bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
30/10/2023, 14:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
Size

1.8MB
MD5

a10094931bc44436744583f1ab9b323f
SHA1

3542759eb0b64c4cd7c65b6b4b72d36e050f9ed4
SHA256

bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f
SHA512

c0b574f045aa15aeb8a7afd40efa883a415031b557af4257f1ec408738d2d1c70e9c91f10b6924b450317118f96193c857c2a1adc2d16dec3b628cb8787e83f4
SSDEEP

49152:8KJ0WR7AFPyyiSruXKpk3WFDL9zxnSu3OPV6Vp:8KlBAFPydSS6W6X9lnj3C6Vp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
464	Process not Found
2728	alg.exe
1820	aspnet_state.exe
2960	mscorsvw.exe
1708	mscorsvw.exe
268	mscorsvw.exe
2032	mscorsvw.exe
2096	ehRecvr.exe
836	ehsched.exe
984	elevation_service.exe
2480	dllhost.exe
2748	IEEtwCollector.exe
1520	GROOVE.EXE
2920	mscorsvw.exe
2464	maintenanceservice.exe
2648	mscorsvw.exe
112	mscorsvw.exe
2468	mscorsvw.exe
2484	mscorsvw.exe
1588	msdtc.exe
2980	msiexec.exe
2700	OSE.EXE
2488	OSPPSVC.EXE
1064	perfhost.exe
1688	locator.exe
2020	snmptrap.exe
1616	vds.exe
1700	vssvc.exe
1844	wbengine.exe
2068	WmiApSrv.exe
3044	wmpnetwk.exe
992	SearchIndexer.exe
2212	mscorsvw.exe
2736	mscorsvw.exe
1776	mscorsvw.exe
836	mscorsvw.exe
1836	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2980	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
768	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd39eaaa5cb36c99.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_en.dll	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_de.dll	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_te.dll	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_zh-CN.dll	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_sl.dll	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B8A.tmp\goopdateres_id.dll	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DCA1A4FC-9BC0-4A39-A14E-D54CC13482E9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DCA1A4FC-9BC0-4A39-A14E-D54CC13482E9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{03F3E179-6A67-433E-85F0-D04676DC21F5}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{03F3E179-6A67-433E-85F0-D04676DC21F5}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2768	ehRec.exe
1820	aspnet_state.exe
1820	aspnet_state.exe
1820	aspnet_state.exe
1820	aspnet_state.exe
1820	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2192	bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: 33	1776	EhTray.exe
Token: SeIncBasePriorityPrivilege	1776	EhTray.exe
Token: SeTakeOwnershipPrivilege	1820	aspnet_state.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeDebugPrivilege	2768	ehRec.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: 33	1776	EhTray.exe
Token: SeIncBasePriorityPrivilege	1776	EhTray.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeSecurityPrivilege	2980	msiexec.exe
Token: SeBackupPrivilege	1844	wbengine.exe
Token: SeRestorePrivilege	1844	wbengine.exe
Token: SeSecurityPrivilege	1844	wbengine.exe
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe
Token: SeManageVolumePrivilege	992	SearchIndexer.exe
Token: 33	992	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	992	SearchIndexer.exe
Token: 33	3044	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3044	wmpnetwk.exe
Token: SeDebugPrivilege	1820	aspnet_state.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeDebugPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1776	EhTray.exe
1776	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1776	EhTray.exe
1776	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
680	SearchProtocolHost.exe
680	SearchProtocolHost.exe
680	SearchProtocolHost.exe
680	SearchProtocolHost.exe
680	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
680	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2920	2032	mscorsvw.exe	42
PID 2032 wrote to memory of 2920	2032	mscorsvw.exe	42
PID 2032 wrote to memory of 2920	2032	mscorsvw.exe	42
PID 2032 wrote to memory of 2648	2032	mscorsvw.exe	44
PID 2032 wrote to memory of 2648	2032	mscorsvw.exe	44
PID 2032 wrote to memory of 2648	2032	mscorsvw.exe	44
PID 268 wrote to memory of 112	268	mscorsvw.exe	45
PID 268 wrote to memory of 112	268	mscorsvw.exe	45
PID 268 wrote to memory of 112	268	mscorsvw.exe	45
PID 268 wrote to memory of 112	268	mscorsvw.exe	45
PID 268 wrote to memory of 2468	268	mscorsvw.exe	46
PID 268 wrote to memory of 2468	268	mscorsvw.exe	46
PID 268 wrote to memory of 2468	268	mscorsvw.exe	46
PID 268 wrote to memory of 2468	268	mscorsvw.exe	46
PID 268 wrote to memory of 2484	268	mscorsvw.exe	47
PID 268 wrote to memory of 2484	268	mscorsvw.exe	47
PID 268 wrote to memory of 2484	268	mscorsvw.exe	47
PID 268 wrote to memory of 2484	268	mscorsvw.exe	47
PID 992 wrote to memory of 2616	992	SearchIndexer.exe	63
PID 992 wrote to memory of 2616	992	SearchIndexer.exe	63
PID 992 wrote to memory of 2616	992	SearchIndexer.exe	63
PID 268 wrote to memory of 2212	268	mscorsvw.exe	64
PID 268 wrote to memory of 2212	268	mscorsvw.exe	64
PID 268 wrote to memory of 2212	268	mscorsvw.exe	64
PID 268 wrote to memory of 2212	268	mscorsvw.exe	64
PID 992 wrote to memory of 1652	992	SearchIndexer.exe	65
PID 992 wrote to memory of 1652	992	SearchIndexer.exe	65
PID 992 wrote to memory of 1652	992	SearchIndexer.exe	65
PID 268 wrote to memory of 2736	268	mscorsvw.exe	66
PID 268 wrote to memory of 2736	268	mscorsvw.exe	66
PID 268 wrote to memory of 2736	268	mscorsvw.exe	66
PID 268 wrote to memory of 2736	268	mscorsvw.exe	66
PID 992 wrote to memory of 680	992	SearchIndexer.exe	67
PID 992 wrote to memory of 680	992	SearchIndexer.exe	67
PID 992 wrote to memory of 680	992	SearchIndexer.exe	67
PID 268 wrote to memory of 1776	268	mscorsvw.exe	68
PID 268 wrote to memory of 1776	268	mscorsvw.exe	68
PID 268 wrote to memory of 1776	268	mscorsvw.exe	68
PID 268 wrote to memory of 1776	268	mscorsvw.exe	68
PID 268 wrote to memory of 836	268	mscorsvw.exe	69
PID 268 wrote to memory of 836	268	mscorsvw.exe	69
PID 268 wrote to memory of 836	268	mscorsvw.exe	69
PID 268 wrote to memory of 836	268	mscorsvw.exe	69
PID 268 wrote to memory of 1836	268	mscorsvw.exe	70
PID 268 wrote to memory of 1836	268	mscorsvw.exe	70
PID 268 wrote to memory of 1836	268	mscorsvw.exe	70
PID 268 wrote to memory of 1836	268	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe
"C:\Users\Admin\AppData\Local\Temp\bc5193aaa20da5fb52734f6e990dde0fafa4af862f6a28ecce64bf2f8f47a84f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2960

