Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 15:39

Static task: static1
Behavioral task: behavioral1
- Sample: a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
- Resource: win7-20231215-en

General
- Target: a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
- Size: 1.2MB
- MD5: 50af73f56bcfb61ccf5e00487414b7f4
- SHA1: 5f38d45649003b3147eb485857929b8e9ede3bfa
- SHA256: a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34
- SHA512: bcf194357b4e7e6ead4fc6ac3b2f02b52374af5c8aab53f1196a3dad2e138706c89bd73972bc2ecb4698a8eef9a8599e4be06c49ba3838db7eb83804248c2808
- SSDEEP: 24576:DTN9gj3Htgtozpyj4mIexbUSAL2mZ7mzAWbeIYVgOBvWi:DYHyELexbUSCfmzz9YVgY
Malware Config

Signatures

Executes dropped EXE (42 IoCs)
Processes: alg.exe, aspnet_state.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, ehRecvr.exe, ehsched.exe, elevation_service.exe, IEEtwCollector.exe, dllhost.exe, mscorsvw.exe, mscorsvw.exe, GROOVE.EXE, maintenanceservice.exe, OSE.EXE, OSPPSVC.EXE, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, msdtc.exe, mscorsvw.exe, msiexec.exe, perfhost.exe, locator.exe, snmptrap.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, mscorsvw.exe, wmpnetwk.exe, SearchIndexer.exe, mscorsvw.exe
pid | process
468 |
2844 | alg.exe
2344 | aspnet_state.exe
2608 | mscorsvw.exe
464 | mscorsvw.exe
2788 | mscorsvw.exe
2476 | mscorsvw.exe
608 | ehRecvr.exe
928 | ehsched.exe
3008 | elevation_service.exe
824 | IEEtwCollector.exe
832 | dllhost.exe
880 | mscorsvw.exe
2288 | mscorsvw.exe
1604 | GROOVE.EXE
2388 | maintenanceservice.exe
2784 | OSE.EXE
1236 | OSPPSVC.EXE
880 | mscorsvw.exe
844 | mscorsvw.exe
2396 | mscorsvw.exe
1592 | mscorsvw.exe
2088 | mscorsvw.exe
1240 | mscorsvw.exe
2772 | mscorsvw.exe
1276 | mscorsvw.exe
580 | mscorsvw.exe
1900 | mscorsvw.exe
2156 | msdtc.exe
1316 | mscorsvw.exe
928 | msiexec.exe
2336 | perfhost.exe
3056 | locator.exe
1464 | snmptrap.exe
2340 | vds.exe
2740 | vssvc.exe
1156 | wbengine.exe
1132 | WmiApSrv.exe
1708 | mscorsvw.exe
1700 | wmpnetwk.exe
2720 | SearchIndexer.exe
944 | mscorsvw.exe
Loads dropped DLL (15 IoCs)
Processes: msiexec.exe
pid | process
468 |
468 |
468 |
468 |
468 |
468 |
468 |
468 |
928 | msiexec.exe
468 |
468 |
468 |
468 |
468 |
744 |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (21 IoCs)
Processes: alg.exe, a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe, aspnet_state.exe, msdtc.exe, GROOVE.EXE
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6a48d2893db14c9a.bin | alg.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\system32\dllhost.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, aspnet_state.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | aspnet_state.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | alg.exe
Drops file in Windows directory (37 IoCs)
Processes: mscorsvw.exe, dllhost.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, alg.exe, a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe, aspnet_state.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B899D7D3-50AA-4BF1-B83F-8FA003A86750}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B899D7D3-50AA-4BF1-B83F-8FA003A86750}.crmlog | dllhost.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
Modifies data under HKEY_USERS (40 IoCs)
Processes: ehRecvr.exe, ehRec.exe, OSPPSVC.EXE, wmpnetwk.exe, GROOVE.EXE, SearchIndexer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [value elided] | OSPPSVC.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1EFCD814-DC6F-423C-B376-A08BE7F748B2} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1EFCD814-DC6F-423C-B376-A08BE7F748B2} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: ehRec.exe, aspnet_state.exe
pid | process
2436 | ehRec.exe
2344 | aspnet_state.exe
2344 | aspnet_state.exe
2344 | aspnet_state.exe
2344 | aspnet_state.exe
2344 | aspnet_state.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe, mscorsvw.exe, mscorsvw.exe, EhTray.exe, ehRec.exe, alg.exe, aspnet_state.exe, msiexec.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, wmpnetwk.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 2124 | a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
Token: SeShutdownPrivilege | 2788 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2788 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: 33 | 2372 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2372 | EhTray.exe
Token: SeShutdownPrivilege | 2788 | mscorsvw.exe
Token: SeShutdownPrivilege | 2788 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeDebugPrivilege | 2436 | ehRec.exe
Token: 33 | 2372 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2372 | EhTray.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeDebugPrivilege | 2844 | alg.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 2344 | aspnet_state.exe
Token: SeRestorePrivilege | 928 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 928 | msiexec.exe
Token: SeSecurityPrivilege | 928 | msiexec.exe
Token: SeBackupPrivilege | 2740 | vssvc.exe
Token: SeRestorePrivilege | 2740 | vssvc.exe
Token: SeAuditPrivilege | 2740 | vssvc.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeBackupPrivilege | 1156 | wbengine.exe
Token: SeRestorePrivilege | 1156 | wbengine.exe
Token: SeSecurityPrivilege | 1156 | wbengine.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeDebugPrivilege | 2344 | aspnet_state.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeManageVolumePrivilege | 2720 | SearchIndexer.exe
Token: 33 | 2720 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2720 | SearchIndexer.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: 33 | 1700 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 1700 | wmpnetwk.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EhTray.exe
pid | process
2372 | EhTray.exe
2372 | EhTray.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: EhTray.exe
pid | process
2372 | EhTray.exe
2372 | EhTray.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: SearchProtocolHost.exe
pid | process
1528 | SearchProtocolHost.exe
1528 | SearchProtocolHost.exe
1528 | SearchProtocolHost.exe
1528 | SearchProtocolHost.exe
1528 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: mscorsvw.exe, mscorsvw.exe, SearchIndexer.exe
description | pid | process | target process
PID 2476 wrote to memory of 880 | 2476 | mscorsvw.exe | mscorsvw.exe
PID 2476 wrote to memory of 880 | 2476 | mscorsvw.exe | mscorsvw.exe
PID 2476 wrote to memory of 880 | 2476 | mscorsvw.exe | mscorsvw.exe
PID 2476 wrote to memory of 2288 | 2476 | mscorsvw.exe | mscorsvw.exe
PID 2476 wrote to memory of 2288 | 2476 | mscorsvw.exe | mscorsvw.exe
PID 2476 wrote to memory of 2288 | 2476 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 880 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 880 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 880 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 880 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 844 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 844 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 844 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 844 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2396 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2396 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2396 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2396 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1592 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1592 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1592 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1592 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2088 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2088 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2088 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2088 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1240 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1240 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1240 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1240 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2772 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2772 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2772 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 2772 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1276 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1276 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1276 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1276 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 580 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 580 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 580 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 580 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1900 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1900 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1900 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1900 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1316 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1316 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1316 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1316 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1708 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1708 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1708 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 1708 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 944 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 944 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 944 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2788 wrote to memory of 944 | 2788 | mscorsvw.exe | mscorsvw.exe
PID 2720 wrote to memory of 1528 | 2720 | SearchIndexer.exe | SearchProtocolHost.exe
PID 2720 wrote to memory of 1528 | 2720 | SearchIndexer.exe | SearchProtocolHost.exe
PID 2720 wrote to memory of 1528 | 2720 | SearchIndexer.exe | SearchProtocolHost.exe
PID 2720 wrote to memory of 2900 | 2720 | SearchIndexer.exe | SearchFilterHost.exe
PID 2720 wrote to memory of 2900 | 2720 | SearchIndexer.exe | SearchFilterHost.exe
PID 2720 wrote to memory of 2900 | 2720 | SearchIndexer.exe | SearchFilterHost.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a24de830ddb5c7b767fdfdcdf8962de56b1438e02fed16849f3fcdf9e939db34.exe"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2124

