d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1

Analysis

max time kernel
112s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
Size

1.3MB
MD5

ae31844f2363b5b7aabc7bc287ca04fb
SHA1

ff3daadaf3cb52885573fb592bc5279974a1bb28
SHA256

d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1
SHA512

0bfeadea8496702432bfdb0996717c59ee8ee3ea44cd24f6c4a9627d60276c9d79204bf5b2e191962c299950c48c0c675f8d389278eb186a194231f4866c2f90
SSDEEP

24576:Xgv9UlTBVmJK2JrzaQDQjHDlicG0y4Q+ZyWHRlMugdD+JsRgZRJ4fM430Eg6nETi:+WTSJTJXDIDlicG0y45PxlMPdlR8v4Uf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
468	Process not Found
2068	alg.exe
2816	aspnet_state.exe
2088	mscorsvw.exe
2544	mscorsvw.exe
3044	mscorsvw.exe
2740	mscorsvw.exe
2268	dllhost.exe
744	ehRecvr.exe
2396	ehsched.exe
2016	mscorsvw.exe
1804	elevation_service.exe
1824	IEEtwCollector.exe
1764	mscorsvw.exe
2192	GROOVE.EXE
2700	maintenanceservice.exe
2676	msdtc.exe
2920	msiexec.exe
1888	OSE.EXE
1896	mscorsvw.exe
2336	OSPPSVC.EXE
2484	perfhost.exe
1332	locator.exe
2776	snmptrap.exe
2624	vds.exe
748	vssvc.exe
304	wbengine.exe
1488	WmiApSrv.exe
1428	wmpnetwk.exe
2528	SearchIndexer.exe
2272	mscorsvw.exe
2832	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2920	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\System32\vds.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\System32\alg.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f754676899022096.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\locator.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{2D2564FD-023C-43F6-955B-99EC46C3AED0}\chrome_installer.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{086F764C-60DC-4D60-9099-99FCCFE1EBA7}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{086F764C-60DC-4D60-9099-99FCCFE1EBA7}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{6D94B582-9ACD-41DD-B05D-0FBD72DC7BFB}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{6D94B582-9ACD-41DD-B05D-0FBD72DC7BFB}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1312	ehRec.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: SeShutdownPrivilege	2740	mscorsvw.exe
Token: 33	3060	EhTray.exe
Token: SeIncBasePriorityPrivilege	3060	EhTray.exe
Token: SeDebugPrivilege	1312	ehRec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeSecurityPrivilege	2920	msiexec.exe
Token: 33	3060	EhTray.exe
Token: SeIncBasePriorityPrivilege	3060	EhTray.exe
Token: SeBackupPrivilege	748	vssvc.exe
Token: SeRestorePrivilege	748	vssvc.exe
Token: SeAuditPrivilege	748	vssvc.exe
Token: SeBackupPrivilege	304	wbengine.exe
Token: SeRestorePrivilege	304	wbengine.exe
Token: SeSecurityPrivilege	304	wbengine.exe
Token: SeManageVolumePrivilege	2528	SearchIndexer.exe
Token: 33	2528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2528	SearchIndexer.exe
Token: 33	1428	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1428	wmpnetwk.exe
Token: SeDebugPrivilege	2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
Token: SeDebugPrivilege	2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
Token: SeDebugPrivilege	2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
Token: SeDebugPrivilege	2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
Token: SeDebugPrivilege	2156	d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3060	EhTray.exe
3060	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3060	EhTray.exe
3060	EhTray.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
308	SearchProtocolHost.exe
308	SearchProtocolHost.exe
308	SearchProtocolHost.exe
308	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2016	3044	mscorsvw.exe	37
PID 3044 wrote to memory of 2016	3044	mscorsvw.exe	37
PID 3044 wrote to memory of 2016	3044	mscorsvw.exe	37
PID 3044 wrote to memory of 2016	3044	mscorsvw.exe	37
PID 3044 wrote to memory of 1764	3044	mscorsvw.exe	42
PID 3044 wrote to memory of 1764	3044	mscorsvw.exe	42
PID 3044 wrote to memory of 1764	3044	mscorsvw.exe	42
PID 3044 wrote to memory of 1764	3044	mscorsvw.exe	42
PID 3044 wrote to memory of 1896	3044	mscorsvw.exe	48
PID 3044 wrote to memory of 1896	3044	mscorsvw.exe	48
PID 3044 wrote to memory of 1896	3044	mscorsvw.exe	48
PID 3044 wrote to memory of 1896	3044	mscorsvw.exe	48
PID 2528 wrote to memory of 308	2528	SearchIndexer.exe	61
PID 2528 wrote to memory of 308	2528	SearchIndexer.exe	61
PID 2528 wrote to memory of 308	2528	SearchIndexer.exe	61
PID 2528 wrote to memory of 2492	2528	SearchIndexer.exe	62
PID 2528 wrote to memory of 2492	2528	SearchIndexer.exe	62
PID 2528 wrote to memory of 2492	2528	SearchIndexer.exe	62
PID 3044 wrote to memory of 2272	3044	mscorsvw.exe	63
PID 3044 wrote to memory of 2272	3044	mscorsvw.exe	63
PID 3044 wrote to memory of 2272	3044	mscorsvw.exe	63
PID 3044 wrote to memory of 2272	3044	mscorsvw.exe	63
PID 3044 wrote to memory of 2832	3044	mscorsvw.exe	64
PID 3044 wrote to memory of 2832	3044	mscorsvw.exe	64
PID 3044 wrote to memory of 2832	3044	mscorsvw.exe	64
PID 3044 wrote to memory of 2832	3044	mscorsvw.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe
"C:\Users\Admin\AppData\Local\Temp\d5bbf6511785bedc6c577dbefaef86ad97ce275a65c86b352e645b4e27c90fa1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2268