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 214 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 2ec -NGENProcess 2d8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2096

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:984

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2480

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2748

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2700

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2084844033-2744876406-2053742436-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2084844033-2744876406-2053742436-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1652
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
7f21533c6305f540f7657b81a23e25b0

SHA1
06e9a7f29d41517a273ac82d01df31ddf654d4fe

SHA256
38b3d335e9686b312720633113caaa3454449998bed5702ae3bf4f1881871b06

SHA512
b4f299135c7f50843f509d0a3d2688a58f564b6365048223a74baae36e7b9b68f8d54c1e1cfc3b69c323172140e384a6cb23cc3e5c36da19e5b74a94efaf6960

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9b3287564eaab50afc78b412134e9d92

SHA1
207391f16f1634d107fd38e7d7c68d63af009d54

SHA256
27f008886f784f3208291ce7ff2cd0ff6c216eeacbf1dc15e8c4bfd95e0d4c29

SHA512
6a212474ccb6e004a412594a738695af7d1a504dbdbb8704aabe0ddc9b71ca8ccda743455422d5f8592b69c1f18f59cbc822cdc22c2c698d2f415aa985b5c594

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
720ad612babf8cf3550858eabdfdda95

SHA1
02cdbbea8db98c20b86f6995cae54fb931da3573

SHA256
f0ddab727578a696d743c541890e817386928c90cf908a6249b2bc60fd0da2f1

SHA512
0c51616dd37b829d8a46303826c69c69bc1818a72827de04e17b200f6c6628d75fa98231a928c61c73f3fddb077639a94e4fbaa7ea4e850ec209f6591942586a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
b4f4ed6228fca625a8cb8fd4464f9be1

SHA1
d1fe5a7b3092f8e89d7591cd23496d1ab8a84c4c

SHA256
eb105c5d949e3777e36bc67c4c78804f6dc41572c976afd0b5921326e70ca6db

SHA512
334120d0ae4007af72588ae9b4b7adace3724007f7d62e699d2610725748100cca90a542673a9f9321f1deb493d8d6f701c7c856e146f13e368928cbf1f4d2a5

