cce2828d41c4018017e9be64b7c0838c01d0be57b941278acea820c4c7f4db14

Analysis

max time kernel
157s
max time network
172s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bb095c3d72529e3443ba09021dbed980.exe
Size

622KB
MD5

bb095c3d72529e3443ba09021dbed980
SHA1

0ebc66c21b8f22890a676a212fa3162ffc1ae3b8
SHA256

cce2828d41c4018017e9be64b7c0838c01d0be57b941278acea820c4c7f4db14
SHA512

a20c9c9c13f4937ef7ced8e07a13a5ec586ca1711af86ecf18c6d1c283ae22ad4d4aacac26deb167926bb66c299fe85ef8f01e7ac8344389d3dece80e82c80c5
SSDEEP

12288:Og4+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:OgxMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
472	Process not Found
1712	alg.exe
2720	aspnet_state.exe
2812	mscorsvw.exe
2540	mscorsvw.exe
1744	mscorsvw.exe
2156	mscorsvw.exe
1716	dllhost.exe
1672	ehRecvr.exe
2360	ehsched.exe
2932	elevation_service.exe
272	IEEtwCollector.exe
1948	mscorsvw.exe
1500	GROOVE.EXE
2952	mscorsvw.exe
2900	mscorsvw.exe
2812	maintenanceservice.exe
1808	msdtc.exe
292	msiexec.exe
2340	OSE.EXE
1760	mscorsvw.exe
1700	OSPPSVC.EXE
2564	mscorsvw.exe
2536	perfhost.exe
2744	locator.exe
2788	snmptrap.exe
2516	mscorsvw.exe
1704	vds.exe
2372	vssvc.exe
2952	wbengine.exe
2448	mscorsvw.exe
2332	mscorsvw.exe
2928	mscorsvw.exe
1008	mscorsvw.exe
700	WmiApSrv.exe
2260	wmpnetwk.exe
2592	mscorsvw.exe
2996	SearchIndexer.exe
2320	mscorsvw.exe
976	mscorsvw.exe
308	mscorsvw.exe
2076	mscorsvw.exe
1256	mscorsvw.exe
1776	mscorsvw.exe
2800	mscorsvw.exe
2388	mscorsvw.exe
2072	mscorsvw.exe
2244	mscorsvw.exe
2544	mscorsvw.exe
992	mscorsvw.exe
2204	mscorsvw.exe
2588	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
292	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\vssvc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\dllhost.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\wbengine.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\System32\alg.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e4fa3be82abf0469.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\msiexec.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\locator.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	NEAS.bb095c3d72529e3443ba09021dbed980.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8EDCDAE7-5428-4EA8-BBDD-AE00DB250DE2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8EDCDAE7-5428-4EA8-BBDD-AE00DB250DE2}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{05AB1E55-784E-467C-9194-4F640C23F9FB}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{05AB1E55-784E-467C-9194-4F640C23F9FB}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3044	ehRec.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: 33	1748	EhTray.exe
Token: SeIncBasePriorityPrivilege	1748	EhTray.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeDebugPrivilege	3044	ehRec.exe
Token: 33	1748	EhTray.exe
Token: SeIncBasePriorityPrivilege	1748	EhTray.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeSecurityPrivilege	292	msiexec.exe
Token: SeBackupPrivilege	2372	vssvc.exe
Token: SeRestorePrivilege	2372	vssvc.exe
Token: SeAuditPrivilege	2372	vssvc.exe
Token: SeBackupPrivilege	2952	wbengine.exe
Token: SeRestorePrivilege	2952	wbengine.exe
Token: SeSecurityPrivilege	2952	wbengine.exe
Token: SeManageVolumePrivilege	2996	SearchIndexer.exe
Token: 33	2996	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2996	SearchIndexer.exe
Token: 33	2260	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2260	wmpnetwk.exe
Token: SeDebugPrivilege	2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	2268	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1748	EhTray.exe
1748	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1748	EhTray.exe