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:744

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2192

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3513876443-2771975297-1923446376-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3513876443-2771975297-1923446376-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2492
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
75b7b351a63db68678ba68f0e3bc98d5

SHA1
f279232ed41a61e1a7ce6ac67fd7b7fdea052967

SHA256
961ff33e9f00efaed7e29dd8c70b93e4f2fdbb3917dc09eb3badff3becc8acb3

SHA512
552c7a5c215ffd581ec882d5ff6fe7af491d81a9e40a1083cabeb0fa2169dc2f4f1f62fb6482170aedaf66aacbe9757aba60ca3fd872f33be0c10ae60fb6a7ec

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
f61ef4924cbf6cffe31983bebdad700c

SHA1
37139ed0f3c35cb5860c00491212c80272272584

SHA256
8acf7f1cfdbd6717fb01ac0d751edb40d90ca4f5ba19c8f0975e5fa3ab0c6c27

SHA512
f42f4a7f0ef98d30daea05dca3a97604d26d0b84e17b42c5be190a89455026ae2562fc77600397629d8d5c4533b16fe4b3105d34ef7e4cd686653beccaaa73ed

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
cf144ba6515fe12df3ddd52e8347a1d5

SHA1
80fb62e418e3a64652cf1a3efe586a0db50c5444

SHA256
c77a8eea6e11a60e919265032a649b4285f968a986960cfcda37a9f15a7fc75f

SHA512
ee4424c6a239f8be9487628eabd190472af500fdeb310152ca33acb420f4dcd0b42ae9f0fab0046b89894fb3f1f39a9f733513468d836e6968f7d6a86e99ce34

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
e293d73418420571b2b79fdf38648d38

SHA1
adf46b9a3ab237473531763e54fc5f7750ea36be

SHA256
6a33b8e40ffae0ddd81e90501590dd074a1218c0167ffbc4a3c3e20081c7e9f9

SHA512
a4cda73ec26f5d54ad2fc5c557eed247b83b6f9a50f891f504c291ed66cf580f9b05f9aeb974bd895e187905d8c7a4f48a54612882dae56e747af1d05845240b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
f011c8f43e474fd9eb37917bd0a7413b

SHA1
6459d2ef4c6255cbe9cc81ee455950e727f85bd2

SHA256
b72167edf67edccb9160709673815798dd43053fdb87c43ce21f72cada649865

SHA512
d8f70cbcdd4d1d595f0a13494961c48422e72c90240457ed664d71b7a4b368a4369f4509a011ae76db1c29842cc0707c7678bb1f032f9b3deb4466e6c25dac8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6e0a7bb545a5e8decab2e8d57d7514a1

SHA1
004eb83d7a74d59fd0822f2fb4dade887001e648

SHA256
b45fbe6aca375d6830367bde2fde2c014b761bfb97b68633cffc5f2d7bacc912

SHA512
ba964d9261da0780f8afae5af287e01c3b19e8991f09d643cad91988eb014d2ea784609d197937d7edcfae24f647f70f51712a09e9842ca058fbf1ba9c1ef514

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
4f44ed4d21c3581f668f335e11c38c2a