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
ae0d5bbfddcae2d1aa414be38062c13b

SHA1
916f183add088ed60da35329f28b121b9ed01773

SHA256
8e86383f2d43e55e0fee4cd7b3bada58d9c470ba307eb349c6eecaf7e796412a

SHA512
c0d4034c1d520ce7781d3b013666048f1b749aad6ed7269caea6ff078c5ec92f99ac7df88315eca44cdf5da37b99403ecd5432b7cfd03a66e73fdc1adc57e8b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
99ce6a82f60a769fe4a528f2348e4b3f

SHA1
664337831d5d8ed37cc800695b71b7a613833d95

SHA256
c0fb8bfc3649f556ccf0b84211007dc551671e404ec152f81d4b157e53d0565a

SHA512
dd5160cfb2c5a239c89c9c86f9a133c74321db40ca70627964c6b9afb1f874398b40bb2869e2e536d41d2bf4e0aa7c8b08f963f472eaa54ac086634836e6627d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7a5c24f24641e48c27eeb5c4140061cc

SHA1
9525319f3d898e82068b7ff826d3f0da1ae63328

SHA256
0afb842d857256ff66b984eb885b8394561cbdab9488df8866a5641a99c162c4

SHA512
734007f3942e43c64359c27c2e043a00d0442d99df62e1e94117b1e768bf81de664dbb9d41510bba55a4230e1824d48fcb3ef7ff36c886727d38fc0c7e077429

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7a5c24f24641e48c27eeb5c4140061cc

SHA1
9525319f3d898e82068b7ff826d3f0da1ae63328

SHA256
0afb842d857256ff66b984eb885b8394561cbdab9488df8866a5641a99c162c4

SHA512
734007f3942e43c64359c27c2e043a00d0442d99df62e1e94117b1e768bf81de664dbb9d41510bba55a4230e1824d48fcb3ef7ff36c886727d38fc0c7e077429

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
167b6ba8a3774e68bc99905ac9237974

SHA1
249b651fde7d2482a1d818ebcad078c062251c45

SHA256
d91681423c7222e118bba8c0109bf074fc2de16cbccba3ae58faa0793b5984e5

SHA512
ca0d46babb5b16f3b468585092143bdc54c8476d1ca0daa89ef3dbe8dfbb1df670c2792c8a3d671c6ff7ea4b65a65140c7a1938b65d1c59f9f6837812997ed9b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e44036ba586a3ddd9b8157e533d75c7d

SHA1
df80ee75ab209a8f12eec27a058806ed119b83a5

SHA256
f97c0b21e50fda9c6d7f6bec34720820a767d7f4dd20269a04d28cfe241d12f3

SHA512
2e3373399f59ab42cc11ef3a60e23a120ff6b6c446f76cd3ef7a21328a96e5b499f5234255c165931b00a38c0bfdc730ca43c84a9a198c300f8631d7e22251a9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0f4e76ff42761e5da87c0c4792f20472

SHA1
57d346afe73d6ee224a3dcd6a2675bae02ba88a6

SHA256
35f21a39920e35f57b33fdf8b96df807c55759711622a3e5e26ce9bda60142b6

SHA512
edcb5943abb663f1c5772167c01eb2c16aaf8192ad7cf457566ff852f38b23389b290f37ff356e114af464a5d7864b9740ad624c4e12a41d1078ec64294b4c89

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
13e9eb241198d0e0e9b0b493dce09ef6

SHA1
7ac8f0b2a70d7fe0830168dcbc0e59f93295b5b0

SHA256
946270eabd4b4d37f2968bc65a7e614601da38af7e266ef8066e1e1694fdb3fa

SHA512
0c6fb6f871a427f6f3db6abf22ad0e5df059b3c0c823658c6a2d46eddd65a41d9c55d374ac4736245a1c482829885d3532c53437851d35f03398af3da3347e59

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d4807a9ea60452981c2e62e039add016

SHA1
178c813c80890cc1b3fa0b56fd92df77a80a72cc

SHA256
e8172c4ae04179b66ca541b00342580a51cf2e36dd1c938783d5aa352a14fe13

SHA512
03b0344dad8d4ee9b7dd4fa716ca703668e993d2ad37d3db0fd74a2773db1ef0efa76a2b3f21d172023dee4aef414c6f34442786e2a00073a8545da620c45357

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d4807a9ea60452981c2e62e039add016

SHA1
178c813c80890cc1b3fa0b56fd92df77a80a72cc

SHA256
e8172c4ae04179b66ca541b00342580a51cf2e36dd1c938783d5aa352a14fe13

SHA512
03b0344dad8d4ee9b7dd4fa716ca703668e993d2ad37d3db0fd74a2773db1ef0efa76a2b3f21d172023dee4aef414c6f34442786e2a00073a8545da620c45357