1748	EhTray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1948	1744	mscorsvw.exe	40
PID 1744 wrote to memory of 1948	1744	mscorsvw.exe	40
PID 1744 wrote to memory of 1948	1744	mscorsvw.exe	40
PID 1744 wrote to memory of 1948	1744	mscorsvw.exe	40
PID 1744 wrote to memory of 2952	1744	mscorsvw.exe	44
PID 1744 wrote to memory of 2952	1744	mscorsvw.exe	44
PID 1744 wrote to memory of 2952	1744	mscorsvw.exe	44
PID 1744 wrote to memory of 2952	1744	mscorsvw.exe	44
PID 1744 wrote to memory of 2900	1744	mscorsvw.exe	45
PID 1744 wrote to memory of 2900	1744	mscorsvw.exe	45
PID 1744 wrote to memory of 2900	1744	mscorsvw.exe	45
PID 1744 wrote to memory of 2900	1744	mscorsvw.exe	45
PID 1744 wrote to memory of 1760	1744	mscorsvw.exe	50
PID 1744 wrote to memory of 1760	1744	mscorsvw.exe	50
PID 1744 wrote to memory of 1760	1744	mscorsvw.exe	50
PID 1744 wrote to memory of 1760	1744	mscorsvw.exe	50
PID 1744 wrote to memory of 2564	1744	mscorsvw.exe	52
PID 1744 wrote to memory of 2564	1744	mscorsvw.exe	52
PID 1744 wrote to memory of 2564	1744	mscorsvw.exe	52
PID 1744 wrote to memory of 2564	1744	mscorsvw.exe	52
PID 1744 wrote to memory of 2516	1744	mscorsvw.exe	56
PID 1744 wrote to memory of 2516	1744	mscorsvw.exe	56
PID 1744 wrote to memory of 2516	1744	mscorsvw.exe	56
PID 1744 wrote to memory of 2516	1744	mscorsvw.exe	56
PID 1744 wrote to memory of 2448	1744	mscorsvw.exe	60
PID 1744 wrote to memory of 2448	1744	mscorsvw.exe	60
PID 1744 wrote to memory of 2448	1744	mscorsvw.exe	60
PID 1744 wrote to memory of 2448	1744	mscorsvw.exe	60
PID 1744 wrote to memory of 2332	1744	mscorsvw.exe	61
PID 1744 wrote to memory of 2332	1744	mscorsvw.exe	61
PID 1744 wrote to memory of 2332	1744	mscorsvw.exe	61
PID 1744 wrote to memory of 2332	1744	mscorsvw.exe	61
PID 1744 wrote to memory of 2928	1744	mscorsvw.exe	62
PID 1744 wrote to memory of 2928	1744	mscorsvw.exe	62
PID 1744 wrote to memory of 2928	1744	mscorsvw.exe	62
PID 1744 wrote to memory of 2928	1744	mscorsvw.exe	62
PID 1744 wrote to memory of 1008	1744	mscorsvw.exe	63
PID 1744 wrote to memory of 1008	1744	mscorsvw.exe	63
PID 1744 wrote to memory of 1008	1744	mscorsvw.exe	63
PID 1744 wrote to memory of 1008	1744	mscorsvw.exe	63
PID 1744 wrote to memory of 2592	1744	mscorsvw.exe	66
PID 1744 wrote to memory of 2592	1744	mscorsvw.exe	66
PID 1744 wrote to memory of 2592	1744	mscorsvw.exe	66
PID 1744 wrote to memory of 2592	1744	mscorsvw.exe	66
PID 1744 wrote to memory of 2320	1744	mscorsvw.exe	68
PID 1744 wrote to memory of 2320	1744	mscorsvw.exe	68
PID 1744 wrote to memory of 2320	1744	mscorsvw.exe	68
PID 1744 wrote to memory of 2320	1744	mscorsvw.exe	68
PID 2996 wrote to memory of 872	2996	SearchIndexer.exe	69
PID 2996 wrote to memory of 872	2996	SearchIndexer.exe	69
PID 2996 wrote to memory of 872	2996	SearchIndexer.exe	69
PID 1744 wrote to memory of 976	1744	mscorsvw.exe	70
PID 1744 wrote to memory of 976	1744	mscorsvw.exe	70
PID 1744 wrote to memory of 976	1744	mscorsvw.exe	70
PID 1744 wrote to memory of 976	1744	mscorsvw.exe	70
PID 1744 wrote to memory of 308	1744	mscorsvw.exe	71
PID 1744 wrote to memory of 308	1744	mscorsvw.exe	71
PID 1744 wrote to memory of 308	1744	mscorsvw.exe	71
PID 1744 wrote to memory of 308	1744	mscorsvw.exe	71
PID 1744 wrote to memory of 2076	1744	mscorsvw.exe	72
PID 1744 wrote to memory of 2076	1744	mscorsvw.exe	72
PID 1744 wrote to memory of 2076	1744	mscorsvw.exe	72
PID 1744 wrote to memory of 2076	1744	mscorsvw.exe	72
PID 1744 wrote to memory of 1256	1744	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NEAS.bb095c3d72529e3443ba09021dbed980.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bb095c3d72529e3443ba09021dbed980.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2812