SHA1
0a7ed4d5ffb7f01b9c79244cbfc5a539e15e8be7

SHA256
43a6d86169c21b6a39005bebfca4f624dfaad7fda5d662d8425713bedc12080b

SHA512
c72a577b12905f006c546200a4ca544c9e404ca9904b088648eacff7725ca98eafee9fc538a73df87c48115295be4714ea69d059af660dd63dd59f2347077a5b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
4f44ed4d21c3581f668f335e11c38c2a

SHA1
0a7ed4d5ffb7f01b9c79244cbfc5a539e15e8be7

SHA256
43a6d86169c21b6a39005bebfca4f624dfaad7fda5d662d8425713bedc12080b

SHA512
c72a577b12905f006c546200a4ca544c9e404ca9904b088648eacff7725ca98eafee9fc538a73df87c48115295be4714ea69d059af660dd63dd59f2347077a5b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
b384b53821d8f1538fd0285f576e2ef2

SHA1
d60cceb7e7a6d6ded604d7309ff1cc01391e5e33

SHA256
8c5762dda3475e8395e6371491a569a87b89dc3eeebcd4b0d52afe473dfb5d41

SHA512
dec7c7aee935f4fe9c0af5962c31253f19c839b8fc288b5dcf04936d2ebe3697d33b2b172f91dbbd2d3a488d6a159ef968886e39b501409c3d4d53607fe06bc4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
a839d6531984d28c4967546d2a04d4db

SHA1
18c7cbf60dbc7b1760236c9c725345a73f14b2da

SHA256
894f0a590bc2572a284ee4f24e051d77bc074686a8aa6e03a9897726637255a9

SHA512
de64c82f7e9184b61acfa7ebb232cc32b6afabca774223c258ed43b8f762f7aec2dc788bb3bff10527c1174ddbc31b4a2f70acdf8e47f1feff4b49d66a8a2a18

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9a7b65d0445ad5403f7204c4ac221266

SHA1
7c3c004d86ec634897ef26b56812f1f99ab3c406

SHA256
63115bb189648c41489602694585d763813d72ab4a5608abfd7ab806b1bdb611

SHA512
74e8454d0259935499ea9fc0ab04b3c0a987e3e8f67e435bdff8fc7b9c03d29c642f508ff25c25206d4bec23367d9480b1e5a6275756faecbcec8798fff432b7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ad876fb783e1326cb97e4fe482289503

SHA1
0f42d4be1c100547aba93e5d7598d912e6f498a0

SHA256
2f62143b1aac0514fb589b75833c36514b03e211aabd9ff50755f07319267dde

SHA512
bfe8f3b354296e1e3bb32770b707e839fb6dbd0fdf0a0ee17dc4cfb8267a77e980c740bcb88bea5bf0019aa9e856bd75541d72d19dd93403b886ba60e575ef15

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
bdfab8d50e977c80a0d50a6ab5963188

SHA1
721336367cf334ae38039d0898a794b71690c366

SHA256
1000a4f102d9a11eaf52791eda9e000716624063398772a94e99029cd1c084ef

SHA512
b71e8fdbc799822072753d8693b19ce30df339b008811e48ac3024319a74f7665cf1e9a818cbc50a446a1fc4e44c31d23064118b206a8bf8fe3e6ec3e58a2043

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
fb482c6c4a4059298373a8022c144644

SHA1
2c7dd304574f67363115630d916df6b6928a386d

SHA256
62dbbe1392dfaac2d65dcde7026a45241f35504c19ba9dc006566efd395437fe

SHA512
f2d1e174c55dd9cc62883a2b3703f94cd694c520b42cb40b029a7adb76846a65090d8687df9d911f236626c404a0d69d98cd0f95068c84daa9b6e9c5cb1c8b0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
fb482c6c4a4059298373a8022c144644

SHA1
2c7dd304574f67363115630d916df6b6928a386d

SHA256
62dbbe1392dfaac2d65dcde7026a45241f35504c19ba9dc006566efd395437fe

SHA512
f2d1e174c55dd9cc62883a2b3703f94cd694c520b42cb40b029a7adb76846a65090d8687df9d911f236626c404a0d69d98cd0f95068c84daa9b6e9c5cb1c8b0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
85d3b0db24a950d1c14ca6a854d64425

SHA1
31256bed18dff37b5a79a87804dd12ba4f692614

SHA256
5672037d2154285759e1477ef1ccf41a69e97f63dc2383a50df86134b4a760e3

SHA512
55bb8f6ff3975c3b88449ab7380646f9b735527ceec93c63d20f248968723984b97660fa1e95fae9e63007e9ea4e68fd24d2e32a372c3e5e156a12488ad2ba0d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
6176235abff07da0689258600c65049e

