583c1e77b2834ef73426bcc8db68a99e85a6f3840e18648de4

SHA512
775a26ca7de4544d387c89cd188a767e085aa0cc70a9d657a7321c395ec607e78262d1f254996efed83e33aa52483d4af78e4bee4bd4cc45fe499824d5cc5025

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d97210441abd08e5a0c10a3e3fac184f

SHA1
65c8fa1927e9ca7b277b5e97d2f4d1833e30c575

SHA256
6bc66b128a4af8ded7c76be889bccc3855399e996f75b84b770d68ba448cfc1a

SHA512
4b8da552d99426d8b6846e8d6b134d497dcba24a4fc09bd87aeb74ae00b69d01da77ddc75119b062f2334b1bc01ff4d44c661d4872da1e6c525597ead88fd738

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
4515e57243dbe0a3b99d65618e03424a

SHA1
495f166f691fb0d8490c558f2b3e14da881c8514

SHA256
cb655de8eba5ede5625bc2f1be43f59fd4f2e766db3c8ffa33f56e13bb99bb4f

SHA512
6797744b63b44c2f62ccebb78fc3b51887e82af965aef6f3b18e75e2c46511911cd6c885f72eb82da280fc25b0aa5dbde16f6f1474ed27542ebbfcb9b942b134

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6444dc22f49fafb354fe2973db6bb5cf

SHA1
7d6ddfe2e4e158f92cbaebf3f790f1e29ba922ba

SHA256
3de90ac483ca04080378c581909c47088e0401e8bef8354001831f811738b36b

SHA512
921126a8b8de79ac465b5e4b5d1204ef8b6126d1d3d3edb2e0337ab5d0542fcca0daacb1d94e0021c56998292a25a7d33909fb4b5bb6a792a8bf29a5f6b10fa3

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
79679a869bccfd4d18c448d8efbb37cd

SHA1
a6af16c3bed27e0d78131ccc570b50a3bb2e5445

SHA256
69b4f4bdffeb5042097d6247813795f09109de786884075a937e82ae7030106b

SHA512
ffe34e3267f6de8e911893c911da9a071041c2cf6fe7c51ae9ee3584feeebb09d5b3a8c979bc1eb2d7dee9e0deca3d1ea97dfe16e781df90c41ad8e04435f469

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
268d194df733de41ede9ca5bca9b8416

SHA1
738a14049053ed41eef3f3495ef8fb833ea8f776

SHA256
4335cba935b72a717a1a6b88a90bdfa914fbf3bbc95783d6fb24a8ac81e25dc0

SHA512
5c863e4e6e6f8dabbc52ca4ac71c1552a21987152a7b76e2f13e414487e06ba9151d6dda803bb6cbd14950978197162da7933a02b5a36ca15761232bfedad657

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1739ddbeebb8ed32237e081558dd3b51

SHA1
957bc6ec06f3de65e0410f567123e0ed8f162c11

SHA256
ec203f7b693c4724985ca6015f49f2cce44c02042ec9954df14d09c727b26931

SHA512
ce876ec9369bef620d6d8172ebcf808339aec4ba5c02853f8c84c82b867476bc5564156e8148a9532d5250594be769afb9e0b8b3fc250373316608330917c58d

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
6538415ce6fffa84c07a062b1fcaadea

SHA1
64b197af8a70d7ed11a55e0967e0a4cf7c1ace58

SHA256
fa8f0cbf28a1a170638d53e55d2cbbbf7572a27d3c912bfa790622022c1e1538

SHA512
3cc1f338af96934f02602b138eea2f25c7342632e1c33afce1308d088537c7d87b048abc8e825222513878f01f630779fca00aa3a7cde21d8ba05528dfea13a1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9aec7e7ab2a20f9f8f61357d96c0f556

SHA1
b17516cbd7ff00ab0fb54158b2bbdb1d53ddeb3b

SHA256
75af56823e7835443ad68eb0ff258e863e6a414016115c06fa4eb8e6623d4e9e

SHA512
070be2872f5e5bb39274de194d647fe1ca1cb2e439e78a7e60333836925e6973dac707a612666926d71a25f686288a073b9d5fb0c34c2be8ee560f7d4b16b949