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1ac -NGENProcess 1e0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 1e0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 208 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 258 -NGENProcess 1e0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 278 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 274 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 26c -NGENProcess 1f0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 20c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 28c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 298 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 28c -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a4 -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1d8 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 198 -NGENProcess 1b8 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 244 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1716

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1672

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:272

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2340

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:700

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3618187007-3650799920-3290345941-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3618187007-3650799920-3290345941-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
2713f5bb447ec2a174a2fe1bcb59c2c0

SHA1
e1ac998a9d86b69ee1cc7b5d6d2c64a15bfcbf9b

SHA256
7b3fe4fe70550ab567a259aca53b7c53854c53624dda9b4afb978458fc8882d5

SHA512
78aca056d8b0c42765cbfca2b91eb74a6687a20466beaba14a67d616167444b91a3f0b2fac50523e2feea5955d97fa04fcc53e88dde7b01b0dc2ce1311e00028

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d0c6698f3f4b846b0832a5da37a63a57

SHA1
65fdfb95e880088ea37b1cba620d37e252a7fb6a

SHA256
ab310dc59141a97cc6d6f0194831769d47f9916b03b0fd992d734187589ebe79

SHA512
6224da76ed5c3d9038c009e24935dba8ad8d04b9c682ab7982d67cd1ea44a366402a01a6f1542bdd38b97dcaff4745be35dd8a4e5e47490d3934f06ba2185ff5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6fb0df2a796f44484092fcc4986c14a8

SHA1
eaa4adbe17fe310f029e1431a4021a24aa6596c2

SHA256
6991368bd72fd510162ad14ac25dfde5c78e3ae062ee4d75c1f0753c5a9912db

SHA512
4637bde98a22950a9134b8e94715749e1fbbab49a36d3c72208b599b4ca1e2c7b9e386e04850c6016b7a6ad724f27426c71cbed41bfec980ff0a4b279a46a178

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
35d4ca8eae261f6cde72cc87bc21768a

SHA1
a5c22542726c4f09fdbeb7e7734edd4727a6c966

SHA256
4277b00bb2e2a55e33ec82341ad8cc2fade0901c497715fe4e7d2a91618188ee

SHA512
7c37f79ff4634060f39ee129c0790cd2828cdc250e9c5f5eb9cb56ef1b4e3a5dc6a67f6ba30a566ca893b6ed274a0651f921ee6821080a25cb6c9d9876b6bfd7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0d577090f125a78c22c7dfcc5a2a067d

SHA1
333b25ccf4a9aec4cff198af5017689ddb42f683

SHA256
275acb61510c72c979b4f2843094a81629d322f3b7332069aa0f324136fc6909

SHA512
a4f953d8a69198531d0b365d55f512e936ab0bb8983818425eabeb15315700f39f43d8e02b7ffa768a534f8816a1a601ea591b046e5485967488cc7d8bac2677

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
91950b710cf8516432bfa0cb7042249f

SHA1
8c1f882c4e1a08df4c524870a45acad5682befd5

SHA256
3b8ca949b073d45f37541fb0e400327138a93d29ef7ad3850511702e6dd14181

SHA512
cc48fabb71f20428262e3c73c655bedb4f933939308859ac00f7813336993b84433601c6dc2703ead2bc1c18c6c64716f4e4c2dcf00eddccf2e4d827c5e22061

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
1db916940271f23ec35b3b5cf3a35f2e

SHA1
ff6a4e490e59707716de26fbb8db44f82e279405

SHA256
b7aadeda32d1798a567c4372caadca92a947c07c611d5a1ff419103c259525fb

SHA512
d9dc838b7afd88c8a91c7b5cf021e6ae80b2868345141e7f0fdd31f636925525b5076d2c0f7b2cb733a9344a7913396c509348b72333d60f2aabad60e730d6a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
dfbf45a5802aa182c18cc7cb44534b4d