SHA1
477233abbfb6242658af1b62a468b15c94293154

SHA256
459d310d07fd9325dd52a0d8deeff5b131354cb200d8dde7214cc35a8c3e3019

SHA512
6effbd83f53bd216571760f87414d1ce353c2a286f20835977101824e9e5c11c480301544c77883214eb876ce7c8faa98dc87d4b2cb0b36df1ee6ff067b52eb7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
fe629ff88a1a6d02e524bd682b63799a

SHA1
fb51b728e4eea2ee2e1472618f7be558f4f409d4

SHA256
56ed6258eca483e80811195dce1fa8b2704695ab48c3bc7c507641f9a10c2270

SHA512
9c809bbdf13d10c04b60afe345ab8c99da97405b525f64a5dc3a089074192412ceae710967b9f8edc844132746ade6a491e3d97659a83fcc0c422e7e70025a01

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
fe629ff88a1a6d02e524bd682b63799a

SHA1
fb51b728e4eea2ee2e1472618f7be558f4f409d4

SHA256
56ed6258eca483e80811195dce1fa8b2704695ab48c3bc7c507641f9a10c2270

SHA512
9c809bbdf13d10c04b60afe345ab8c99da97405b525f64a5dc3a089074192412ceae710967b9f8edc844132746ade6a491e3d97659a83fcc0c422e7e70025a01

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4cc87264ef5f52df37402200bcc0bf02

SHA1
0fb06ea4832841d2eedbc0cef4ab258fdd9273d8

SHA256
52d0c156e7ebff116ca5765d0ae3d7a167f5d73526edf544c9f7c5130b669a72

SHA512
b95a8d5906e054b18e8381c3817b92d57903bcaa97071552b87f056bf68271abdec61fb486f46a98629f83d37640e3be85316aa128219040bf1a1b7b7ce35749

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4cc87264ef5f52df37402200bcc0bf02

SHA1
0fb06ea4832841d2eedbc0cef4ab258fdd9273d8

SHA256
52d0c156e7ebff116ca5765d0ae3d7a167f5d73526edf544c9f7c5130b669a72

SHA512
b95a8d5906e054b18e8381c3817b92d57903bcaa97071552b87f056bf68271abdec61fb486f46a98629f83d37640e3be85316aa128219040bf1a1b7b7ce35749

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9f9408375b9e918229809119562b2d6c

SHA1
c9a2de920c29bfb9780338e99ad234c9fc927839

SHA256
b868c20fc77ce8b2181b6a9e0c58eb65e80f1ff58229515c5a6255959b29c876

SHA512
217a533c758575fdbb4e57f591c626f74c0f7461870fe19d3799b1ff1a6b420c9cb39d1309c8d5dbdf43873e40dc39e24b594e4c3851b3dce3abbe5f63f96eea

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c2fb4b6f3bd7c1f723f18e5d8a782af3

SHA1
cbe63314f29e7b980e275635c94e89d98bb1cfbf

SHA256
ed1ff7c415c9ab1760bb1de3cd7285d03a7a2096d8cc4b798c21251a933405ff

SHA512
731e08eeffea4b6aff5fec012db8647f88eb57b980b42ed8b069e694ca48e7972644e0cc96107cf40268ff247633fab3ae0ee2a0a6d7723537cc3b0a6669107e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
0b8d7046edef89e0388fbec45c600afe

SHA1
fd9fa5c26eaaf8d8322087766637ea619d253c20

SHA256
7e5404fee703cb2f8f4c89dd21da2f3dcd0b388044d5fe87bf2c5ce26dc6b713

SHA512
11de87bc135f70ceec36e93e8bd4cd932f86d7b5a5260af21660df50a96fe55fc76ddc1fbe29a748fd85068f1997190760c56a8fc655ec8fdeea10f756814b8c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3e14867db738225452c807807ba86233

SHA1
f0130f0ab6f2acd01c949bf71c8d22546e9bdae2

SHA256
491e2de2b8227a56f52172ba3cb94f04c9cef0708c0136056375fc8322debff8

SHA512
bddcd91d99d1cb375c8c515715fc0efc1ab6c3719affeebd11982d550403651d96aa5752d9368a768b5e8d59c1d25a36e0c3af26b6da1aab77b7065c2259dfd2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
07597c7b031aec28bfc51bacb51ce3a5