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d51e67cbcfd5d7adaae192ffc4eee0aa

SHA1
462e2584ab34a64213266e2b8ef5205eabdfcdf9

SHA256
f1d6af03381b7a83d83346bafe2c428138440d80b25ddb0568de7b4e54caff22

SHA512
5abde45fd612c077086eea56e31d80ed392846af165918063bfee9f72dd87d331d821f29fdf832048930edb1433e78076c492146fd71079cd83dca622dade0a9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
76e1af358eae41cef63edb73d213567c

SHA1
36da8e4d77147eb43fc43aa54cd3ef7fcad27b9f

SHA256
d91c90f22d2ce63e1a125f14b424588a179fccf8bede114994f23c2a57b8b96f

SHA512
816b779c2b742218f3df3f21cf5ac294e302f4c818f8dd366cc3addf11d071fc1ed46d936a990bb12d2dbb782c5cdb01d1d1ec22bb5dda22a40bc63a5d52e2a7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
de05c6347e040fc5dc45ab2336c386d6

SHA1
bab69027dff209e148abeba9281db944d9d78f6b

SHA256
a7f9252816e427dfedb692875c87e67f429cb7657f89998120d5ea08721e4088

SHA512
9f432151aa14c2f150d13c127ca6b38c2817446105bcfc7b624ea568c61d39b6f2dfb795a486aabb757d3ee5ac51702ecd707e514a26eb2395b067b75bb6016d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
de05c6347e040fc5dc45ab2336c386d6

SHA1
bab69027dff209e148abeba9281db944d9d78f6b

SHA256
a7f9252816e427dfedb692875c87e67f429cb7657f89998120d5ea08721e4088

SHA512
9f432151aa14c2f150d13c127ca6b38c2817446105bcfc7b624ea568c61d39b6f2dfb795a486aabb757d3ee5ac51702ecd707e514a26eb2395b067b75bb6016d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
de05c6347e040fc5dc45ab2336c386d6

SHA1
bab69027dff209e148abeba9281db944d9d78f6b

SHA256
a7f9252816e427dfedb692875c87e67f429cb7657f89998120d5ea08721e4088

SHA512
9f432151aa14c2f150d13c127ca6b38c2817446105bcfc7b624ea568c61d39b6f2dfb795a486aabb757d3ee5ac51702ecd707e514a26eb2395b067b75bb6016d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
de05c6347e040fc5dc45ab2336c386d6

SHA1
bab69027dff209e148abeba9281db944d9d78f6b

SHA256
a7f9252816e427dfedb692875c87e67f429cb7657f89998120d5ea08721e4088

SHA512
9f432151aa14c2f150d13c127ca6b38c2817446105bcfc7b624ea568c61d39b6f2dfb795a486aabb757d3ee5ac51702ecd707e514a26eb2395b067b75bb6016d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c3cfe93165c0815f80eca8f9bda7376a

SHA1
6969d07552efe734d578db6414b5e6599ff94e5c

SHA256
a8a718bb3b3622a78ba81a434d6cf8520136c1d74b299e17b39bc6cf54e95579

SHA512
32eafc86b9181032c8e175cf0b897bb5116d3cc567992d0b4f61f86b39292dff9b70312f952800aeae275c72364fef0f04b098fb67eccb17acf013d5db39da69

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c3cfe93165c0815f80eca8f9bda7376a

SHA1
6969d07552efe734d578db6414b5e6599ff94e5c

SHA256
a8a718bb3b3622a78ba81a434d6cf8520136c1d74b299e17b39bc6cf54e95579

SHA512
32eafc86b9181032c8e175cf0b897bb5116d3cc567992d0b4f61f86b39292dff9b70312f952800aeae275c72364fef0f04b098fb67eccb17acf013d5db39da69

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b9c032caa5abefbaff246904e8b759c1

SHA1
0185cae1bc1f0c2ed079dd6445ebafbe6a7482a9

SHA256
48443046612e3186b55a5253a81bc74965a940227d0128e7a599bcdaab219fe7

SHA512
e34b9c2e9bd7f03aa0383a90e84ce07c556f0338a4da38ec42c2404573a74f464a3244ab2b9d8255c366557fa8bc9059ea9e873cc7f151b576b1a7fbe764d5d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b17b540f82e20dc96a20dd7a06f9071f

SHA1
df6f34275381858c96f64811db4073427b325848

SHA256
1c6e8ce5889155925bcf9335e6be8b9964233ad2621bcd5b702e52bdac2fe7e3

SHA512
37131f5317168b71d618751dc3794a7a25841df33c68e6f4db0668c4cb189f6661cb88e6c266a851aa1ea36a0cfdd36279fe6fd6c0aacee86b41a14150a93abd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a1102bd35ba102c01df0abbb0464b36e