SHA1
ddb7367e3077faa7dd6fd0d5ce5bb38f84595a48

SHA256
8635d9606fa80e1f74aa5b4ed2d64c77f67e9efcc4b8bef1868d237b420780e9

SHA512
996ae5fff966711d19f61648de8ac58dadc3437c8160bdf28015124761f3c043377dbed9c2bdbb800f534325bb7c5a25eda7662414e22d608c47b4ba43d95aae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
dfbf45a5802aa182c18cc7cb44534b4d

SHA1
ddb7367e3077faa7dd6fd0d5ce5bb38f84595a48

SHA256
8635d9606fa80e1f74aa5b4ed2d64c77f67e9efcc4b8bef1868d237b420780e9

SHA512
996ae5fff966711d19f61648de8ac58dadc3437c8160bdf28015124761f3c043377dbed9c2bdbb800f534325bb7c5a25eda7662414e22d608c47b4ba43d95aae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f06547687754fac1f8dcbfea2fa2f2c2

SHA1
dff301ca1bebb435d5d6618fd0a07c597b4c41e7

SHA256
a459686b93b416136e07f466aa688ea0c5564f77b2086f7cebb624b0c18c090c

SHA512
2ec746eaacbbe9504a7807ced30109e618918fd8457caf151584993a4f854f218e50f3e8c7f6f8b39f4c34701e8343b2c76d4bfa4a5211be07368b0f7273e8ff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
8778255df4f53ebd6f5d51147be6dcae

SHA1
5e8f942e89fa272f63ecc17588f6c4e3270fcdda

SHA256
1ce66aaff165b897d7fe8e15fcc3ff94959aab2be2a0938fa24f07d63c8788b4

SHA512
91d0e3ca1a3612a0f527035f061e079dabb6aa3075e506d250a1437a9937e54601ba38a36c74111c6e36efb5ba77108c633cea2bb553d669b19dd6890b934ab4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
b9a02e86aa8fcd17d3832a6781921052

SHA1
566553f591c1e8a5eaa080de7fd957d7688da236

SHA256
bcfb6c231b71e654af6adf8090a6bd1d2b5faf5fede28ace2ebd6b2d2886a415

SHA512
fdfab023bfbd6f32ae9e7ccba646a77a72a1079b80f9a6da70da712a58b5868a4fee9bc801d7faa1abfbb80b2cdee7455b5f11b0fc265bc7f005a3471dae7891

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
b9a02e86aa8fcd17d3832a6781921052

SHA1
566553f591c1e8a5eaa080de7fd957d7688da236

SHA256
bcfb6c231b71e654af6adf8090a6bd1d2b5faf5fede28ace2ebd6b2d2886a415

SHA512
fdfab023bfbd6f32ae9e7ccba646a77a72a1079b80f9a6da70da712a58b5868a4fee9bc801d7faa1abfbb80b2cdee7455b5f11b0fc265bc7f005a3471dae7891

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
df383e047285763a082b9389586eb528

SHA1
52307b12efb2c30371bfe525e8a88eace85fb482

SHA256
3ab9dcaf7c686766f3e00908de2c6f3c4736a3e59397b1f85bc084e97165c723

SHA512
06fc4af9423f223afa2c846db6b4b4b512af02a76c32e57bf385a3a94b462be89468a5859730f5090e8d795b976124292bb9ec775b8cdabc1f085b03fc37299d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
df383e047285763a082b9389586eb528

SHA1
52307b12efb2c30371bfe525e8a88eace85fb482

SHA256
3ab9dcaf7c686766f3e00908de2c6f3c4736a3e59397b1f85bc084e97165c723

SHA512
06fc4af9423f223afa2c846db6b4b4b512af02a76c32e57bf385a3a94b462be89468a5859730f5090e8d795b976124292bb9ec775b8cdabc1f085b03fc37299d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
cd1aa4a28bb50fcf71823cbde61eb5dd

SHA1
768afd77b393b821bb74c54584b470ef983de339

SHA256
e496ea8790d98dfa22354c270dbdbd62f99fc1c7db7f5718d8c4c5cd4d2527e7

SHA512
ead70fc9b9d10e77c7d30fe274560c1609b08da5e9a710f3937fea6b03e58c909d7ec3213c6375f0efe879f74cd7697f51acd5b9e4611b34691bbe17ed42381c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cf9e622456f5769bcd19bc8252b489aa