SHA1
bee51a9624d12bc92c65fab7a6bb9c9ceb60a6ad

SHA256
37f4f9fce2e815ea63ce5e9ad647ea0d506ffa7688ba4e03584f5b5c1eb9356f

SHA512
fafd1b9a8a0da4c550d1796cb63453b2ccdf46d5fa9267fed12cf91376f49221e8154f5092fc4ad4c1cd47cfb076206905f92d5346b52abc72545e496f51dbe1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2032bc10d09fead674e336c445972b8c

SHA1
4715df45c59237eea3acfae0352d86b58bc1d5c1

SHA256
30d9ad4ecef2e62b0e39686c96d80f33de8dde40f772a7ba8ec52b146882b911

SHA512
3f41f7e59f0f1d463091a866c3fc8e5e7ce4ad0afb6f4bca9fcf855ad18c3c4c148011af701c8851fe5dfbaa0eba57bf447899e98c21e7bc65b9f08b45abc218

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c4ea749f72bfc969ecd573e3eff38eaf

SHA1
51aab89ef3ff3310b7704acf005974ba424d7234

SHA256
6575e4d9c291caef999fb36a75076ce6b574bc8c1fbf31c35175187c33e84d6d

SHA512
18ac0cbc7e08186be5b4d9cf4499f8ba9ef3d230581e655a846ec73b0e7927ae761192110c1963aed08a102d7211594b14955f6098c846fbbf0ded09a429f487

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
c33b8f5be9bde0baf1e3a2a3e8e9ceb2

SHA1
b1fe589c86353e01747f065e9ab8d8fcfd0dd9a8

SHA256
e4d105e2674a778580cb85ef9fdbf08165e9f55dc83dd6c419c3a99da0fce865

SHA512
bdea5df8e69bd19431d72ce7d0c0b8ea122923dfc568680678cdcc3fa85f957bce586bb119e3e0b2e92cb8ebcb82dca8b5c6729dc0fb40285cf47ca5b21678af

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
f7daf7c64cce51ac0d0aa092f7b67d3d

SHA1
cf950dbfc451def2ea9a1597ff75cc4f456b96c9

SHA256
a63a997358a29fefdbba8801b4e47169bc16af51ce28f6dfa1744ed69dbfbf01

SHA512
d7a68b7d13565f77015d111a29c36eda624eb7b93a15030fe418c1d2f38446298d51bb44dad1f4c4dc588e2a0dbc1a0badc3cb9cc0157b6ae65996dfedc3fa8f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d578bf170dde9cda334ca1d0a9b70432

SHA1
585379739deb5d2296ec2f72b9775eaed640a942

SHA256
5cee0bd193a227486d87e44b5e588e0a92b642ad53591bf0e7f442884e2eac88

SHA512
88fe27d980bf0226d8f66b144883475c62da97b316d3f79dbb899cc77b17a861c4117e4810ae8ef71b43818d156b675b945b565176723396727fc4896f03433f

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
f30a43920c599114f0400f3a58bc75cd

SHA1
f0f076f17952976f48a933252ac1499ec96e8445

SHA256
6afcd10786dd1d840ef0d9417b76934fd8442c29f21a9da12e942605a3b9fa45

SHA512
b635d26f7a2c0295668da945f08e36e70c3917c19302b6d71a565043d7f93a1d0e6bd9c7ce582e92dbbfeb143c2cb884402e08d36a77de43a33f72c30e2c5300

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
60bbf6b57cb549e115a48b8826b9da6a

SHA1
0db24c7b49a5a1ff3eaccd59da05bd0adad2ece4

SHA256
fd001c2be50a8cd9ee7aa8547e3db3e9a8e47626d4d6f1e13451bf0bfb33e470

SHA512
a68009389a62021286186cfd499bcd1dfa74b416df4aa8b920ef173c87e6565ad0c5184e42a019d4afdf95a0e1dd5eecad6d413f9dd43cc847a24e3f8c66cfbc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
b0dceae88a8e064b2db2c144b4b88c39

SHA1
891e4bf4fffe999d435c3be5ac23c8587c3f7a4c

SHA256
0c30c21916c772d2cfb1b8ce4435cdebbb71f8f92c2d7f73e8406d0e275600b8

SHA512
fe9a1971dd4f9ea02c93f59ddba10a755ec5e9cc599d90db1c543db885c4d6f0641b087779fb8a986b79bb8592f59081dfeb82d0fd84170568241a7292e882dc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d6c65cc8ad13e86188b2e92f5f076ede

SHA1
53bbc030d8426f6e301f626ee05afbe6d281da45

SHA256
3809cbd31dc7085081c8f22e197314a3fa69a10d7e26e90dec1c657b192a3286

SHA512
68cd27426bff2ff857c3a9719cd1a8830a56977ac56154343d852d5467cfbfd26d5f0d57c19f5f5b590cc30a935b67d1dac91d5dddfa71516f57c02e04c6db28