SHA1
9c12ac4988ea75916c82f5a5782c2d3c2d63c5b6

SHA256
0a912634856cb0fbbaa3f0d49cb29ecca8daccacd6b062124ae5eb858e6bf176

SHA512
1602b5de90b7a7a3fc0158b4deb8a82f16e09cc9de5444a9856bc2a0d1f5c86433d38accb4db5a95b6e1830a5ace41b9e756804ab082f6230a3782b18673dc0c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f628d9907ca5a78a9c99424143e67507

SHA1
853d18f984fcae9d7ef197898d14cfe8e0c11f93

SHA256
387bdb4e24013a188798d60e16e4f52977895c338035273a2281cea39caf3128

SHA512
cde76a04d221179075713c7fe815688ee169a1d54879af1e60b057d9329df1b4123f50b61bbd4c9f5b82b8732351227fc8efadea2459d3d3061478e25b89ba90

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
757afccf64b2d42bb94e52ff3d616790

SHA1
53041dc35bb6f6813e713a59866eaad5c2c40f11

SHA256
539480f3d1cce1f3cfe36c1a961004b7832b35d8d40e2dd102e0c01c865a6620

SHA512
f432fa4959f78ef4c607e1903c774b5a744112a9664e724d769fe4725abc52f8e61ae52a1f9ca3bd25fd6a3715cf416aa0e495a93a3c69bc070ba10d26268295

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
56e84ec485c67e2cb86903d1526c017c

SHA1
fb05b5f0e1719dc7f4e42719355eadcbe8c31de5

SHA256
c3cd37cc4bf2495a35f80e8af876031d145215c22811cfa2feabc683758322b0

SHA512
428c20c285ca8ab547749530781a4aa40da3f8640d089171e80c449692004502f262a00687856ff4623af4e190e8f47374af3af066952e2e95008cda0d7c2cfa

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5b6e54d1872a1af29e4072d34f4aea65

SHA1
e5d23f62aa1b45ec83356215eba6c474670cf609

SHA256
1bcd67171c3c7944e683562bdf586a66fe35fb21cdef432220a1ed4e7e0c8e6e

SHA512
e8da0a128a374c4a3cecf71481e0a043b78b44d3ac56813c9546a3384dd4d92de5b6c32fb3e6bb8c0a40cc6f6434756d3884e0721135a5c5a7c5b3bfc172c02d

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
8423a7d8d5608d10e1d354d89625adb0

SHA1
74baf1ba56751267f66a2a53e62803ef0029c897

SHA256
3a1cc1c0239fbf3f040d01dfbbf67f67f2e77131ee67d427958af557ba3d30fc

SHA512
d8dfbc8723c81e74b90948cc994e93389975fa3796605723aa96340e34906e05d0de195425b02340a55cf1d462fc23191fdd5d75d4e16149c3bca46fed9619dd

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
03daebcb64605980d73fae49e48178fd

SHA1
96523e3181db3cffa240e01dc924d0dfe8ad0c35

SHA256
571c75069f2935be6d2e038114dbb0702f04693a4a7c7aba0fe158beb9b978f3

SHA512
5db17b03a00b43d6607d7097d92916780ee101ab1cab2c299552af1f4f2b3649743643b2896378e6c670edc672dc26933f419ec0e196023c327f7f85ff063f61

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
588328ab1e2f90325648654e4bd2a431

SHA1
32b01bd46a28b18e2b7bacd8e0598232660ca42e

SHA256
7425750bbc3b00a256e061f6593d9e851b76532d603d9b82b610558c00b3823c

SHA512
77548928844455e5f7cf2a77eee9ad051eff216961a848b3a5aea5653ad2c387a70c83630f755cdfcd1a454bad689588238f819c9cb85e8b2de08dd910d4dd4a

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3f249fef38ed744ae92c75eb8e1b3c3c

SHA1
adc2c749bdcfbc4146c513516741aef06a12e754

SHA256
554e54c44568065087027dee42c454f0251ef3a03990cb24a35516d05536335e

SHA512
fae1aac6a14df66b67b72e3fac4c4924bb0ab7424ddbd10b44357203e7d9e67734d552680d76deca67dcf3c36b75764ed464bfc1f5a2ab496de698ca461dca44

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cab4c03bd6419160094f2d74e57ad5a4