SHA1
0fd42ae4cf9f99e1d167af1952a420eea7232d37

SHA256
770b569d637f9c778d836e233cde70dd521660488bae70495b2e43f94bf38031

SHA512
22268f45de88ce1dd1dac572d332bf8f472f3a51ecde49426dd2ea8eaa7926bdd7b68a9007d46c57f41e85e91533cd90af43891354b0c0f6da3b6ddff40fb39d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
2ddc08112f7d7cb25f20eda9156e688d

SHA1
8863665898cbf08a0bfda5456cae343b66cd703a

SHA256
565e146c9d3d578493e9826a2e8666af53cedd1ccced6cca5731f95311ece4e0

SHA512
ad0a50902ca7a458a231940e15eb992c45a49e0d71f7f566541b6e9dae9b06de354531370860dcb04b6f02cd228f46ff0f9d5c10570c0cddd304e538675ffccd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
e160fb17d1b5fcc5d3dcaa06c7e4ff0b

SHA1
7fde00123c0ef307ae771e896334682e5788cc75

SHA256
72b797442ad7b5850479b69e4f2b0d67c715e13c24941953a3eea3c0c427fe7e

SHA512
ed3fcd31969a6c7083f0e139b97a860c45ada745807b4a12069700576aa0e298412244f50f9ca1a9153fd55d0ba3a2a7e1c617010f09f6c311444c0a0374855f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
771095b1e071e2476bb0a913df564f73

SHA1
c2fcd013e65f8582838aeba34b9f3a704737c23d

SHA256
f97f93be2856a14b116594c26ae5e440b2a9c377e2c54ee2d429a2f3d2e3a86a

SHA512
e5a507f54829bcf7b8b404fc26b9ac6216f169863b7bfed21f473120a5b3915c29461692b02a880fbfd4daf0ac8cd39c0a3858fa88085c6d629dc6a567134838

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
dd3fa27c3d2aa9d44782f1cdbb6c3919

SHA1
919cf5f73977f69c2836885c02b5ae15dce0fc06

SHA256
2c1a757f516e847e4432a69c25a59b3cf7ca6a4115a61f0cf856680c73f49d7c

SHA512
9cdd708ae9bed130763ea7fb5b89ae62d65a7d2dbf6ce45dac642c8d840c8434b2bb972bb8067af05c7a7f3a4a4e2756093fc3f7130c63a8556dbdf4ef763e96

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
ee82c8432d04f80b6e36d22aeeb2621a

SHA1
af517468bc93100faaf1a394ff54199113d6aedc

SHA256
85b4a8c7ff5fddd013615ddfdb54d00f9dae3836d676f23d9f78c738f95a3dbf

SHA512
66457125fe1cce33066d8ff2fe5b03b32cec658739a9c31d0e02a988302762060da24ef0ee016ea527e8bd0d20fdc5a117faa571c07afc2f8b9d72a10160bffc

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
f9aa7100628e929ed540c61af8e78812

SHA1
095cc349989db8f9285c4d56aaf310e676135190

SHA256
bd12b292343baeb656279d6ab0059eebc499c8c9d576558da5f673c6352940da

SHA512
1c0494647f5543e069de433bccd8624fe0d9c40ab627c9af96c8aa8453306fa9f75b0d1fdd752664c5114bfe5bd2bc7c1747f4f71911ebd511ca76d8edc78356

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
f36f3c5ebfa461c2c1c3e8692b397458

SHA1
86d48ae6da48099435931ab38776203207e2091f

SHA256
551d8e4232f22e79a4dd2db76f0adf48d85ee28e44500ed4649e484881944045

SHA512
564c445bff9f3f19d3952b7abf1d36dbe49b42cbd1dea17d70359e4956be20156bf75e35f79630966e22293ef79338654fae3206cca0957021343488c7c34932

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
170eb5c3dd0a92bf78f1d3599f168f33

SHA1
e13aad50897438191e351fc73b9876334c092111

SHA256
4cf25e47699005c499a9022228c2723541df3b2fed497e9ab2dd181148a80e75

SHA512
2e5770d59aefca752b9415eefb2bc75599587c705583274c2c3207eb22fd5ebac7353a53404f0f960311f18067a833b558f7b1c935ad08022fb590c5e212b3d2