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
906d901cdf628660d9858111561ae4fb

SHA1
3121b46af5b3e8ccfde4f1e5bf7d6ca498f603e3

SHA256
edf27d4501bdd0e6e964019bb4b7e4b95674e0a7fa961a4a639f6340f09c3543

SHA512
8dd0b85af71f07c848fd024fb19d6b9de0c3dc8549b7d58710268cf43324db5d134436735003b648cdd5c4789cab28e52377f02a2abbffad6fa04941dbc53289

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
af86b727b12b1606bdddefd0d92bffa9

SHA1
c47e5981a16b873277eb8a76799a208b1a85048c

SHA256
555289664bcd8c9079e9f52710babaed864746bd9cc98bdeb8d7652cc36ab4a9

SHA512
18faea8f4f57ddc7647f5a5d5645bdd0eacbc0086da91bc8d8a483c0b1aa33603f6c1c75b0955c6ef2bd51629e57d2481846961cd67af4ca001334d69f2b73f1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
af86b727b12b1606bdddefd0d92bffa9

SHA1
c47e5981a16b873277eb8a76799a208b1a85048c

SHA256
555289664bcd8c9079e9f52710babaed864746bd9cc98bdeb8d7652cc36ab4a9

SHA512
18faea8f4f57ddc7647f5a5d5645bdd0eacbc0086da91bc8d8a483c0b1aa33603f6c1c75b0955c6ef2bd51629e57d2481846961cd67af4ca001334d69f2b73f1

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
73b2f08c65e59b27903d908b73ef9441

SHA1
45f8e968bd38737bd021461b59a9501eac573f59

SHA256
8daa2ea911e5bb7e1c6cd4d694168560b4a01b046ca9fdc71f77f195b3a206c4

SHA512
7d72a7f319ad57c2df4e43c1101f7d6e79c3e02f9d67833ab3ba7b711a09bf6871c377ec451d84002138fcf639ffdbe840ea64ec5faea4274944d996a62cc8be

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
73b2f08c65e59b27903d908b73ef9441

SHA1
45f8e968bd38737bd021461b59a9501eac573f59

SHA256
8daa2ea911e5bb7e1c6cd4d694168560b4a01b046ca9fdc71f77f195b3a206c4

SHA512
7d72a7f319ad57c2df4e43c1101f7d6e79c3e02f9d67833ab3ba7b711a09bf6871c377ec451d84002138fcf639ffdbe840ea64ec5faea4274944d996a62cc8be

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.5MB

MD5
f7daf7c64cce51ac0d0aa092f7b67d3d

SHA1
cf950dbfc451def2ea9a1597ff75cc4f456b96c9

SHA256
a63a997358a29fefdbba8801b4e47169bc16af51ce28f6dfa1744ed69dbfbf01

SHA512
d7a68b7d13565f77015d111a29c36eda624eb7b93a15030fe418c1d2f38446298d51bb44dad1f4c4dc588e2a0dbc1a0badc3cb9cc0157b6ae65996dfedc3fa8f

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c6dd82bbfe0b2ca701ffecb6fde3d6da

SHA1
9c6e73567b686f519c79ba1bccb92b6d98f1a256

SHA256
c66e876d2e661aa183d80e2f50e59f28ffe7a26284c5ac46f18503a25a56a102

SHA512
e19066a5e64d5a0d03a9122e8752a25291e8a2ae573c62f1dd36695aea6d3ee38d22702160455c6533811ace7967cc958f66089dcff3c1667aea5c6149c73095

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
f30a43920c599114f0400f3a58bc75cd

SHA1
f0f076f17952976f48a933252ac1499ec96e8445

SHA256
6afcd10786dd1d840ef0d9417b76934fd8442c29f21a9da12e942605a3b9fa45

SHA512
b635d26f7a2c0295668da945f08e36e70c3917c19302b6d71a565043d7f93a1d0e6bd9c7ce582e92dbbfeb143c2cb884402e08d36a77de43a33f72c30e2c5300

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ad876fb783e1326cb97e4fe482289503

SHA1
0f42d4be1c100547aba93e5d7598d912e6f498a0

SHA256
2f62143b1aac0514fb589b75833c36514b03e211aabd9ff50755f07319267dde

SHA512
bfe8f3b354296e1e3bb32770b707e839fb6dbd0fdf0a0ee17dc4cfb8267a77e980c740bcb88bea5bf0019aa9e856bd75541d72d19dd93403b886ba60e575ef15