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a4fcd74b8b492a99dc64a65493fe0558

SHA1
e1f1817ec1b21ba451732898a650ac0fb9540ba1

SHA256
5eb6813bcb1b66dc89acf20e56287049c9bf81df55b059e537c28e833985a37c

SHA512
291b13894b973ab710d6a987ba7edbf11c3ce21be15a73a884b0d7dde3137b297510ba42a21c933d59fdc361a8215f1e4ba3930ade91f44baea49e059381e058

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e0a04dc6d1fa7b07aa56ccddf543952f

SHA1
843b5c85a33fcb7a0a01393f2bf4219161664089

SHA256
4b9cfab8d48d08bd5d8936db33873a058499df7ae2f2a6220e2d5b459ac1a174

SHA512
daa87643d1561e2561f0f3336f345df85cdf02d22599c999e6a196514b2bc1dc3a5ddd01cdd4747b96bab5dc3364b5f72138ab53224a1b7d22a9a8ca7c9eacd5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
828aec94eb143f6103da61dcd963a080

SHA1
582dc9fb3dbc10b579f247c82a0b2e1d2eb4ff96

SHA256
f04825d632e8b57c998ae5f3a304eb8c9e1ecfafdd5f8b0f7d28b999398b8a15

SHA512
fb4c16036eb7a68cec8e1e0351f33f10a4cbda713dc132a4c081e494d2e0db02fd896073cb10a4730e49b02f163eeff58fcea4df998a95f067ba879964046911

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1774c75359bbdb935ef971038316ca43

SHA1
3b38e27b1f8340ce3b626557eac6d473861696c2

SHA256
cac18600905d2b928dc89cf472d0028bf52955f4dda620b10a039dc018eab92c

SHA512
1e6066c54ef3d8263794b8c1b5ab95d4b6c71cf7e8dc9c10157f244c311b6eb3be5623e1f490cca715c440cee0e14346f44cf72043e57c7eff8f956e3b96ebf3

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c239615136df5f772e86c774c42c80b8

SHA1
766fddde87eb4a2d2cd0843385fb9753a85b5f82

SHA256
2e390ee1a4c241d3dc083700f0c2b4f0dd6ff6cf93155b73e3d19fd35a8a4d6d

SHA512
fc1771a804611bf5c4011db1d79d2d29c56a77b751ad1e00380bba6b751d38c2504d82864b67a7fda7aed2e44caeddb535e278ceeaa26111d7a66d49e1ab8113

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
6538415ce6fffa84c07a062b1fcaadea

SHA1
64b197af8a70d7ed11a55e0967e0a4cf7c1ace58

SHA256
fa8f0cbf28a1a170638d53e55d2cbbbf7572a27d3c912bfa790622022c1e1538

SHA512
3cc1f338af96934f02602b138eea2f25c7342632e1c33afce1308d088537c7d87b048abc8e825222513878f01f630779fca00aa3a7cde21d8ba05528dfea13a1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c2b1a7637968eec29f101c41c371a770

SHA1
a26c264c5abbef492ecbd5daebe407021aad3f3e

SHA256
4381af37858a8f08661abbbe7525336091eeb4f7772c78eb9383bb0023676b9f

SHA512
d2f9acfabb306201b1292c5ecece85fd98459a1abcaee2232ddee695a92aef44e81f0875592e6cd5c10c1e4f7073ad8be7c0cd83d7fa490b54cae4d8bb1a7bc5

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c2b1a7637968eec29f101c41c371a770

SHA1
a26c264c5abbef492ecbd5daebe407021aad3f3e

SHA256
4381af37858a8f08661abbbe7525336091eeb4f7772c78eb9383bb0023676b9f

SHA512
d2f9acfabb306201b1292c5ecece85fd98459a1abcaee2232ddee695a92aef44e81f0875592e6cd5c10c1e4f7073ad8be7c0cd83d7fa490b54cae4d8bb1a7bc5

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
196e46a2a1e0703b8783772ab71943e3