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
691KB

MD5
c70bb8d4f3ef60843b421aeab2738c7c

SHA1
2e516faa8765c7d1275607ba5388f85324215dd9

SHA256
97fad3be10afd4917ba2b6cf032218c27b8f6de0737f0d6e357ba7840f28fe38

SHA512
c148bc06d2535e30a1bbc787a5b44e8f7a3468716bae3199f8ee558d5d85fd84575f4665ad3ea8f86f684be11b19a7462e1a4c810d314f19865d1f76b5c088f5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
d1830a443a301e9dcd5a0afd2081bbeb

SHA1
7d6723ac51f447d910489cd0697b2b6bfcb72a87

SHA256
3e878ef647fd9d5e026666d6f3c91ff0d18b8602cdc6e8cd32b934811720ce23

SHA512
5938f5ec74007761abdaa30cce01017dc1e9528be8cfc3ae5c4c265e0f520f82cca45a6f3fa8a6907209c55dd9f9082452b8bda59b647257dd6bba704d0044c7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
0560590a6d267e5980400f7a9a863cca

SHA1
2cc7120178b6fb06ecc270240fae6b9e8cd3b7b6

SHA256
767ee897442fa8baf14ebdd457c1a60ab6bf029b81951489984331268d68e192

SHA512
1b24c5a586c25c01964d899a332989aea5dba0c640b5177a1b93e139c90323e79d54446b1351d7b6457d963c548fd23157780bbbede673e6852e30d02e36f6b4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
7a470d08969b62968e61e783e908e656

SHA1
704aef8f5ff555aa7b4dd3bea7412a641301766d

SHA256
b031aef6fd367bdd13cf75b5eda2ffbb20d42971cd451db6518f0ad3d2881704

SHA512
30ebe293d8932b0d46f00a1663206868e45e08969e5c9fd9597cd3cab3880a528ffe4a355f7342a7f43d7242643be73690a680f28845487ec59e55ab50f1ab55

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
cd7c118a46e50d68cc29b5e5b4ae933a

SHA1
7c58774a4523bcc8cd34ae17cf0495472762e54e

SHA256
b8cfb4045bcac0c98971a471bc8b1ed8888431a7cc7da67ec6c405a367458e8a

SHA512
153b004630740e0bd977ee60db52cea3027579d7244a3362078959a6c8ce80b3333043b0ddf8359191a529b6cedca9eb619d2f231fce9ae7d1a39c41ab896e9e

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6cbdcb7ac668b8e665da08031453218a

SHA1
1ad474ba480dde1ecd0136f5c24c0598eec227d8

SHA256
6c95a546d5669a72d901898fe1880910b3c19e139331f29a5b34035fd872228c

SHA512
e796aff55d87c1f2fd87c54e8aeb14d729e1823ecd48b3d6c49cbd18b747f6417d780be3e6b2b7b5f9724bffb72d3402cd855054d706844a59dea8aa296e10d0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
16c439aaed86f4f8fd4f843de98e3a9c

SHA1
e6f513b0818ae27151ef865e6a5990ffaba02a68

SHA256
18c80a9a23e768155e82e5ac54733fff427f32ba8fabf95a13d6ebac5fa32589

SHA512
a3d3add5455d255d594e4a5cb559e237d0abbaec664f52d575d4752c88d49ec30fc554a6a007fd8ae28db72e8033d820fa5f72d2737aad4d31e46dc7c5ea117e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
c70bb8d4f3ef60843b421aeab2738c7c

SHA1
2e516faa8765c7d1275607ba5388f85324215dd9

SHA256
97fad3be10afd4917ba2b6cf032218c27b8f6de0737f0d6e357ba7840f28fe38

SHA512
c148bc06d2535e30a1bbc787a5b44e8f7a3468716bae3199f8ee558d5d85fd84575f4665ad3ea8f86f684be11b19a7462e1a4c810d314f19865d1f76b5c088f5

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
91950b710cf8516432bfa0cb7042249f

SHA1
8c1f882c4e1a08df4c524870a45acad5682befd5

SHA256
3b8ca949b073d45f37541fb0e400327138a93d29ef7ad3850511702e6dd14181

SHA512
cc48fabb71f20428262e3c73c655bedb4f933939308859ac00f7813336993b84433601c6dc2703ead2bc1c18c6c64716f4e4c2dcf00eddccf2e4d827c5e22061