SHA1
fb076c19b626d09a7a3d5bc31324009f64761962

SHA256
f8a42370027700502f4a3a2d629e44406ca92d1ef6f6f7c10182e96321a4b16e

SHA512
3dca3d1928a7a2cdd74d1ec1f1d1475471e11f86742cf5663faa2ede755900bf3ec7164b43cbb251d1008a27c4373db8adf6dab7757c1845f3a5096ae0925cbe

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ace05d254cb9fa53bea964d513dcc432

SHA1
c288db85008978db5c98a5a01e9e41e425c2779d

SHA256
e92d7cbb6ac4761dfb9cd8c7a83b8c352def161d6969e3e50405808b58de146e

SHA512
2e326ebfc9fb99753e164e2319e4e740d13d7520a8ad126bb6f0b88288f121cf87e0f3f83a033321ebf8a03a965b4996724698fdaf8680e04922232693f49204

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
86e2102af240589d1f2385a7d5e59181

SHA1
9fe5fed182d7d68209a81eb48d1ab9f0b85b6fad

SHA256
b2de48fb8b98de10658d46799a1a9c7f68ffbcff8a0d23203f487b7361378331

SHA512
bdae225a5f12c104b0e933d4af689ed7256f81acc9772b4d328d201a38ca6bbedf2c90a0fe68720b066bba128563fc59ed54d866aa2c88cd5e8fffa69cb4b61a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
fffa82155ae54ec956879becfe12755f

SHA1
6007d2306f7cb9051ed9b12defaf3520638badd3

SHA256
11eb14f6bbac83a3218aa6fd89660d6dabaac341a20f53bf8ff1db51244bc579

SHA512
9b9811d1a3b3f41cd6c9773f7c5572d85696b81531fb576ec5ca549a4502a975dcbe4d55d31a4a68b0fe1d1e0d865699b6e654f41bc4ceded95ef24d8ff08e6a

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
1f166102972d8c7d06df8c0792b870d3

SHA1
840bf087475b2cb5e9303759046a124e116690eb

SHA256
33ab3712bc77d055f000cf4fb8501ad206b8ef29233f265452f59c655e308129

SHA512
7d59a81608e1b7db138ade0b37246907d4fd212239a023c67dd0c0b9fd6de985d2f00ffb66c040a9afc6268d9a959e83ad30abc54654cc5498f1e41703f1e19a

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1f166102972d8c7d06df8c0792b870d3

SHA1
840bf087475b2cb5e9303759046a124e116690eb

SHA256
33ab3712bc77d055f000cf4fb8501ad206b8ef29233f265452f59c655e308129

SHA512
7d59a81608e1b7db138ade0b37246907d4fd212239a023c67dd0c0b9fd6de985d2f00ffb66c040a9afc6268d9a959e83ad30abc54654cc5498f1e41703f1e19a

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
61ff150ac03f2de6711bdb31aede8f56

SHA1
0cd2096a30f4ae1e0808381b4a072a3d3e22a5cf

SHA256
fdb358330555c2625d9624248936f97c4d597876e70657544f2c9a25467c13c1

SHA512
62ac556bc0d88aaa6de6f6421fde78b97844276d8305e10947833c1181823eddb07114e23d724284f203e9806da77e3007e17c12f5aae4848769972b8db636ca

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
61ff150ac03f2de6711bdb31aede8f56

SHA1
0cd2096a30f4ae1e0808381b4a072a3d3e22a5cf

SHA256
fdb358330555c2625d9624248936f97c4d597876e70657544f2c9a25467c13c1

SHA512
62ac556bc0d88aaa6de6f6421fde78b97844276d8305e10947833c1181823eddb07114e23d724284f203e9806da77e3007e17c12f5aae4848769972b8db636ca

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.3MB

MD5
03daebcb64605980d73fae49e48178fd

SHA1
96523e3181db3cffa240e01dc924d0dfe8ad0c35

SHA256
571c75069f2935be6d2e038114dbb0702f04693a4a7c7aba0fe158beb9b978f3

SHA512
5db17b03a00b43d6607d7097d92916780ee101ab1cab2c299552af1f4f2b3649743643b2896378e6c670edc672dc26933f419ec0e196023c327f7f85ff063f61

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
88f703f7eb9b957ba69a214fa2732b4c

SHA1
47f6e1da8d49ccfae6b97637b4947b82f9975d1c

SHA256
e819e1cc0d03da0330096081f79ee2d0b1ab6e0d7a3fecf3c884da28e26e8c7e

SHA512
dc2c7250169a045ac8519d551fc36a1351cfefc2b8d692865036fc42e84ce0f6d6655dd7b538cb93536eb111262c9e9f1852ef30f92c1ba6bf5e74df3e1b9be5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3f249fef38ed744ae92c75eb8e1b3c3c