SHA1
2d686d52a381dbc751d19ba58eb07ad095f21819

SHA256
0e1e319789b791a3d2ca77fee24750394215e1c48320855f95a3cc2bf578caa9

SHA512
9017e531eaebe1196ff1c2ac7bfaba7b250614cae81893a4981146b65658bd8ac028bd40b819fd1f0bb24844364205b0c1a1cf353fdf7b182f3b0544b095ba83

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
a13abf57dbd161e64e78a588a9142fad

SHA1
68dd9ff26d78b6449cdd0d4928886e80427c0911

SHA256
5cb33ce08abc9279da3152920bb630a0bf11f3717de302ae754c1b2f2d6e6900

SHA512
fa9a7a69c76e0650600f0b0282c9f1601cd2c7f72a579f4077d0d988e227c059ff5a78a83ff522cf93ab593146b0905fdddf73ca8a4309f94396a6069cf071d1

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cc630d9d2d1e6610372658df56f5a9cd

SHA1
81654e379b5f46821bf97c18c453acdcd3ee8a0f

SHA256
cbb5d2adb71bbc583c1e77b2834ef73426bcc8db68a99e85a6f3840e18648de4

SHA512
775a26ca7de4544d387c89cd188a767e085aa0cc70a9d657a7321c395ec607e78262d1f254996efed83e33aa52483d4af78e4bee4bd4cc45fe499824d5cc5025

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6444dc22f49fafb354fe2973db6bb5cf

SHA1
7d6ddfe2e4e158f92cbaebf3f790f1e29ba922ba

SHA256
3de90ac483ca04080378c581909c47088e0401e8bef8354001831f811738b36b

SHA512
921126a8b8de79ac465b5e4b5d1204ef8b6126d1d3d3edb2e0337ab5d0542fcca0daacb1d94e0021c56998292a25a7d33909fb4b5bb6a792a8bf29a5f6b10fa3

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
79679a869bccfd4d18c448d8efbb37cd

SHA1
a6af16c3bed27e0d78131ccc570b50a3bb2e5445

SHA256
69b4f4bdffeb5042097d6247813795f09109de786884075a937e82ae7030106b

SHA512
ffe34e3267f6de8e911893c911da9a071041c2cf6fe7c51ae9ee3584feeebb09d5b3a8c979bc1eb2d7dee9e0deca3d1ea97dfe16e781df90c41ad8e04435f469

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
268d194df733de41ede9ca5bca9b8416

SHA1
738a14049053ed41eef3f3495ef8fb833ea8f776

SHA256
4335cba935b72a717a1a6b88a90bdfa914fbf3bbc95783d6fb24a8ac81e25dc0

SHA512
5c863e4e6e6f8dabbc52ca4ac71c1552a21987152a7b76e2f13e414487e06ba9151d6dda803bb6cbd14950978197162da7933a02b5a36ca15761232bfedad657

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1739ddbeebb8ed32237e081558dd3b51

SHA1
957bc6ec06f3de65e0410f567123e0ed8f162c11

SHA256
ec203f7b693c4724985ca6015f49f2cce44c02042ec9954df14d09c727b26931

SHA512
ce876ec9369bef620d6d8172ebcf808339aec4ba5c02853f8c84c82b867476bc5564156e8148a9532d5250594be769afb9e0b8b3fc250373316608330917c58d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
6538415ce6fffa84c07a062b1fcaadea

SHA1
64b197af8a70d7ed11a55e0967e0a4cf7c1ace58

SHA256
fa8f0cbf28a1a170638d53e55d2cbbbf7572a27d3c912bfa790622022c1e1538

SHA512
3cc1f338af96934f02602b138eea2f25c7342632e1c33afce1308d088537c7d87b048abc8e825222513878f01f630779fca00aa3a7cde21d8ba05528dfea13a1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
6538415ce6fffa84c07a062b1fcaadea

SHA1
64b197af8a70d7ed11a55e0967e0a4cf7c1ace58

SHA256
fa8f0cbf28a1a170638d53e55d2cbbbf7572a27d3c912bfa790622022c1e1538

SHA512
3cc1f338af96934f02602b138eea2f25c7342632e1c33afce1308d088537c7d87b048abc8e825222513878f01f630779fca00aa3a7cde21d8ba05528dfea13a1