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
91950b710cf8516432bfa0cb7042249f

SHA1
8c1f882c4e1a08df4c524870a45acad5682befd5

SHA256
3b8ca949b073d45f37541fb0e400327138a93d29ef7ad3850511702e6dd14181

SHA512
cc48fabb71f20428262e3c73c655bedb4f933939308859ac00f7813336993b84433601c6dc2703ead2bc1c18c6c64716f4e4c2dcf00eddccf2e4d827c5e22061

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
dfbf45a5802aa182c18cc7cb44534b4d

SHA1
ddb7367e3077faa7dd6fd0d5ce5bb38f84595a48

SHA256
8635d9606fa80e1f74aa5b4ed2d64c77f67e9efcc4b8bef1868d237b420780e9

SHA512
996ae5fff966711d19f61648de8ac58dadc3437c8160bdf28015124761f3c043377dbed9c2bdbb800f534325bb7c5a25eda7662414e22d608c47b4ba43d95aae

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
8778255df4f53ebd6f5d51147be6dcae

SHA1
5e8f942e89fa272f63ecc17588f6c4e3270fcdda

SHA256
1ce66aaff165b897d7fe8e15fcc3ff94959aab2be2a0938fa24f07d63c8788b4

SHA512
91d0e3ca1a3612a0f527035f061e079dabb6aa3075e506d250a1437a9937e54601ba38a36c74111c6e36efb5ba77108c633cea2bb553d669b19dd6890b934ab4

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
e160fb17d1b5fcc5d3dcaa06c7e4ff0b

SHA1
7fde00123c0ef307ae771e896334682e5788cc75

SHA256
72b797442ad7b5850479b69e4f2b0d67c715e13c24941953a3eea3c0c427fe7e

SHA512
ed3fcd31969a6c7083f0e139b97a860c45ada745807b4a12069700576aa0e298412244f50f9ca1a9153fd55d0ba3a2a7e1c617010f09f6c311444c0a0374855f

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
ee82c8432d04f80b6e36d22aeeb2621a

SHA1
af517468bc93100faaf1a394ff54199113d6aedc

SHA256
85b4a8c7ff5fddd013615ddfdb54d00f9dae3836d676f23d9f78c738f95a3dbf

SHA512
66457125fe1cce33066d8ff2fe5b03b32cec658739a9c31d0e02a988302762060da24ef0ee016ea527e8bd0d20fdc5a117faa571c07afc2f8b9d72a10160bffc

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
f9aa7100628e929ed540c61af8e78812

SHA1
095cc349989db8f9285c4d56aaf310e676135190

SHA256
bd12b292343baeb656279d6ab0059eebc499c8c9d576558da5f673c6352940da

SHA512
1c0494647f5543e069de433bccd8624fe0d9c40ab627c9af96c8aa8453306fa9f75b0d1fdd752664c5114bfe5bd2bc7c1747f4f71911ebd511ca76d8edc78356

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
f36f3c5ebfa461c2c1c3e8692b397458

SHA1
86d48ae6da48099435931ab38776203207e2091f

SHA256
551d8e4232f22e79a4dd2db76f0adf48d85ee28e44500ed4649e484881944045

SHA512
564c445bff9f3f19d3952b7abf1d36dbe49b42cbd1dea17d70359e4956be20156bf75e35f79630966e22293ef79338654fae3206cca0957021343488c7c34932

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
170eb5c3dd0a92bf78f1d3599f168f33

SHA1
e13aad50897438191e351fc73b9876334c092111

SHA256
4cf25e47699005c499a9022228c2723541df3b2fed497e9ab2dd181148a80e75

SHA512
2e5770d59aefca752b9415eefb2bc75599587c705583274c2c3207eb22fd5ebac7353a53404f0f960311f18067a833b558f7b1c935ad08022fb590c5e212b3d2

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
c70bb8d4f3ef60843b421aeab2738c7c

SHA1
2e516faa8765c7d1275607ba5388f85324215dd9

SHA256
97fad3be10afd4917ba2b6cf032218c27b8f6de0737f0d6e357ba7840f28fe38

SHA512
c148bc06d2535e30a1bbc787a5b44e8f7a3468716bae3199f8ee558d5d85fd84575f4665ad3ea8f86f684be11b19a7462e1a4c810d314f19865d1f76b5c088f5