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ad876fb783e1326cb97e4fe482289503

SHA1
0f42d4be1c100547aba93e5d7598d912e6f498a0

SHA256
2f62143b1aac0514fb589b75833c36514b03e211aabd9ff50755f07319267dde

SHA512
bfe8f3b354296e1e3bb32770b707e839fb6dbd0fdf0a0ee17dc4cfb8267a77e980c740bcb88bea5bf0019aa9e856bd75541d72d19dd93403b886ba60e575ef15

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
fb482c6c4a4059298373a8022c144644

SHA1
2c7dd304574f67363115630d916df6b6928a386d

SHA256
62dbbe1392dfaac2d65dcde7026a45241f35504c19ba9dc006566efd395437fe

SHA512
f2d1e174c55dd9cc62883a2b3703f94cd694c520b42cb40b029a7adb76846a65090d8687df9d911f236626c404a0d69d98cd0f95068c84daa9b6e9c5cb1c8b0b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
6176235abff07da0689258600c65049e

SHA1
477233abbfb6242658af1b62a468b15c94293154

SHA256
459d310d07fd9325dd52a0d8deeff5b131354cb200d8dde7214cc35a8c3e3019

SHA512
6effbd83f53bd216571760f87414d1ce353c2a286f20835977101824e9e5c11c480301544c77883214eb876ce7c8faa98dc87d4b2cb0b36df1ee6ff067b52eb7

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3e14867db738225452c807807ba86233

SHA1
f0130f0ab6f2acd01c949bf71c8d22546e9bdae2

SHA256
491e2de2b8227a56f52172ba3cb94f04c9cef0708c0136056375fc8322debff8

SHA512
bddcd91d99d1cb375c8c515715fc0efc1ab6c3719affeebd11982d550403651d96aa5752d9368a768b5e8d59c1d25a36e0c3af26b6da1aab77b7065c2259dfd2

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c4ea749f72bfc969ecd573e3eff38eaf

SHA1
51aab89ef3ff3310b7704acf005974ba424d7234

SHA256
6575e4d9c291caef999fb36a75076ce6b574bc8c1fbf31c35175187c33e84d6d

SHA512
18ac0cbc7e08186be5b4d9cf4499f8ba9ef3d230581e655a846ec73b0e7927ae761192110c1963aed08a102d7211594b14955f6098c846fbbf0ded09a429f487

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
c33b8f5be9bde0baf1e3a2a3e8e9ceb2

SHA1
b1fe589c86353e01747f065e9ab8d8fcfd0dd9a8

SHA256
e4d105e2674a778580cb85ef9fdbf08165e9f55dc83dd6c419c3a99da0fce865

SHA512
bdea5df8e69bd19431d72ce7d0c0b8ea122923dfc568680678cdcc3fa85f957bce586bb119e3e0b2e92cb8ebcb82dca8b5c6729dc0fb40285cf47ca5b21678af

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
f7daf7c64cce51ac0d0aa092f7b67d3d

SHA1
cf950dbfc451def2ea9a1597ff75cc4f456b96c9

SHA256
a63a997358a29fefdbba8801b4e47169bc16af51ce28f6dfa1744ed69dbfbf01

SHA512
d7a68b7d13565f77015d111a29c36eda624eb7b93a15030fe418c1d2f38446298d51bb44dad1f4c4dc588e2a0dbc1a0badc3cb9cc0157b6ae65996dfedc3fa8f

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d578bf170dde9cda334ca1d0a9b70432

SHA1
585379739deb5d2296ec2f72b9775eaed640a942

SHA256
5cee0bd193a227486d87e44b5e588e0a92b642ad53591bf0e7f442884e2eac88

SHA512
88fe27d980bf0226d8f66b144883475c62da97b316d3f79dbb899cc77b17a861c4117e4810ae8ef71b43818d156b675b945b565176723396727fc4896f03433f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
f30a43920c599114f0400f3a58bc75cd

SHA1
f0f076f17952976f48a933252ac1499ec96e8445

SHA256
6afcd10786dd1d840ef0d9417b76934fd8442c29f21a9da12e942605a3b9fa45

SHA512
b635d26f7a2c0295668da945f08e36e70c3917c19302b6d71a565043d7f93a1d0e6bd9c7ce582e92dbbfeb143c2cb884402e08d36a77de43a33f72c30e2c5300

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
f30a43920c599114f0400f3a58bc75cd