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9aec7e7ab2a20f9f8f61357d96c0f556

SHA1
b17516cbd7ff00ab0fb54158b2bbdb1d53ddeb3b

SHA256
75af56823e7835443ad68eb0ff258e863e6a414016115c06fa4eb8e6623d4e9e

SHA512
070be2872f5e5bb39274de194d647fe1ca1cb2e439e78a7e60333836925e6973dac707a612666926d71a25f686288a073b9d5fb0c34c2be8ee560f7d4b16b949

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e0a04dc6d1fa7b07aa56ccddf543952f

SHA1
843b5c85a33fcb7a0a01393f2bf4219161664089

SHA256
4b9cfab8d48d08bd5d8936db33873a058499df7ae2f2a6220e2d5b459ac1a174

SHA512
daa87643d1561e2561f0f3336f345df85cdf02d22599c999e6a196514b2bc1dc3a5ddd01cdd4747b96bab5dc3364b5f72138ab53224a1b7d22a9a8ca7c9eacd5

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
828aec94eb143f6103da61dcd963a080

SHA1
582dc9fb3dbc10b579f247c82a0b2e1d2eb4ff96

SHA256
f04825d632e8b57c998ae5f3a304eb8c9e1ecfafdd5f8b0f7d28b999398b8a15

SHA512
fb4c16036eb7a68cec8e1e0351f33f10a4cbda713dc132a4c081e494d2e0db02fd896073cb10a4730e49b02f163eeff58fcea4df998a95f067ba879964046911

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1774c75359bbdb935ef971038316ca43

SHA1
3b38e27b1f8340ce3b626557eac6d473861696c2

SHA256
cac18600905d2b928dc89cf472d0028bf52955f4dda620b10a039dc018eab92c

SHA512
1e6066c54ef3d8263794b8c1b5ab95d4b6c71cf7e8dc9c10157f244c311b6eb3be5623e1f490cca715c440cee0e14346f44cf72043e57c7eff8f956e3b96ebf3

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c239615136df5f772e86c774c42c80b8

SHA1
766fddde87eb4a2d2cd0843385fb9753a85b5f82

SHA256
2e390ee1a4c241d3dc083700f0c2b4f0dd6ff6cf93155b73e3d19fd35a8a4d6d

SHA512
fc1771a804611bf5c4011db1d79d2d29c56a77b751ad1e00380bba6b751d38c2504d82864b67a7fda7aed2e44caeddb535e278ceeaa26111d7a66d49e1ab8113

Download Submit
memory/524-449-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/524-454-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/544-107-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/544-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-127-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-305-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/688-366-0x00000000009E0000-0x0000000000A46000-memory.dmp

Filesize
408KB

Download
memory/688-362-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/688-421-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1012-424-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1012-434-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/1116-431-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1116-423-0x0000000000580000-0x0000000000789000-memory.dmp

Filesize
2.0MB

Download
memory/1320-151-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1320-152-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1320-329-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1320-158-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/1392-385-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1392-390-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1392-405-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1392-404-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1508-304-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1508-365-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1508-318-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1508-330-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1508-311-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1508-312-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1508-320-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1508-303-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1544-414-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/1544-351-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/1544-353-0x000007FEF49A0000-0x000007FEF533D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-349-0x000007FEF49A0000-0x000007FEF533D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-399-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/1544-403-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/1544-398-0x000007FEF49A0000-0x000007FEF533D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-411-0x000007FEF49A0000-0x000007FEF533D000-memory.dmp

Filesize
9.6MB

Download
memory/1564-382-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/1564-446-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1564-396-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1564-371-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1564-464-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1604-391-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1604-344-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1604-335-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1604-334-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1668-140-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1668-167-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1940-354-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1980-458-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2272-428-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2272-441-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2272-442-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2364-132-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2364-147-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2540-465-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2572-317-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2572-319-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2572-327-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2572-378-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2584-30-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2584-193-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2588-175-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2588-0-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2588-1-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/2588-7-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/2588-6-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/2588-299-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2616-468-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2784-397-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2972-192-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2972-185-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2972-186-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2972-352-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/3024-169-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/3024-168-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-342-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-176-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download