SHA1
adc2c749bdcfbc4146c513516741aef06a12e754

SHA256
554e54c44568065087027dee42c454f0251ef3a03990cb24a35516d05536335e

SHA512
fae1aac6a14df66b67b72e3fac4c4924bb0ab7424ddbd10b44357203e7d9e67734d552680d76deca67dcf3c36b75764ed464bfc1f5a2ab496de698ca461dca44

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0f4e76ff42761e5da87c0c4792f20472

SHA1
57d346afe73d6ee224a3dcd6a2675bae02ba88a6

SHA256
35f21a39920e35f57b33fdf8b96df807c55759711622a3e5e26ce9bda60142b6

SHA512
edcb5943abb663f1c5772167c01eb2c16aaf8192ad7cf457566ff852f38b23389b290f37ff356e114af464a5d7864b9740ad624c4e12a41d1078ec64294b4c89

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0f4e76ff42761e5da87c0c4792f20472

SHA1
57d346afe73d6ee224a3dcd6a2675bae02ba88a6

SHA256
35f21a39920e35f57b33fdf8b96df807c55759711622a3e5e26ce9bda60142b6

SHA512
edcb5943abb663f1c5772167c01eb2c16aaf8192ad7cf457566ff852f38b23389b290f37ff356e114af464a5d7864b9740ad624c4e12a41d1078ec64294b4c89

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d4807a9ea60452981c2e62e039add016

SHA1
178c813c80890cc1b3fa0b56fd92df77a80a72cc

SHA256
e8172c4ae04179b66ca541b00342580a51cf2e36dd1c938783d5aa352a14fe13

SHA512
03b0344dad8d4ee9b7dd4fa716ca703668e993d2ad37d3db0fd74a2773db1ef0efa76a2b3f21d172023dee4aef414c6f34442786e2a00073a8545da620c45357

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
76e1af358eae41cef63edb73d213567c

SHA1
36da8e4d77147eb43fc43aa54cd3ef7fcad27b9f

SHA256
d91c90f22d2ce63e1a125f14b424588a179fccf8bede114994f23c2a57b8b96f

SHA512
816b779c2b742218f3df3f21cf5ac294e302f4c818f8dd366cc3addf11d071fc1ed46d936a990bb12d2dbb782c5cdb01d1d1ec22bb5dda22a40bc63a5d52e2a7

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f628d9907ca5a78a9c99424143e67507

SHA1
853d18f984fcae9d7ef197898d14cfe8e0c11f93

SHA256
387bdb4e24013a188798d60e16e4f52977895c338035273a2281cea39caf3128

SHA512
cde76a04d221179075713c7fe815688ee169a1d54879af1e60b057d9329df1b4123f50b61bbd4c9f5b82b8732351227fc8efadea2459d3d3061478e25b89ba90

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5b6e54d1872a1af29e4072d34f4aea65

SHA1
e5d23f62aa1b45ec83356215eba6c474670cf609

SHA256
1bcd67171c3c7944e683562bdf586a66fe35fb21cdef432220a1ed4e7e0c8e6e

SHA512
e8da0a128a374c4a3cecf71481e0a043b78b44d3ac56813c9546a3384dd4d92de5b6c32fb3e6bb8c0a40cc6f6434756d3884e0721135a5c5a7c5b3bfc172c02d

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
8423a7d8d5608d10e1d354d89625adb0

SHA1
74baf1ba56751267f66a2a53e62803ef0029c897

SHA256
3a1cc1c0239fbf3f040d01dfbbf67f67f2e77131ee67d427958af557ba3d30fc

SHA512
d8dfbc8723c81e74b90948cc994e93389975fa3796605723aa96340e34906e05d0de195425b02340a55cf1d462fc23191fdd5d75d4e16149c3bca46fed9619dd

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
03daebcb64605980d73fae49e48178fd

SHA1
96523e3181db3cffa240e01dc924d0dfe8ad0c35

SHA256
571c75069f2935be6d2e038114dbb0702f04693a4a7c7aba0fe158beb9b978f3

SHA512
5db17b03a00b43d6607d7097d92916780ee101ab1cab2c299552af1f4f2b3649743643b2896378e6c670edc672dc26933f419ec0e196023c327f7f85ff063f61

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
588328ab1e2f90325648654e4bd2a431

SHA1
32b01bd46a28b18e2b7bacd8e0598232660ca42e

SHA256
7425750bbc3b00a256e061f6593d9e851b76532d603d9b82b610558c00b3823c

SHA512
77548928844455e5f7cf2a77eee9ad051eff216961a848b3a5aea5653ad2c387a70c83630f755cdfcd1a454bad689588238f819c9cb85e8b2de08dd910d4dd4a