SHA1
f0f076f17952976f48a933252ac1499ec96e8445

SHA256
6afcd10786dd1d840ef0d9417b76934fd8442c29f21a9da12e942605a3b9fa45

SHA512
b635d26f7a2c0295668da945f08e36e70c3917c19302b6d71a565043d7f93a1d0e6bd9c7ce582e92dbbfeb143c2cb884402e08d36a77de43a33f72c30e2c5300

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
60bbf6b57cb549e115a48b8826b9da6a

SHA1
0db24c7b49a5a1ff3eaccd59da05bd0adad2ece4

SHA256
fd001c2be50a8cd9ee7aa8547e3db3e9a8e47626d4d6f1e13451bf0bfb33e470

SHA512
a68009389a62021286186cfd499bcd1dfa74b416df4aa8b920ef173c87e6565ad0c5184e42a019d4afdf95a0e1dd5eecad6d413f9dd43cc847a24e3f8c66cfbc

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d6c65cc8ad13e86188b2e92f5f076ede

SHA1
53bbc030d8426f6e301f626ee05afbe6d281da45

SHA256
3809cbd31dc7085081c8f22e197314a3fa69a10d7e26e90dec1c657b192a3286

SHA512
68cd27426bff2ff857c3a9719cd1a8830a56977ac56154343d852d5467cfbfd26d5f0d57c19f5f5b590cc30a935b67d1dac91d5dddfa71516f57c02e04c6db28

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
906d901cdf628660d9858111561ae4fb

SHA1
3121b46af5b3e8ccfde4f1e5bf7d6ca498f603e3

SHA256
edf27d4501bdd0e6e964019bb4b7e4b95674e0a7fa961a4a639f6340f09c3543

SHA512
8dd0b85af71f07c848fd024fb19d6b9de0c3dc8549b7d58710268cf43324db5d134436735003b648cdd5c4789cab28e52377f02a2abbffad6fa04941dbc53289

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
af86b727b12b1606bdddefd0d92bffa9

SHA1
c47e5981a16b873277eb8a76799a208b1a85048c

SHA256
555289664bcd8c9079e9f52710babaed864746bd9cc98bdeb8d7652cc36ab4a9

SHA512
18faea8f4f57ddc7647f5a5d5645bdd0eacbc0086da91bc8d8a483c0b1aa33603f6c1c75b0955c6ef2bd51629e57d2481846961cd67af4ca001334d69f2b73f1

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
73b2f08c65e59b27903d908b73ef9441

SHA1
45f8e968bd38737bd021461b59a9501eac573f59

SHA256
8daa2ea911e5bb7e1c6cd4d694168560b4a01b046ca9fdc71f77f195b3a206c4

SHA512
7d72a7f319ad57c2df4e43c1101f7d6e79c3e02f9d67833ab3ba7b711a09bf6871c377ec451d84002138fcf639ffdbe840ea64ec5faea4274944d996a62cc8be

Download Submit
memory/744-132-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/744-110-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/744-205-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/744-126-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/744-123-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/744-118-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/744-187-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/744-111-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1312-233-0x000007FEF47A0000-0x000007FEF513D000-memory.dmp

Filesize
9.6MB

Download
memory/1312-192-0x000007FEF47A0000-0x000007FEF513D000-memory.dmp

Filesize
9.6MB

Download
memory/1312-237-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/1312-179-0x000007FEF47A0000-0x000007FEF513D000-memory.dmp

Filesize
9.6MB

Download
memory/1312-224-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/1312-240-0x000007FEF47A0000-0x000007FEF513D000-memory.dmp

Filesize
9.6MB

Download
memory/1312-265-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/1312-171-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/1764-208-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-263-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-238-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1764-196-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1764-185-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1804-169-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1804-155-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1804-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1824-183-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-193-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2016-137-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2016-149-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2016-231-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-138-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2016-167-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-211-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2068-95-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2068-14-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2068-22-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2068-16-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2088-32-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2088-31-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2088-75-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2088-38-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2156-76-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2156-0-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2156-1-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2156-6-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2192-203-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2192-200-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2192-255-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2268-153-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2268-103-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2268-94-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2268-97-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2396-202-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2396-125-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2396-124-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2396-143-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2544-87-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2544-47-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2676-227-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2676-242-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/2700-246-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2700-214-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2700-253-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2700-220-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2740-140-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-77-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-78-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2740-85-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2816-28-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2816-109-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2920-260-0x0000000000630000-0x00000000007C2000-memory.dmp

Filesize
1.6MB

Download
memory/2920-261-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2920-258-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/3044-54-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3044-55-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/3044-61-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/3044-60-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/3044-134-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download