[1] C:\Windows\System32\alg.exe
    command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2844

[1] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2344

[1] C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 2608

[1] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 464

[1] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2788

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 880

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1e8 -Pipe 1f0 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 844

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 2396

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 1592

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 2088

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 1240

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 184 -Pipe 1d8 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 2772

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 1276

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 184 -Pipe 268 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 580

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 1900

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 27c -Pipe 23c -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 1316

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 278 -NGENProcess 288 -Pipe 25c -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 1708

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 944

[1] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2476

    [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
        PID: 880

    [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
        - Executes dropped EXE
        PID: 2288

[1] C:\Windows\ehome\ehRecvr.exe
    command line: C:\Windows\ehome\ehRecvr.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID: 608

[1] C:\Windows\ehome\ehsched.exe
    command line: C:\Windows\ehome\ehsched.exe
    - Executes dropped EXE
    PID: 928

[1] C:\Windows\eHome\EhTray.exe
    command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2372

[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    - Executes dropped EXE
    PID: 3008

[1] C:\Windows\ehome\ehRec.exe
    command line: C:\Windows\ehome\ehRec.exe -Embedding
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:824
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:832
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1604
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2388
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2784
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1236
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2156
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:928
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2336
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3056
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1464
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2340
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1132
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1528 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵PID:2900
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:936
Network
MITRE ATT&CK Enterprise v15
Downloads