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3f249fef38ed744ae92c75eb8e1b3c3c

SHA1
adc2c749bdcfbc4146c513516741aef06a12e754

SHA256
554e54c44568065087027dee42c454f0251ef3a03990cb24a35516d05536335e

SHA512
fae1aac6a14df66b67b72e3fac4c4924bb0ab7424ddbd10b44357203e7d9e67734d552680d76deca67dcf3c36b75764ed464bfc1f5a2ab496de698ca461dca44

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3f249fef38ed744ae92c75eb8e1b3c3c

SHA1
adc2c749bdcfbc4146c513516741aef06a12e754

SHA256
554e54c44568065087027dee42c454f0251ef3a03990cb24a35516d05536335e

SHA512
fae1aac6a14df66b67b72e3fac4c4924bb0ab7424ddbd10b44357203e7d9e67734d552680d76deca67dcf3c36b75764ed464bfc1f5a2ab496de698ca461dca44

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cab4c03bd6419160094f2d74e57ad5a4

SHA1
fb076c19b626d09a7a3d5bc31324009f64761962

SHA256
f8a42370027700502f4a3a2d629e44406ca92d1ef6f6f7c10182e96321a4b16e

SHA512
3dca3d1928a7a2cdd74d1ec1f1d1475471e11f86742cf5663faa2ede755900bf3ec7164b43cbb251d1008a27c4373db8adf6dab7757c1845f3a5096ae0925cbe

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
86e2102af240589d1f2385a7d5e59181

SHA1
9fe5fed182d7d68209a81eb48d1ab9f0b85b6fad

SHA256
b2de48fb8b98de10658d46799a1a9c7f68ffbcff8a0d23203f487b7361378331

SHA512
bdae225a5f12c104b0e933d4af689ed7256f81acc9772b4d328d201a38ca6bbedf2c90a0fe68720b066bba128563fc59ed54d866aa2c88cd5e8fffa69cb4b61a

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
fffa82155ae54ec956879becfe12755f

SHA1
6007d2306f7cb9051ed9b12defaf3520638badd3

SHA256
11eb14f6bbac83a3218aa6fd89660d6dabaac341a20f53bf8ff1db51244bc579

SHA512
9b9811d1a3b3f41cd6c9773f7c5572d85696b81531fb576ec5ca549a4502a975dcbe4d55d31a4a68b0fe1d1e0d865699b6e654f41bc4ceded95ef24d8ff08e6a

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1f166102972d8c7d06df8c0792b870d3

SHA1
840bf087475b2cb5e9303759046a124e116690eb

SHA256
33ab3712bc77d055f000cf4fb8501ad206b8ef29233f265452f59c655e308129

SHA512
7d59a81608e1b7db138ade0b37246907d4fd212239a023c67dd0c0b9fd6de985d2f00ffb66c040a9afc6268d9a959e83ad30abc54654cc5498f1e41703f1e19a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
61ff150ac03f2de6711bdb31aede8f56

SHA1
0cd2096a30f4ae1e0808381b4a072a3d3e22a5cf

SHA256
fdb358330555c2625d9624248936f97c4d597876e70657544f2c9a25467c13c1

SHA512
62ac556bc0d88aaa6de6f6421fde78b97844276d8305e10947833c1181823eddb07114e23d724284f203e9806da77e3007e17c12f5aae4848769972b8db636ca

Download Submit
memory/112-391-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/112-384-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/268-140-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/268-211-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/268-134-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/836-189-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/836-324-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/836-190-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/836-197-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/984-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/984-333-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/984-212-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1520-320-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1520-313-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1520-366-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1708-163-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1708-123-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1708-114-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1708-115-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1820-172-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1820-85-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1820-93-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/1820-86-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/2032-158-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2032-306-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2032-152-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2096-309-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2096-174-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2096-173-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2096-181-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2096-184-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2096-185-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2096-318-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2096-186-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2192-286-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2192-1-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2192-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2192-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2192-7-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2192-6-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2464-363-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2480-303-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2480-336-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/2480-289-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/2648-373-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2648-380-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2648-374-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2648-381-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2648-361-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2648-360-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2648-379-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2728-28-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2728-159-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2748-307-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2748-364-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2768-362-0x000007FEF4540000-0x000007FEF4EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-341-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/2768-300-0x000007FEF4540000-0x000007FEF4EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-339-0x000007FEF4540000-0x000007FEF4EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-372-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/2768-301-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/2768-329-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/2768-365-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/2768-302-0x000007FEF4540000-0x000007FEF4EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-390-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/2920-368-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2920-331-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2920-340-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2920-358-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2920-367-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2920-369-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2960-105-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2960-132-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2960-98-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2960-99-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download