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
c70bb8d4f3ef60843b421aeab2738c7c

SHA1
2e516faa8765c7d1275607ba5388f85324215dd9

SHA256
97fad3be10afd4917ba2b6cf032218c27b8f6de0737f0d6e357ba7840f28fe38

SHA512
c148bc06d2535e30a1bbc787a5b44e8f7a3468716bae3199f8ee558d5d85fd84575f4665ad3ea8f86f684be11b19a7462e1a4c810d314f19865d1f76b5c088f5

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
d1830a443a301e9dcd5a0afd2081bbeb

SHA1
7d6723ac51f447d910489cd0697b2b6bfcb72a87

SHA256
3e878ef647fd9d5e026666d6f3c91ff0d18b8602cdc6e8cd32b934811720ce23

SHA512
5938f5ec74007761abdaa30cce01017dc1e9528be8cfc3ae5c4c265e0f520f82cca45a6f3fa8a6907209c55dd9f9082452b8bda59b647257dd6bba704d0044c7

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
7a470d08969b62968e61e783e908e656

SHA1
704aef8f5ff555aa7b4dd3bea7412a641301766d

SHA256
b031aef6fd367bdd13cf75b5eda2ffbb20d42971cd451db6518f0ad3d2881704

SHA512
30ebe293d8932b0d46f00a1663206868e45e08969e5c9fd9597cd3cab3880a528ffe4a355f7342a7f43d7242643be73690a680f28845487ec59e55ab50f1ab55

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
cd7c118a46e50d68cc29b5e5b4ae933a

SHA1
7c58774a4523bcc8cd34ae17cf0495472762e54e

SHA256
b8cfb4045bcac0c98971a471bc8b1ed8888431a7cc7da67ec6c405a367458e8a

SHA512
153b004630740e0bd977ee60db52cea3027579d7244a3362078959a6c8ce80b3333043b0ddf8359191a529b6cedca9eb619d2f231fce9ae7d1a39c41ab896e9e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6cbdcb7ac668b8e665da08031453218a

SHA1
1ad474ba480dde1ecd0136f5c24c0598eec227d8

SHA256
6c95a546d5669a72d901898fe1880910b3c19e139331f29a5b34035fd872228c

SHA512
e796aff55d87c1f2fd87c54e8aeb14d729e1823ecd48b3d6c49cbd18b747f6417d780be3e6b2b7b5f9724bffb72d3402cd855054d706844a59dea8aa296e10d0

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
16c439aaed86f4f8fd4f843de98e3a9c

SHA1
e6f513b0818ae27151ef865e6a5990ffaba02a68

SHA256
18c80a9a23e768155e82e5ac54733fff427f32ba8fabf95a13d6ebac5fa32589

SHA512
a3d3add5455d255d594e4a5cb559e237d0abbaec664f52d575d4752c88d49ec30fc554a6a007fd8ae28db72e8033d820fa5f72d2737aad4d31e46dc7c5ea117e

Download Submit
memory/272-158-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/272-165-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/272-197-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1500-193-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/1500-231-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1500-191-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1672-108-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1672-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1672-135-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1672-124-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/1672-121-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/1672-115-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1672-107-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1672-179-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1712-91-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1712-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1712-13-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1712-19-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1716-92-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1716-93-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1716-100-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1716-160-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1744-64-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/1744-63-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/1744-58-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/1744-57-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-134-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1808-257-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1808-247-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1948-170-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1948-209-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-178-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1948-181-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-208-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2156-75-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2156-76-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2156-83-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2156-146-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2268-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2268-1-0x0000000001CF0000-0x0000000001D57000-memory.dmp

Filesize
412KB

Download
memory/2268-6-0x0000000001CF0000-0x0000000001D57000-memory.dmp

Filesize
412KB

Download
memory/2268-74-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2360-122-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2360-131-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2360-120-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2360-177-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2540-72-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2540-44-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2720-25-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2720-106-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2812-28-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2812-52-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2812-232-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2812-35-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2812-236-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2812-34-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2812-246-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2812-29-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2812-265-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2812-255-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2900-242-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2900-225-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2900-216-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-223-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2900-240-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-241-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2932-140-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2932-147-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2932-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2952-200-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2952-204-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2952-210-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-219-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2952-218-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3044-164-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-192-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-156-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/3044-154-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-239-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download